libxml2: fix CVE-2025-6021

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-6021 Upstream-patch: https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae33c23f87692aa179bacedb6743f3188a (From OE-Core rev: 99a239d9146c5ecf158cd9db7823ec1aff45fd48) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-07-14 15:49:57 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-07-21 09:17:59 -0700
commit: 58aa4f3e1befbf1a1143501cacb24d1ad4d9c629 (patch)
tree: b93646a164e91118c6d8d9621c90e8c7b05f34d7
parent: 76e0206da09bd9478c22db534b4b75f810b46fe0 (diff)
download: poky-58aa4f3e1befbf1a1143501cacb24d1ad4d9c629.tar.gz
2 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch
new file mode 100644
index 0000000000..8461e0f715
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch
@@ -0,0 +1,59 @@
+From 17d950ae33c23f87692aa179bacedb6743f3188a Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 27 May 2025 12:53:17 +0200
+Subject: [PATCH] [CVE-2025-6021] tree: Fix integer overflow in xmlBuildQName
+Fixes #926.
+CVE: CVE-2025-6021
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae33c23f87692aa179bacedb6743f3188a]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ tree.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+diff --git a/tree.c b/tree.c
+index f097cf8..5bc95b8 100644
+--- a/tree.c
+++ b/tree.c
+@@ -47,6 +47,10 @@
+ #include "private/error.h"
+ #include "private/tree.h"
+ 
+#ifndef SIZE_MAX
+  #define SIZE_MAX ((size_t)-1)
+#endif
+
+ int __xmlRegisterCallbacks = 0;
+ 
+ /************************************************************************
+@@ -167,10 +171,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
+ xmlChar *
+ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+              xmlChar *memory, int len) {
+-    int lenn, lenp;
+    size_t lenn, lenp;
+     xmlChar *ret;
+ 
+-    if (ncname == NULL) return(NULL);
+    if ((ncname == NULL) || (len < 0)) return(NULL);
+     if (prefix == NULL) return((xmlChar *) ncname);
+ 
+ #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+@@ -181,8 +185,10 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ 
+     lenn = strlen((char *) ncname);
+     lenp = strlen((char *) prefix);
+    if (lenn >= SIZE_MAX - lenp - 1)
+        return(NULL);
+ 
+-    if ((memory == NULL) || (len < lenn + lenp + 2)) {
+    if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+        ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
+        if (ret == NULL)
+            return(NULL);
+-- 
+2.40.0
diff --git a/meta/recipes-core/libxml/libxml2_2.13.8.bb b/meta/recipes-core/libxml/libxml2_2.13.8.bb
index e82e0e8ec3..ea7aa9c41d 100644
--- a/meta/recipes-core/libxml/libxml2_2.13.8.bb
+++ b/meta/recipes-core/libxml/libxml2_2.13.8.bb
@@ -17,6 +17,7 @@ inherit gnomebase
 SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testtar \
           file://run-ptest \
           file://install-tests.patch \
+           file://CVE-2025-6021.patch \
           "
 SRC_URI[archive.sha256sum] = "277294cb33119ab71b2bc81f2f445e9bc9435b893ad15bb2cd2b0e859a0ee84a"
author	Divya Chellam <divya.chellam@windriver.com>	2025-07-14 15:49:57 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-07-21 09:17:59 -0700
commit	58aa4f3e1befbf1a1143501cacb24d1ad4d9c629 (patch)
tree	b93646a164e91118c6d8d9621c90e8c7b05f34d7
parent	76e0206da09bd9478c22db534b4b75f810b46fe0 (diff)
download	poky-58aa4f3e1befbf1a1143501cacb24d1ad4d9c629.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch new file mode 100644 index 0000000000..8461e0f715 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch
@@ -0,0 +1,59 @@
		1	From 17d950ae33c23f87692aa179bacedb6743f3188a Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Tue, 27 May 2025 12:53:17 +0200
		4	Subject: [PATCH] [CVE-2025-6021] tree: Fix integer overflow in xmlBuildQName
		5
		6	Fixes #926.
		7
		8	CVE: CVE-2025-6021
		9
		10	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae33c23f87692aa179bacedb6743f3188a]
		11
		12	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		13	---
		14	tree.c \| 12 +++++++++---
		15	1 file changed, 9 insertions(+), 3 deletions(-)
		16
		17	diff --git a/tree.c b/tree.c
		18	index f097cf8..5bc95b8 100644
		19	--- a/tree.c
		20	+++ b/tree.c
		21	@@ -47,6 +47,10 @@
		22	#include "private/error.h"
		23	#include "private/tree.h"
		24
		25	+#ifndef SIZE_MAX
		26	+ #define SIZE_MAX ((size_t)-1)
		27	+#endif
		28	+
		29	int __xmlRegisterCallbacks = 0;
		30
		31	/************************************************************************
		32	@@ -167,10 +171,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd dtd, const xmlChar name) {
		33	xmlChar *
		34	xmlBuildQName(const xmlChar ncname, const xmlChar prefix,
		35	xmlChar *memory, int len) {
		36	- int lenn, lenp;
		37	+ size_t lenn, lenp;
		38	xmlChar *ret;
		39
		40	- if (ncname == NULL) return(NULL);
		41	+ if ((ncname == NULL) \|\| (len < 0)) return(NULL);
		42	if (prefix == NULL) return((xmlChar *) ncname);
		43
		44	#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
		45	@@ -181,8 +185,10 @@ xmlBuildQName(const xmlChar ncname, const xmlChar prefix,
		46
		47	lenn = strlen((char *) ncname);
		48	lenp = strlen((char *) prefix);
		49	+ if (lenn >= SIZE_MAX - lenp - 1)
		50	+ return(NULL);
		51
		52	- if ((memory == NULL) \|\| (len < lenn + lenp + 2)) {
		53	+ if ((memory == NULL) \|\| ((size_t) len < lenn + lenp + 2)) {
		54	ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
		55	if (ret == NULL)
		56	return(NULL);
		57	--
		58	2.40.0
		59


diff --git a/meta/recipes-core/libxml/libxml2_2.13.8.bb b/meta/recipes-core/libxml/libxml2_2.13.8.bb index e82e0e8ec3..ea7aa9c41d 100644 --- a/meta/recipes-core/libxml/libxml2_2.13.8.bb +++ b/meta/recipes-core/libxml/libxml2_2.13.8.bb
@@ -17,6 +17,7 @@ inherit gnomebase
17	SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testtar \	17	SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testtar \
18	file://run-ptest \	18	file://run-ptest \
19	file://install-tests.patch \	19	file://install-tests.patch \
		20	file://CVE-2025-6021.patch \
20	"	21	"
21		22
22	SRC_URI[archive.sha256sum] = "277294cb33119ab71b2bc81f2f445e9bc9435b893ad15bb2cd2b0e859a0ee84a"	23	SRC_URI[archive.sha256sum] = "277294cb33119ab71b2bc81f2f445e9bc9435b893ad15bb2cd2b0e859a0ee84a"