libxml2: Fix CVE-2025-49794 & CVE-2025-49796

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors. A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory. References: https://security-tracker.debian.org/tracker/CVE-2025-49794 https://security-tracker.debian.org/tracker/CVE-2025-49796 Upstream-patch: https://gitlab.gnome.org/GNOME/libxml2/-/commit/71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b (From OE-Core rev: b0f34931f7ae35538d007add80e2f81c85fa950f) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-07-14 15:57:11 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-07-21 09:17:59 -0700
commit: 4a37001c6a4fcdfb6b8fb5627f555e6b9b8c010a (patch)
tree: fb08c21159a115e036c5a21109e7162c2e4d58a5
parent: 58aa4f3e1befbf1a1143501cacb24d1ad4d9c629 (diff)
download: poky-4a37001c6a4fcdfb6b8fb5627f555e6b9b8c010a.tar.gz
2 files changed, 190 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-49794_CVE-2025-49796.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-49794_CVE-2025-49796.patch
new file mode 100644
index 0000000000..77b04f7147
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-49794_CVE-2025-49796.patch
@@ -0,0 +1,189 @@
+From 71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 4 Jul 2025 14:28:26 +0200
+Subject: [PATCH] schematron: Fix memory safety issues in
+ xmlSchematronReportOutput
+Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796)
+in xmlSchematronReportOutput.
+Fixes #931.
+Fixes #933.
+---
+CVE: CVE-2025-49794 CVE-2025-49796
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ result/schematron/cve-2025-49794_0.err |  2 ++
+ result/schematron/cve-2025-49796_0.err |  2 ++
+ schematron.c                           | 49 ++++++++++++++------------
+ test/schematron/cve-2025-49794.sct     | 10 ++++++
+ test/schematron/cve-2025-49794_0.xml   |  6 ++++
+ test/schematron/cve-2025-49796.sct     |  9 +++++
+ test/schematron/cve-2025-49796_0.xml   |  3 ++
+ 7 files changed, 58 insertions(+), 23 deletions(-)
+ create mode 100644 result/schematron/cve-2025-49794_0.err
+ create mode 100644 result/schematron/cve-2025-49796_0.err
+ create mode 100644 test/schematron/cve-2025-49794.sct
+ create mode 100644 test/schematron/cve-2025-49794_0.xml
+ create mode 100644 test/schematron/cve-2025-49796.sct
+ create mode 100644 test/schematron/cve-2025-49796_0.xml
+diff --git a/result/schematron/cve-2025-49794_0.err b/result/schematron/cve-2025-49794_0.err
+new file mode 100644
+index 0000000..5775231
+--- /dev/null
+++ b/result/schematron/cve-2025-49794_0.err
+@@ -0,0 +1,2 @@
+./test/schematron/cve-2025-49794_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:  
+./test/schematron/cve-2025-49794_0.xml fails to validate
+diff --git a/result/schematron/cve-2025-49796_0.err b/result/schematron/cve-2025-49796_0.err
+new file mode 100644
+index 0000000..bf875ee
+--- /dev/null
+++ b/result/schematron/cve-2025-49796_0.err
+@@ -0,0 +1,2 @@
+./test/schematron/cve-2025-49796_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:  
+./test/schematron/cve-2025-49796_0.xml fails to validate
+diff --git a/schematron.c b/schematron.c
+index 1de25de..426300c 100644
+--- a/schematron.c
+++ b/schematron.c
+@@ -1414,27 +1414,15 @@ exit:
+  *                                                                      *
+  ************************************************************************/
+ 
+-static xmlNodePtr
+static xmlXPathObjectPtr
+ xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt,
+                      xmlNodePtr cur, const xmlChar *xpath) {
+-    xmlNodePtr node = NULL;
+-    xmlXPathObjectPtr ret;
+-
+     if ((ctxt == NULL) || (cur == NULL) || (xpath == NULL))
+         return(NULL);
+ 
+     ctxt->xctxt->doc = cur->doc;
+     ctxt->xctxt->node = cur;
+-    ret = xmlXPathEval(xpath, ctxt->xctxt);
+-    if (ret == NULL)
+-        return(NULL);
+-
+-    if ((ret->type == XPATH_NODESET) &&
+-        (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0))
+-        node = ret->nodesetval->nodeTab[0];
+-
+-    xmlXPathFreeObject(ret);
+-    return(node);
+    return(xmlXPathEval(xpath, ctxt->xctxt));
+ }
+ 
+ /**
+@@ -1480,25 +1468,40 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
+             (child->type == XML_CDATA_SECTION_NODE))
+             ret = xmlStrcat(ret, child->content);
+         else if (IS_SCHEMATRON(child, "name")) {
+            xmlXPathObject *obj = NULL;
+             xmlChar *path;
+ 
+             path = xmlGetNoNsProp(child, BAD_CAST "path");
+ 
+             node = cur;
+             if (path != NULL) {
+-                node = xmlSchematronGetNode(ctxt, cur, path);
+-                if (node == NULL)
+-                    node = cur;
+                obj = xmlSchematronGetNode(ctxt, cur, path);
+                if ((obj != NULL) &&
+                    (obj->type == XPATH_NODESET) &&
+                    (obj->nodesetval != NULL) &&
+                    (obj->nodesetval->nodeNr > 0))
+                    node = obj->nodesetval->nodeTab[0];
+                 xmlFree(path);
+             }
+ 
+-            if ((node->ns == NULL) || (node->ns->prefix == NULL))
+-                ret = xmlStrcat(ret, node->name);
+-            else {
+-                ret = xmlStrcat(ret, node->ns->prefix);
+-                ret = xmlStrcat(ret, BAD_CAST ":");
+-                ret = xmlStrcat(ret, node->name);
+            switch (node->type) {
+                case XML_ELEMENT_NODE:
+                case XML_ATTRIBUTE_NODE:
+                    if ((node->ns == NULL) || (node->ns->prefix == NULL))
+                        ret = xmlStrcat(ret, node->name);
+                    else {
+                        ret = xmlStrcat(ret, node->ns->prefix);
+                        ret = xmlStrcat(ret, BAD_CAST ":");
+                        ret = xmlStrcat(ret, node->name);
+                    }
+                    break;
+
+                /* TODO: handle other node types */
+                default:
+                    break;
+             }
+
+            xmlXPathFreeObject(obj);
+         } else if (IS_SCHEMATRON(child, "value-of")) {
+             xmlChar *select;
+             xmlXPathObjectPtr eval;
+diff --git a/test/schematron/cve-2025-49794.sct b/test/schematron/cve-2025-49794.sct
+new file mode 100644
+index 0000000..7fc9ee3
+--- /dev/null
+++ b/test/schematron/cve-2025-49794.sct
+@@ -0,0 +1,10 @@
+<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
+    <sch:pattern id="">
+        <sch:rule context="boo0">
+            <sch:report test="not(0)">
+                <sch:name path="&#9;e|namespace::*|e"/>
+            </sch:report>
+            <sch:report test="0"></sch:report>
+        </sch:rule>
+    </sch:pattern>
+</sch:schema>
+diff --git a/test/schematron/cve-2025-49794_0.xml b/test/schematron/cve-2025-49794_0.xml
+new file mode 100644
+index 0000000..debc64b
+--- /dev/null
+++ b/test/schematron/cve-2025-49794_0.xml
+@@ -0,0 +1,6 @@
+<librar0>
+    <boo0 t="">
+        <author></author>
+    </boo0>
+    <ins></ins>
+</librar0>
+diff --git a/test/schematron/cve-2025-49796.sct b/test/schematron/cve-2025-49796.sct
+new file mode 100644
+index 0000000..e9702d7
+--- /dev/null
+++ b/test/schematron/cve-2025-49796.sct
+@@ -0,0 +1,9 @@
+<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
+    <sch:pattern id="">
+        <sch:rule context="boo0">
+            <sch:report test="not(0)">
+                <sch:name path="/"/>
+            </sch:report>
+        </sch:rule>
+    </sch:pattern>
+</sch:schema>
+diff --git a/test/schematron/cve-2025-49796_0.xml b/test/schematron/cve-2025-49796_0.xml
+new file mode 100644
+index 0000000..be33c4e
+--- /dev/null
+++ b/test/schematron/cve-2025-49796_0.xml
+@@ -0,0 +1,3 @@
+<librar0>
+    <boo0/>
+</librar0>
+-- 
+2.40.0
diff --git a/meta/recipes-core/libxml/libxml2_2.13.8.bb b/meta/recipes-core/libxml/libxml2_2.13.8.bb
index ea7aa9c41d..3d6ecf5458 100644
--- a/meta/recipes-core/libxml/libxml2_2.13.8.bb
+++ b/meta/recipes-core/libxml/libxml2_2.13.8.bb
@@ -18,6 +18,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
           file://run-ptest \
           file://install-tests.patch \
           file://CVE-2025-6021.patch \
+           file://CVE-2025-49794_CVE-2025-49796.patch \
           "
 SRC_URI[archive.sha256sum] = "277294cb33119ab71b2bc81f2f445e9bc9435b893ad15bb2cd2b0e859a0ee84a"
author	Divya Chellam <divya.chellam@windriver.com>	2025-07-14 15:57:11 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-07-21 09:17:59 -0700
commit	4a37001c6a4fcdfb6b8fb5627f555e6b9b8c010a (patch)
tree	fb08c21159a115e036c5a21109e7162c2e4d58a5
parent	58aa4f3e1befbf1a1143501cacb24d1ad4d9c629 (diff)
download	poky-4a37001c6a4fcdfb6b8fb5627f555e6b9b8c010a.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-49794_CVE-2025-49796.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-49794_CVE-2025-49796.patch new file mode 100644 index 0000000000..77b04f7147 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-49794_CVE-2025-49796.patch
@@ -0,0 +1,189 @@
		1	From 71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Fri, 4 Jul 2025 14:28:26 +0200
		4	Subject: [PATCH] schematron: Fix memory safety issues in
		5	xmlSchematronReportOutput
		6
		7	Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796)
		8	in xmlSchematronReportOutput.
		9
		10	Fixes #931.
		11	Fixes #933.
		12	---
		13
		14	CVE: CVE-2025-49794 CVE-2025-49796
		15
		16	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b]
		17
		18	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		19	---
		20	result/schematron/cve-2025-49794_0.err \| 2 ++
		21	result/schematron/cve-2025-49796_0.err \| 2 ++
		22	schematron.c \| 49 ++++++++++++++------------
		23	test/schematron/cve-2025-49794.sct \| 10 ++++++
		24	test/schematron/cve-2025-49794_0.xml \| 6 ++++
		25	test/schematron/cve-2025-49796.sct \| 9 +++++
		26	test/schematron/cve-2025-49796_0.xml \| 3 ++
		27	7 files changed, 58 insertions(+), 23 deletions(-)
		28	create mode 100644 result/schematron/cve-2025-49794_0.err
		29	create mode 100644 result/schematron/cve-2025-49796_0.err
		30	create mode 100644 test/schematron/cve-2025-49794.sct
		31	create mode 100644 test/schematron/cve-2025-49794_0.xml
		32	create mode 100644 test/schematron/cve-2025-49796.sct
		33	create mode 100644 test/schematron/cve-2025-49796_0.xml
		34
		35	diff --git a/result/schematron/cve-2025-49794_0.err b/result/schematron/cve-2025-49794_0.err
		36	new file mode 100644
		37	index 0000000..5775231
		38	--- /dev/null
		39	+++ b/result/schematron/cve-2025-49794_0.err
		40	@@ -0,0 +1,2 @@
		41	+./test/schematron/cve-2025-49794_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:
		42	+./test/schematron/cve-2025-49794_0.xml fails to validate
		43	diff --git a/result/schematron/cve-2025-49796_0.err b/result/schematron/cve-2025-49796_0.err
		44	new file mode 100644
		45	index 0000000..bf875ee
		46	--- /dev/null
		47	+++ b/result/schematron/cve-2025-49796_0.err
		48	@@ -0,0 +1,2 @@
		49	+./test/schematron/cve-2025-49796_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:
		50	+./test/schematron/cve-2025-49796_0.xml fails to validate
		51	diff --git a/schematron.c b/schematron.c
		52	index 1de25de..426300c 100644
		53	--- a/schematron.c
		54	+++ b/schematron.c
		55	@@ -1414,27 +1414,15 @@ exit:
		56	* *
		57	************************************************************************/
		58
		59	-static xmlNodePtr
		60	+static xmlXPathObjectPtr
		61	xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt,
		62	xmlNodePtr cur, const xmlChar *xpath) {
		63	- xmlNodePtr node = NULL;
		64	- xmlXPathObjectPtr ret;
		65	-
		66	if ((ctxt == NULL) \|\| (cur == NULL) \|\| (xpath == NULL))
		67	return(NULL);
		68
		69	ctxt->xctxt->doc = cur->doc;
		70	ctxt->xctxt->node = cur;
		71	- ret = xmlXPathEval(xpath, ctxt->xctxt);
		72	- if (ret == NULL)
		73	- return(NULL);
		74	-
		75	- if ((ret->type == XPATH_NODESET) &&
		76	- (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0))
		77	- node = ret->nodesetval->nodeTab[0];
		78	-
		79	- xmlXPathFreeObject(ret);
		80	- return(node);
		81	+ return(xmlXPathEval(xpath, ctxt->xctxt));
		82	}
		83
		84	/**
		85	@@ -1480,25 +1468,40 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
		86	(child->type == XML_CDATA_SECTION_NODE))
		87	ret = xmlStrcat(ret, child->content);
		88	else if (IS_SCHEMATRON(child, "name")) {
		89	+ xmlXPathObject *obj = NULL;
		90	xmlChar *path;
		91
		92	path = xmlGetNoNsProp(child, BAD_CAST "path");
		93
		94	node = cur;
		95	if (path != NULL) {
		96	- node = xmlSchematronGetNode(ctxt, cur, path);
		97	- if (node == NULL)
		98	- node = cur;
		99	+ obj = xmlSchematronGetNode(ctxt, cur, path);
		100	+ if ((obj != NULL) &&
		101	+ (obj->type == XPATH_NODESET) &&
		102	+ (obj->nodesetval != NULL) &&
		103	+ (obj->nodesetval->nodeNr > 0))
		104	+ node = obj->nodesetval->nodeTab[0];
		105	xmlFree(path);
		106	}
		107
		108	- if ((node->ns == NULL) \|\| (node->ns->prefix == NULL))
		109	- ret = xmlStrcat(ret, node->name);
		110	- else {
		111	- ret = xmlStrcat(ret, node->ns->prefix);
		112	- ret = xmlStrcat(ret, BAD_CAST ":");
		113	- ret = xmlStrcat(ret, node->name);
		114	+ switch (node->type) {
		115	+ case XML_ELEMENT_NODE:
		116	+ case XML_ATTRIBUTE_NODE:
		117	+ if ((node->ns == NULL) \|\| (node->ns->prefix == NULL))
		118	+ ret = xmlStrcat(ret, node->name);
		119	+ else {
		120	+ ret = xmlStrcat(ret, node->ns->prefix);
		121	+ ret = xmlStrcat(ret, BAD_CAST ":");
		122	+ ret = xmlStrcat(ret, node->name);
		123	+ }
		124	+ break;
		125	+
		126	+ /* TODO: handle other node types */
		127	+ default:
		128	+ break;
		129	}
		130	+
		131	+ xmlXPathFreeObject(obj);
		132	} else if (IS_SCHEMATRON(child, "value-of")) {
		133	xmlChar *select;
		134	xmlXPathObjectPtr eval;
		135	diff --git a/test/schematron/cve-2025-49794.sct b/test/schematron/cve-2025-49794.sct
		136	new file mode 100644
		137	index 0000000..7fc9ee3
		138	--- /dev/null
		139	+++ b/test/schematron/cve-2025-49794.sct
		140	@@ -0,0 +1,10 @@
		141	+<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
		142	+ <sch:pattern id="">
		143	+ <sch:rule context="boo0">
		144	+ <sch:report test="not(0)">
		145	+ <sch:name path=" e\|namespace::*\|e"/>
		146	+ </sch:report>
		147	+ <sch:report test="0"></sch:report>
		148	+ </sch:rule>
		149	+ </sch:pattern>
		150	+</sch:schema>
		151	diff --git a/test/schematron/cve-2025-49794_0.xml b/test/schematron/cve-2025-49794_0.xml
		152	new file mode 100644
		153	index 0000000..debc64b
		154	--- /dev/null
		155	+++ b/test/schematron/cve-2025-49794_0.xml
		156	@@ -0,0 +1,6 @@
		157	+<librar0>
		158	+ <boo0 t="">
		159	+ <author></author>
		160	+ </boo0>
		161	+ <ins></ins>
		162	+</librar0>
		163	diff --git a/test/schematron/cve-2025-49796.sct b/test/schematron/cve-2025-49796.sct
		164	new file mode 100644
		165	index 0000000..e9702d7
		166	--- /dev/null
		167	+++ b/test/schematron/cve-2025-49796.sct
		168	@@ -0,0 +1,9 @@
		169	+<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
		170	+ <sch:pattern id="">
		171	+ <sch:rule context="boo0">
		172	+ <sch:report test="not(0)">
		173	+ <sch:name path="/"/>
		174	+ </sch:report>
		175	+ </sch:rule>
		176	+ </sch:pattern>
		177	+</sch:schema>
		178	diff --git a/test/schematron/cve-2025-49796_0.xml b/test/schematron/cve-2025-49796_0.xml
		179	new file mode 100644
		180	index 0000000..be33c4e
		181	--- /dev/null
		182	+++ b/test/schematron/cve-2025-49796_0.xml
		183	@@ -0,0 +1,3 @@
		184	+<librar0>
		185	+ <boo0/>
		186	+</librar0>
		187	--
		188	2.40.0
		189


diff --git a/meta/recipes-core/libxml/libxml2_2.13.8.bb b/meta/recipes-core/libxml/libxml2_2.13.8.bb index ea7aa9c41d..3d6ecf5458 100644 --- a/meta/recipes-core/libxml/libxml2_2.13.8.bb +++ b/meta/recipes-core/libxml/libxml2_2.13.8.bb
@@ -18,6 +18,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
18	file://run-ptest \	18	file://run-ptest \
19	file://install-tests.patch \	19	file://install-tests.patch \
20	file://CVE-2025-6021.patch \	20	file://CVE-2025-6021.patch \
		21	file://CVE-2025-49794_CVE-2025-49796.patch \
21	"	22	"
22		23
23	SRC_URI[archive.sha256sum] = "277294cb33119ab71b2bc81f2f445e9bc9435b893ad15bb2cd2b0e859a0ee84a"	24	SRC_URI[archive.sha256sum] = "277294cb33119ab71b2bc81f2f445e9bc9435b893ad15bb2cd2b0e859a0ee84a"