libxml2: patch CVE-2026-0990

Pick patch which closed [1]. [1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018 (From OE-Core rev: 3af64204dec407546bed8f1dc0cb8b4a1501e471) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
author: Peter Marko <peter.marko@siemens.com> 2026-01-25 19:35:18 +0100
committer: Paul Barker <paul@pbarker.dev> 2026-02-27 15:54:01 +0000
commit: bd6c85cfa6846ae0cc9d92ad6e7ddf0e6f034e43 (patch)
tree: f16047ce5f5d23a95d062d43b7b2d096c3c4ce98
parent: e7b549ecaa945a5b9f755316b80d515312d0bf2b (diff)
download: poky-bd6c85cfa6846ae0cc9d92ad6e7ddf0e6f034e43.tar.gz
2 files changed, 77 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch
new file mode 100644
index 0000000000..e0c1e3c707
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch
@@ -0,0 +1,76 @@
+From 1961208e958ca22f80a0b4e4c9d71cfa050aa982 Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <daniel.garcia@suse.com>
+Date: Wed, 17 Dec 2025 15:24:08 +0100
+Subject: [PATCH] catalog: prevent inf recursion in xmlCatalogXMLResolveURI
+Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018
+CVE: CVE-2026-0989
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1961208e958ca22f80a0b4e4c9d71cfa050aa982]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ catalog.c | 31 +++++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+diff --git a/catalog.c b/catalog.c
+index 76c063a8..46b877e6 100644
+--- a/catalog.c
+++ b/catalog.c
+@@ -2099,12 +2099,21 @@ static xmlChar *
+ xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) {
+     xmlChar *ret = NULL;
+     xmlChar *urnID = NULL;
+    xmlCatalogEntryPtr cur = NULL;
+ 
+     if (catal == NULL)
+         return(NULL);
+     if (URI == NULL)
+        return(NULL);
+ 
+    if (catal->depth > MAX_CATAL_DEPTH) {
+       xmlCatalogErr(catal, NULL, XML_CATALOG_RECURSION,
+                     "Detected recursion in catalog %s\n",
+                     catal->name, NULL, NULL);
+       return(NULL);
+    }
+    catal->depth++;
+
+     if (!xmlStrncmp(URI, BAD_CAST XML_URN_PUBID, sizeof(XML_URN_PUBID) - 1)) {
+        urnID = xmlCatalogUnWrapURN(URI);
+        if (xmlDebugCatalogs) {
+@@ -2118,21 +2127,27 @@ xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) {
+        ret = xmlCatalogListXMLResolve(catal, urnID, NULL);
+        if (urnID != NULL)
+            xmlFree(urnID);
+       catal->depth--;
+        return(ret);
+     }
+-    while (catal != NULL) {
+-       if (catal->type == XML_CATA_CATALOG) {
+-           if (catal->children == NULL) {
+-               xmlFetchXMLCatalogFile(catal);
+    cur = catal;
+    while (cur != NULL) {
+       if (cur->type == XML_CATA_CATALOG) {
+           if (cur->children == NULL) {
+               xmlFetchXMLCatalogFile(cur);
+            }
+-           if (catal->children != NULL) {
+-               ret = xmlCatalogXMLResolveURI(catal->children, URI);
+-               if (ret != NULL)
+           if (cur->children != NULL) {
+               ret = xmlCatalogXMLResolveURI(cur->children, URI);
+               if (ret != NULL) {
+                   catal->depth--;
+                    return(ret);
+               }
+            }
+        }
+-       catal = catal->next;
+       cur = cur->next;
+     }
+
+    catal->depth--;
+     return(ret);
+ }
+ 
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index 05a7dce95b..a72aff6c83 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -44,6 +44,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
           file://CVE-2025-6170.patch \
           file://CVE-2025-9714.patch \
           file://CVE-2025-7425.patch \
+           file://CVE-2026-0990.patch \
           "
 SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
author	Peter Marko <peter.marko@siemens.com>	2026-01-25 19:35:18 +0100
committer	Paul Barker <paul@pbarker.dev>	2026-02-27 15:54:01 +0000
commit	bd6c85cfa6846ae0cc9d92ad6e7ddf0e6f034e43 (patch)
tree	f16047ce5f5d23a95d062d43b7b2d096c3c4ce98
parent	e7b549ecaa945a5b9f755316b80d515312d0bf2b (diff)
download	poky-bd6c85cfa6846ae0cc9d92ad6e7ddf0e6f034e43.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch new file mode 100644 index 0000000000..e0c1e3c707 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch
@@ -0,0 +1,76 @@
		1	From 1961208e958ca22f80a0b4e4c9d71cfa050aa982 Mon Sep 17 00:00:00 2001
		2	From: Daniel Garcia Moreno <daniel.garcia@suse.com>
		3	Date: Wed, 17 Dec 2025 15:24:08 +0100
		4	Subject: [PATCH] catalog: prevent inf recursion in xmlCatalogXMLResolveURI
		5
		6	Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018
		7
		8	CVE: CVE-2026-0989
		9	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1961208e958ca22f80a0b4e4c9d71cfa050aa982]
		10	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		11	---
		12	catalog.c \| 31 +++++++++++++++++++++++--------
		13	1 file changed, 23 insertions(+), 8 deletions(-)
		14
		15	diff --git a/catalog.c b/catalog.c
		16	index 76c063a8..46b877e6 100644
		17	--- a/catalog.c
		18	+++ b/catalog.c
		19	@@ -2099,12 +2099,21 @@ static xmlChar *
		20	xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) {
		21	xmlChar *ret = NULL;
		22	xmlChar *urnID = NULL;
		23	+ xmlCatalogEntryPtr cur = NULL;
		24
		25	if (catal == NULL)
		26	return(NULL);
		27	if (URI == NULL)
		28	return(NULL);
		29
		30	+ if (catal->depth > MAX_CATAL_DEPTH) {
		31	+ xmlCatalogErr(catal, NULL, XML_CATALOG_RECURSION,
		32	+ "Detected recursion in catalog %s\n",
		33	+ catal->name, NULL, NULL);
		34	+ return(NULL);
		35	+ }
		36	+ catal->depth++;
		37	+
		38	if (!xmlStrncmp(URI, BAD_CAST XML_URN_PUBID, sizeof(XML_URN_PUBID) - 1)) {
		39	urnID = xmlCatalogUnWrapURN(URI);
		40	if (xmlDebugCatalogs) {
		41	@@ -2118,21 +2127,27 @@ xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) {
		42	ret = xmlCatalogListXMLResolve(catal, urnID, NULL);
		43	if (urnID != NULL)
		44	xmlFree(urnID);
		45	+ catal->depth--;
		46	return(ret);
		47	}
		48	- while (catal != NULL) {
		49	- if (catal->type == XML_CATA_CATALOG) {
		50	- if (catal->children == NULL) {
		51	- xmlFetchXMLCatalogFile(catal);
		52	+ cur = catal;
		53	+ while (cur != NULL) {
		54	+ if (cur->type == XML_CATA_CATALOG) {
		55	+ if (cur->children == NULL) {
		56	+ xmlFetchXMLCatalogFile(cur);
		57	}
		58	- if (catal->children != NULL) {
		59	- ret = xmlCatalogXMLResolveURI(catal->children, URI);
		60	- if (ret != NULL)
		61	+ if (cur->children != NULL) {
		62	+ ret = xmlCatalogXMLResolveURI(cur->children, URI);
		63	+ if (ret != NULL) {
		64	+ catal->depth--;
		65	return(ret);
		66	+ }
		67	}
		68	}
		69	- catal = catal->next;
		70	+ cur = cur->next;
		71	}
		72	+
		73	+ catal->depth--;
		74	return(ret);
		75	}
		76


diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index 05a7dce95b..a72aff6c83 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -44,6 +44,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
44	file://CVE-2025-6170.patch \	44	file://CVE-2025-6170.patch \
45	file://CVE-2025-9714.patch \	45	file://CVE-2025-9714.patch \
46	file://CVE-2025-7425.patch \	46	file://CVE-2025-7425.patch \
		47	file://CVE-2026-0990.patch \
47	"	48	"
48		49
49	SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"	50	SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"