libxml2: add follow-up patch for CVE-2026-0992

References: * https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019 * https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/377 (From OE-Core rev: 957244b2861f394237b8a3ec4d549d5118627955) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
author: Peter Marko <peter.marko@siemens.com> 2026-01-31 15:51:56 +0100
committer: Paul Barker <paul@pbarker.dev> 2026-02-27 15:54:01 +0000
commit: a8c5e5e5734567d1216cde25eb98098479c8152a (patch)
tree: 2a1c4efd2c2ddfce5521eaed33c047a062f8d9a7
parent: 9998d74d24a3986042660c4b13d5ea3bbce90407 (diff)
download: poky-a8c5e5e5734567d1216cde25eb98098479c8152a.tar.gz
4 files changed, 361 insertions, 1 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-01.patch
index d7c0b47b33..d7c0b47b33 100644
--- a/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch
+++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-01.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch
new file mode 100644
index 0000000000..50f72832d4
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch
@@ -0,0 +1,325 @@
+From f8399e62a31095bf1ced01827c33f9b29494046f Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <daniel.garcia@suse.com>
+Date: Fri, 19 Dec 2025 12:27:54 +0100
+Subject: [PATCH] testcatalog: Add new tests for catalog.c
+Adds a new test program to run specific tests related to catalog
+parsing.
+This initial version includes a couple of tests, the first one to check
+the infinite recursion detection related to:
+https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018.
+The second one tests the nextCatalog element repeated parsing, related
+to:
+https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
+https://gitlab.gnome.org/GNOME/libxml2/-/issues/1040
+CVE: CVE-2026-0992
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/f8399e62a31095bf1ced01827c33f9b29494046f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ CMakeLists.txt                          |  2 +
+ Makefile.am                             |  8 ++-
+ catalog.c                               | 63 +++++++++++-----
+ include/libxml/catalog.h                |  2 +
+ test/catalogs/catalog-recursive.xml     |  3 +
+ test/catalogs/repeated-next-catalog.xml | 10 +++
+ testcatalog.c                           | 96 +++++++++++++++++++++++++
+ 7 files changed, 164 insertions(+), 20 deletions(-)
+ create mode 100644 test/catalogs/catalog-recursive.xml
+ create mode 100644 test/catalogs/repeated-next-catalog.xml
+ create mode 100644 testcatalog.c
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 163661f8..7d5702df 100644
+--- a/CMakeLists.txt
+++ b/CMakeLists.txt
+@@ -555,6 +555,7 @@ if(LIBXML2_WITH_TESTS)
+                testapi
+                testAutomata
+                testC14N
+               testcatalog
+                testchar
+                testdict
+                testHTML
+@@ -579,6 +580,7 @@ if(LIBXML2_WITH_TESTS)
+        if(NOT WIN32)
+                add_test(NAME testapi COMMAND testapi)
+        endif()
+       add_test(NAME testcatalog COMMAND testcatalog)
+        add_test(NAME testchar COMMAND testchar)
+        add_test(NAME testdict COMMAND testdict)
+        add_test(NAME testrecurse COMMAND testrecurse WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
+diff --git a/Makefile.am b/Makefile.am
+index c51dfd8e..c794eac8 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -12,7 +12,7 @@ AM_CFLAGS = $(EXTRA_CFLAGS) $(THREAD_CFLAGS) $(Z_CFLAGS) $(LZMA_CFLAGS)
+ 
+ check_PROGRAMS=testSchemas testRelax testSAX testHTML testXPath testURI \
+                testThreads testC14N testAutomata testRegexp \
+-               testReader testapi testModule runtest runsuite testchar \
+               testReader testapi testModule runtest runsuite testcatalog testchar \
+               testdict runxmlconf testrecurse testlimits
+ 
+ bin_PROGRAMS = xmllint xmlcatalog
+@@ -81,6 +81,11 @@ testlimits_LDFLAGS =
+ testlimits_DEPENDENCIES = $(DEPS)
+ testlimits_LDADD= $(BASE_THREAD_LIBS) $(RDL_LIBS) $(LDADDS)
+ 
+testcatalog_SOURCES=testcatalog.c
+testcatalog_LDFLAGS = 
+testcatalog_DEPENDENCIES = $(DEPS)
+testcatalog_LDADD= $(LDADDS)
+
+ testchar_SOURCES=testchar.c
+ testchar_LDFLAGS = 
+ testchar_DEPENDENCIES = $(DEPS)
+@@ -213,6 +218,7 @@ runtests:
+        $(CHECKER) ./runtest$(EXEEXT) && \
+            $(CHECKER) ./testrecurse$(EXEEXT) && \
+            ASAN_OPTIONS="$$ASAN_OPTIONS:detect_leaks=0" $(CHECKER) ./testapi$(EXEEXT) && \
+           $(CHECKER) ./testcatalog$(EXEEXT) \
+            $(CHECKER) ./testchar$(EXEEXT) && \
+            $(CHECKER) ./testdict$(EXEEXT) && \
+            $(CHECKER) ./runxmlconf$(EXEEXT)
+diff --git a/catalog.c b/catalog.c
+index 401dbc14..eb889162 100644
+--- a/catalog.c
+++ b/catalog.c
+@@ -658,43 +658,54 @@ static void xmlDumpXMLCatalogNode(xmlCatalogEntryPtr catal, xmlNodePtr catalog,
+     }
+ }
+ 
+-static int
+-xmlDumpXMLCatalog(FILE *out, xmlCatalogEntryPtr catal) {
+-    int ret;
+-    xmlDocPtr doc;
+static xmlDocPtr
+xmlDumpXMLCatalogToDoc(xmlCatalogEntryPtr catal) {
+     xmlNsPtr ns;
+     xmlDtdPtr dtd;
+     xmlNodePtr catalog;
+-    xmlOutputBufferPtr buf;
+    xmlDocPtr doc = xmlNewDoc(NULL);
+    if (doc == NULL) {
+        return(NULL);
+    }
+ 
+-    /*
+-     * Rebuild a catalog
+-     */
+-    doc = xmlNewDoc(NULL);
+-    if (doc == NULL)
+-       return(-1);
+     dtd = xmlNewDtd(doc, BAD_CAST "catalog",
+-              BAD_CAST "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN",
+-BAD_CAST "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd");
+                    BAD_CAST "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN",
+                    BAD_CAST "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd");
+ 
+     xmlAddChild((xmlNodePtr) doc, (xmlNodePtr) dtd);
+ 
+     ns = xmlNewNs(NULL, XML_CATALOGS_NAMESPACE, NULL);
+     if (ns == NULL) {
+-       xmlFreeDoc(doc);
+-       return(-1);
+        xmlFreeDoc(doc);
+        return(NULL);
+     }
+     catalog = xmlNewDocNode(doc, ns, BAD_CAST "catalog", NULL);
+     if (catalog == NULL) {
+-       xmlFreeNs(ns);
+-       xmlFreeDoc(doc);
+-       return(-1);
+        xmlFreeDoc(doc);
+        xmlFreeNs(ns);
+        return(NULL);
+     }
+     catalog->nsDef = ns;
+     xmlAddChild((xmlNodePtr) doc, catalog);
+-
+     xmlDumpXMLCatalogNode(catal, catalog, doc, ns, NULL);
+ 
+    return(doc);
+}
+
+static int
+xmlDumpXMLCatalog(FILE *out, xmlCatalogEntryPtr catal) {
+    int ret;
+    xmlDocPtr doc;
+    xmlOutputBufferPtr buf;
+
+    /*
+     * Rebuild a catalog
+     */
+    doc = xmlDumpXMLCatalogToDoc(catal);
+    if (doc == NULL) {
+        return(-1);
+    }
+
+     /*
+      * reserialize it
+      */
+@@ -3430,6 +3441,20 @@ xmlCatalogDump(FILE *out) {
+ 
+     xmlACatalogDump(xmlDefaultCatalog, out);
+ }
+
+/**
+ * Dump all the global catalog content as a xmlDoc
+ * This function is just for testing/debugging purposes
+ *
+ * @returns  The catalog as xmlDoc or NULL if failed, it must be freed by the caller.
+ */
+xmlDocPtr
+xmlCatalogDumpDoc(void) {
+    if (!xmlCatalogInitialized)
+        xmlInitializeCatalog();
+
+    return xmlDumpXMLCatalogToDoc(xmlDefaultCatalog->xml);
+}
+ #endif /* LIBXML_OUTPUT_ENABLED */
+ 
+ /**
+diff --git a/include/libxml/catalog.h b/include/libxml/catalog.h
+index 88a7483c..e1bc5feb 100644
+--- a/include/libxml/catalog.h
+++ b/include/libxml/catalog.h
+@@ -119,6 +119,8 @@ XMLPUBFUN void XMLCALL
+ #ifdef LIBXML_OUTPUT_ENABLED
+ XMLPUBFUN void XMLCALL
+                xmlCatalogDump          (FILE *out);
+XMLPUBFUN xmlDocPtr
+               xmlCatalogDumpDoc       (void);
+ #endif /* LIBXML_OUTPUT_ENABLED */
+ XMLPUBFUN xmlChar * XMLCALL
+                xmlCatalogResolve       (const xmlChar *pubID,
+diff --git a/test/catalogs/catalog-recursive.xml b/test/catalogs/catalog-recursive.xml
+new file mode 100644
+index 00000000..3b3d03f9
+--- /dev/null
+++ b/test/catalogs/catalog-recursive.xml
+@@ -0,0 +1,3 @@
+<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
+    <delegateURI uriStartString="/foo" catalog="catalog-recursive.xml"/>
+</catalog>
+diff --git a/test/catalogs/repeated-next-catalog.xml b/test/catalogs/repeated-next-catalog.xml
+new file mode 100644
+index 00000000..76d34c3c
+--- /dev/null
+++ b/test/catalogs/repeated-next-catalog.xml
+@@ -0,0 +1,10 @@
+<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
+  <nextCatalog catalog="registry.xml"/>
+  <nextCatalog catalog="registry.xml"/>
+  <nextCatalog catalog="./registry.xml"/>
+  <nextCatalog catalog="././registry.xml"/>
+  <nextCatalog catalog="./././registry.xml"/>
+  <nextCatalog catalog="./../catalogs/registry.xml"/>
+  <nextCatalog catalog="./../catalogs/./registry.xml"/>
+</catalog>
+
+diff --git a/testcatalog.c b/testcatalog.c
+new file mode 100644
+index 00000000..86d33bd0
+--- /dev/null
+++ b/testcatalog.c
+@@ -0,0 +1,96 @@
+/*
+ * testcatalog.c: C program to run libxml2 catalog.c unit tests
+ *
+ * To compile on Unixes:
+ * cc -o testcatalog `xml2-config --cflags` testcatalog.c `xml2-config --libs` -lpthread
+ *
+ * See Copyright for the status of this software.
+ *
+ * Author: Daniel Garcia <dani@danigm.net>
+ */
+
+
+#include "libxml.h"
+#include <stdio.h>
+
+#ifdef LIBXML_CATALOG_ENABLED
+#include <libxml/catalog.h>
+
+/* Test catalog resolve uri with recursive catalog */
+static int
+testRecursiveDelegateUri(void) {
+    int ret = 0;
+    const char *cat = "test/catalogs/catalog-recursive.xml";
+    const char *entity = "/foo.ent";
+    xmlChar *resolved = NULL;
+
+    xmlInitParser();
+    xmlLoadCatalog(cat);
+
+    /* This should trigger recursive error */
+    resolved = xmlCatalogResolveURI(BAD_CAST entity);
+    if (resolved != NULL) {
+        fprintf(stderr, "CATALOG-FAILURE: Catalog %s entity should fail to resolve\n", entity);
+        ret = 1;
+    }
+    xmlCatalogCleanup();
+
+    return ret;
+}
+
+/* Test parsing repeated NextCatalog */
+static int
+testRepeatedNextCatalog(void) {
+    int ret = 0;
+    int i = 0;
+    const char *cat = "test/catalogs/repeated-next-catalog.xml";
+    const char *entity = "/foo.ent";
+    xmlDocPtr doc = NULL;
+    xmlNodePtr node = NULL;
+
+    xmlInitParser();
+
+    xmlLoadCatalog(cat);
+    /* To force the complete recursive load */
+    xmlCatalogResolveURI(BAD_CAST entity);
+    /**
+     * Ensure that the doc doesn't contain the same nextCatalog
+     */
+    doc = xmlCatalogDumpDoc();
+    xmlCatalogCleanup();
+
+    if (doc == NULL) {
+        fprintf(stderr, "CATALOG-FAILURE: Failed to dump the catalog\n");
+        return 1;
+    }
+
+    /* Just the root "catalog" node with a series of nextCatalog */
+    node = xmlDocGetRootElement(doc);
+    node = node->children;
+    for (i=0; node != NULL; node=node->next, i++) {}
+    if (i > 1) {
+        fprintf(stderr, "CATALOG-FAILURE: Found %d nextCatalog entries and should be 1\n", i);
+        ret = 1;
+    }
+
+    xmlFreeDoc(doc);
+
+    return ret;
+}
+
+int
+main(void) {
+    int err = 0;
+
+    err |= testRecursiveDelegateUri();
+    err |= testRepeatedNextCatalog();
+
+    return err;
+}
+#else
+/* No catalog, so everything okay */
+int
+main(void) {
+    return 0;
+}
+#endif
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch
new file mode 100644
index 0000000000..89f5fb1ac6
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch
@@ -0,0 +1,33 @@
+From deed3b7873dff30b7f87f7f33154c9932a772522 Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <dani@danigm.net>
+Date: Sun, 18 Jan 2026 19:47:11 +0100
+Subject: [PATCH] catalog: Do not check value for duplication nextCatalog
+The value field stores the path as it appears in the catalog definition,
+the URL is built using xmlBuildURI that changes the relative paths to
+absolute.
+This change fixes the issue of using relative path to the same catalog
+in the same file.
+Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1040
+CVE: CVE-2026-0992
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/deed3b7873dff30b7f87f7f33154c9932a772522]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ catalog.c | 1 -
+ 1 file changed, 1 deletion(-)
+diff --git a/catalog.c b/catalog.c
+index eb889162..ba9ee7ae 100644
+--- a/catalog.c
+++ b/catalog.c
+@@ -1299,7 +1299,6 @@ xmlParseXMLCatalogNode(xmlNodePtr cur, xmlCatalogPrefer prefer,
+        while (prev != NULL) {
+            if ((prev->type == XML_CATA_NEXT_CATALOG) &&
+                (xmlStrEqual (prev->URL, entry->URL)) &&
+-               (xmlStrEqual (prev->value, entry->value)) &&
+                (prev->prefer == entry->prefer) &&
+                (prev->group == entry->group)) {
+                    if (xmlDebugCatalogs)
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index bf3099c1f4..fa39116404 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -45,7 +45,9 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
           file://CVE-2025-9714.patch \
           file://CVE-2025-7425.patch \
           file://CVE-2026-0990.patch \
-           file://CVE-2026-0992.patch \
+           file://CVE-2026-0992-01.patch \
+           file://CVE-2026-0992-02.patch \
+           file://CVE-2026-0992-03.patch \
           "
 SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
author	Peter Marko <peter.marko@siemens.com>	2026-01-31 15:51:56 +0100
committer	Paul Barker <paul@pbarker.dev>	2026-02-27 15:54:01 +0000
commit	a8c5e5e5734567d1216cde25eb98098479c8152a (patch)
tree	2a1c4efd2c2ddfce5521eaed33c047a062f8d9a7
parent	9998d74d24a3986042660c4b13d5ea3bbce90407 (diff)
download	poky-a8c5e5e5734567d1216cde25eb98098479c8152a.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-01.patch index d7c0b47b33..d7c0b47b33 100644 --- a/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch +++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-01.patch


diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch new file mode 100644 index 0000000000..50f72832d4 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch
@@ -0,0 +1,325 @@
		1	From f8399e62a31095bf1ced01827c33f9b29494046f Mon Sep 17 00:00:00 2001
		2	From: Daniel Garcia Moreno <daniel.garcia@suse.com>
		3	Date: Fri, 19 Dec 2025 12:27:54 +0100
		4	Subject: [PATCH] testcatalog: Add new tests for catalog.c
		5
		6	Adds a new test program to run specific tests related to catalog
		7	parsing.
		8
		9	This initial version includes a couple of tests, the first one to check
		10	the infinite recursion detection related to:
		11	https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018.
		12
		13	The second one tests the nextCatalog element repeated parsing, related
		14	to:
		15	https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
		16	https://gitlab.gnome.org/GNOME/libxml2/-/issues/1040
		17
		18	CVE: CVE-2026-0992
		19	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/f8399e62a31095bf1ced01827c33f9b29494046f]
		20	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		21	---
		22	CMakeLists.txt \| 2 +
		23	Makefile.am \| 8 ++-
		24	catalog.c \| 63 +++++++++++-----
		25	include/libxml/catalog.h \| 2 +
		26	test/catalogs/catalog-recursive.xml \| 3 +
		27	test/catalogs/repeated-next-catalog.xml \| 10 +++
		28	testcatalog.c \| 96 +++++++++++++++++++++++++
		29	7 files changed, 164 insertions(+), 20 deletions(-)
		30	create mode 100644 test/catalogs/catalog-recursive.xml
		31	create mode 100644 test/catalogs/repeated-next-catalog.xml
		32	create mode 100644 testcatalog.c
		33
		34	diff --git a/CMakeLists.txt b/CMakeLists.txt
		35	index 163661f8..7d5702df 100644
		36	--- a/CMakeLists.txt
		37	+++ b/CMakeLists.txt
		38	@@ -555,6 +555,7 @@ if(LIBXML2_WITH_TESTS)
		39	testapi
		40	testAutomata
		41	testC14N
		42	+ testcatalog
		43	testchar
		44	testdict
		45	testHTML
		46	@@ -579,6 +580,7 @@ if(LIBXML2_WITH_TESTS)
		47	if(NOT WIN32)
		48	add_test(NAME testapi COMMAND testapi)
		49	endif()
		50	+ add_test(NAME testcatalog COMMAND testcatalog)
		51	add_test(NAME testchar COMMAND testchar)
		52	add_test(NAME testdict COMMAND testdict)
		53	add_test(NAME testrecurse COMMAND testrecurse WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
		54	diff --git a/Makefile.am b/Makefile.am
		55	index c51dfd8e..c794eac8 100644
		56	--- a/Makefile.am
		57	+++ b/Makefile.am
		58	@@ -12,7 +12,7 @@ AM_CFLAGS = $(EXTRA_CFLAGS) $(THREAD_CFLAGS) $(Z_CFLAGS) $(LZMA_CFLAGS)
		59
		60	check_PROGRAMS=testSchemas testRelax testSAX testHTML testXPath testURI \
		61	testThreads testC14N testAutomata testRegexp \
		62	- testReader testapi testModule runtest runsuite testchar \
		63	+ testReader testapi testModule runtest runsuite testcatalog testchar \
		64	testdict runxmlconf testrecurse testlimits
		65
		66	bin_PROGRAMS = xmllint xmlcatalog
		67	@@ -81,6 +81,11 @@ testlimits_LDFLAGS =
		68	testlimits_DEPENDENCIES = $(DEPS)
		69	testlimits_LDADD= $(BASE_THREAD_LIBS) $(RDL_LIBS) $(LDADDS)
		70
		71	+testcatalog_SOURCES=testcatalog.c
		72	+testcatalog_LDFLAGS =
		73	+testcatalog_DEPENDENCIES = $(DEPS)
		74	+testcatalog_LDADD= $(LDADDS)
		75	+
		76	testchar_SOURCES=testchar.c
		77	testchar_LDFLAGS =
		78	testchar_DEPENDENCIES = $(DEPS)
		79	@@ -213,6 +218,7 @@ runtests:
		80	$(CHECKER) ./runtest$(EXEEXT) && \
		81	$(CHECKER) ./testrecurse$(EXEEXT) && \
		82	ASAN_OPTIONS="$$ASAN_OPTIONS:detect_leaks=0" $(CHECKER) ./testapi$(EXEEXT) && \
		83	+ $(CHECKER) ./testcatalog$(EXEEXT) \
		84	$(CHECKER) ./testchar$(EXEEXT) && \
		85	$(CHECKER) ./testdict$(EXEEXT) && \
		86	$(CHECKER) ./runxmlconf$(EXEEXT)
		87	diff --git a/catalog.c b/catalog.c
		88	index 401dbc14..eb889162 100644
		89	--- a/catalog.c
		90	+++ b/catalog.c
		91	@@ -658,43 +658,54 @@ static void xmlDumpXMLCatalogNode(xmlCatalogEntryPtr catal, xmlNodePtr catalog,
		92	}
		93	}
		94
		95	-static int
		96	-xmlDumpXMLCatalog(FILE *out, xmlCatalogEntryPtr catal) {
		97	- int ret;
		98	- xmlDocPtr doc;
		99	+static xmlDocPtr
		100	+xmlDumpXMLCatalogToDoc(xmlCatalogEntryPtr catal) {
		101	xmlNsPtr ns;
		102	xmlDtdPtr dtd;
		103	xmlNodePtr catalog;
		104	- xmlOutputBufferPtr buf;
		105	+ xmlDocPtr doc = xmlNewDoc(NULL);
		106	+ if (doc == NULL) {
		107	+ return(NULL);
		108	+ }
		109
		110	- /*
		111	- * Rebuild a catalog
		112	- */
		113	- doc = xmlNewDoc(NULL);
		114	- if (doc == NULL)
		115	- return(-1);
		116	dtd = xmlNewDtd(doc, BAD_CAST "catalog",
		117	- BAD_CAST "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN",
		118	-BAD_CAST "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd");
		119	+ BAD_CAST "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN",
		120	+ BAD_CAST "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd");
		121
		122	xmlAddChild((xmlNodePtr) doc, (xmlNodePtr) dtd);
		123
		124	ns = xmlNewNs(NULL, XML_CATALOGS_NAMESPACE, NULL);
		125	if (ns == NULL) {
		126	- xmlFreeDoc(doc);
		127	- return(-1);
		128	+ xmlFreeDoc(doc);
		129	+ return(NULL);
		130	}
		131	catalog = xmlNewDocNode(doc, ns, BAD_CAST "catalog", NULL);
		132	if (catalog == NULL) {
		133	- xmlFreeNs(ns);
		134	- xmlFreeDoc(doc);
		135	- return(-1);
		136	+ xmlFreeDoc(doc);
		137	+ xmlFreeNs(ns);
		138	+ return(NULL);
		139	}
		140	catalog->nsDef = ns;
		141	xmlAddChild((xmlNodePtr) doc, catalog);
		142	-
		143	xmlDumpXMLCatalogNode(catal, catalog, doc, ns, NULL);
		144
		145	+ return(doc);
		146	+}
		147	+
		148	+static int
		149	+xmlDumpXMLCatalog(FILE *out, xmlCatalogEntryPtr catal) {
		150	+ int ret;
		151	+ xmlDocPtr doc;
		152	+ xmlOutputBufferPtr buf;
		153	+
		154	+ /*
		155	+ * Rebuild a catalog
		156	+ */
		157	+ doc = xmlDumpXMLCatalogToDoc(catal);
		158	+ if (doc == NULL) {
		159	+ return(-1);
		160	+ }
		161	+
		162	/*
		163	* reserialize it
		164	*/
		165	@@ -3430,6 +3441,20 @@ xmlCatalogDump(FILE *out) {
		166
		167	xmlACatalogDump(xmlDefaultCatalog, out);
		168	}
		169	+
		170	+/**
		171	+ * Dump all the global catalog content as a xmlDoc
		172	+ * This function is just for testing/debugging purposes
		173	+ *
		174	+ * @returns The catalog as xmlDoc or NULL if failed, it must be freed by the caller.
		175	+ */
		176	+xmlDocPtr
		177	+xmlCatalogDumpDoc(void) {
		178	+ if (!xmlCatalogInitialized)
		179	+ xmlInitializeCatalog();
		180	+
		181	+ return xmlDumpXMLCatalogToDoc(xmlDefaultCatalog->xml);
		182	+}
		183	#endif /* LIBXML_OUTPUT_ENABLED */
		184
		185	/**
		186	diff --git a/include/libxml/catalog.h b/include/libxml/catalog.h
		187	index 88a7483c..e1bc5feb 100644
		188	--- a/include/libxml/catalog.h
		189	+++ b/include/libxml/catalog.h
		190	@@ -119,6 +119,8 @@ XMLPUBFUN void XMLCALL
		191	#ifdef LIBXML_OUTPUT_ENABLED
		192	XMLPUBFUN void XMLCALL
		193	xmlCatalogDump (FILE *out);
		194	+XMLPUBFUN xmlDocPtr
		195	+ xmlCatalogDumpDoc (void);
		196	#endif /* LIBXML_OUTPUT_ENABLED */
		197	XMLPUBFUN xmlChar * XMLCALL
		198	xmlCatalogResolve (const xmlChar *pubID,
		199	diff --git a/test/catalogs/catalog-recursive.xml b/test/catalogs/catalog-recursive.xml
		200	new file mode 100644
		201	index 00000000..3b3d03f9
		202	--- /dev/null
		203	+++ b/test/catalogs/catalog-recursive.xml
		204	@@ -0,0 +1,3 @@
		205	+<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
		206	+ <delegateURI uriStartString="/foo" catalog="catalog-recursive.xml"/>
		207	+</catalog>
		208	diff --git a/test/catalogs/repeated-next-catalog.xml b/test/catalogs/repeated-next-catalog.xml
		209	new file mode 100644
		210	index 00000000..76d34c3c
		211	--- /dev/null
		212	+++ b/test/catalogs/repeated-next-catalog.xml
		213	@@ -0,0 +1,10 @@
		214	+<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
		215	+ <nextCatalog catalog="registry.xml"/>
		216	+ <nextCatalog catalog="registry.xml"/>
		217	+ <nextCatalog catalog="./registry.xml"/>
		218	+ <nextCatalog catalog="././registry.xml"/>
		219	+ <nextCatalog catalog="./././registry.xml"/>
		220	+ <nextCatalog catalog="./../catalogs/registry.xml"/>
		221	+ <nextCatalog catalog="./../catalogs/./registry.xml"/>
		222	+</catalog>
		223	+
		224	diff --git a/testcatalog.c b/testcatalog.c
		225	new file mode 100644
		226	index 00000000..86d33bd0
		227	--- /dev/null
		228	+++ b/testcatalog.c
		229	@@ -0,0 +1,96 @@
		230	+/*
		231	+ * testcatalog.c: C program to run libxml2 catalog.c unit tests
		232	+ *
		233	+ * To compile on Unixes:
		234	+ * cc -o testcatalog `xml2-config --cflags` testcatalog.c `xml2-config --libs` -lpthread
		235	+ *
		236	+ * See Copyright for the status of this software.
		237	+ *
		238	+ * Author: Daniel Garcia <dani@danigm.net>
		239	+ */
		240	+
		241	+
		242	+#include "libxml.h"
		243	+#include <stdio.h>
		244	+
		245	+#ifdef LIBXML_CATALOG_ENABLED
		246	+#include <libxml/catalog.h>
		247	+
		248	+/* Test catalog resolve uri with recursive catalog */
		249	+static int
		250	+testRecursiveDelegateUri(void) {
		251	+ int ret = 0;
		252	+ const char *cat = "test/catalogs/catalog-recursive.xml";
		253	+ const char *entity = "/foo.ent";
		254	+ xmlChar *resolved = NULL;
		255	+
		256	+ xmlInitParser();
		257	+ xmlLoadCatalog(cat);
		258	+
		259	+ /* This should trigger recursive error */
		260	+ resolved = xmlCatalogResolveURI(BAD_CAST entity);
		261	+ if (resolved != NULL) {
		262	+ fprintf(stderr, "CATALOG-FAILURE: Catalog %s entity should fail to resolve\n", entity);
		263	+ ret = 1;
		264	+ }
		265	+ xmlCatalogCleanup();
		266	+
		267	+ return ret;
		268	+}
		269	+
		270	+/* Test parsing repeated NextCatalog */
		271	+static int
		272	+testRepeatedNextCatalog(void) {
		273	+ int ret = 0;
		274	+ int i = 0;
		275	+ const char *cat = "test/catalogs/repeated-next-catalog.xml";
		276	+ const char *entity = "/foo.ent";
		277	+ xmlDocPtr doc = NULL;
		278	+ xmlNodePtr node = NULL;
		279	+
		280	+ xmlInitParser();
		281	+
		282	+ xmlLoadCatalog(cat);
		283	+ /* To force the complete recursive load */
		284	+ xmlCatalogResolveURI(BAD_CAST entity);
		285	+ /**
		286	+ * Ensure that the doc doesn't contain the same nextCatalog
		287	+ */
		288	+ doc = xmlCatalogDumpDoc();
		289	+ xmlCatalogCleanup();
		290	+
		291	+ if (doc == NULL) {
		292	+ fprintf(stderr, "CATALOG-FAILURE: Failed to dump the catalog\n");
		293	+ return 1;
		294	+ }
		295	+
		296	+ /* Just the root "catalog" node with a series of nextCatalog */
		297	+ node = xmlDocGetRootElement(doc);
		298	+ node = node->children;
		299	+ for (i=0; node != NULL; node=node->next, i++) {}
		300	+ if (i > 1) {
		301	+ fprintf(stderr, "CATALOG-FAILURE: Found %d nextCatalog entries and should be 1\n", i);
		302	+ ret = 1;
		303	+ }
		304	+
		305	+ xmlFreeDoc(doc);
		306	+
		307	+ return ret;
		308	+}
		309	+
		310	+int
		311	+main(void) {
		312	+ int err = 0;
		313	+
		314	+ err \|= testRecursiveDelegateUri();
		315	+ err \|= testRepeatedNextCatalog();
		316	+
		317	+ return err;
		318	+}
		319	+#else
		320	+/* No catalog, so everything okay */
		321	+int
		322	+main(void) {
		323	+ return 0;
		324	+}
		325	+#endif


diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch new file mode 100644 index 0000000000..89f5fb1ac6 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch
@@ -0,0 +1,33 @@
		1	From deed3b7873dff30b7f87f7f33154c9932a772522 Mon Sep 17 00:00:00 2001
		2	From: Daniel Garcia Moreno <dani@danigm.net>
		3	Date: Sun, 18 Jan 2026 19:47:11 +0100
		4	Subject: [PATCH] catalog: Do not check value for duplication nextCatalog
		5
		6	The value field stores the path as it appears in the catalog definition,
		7	the URL is built using xmlBuildURI that changes the relative paths to
		8	absolute.
		9
		10	This change fixes the issue of using relative path to the same catalog
		11	in the same file.
		12
		13	Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1040
		14
		15	CVE: CVE-2026-0992
		16	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/deed3b7873dff30b7f87f7f33154c9932a772522]
		17	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		18	---
		19	catalog.c \| 1 -
		20	1 file changed, 1 deletion(-)
		21
		22	diff --git a/catalog.c b/catalog.c
		23	index eb889162..ba9ee7ae 100644
		24	--- a/catalog.c
		25	+++ b/catalog.c
		26	@@ -1299,7 +1299,6 @@ xmlParseXMLCatalogNode(xmlNodePtr cur, xmlCatalogPrefer prefer,
		27	while (prev != NULL) {
		28	if ((prev->type == XML_CATA_NEXT_CATALOG) &&
		29	(xmlStrEqual (prev->URL, entry->URL)) &&
		30	- (xmlStrEqual (prev->value, entry->value)) &&
		31	(prev->prefer == entry->prefer) &&
		32	(prev->group == entry->group)) {
		33	if (xmlDebugCatalogs)


diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index bf3099c1f4..fa39116404 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -45,7 +45,9 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
45	file://CVE-2025-9714.patch \	45	file://CVE-2025-9714.patch \
46	file://CVE-2025-7425.patch \	46	file://CVE-2025-7425.patch \
47	file://CVE-2026-0990.patch \	47	file://CVE-2026-0990.patch \
48	file://CVE-2026-0992.patch \	48	file://CVE-2026-0992-01.patch \
		49	file://CVE-2026-0992-02.patch \
		50	file://CVE-2026-0992-03.patch \
49	"	51	"
50		52
51	SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"	53	SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"