libxml2: patch CVE-2025-6170

Pick commit referencing this CVE from 2.13 branch. (From OE-Core rev: 1dab0ba31fd09911d4fa707c1318bb0e83f46cdd) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-07-28 22:21:27 +0200
committer: Steve Sakoman <steve@sakoman.com> 2025-08-04 09:12:23 -0700
commit: b0b4503cb8c5fc6e6da460377590b8c064184cb5 (patch)
tree: a1c668fdd79edec47690841091d58d08a4050854
parent: 762f845d3d1423e7a865c4d2eacb67fd1dc59bf0 (diff)
download: poky-b0b4503cb8c5fc6e6da460377590b8c064184cb5.tar.gz
2 files changed, 104 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-6170.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-6170.patch
new file mode 100644
index 0000000000..29c82f8baf
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-6170.patch
@@ -0,0 +1,103 @@
+From 5e9ec5c107d3f5b5179c3dbc19df43df041cd55b Mon Sep 17 00:00:00 2001
+From: Michael Mann <mmann78@netscape.net>
+Date: Fri, 20 Jun 2025 23:05:00 -0400
+Subject: [PATCH] [CVE-2025-6170] Fix potential buffer overflows of interactive
+ shell
+Fixes #941
+CVE: CVE-2025-6170
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c107d3f5b5179c3dbc19df43df041cd55b]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ debugXML.c                       | 15 ++++++++++-----
+ result/scripts/long_command      |  8 ++++++++
+ test/scripts/long_command.script |  6 ++++++
+ test/scripts/long_command.xml    |  1 +
+ 4 files changed, 25 insertions(+), 5 deletions(-)
+ create mode 100644 result/scripts/long_command
+ create mode 100644 test/scripts/long_command.script
+ create mode 100644 test/scripts/long_command.xml
+diff --git a/debugXML.c b/debugXML.c
+index ed56b0f8..452b9573 100644
+--- a/debugXML.c
+++ b/debugXML.c
+@@ -1033,6 +1033,10 @@ xmlCtxtDumpOneNode(xmlDebugCtxtPtr ctxt, xmlNodePtr node)
+     xmlCtxtGenericNodeCheck(ctxt, node);
+ }
+ 
+#define MAX_PROMPT_SIZE     500
+#define MAX_ARG_SIZE        400
+#define MAX_COMMAND_SIZE    100
+
+ /**
+  * xmlCtxtDumpNode:
+  * @output:  the FILE * for the output
+@@ -2795,10 +2799,10 @@ void
+ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
+          FILE * output)
+ {
+-    char prompt[500] = "/ > ";
+    char prompt[MAX_PROMPT_SIZE] = "/ > ";
+     char *cmdline = NULL, *cur;
+-    char command[100];
+-    char arg[400];
+    char command[MAX_COMMAND_SIZE];
+    char arg[MAX_ARG_SIZE];
+     int i;
+     xmlShellCtxtPtr ctxt;
+     xmlXPathObjectPtr list;
+@@ -2856,7 +2860,8 @@ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
+             cur++;
+         i = 0;
+         while ((*cur != ' ') && (*cur != '\t') &&
+-               (*cur != '\n') && (*cur != '\r')) {
+               (*cur != '\n') && (*cur != '\r') &&
+               (i < (MAX_COMMAND_SIZE - 1))) {
+             if (*cur == 0)
+                 break;
+             command[i++] = *cur++;
+@@ -2871,7 +2876,7 @@ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
+         while ((*cur == ' ') || (*cur == '\t'))
+             cur++;
+         i = 0;
+-        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
+        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
+             if (*cur == 0)
+                 break;
+             arg[i++] = *cur++;
+diff --git a/result/scripts/long_command b/result/scripts/long_command
+new file mode 100644
+index 00000000..e6f00708
+--- /dev/null
+++ b/result/scripts/long_command
+@@ -0,0 +1,8 @@
+/ > b > b > Object is a Node Set :
+Set contains 1 nodes:
+1  ELEMENT a:c
+b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
+b > b > Unknown command ess_currents_of_time_and_existence
+b > <?xml version="1.0"?>
+<a xmlns:a="bar"><b xmlns:a="foo">Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof</b></a>
+b > 
+\ No newline at end of file
+diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script
+new file mode 100644
+index 00000000..00f6df09
+--- /dev/null
+++ b/test/scripts/long_command.script
+@@ -0,0 +1,6 @@
+cd a/b
+set <a:c/>
+xpath //*[namespace-uri()="foo"]
+This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
+set Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
+save -
+diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
+new file mode 100644
+index 00000000..1ba44016
+--- /dev/null
+++ b/test/scripts/long_command.xml
+@@ -0,0 +1 @@
+<a xmlns:a="bar"><b xmlns:a="foo"/></a>
diff --git a/meta/recipes-core/libxml/libxml2_2.13.8.bb b/meta/recipes-core/libxml/libxml2_2.13.8.bb
index fd042c311d..4bd2a0d38f 100644
--- a/meta/recipes-core/libxml/libxml2_2.13.8.bb
+++ b/meta/recipes-core/libxml/libxml2_2.13.8.bb
@@ -20,6 +20,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
           file://CVE-2025-6021.patch \
           file://CVE-2025-49794_CVE-2025-49796.patch \
           file://CVE-2025-49795.patch \
+           file://CVE-2025-6170.patch \
           "
 SRC_URI[archive.sha256sum] = "277294cb33119ab71b2bc81f2f445e9bc9435b893ad15bb2cd2b0e859a0ee84a"
author	Peter Marko <peter.marko@siemens.com>	2025-07-28 22:21:27 +0200
committer	Steve Sakoman <steve@sakoman.com>	2025-08-04 09:12:23 -0700
commit	b0b4503cb8c5fc6e6da460377590b8c064184cb5 (patch)
tree	a1c668fdd79edec47690841091d58d08a4050854
parent	762f845d3d1423e7a865c4d2eacb67fd1dc59bf0 (diff)
download	poky-b0b4503cb8c5fc6e6da460377590b8c064184cb5.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-6170.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-6170.patch new file mode 100644 index 0000000000..29c82f8baf --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-6170.patch
@@ -0,0 +1,103 @@
		1	From 5e9ec5c107d3f5b5179c3dbc19df43df041cd55b Mon Sep 17 00:00:00 2001
		2	From: Michael Mann <mmann78@netscape.net>
		3	Date: Fri, 20 Jun 2025 23:05:00 -0400
		4	Subject: [PATCH] [CVE-2025-6170] Fix potential buffer overflows of interactive
		5	shell
		6
		7	Fixes #941
		8
		9	CVE: CVE-2025-6170
		10	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c107d3f5b5179c3dbc19df43df041cd55b]
		11	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		12	---
		13	debugXML.c \| 15 ++++++++++-----
		14	result/scripts/long_command \| 8 ++++++++
		15	test/scripts/long_command.script \| 6 ++++++
		16	test/scripts/long_command.xml \| 1 +
		17	4 files changed, 25 insertions(+), 5 deletions(-)
		18	create mode 100644 result/scripts/long_command
		19	create mode 100644 test/scripts/long_command.script
		20	create mode 100644 test/scripts/long_command.xml
		21
		22	diff --git a/debugXML.c b/debugXML.c
		23	index ed56b0f8..452b9573 100644
		24	--- a/debugXML.c
		25	+++ b/debugXML.c
		26	@@ -1033,6 +1033,10 @@ xmlCtxtDumpOneNode(xmlDebugCtxtPtr ctxt, xmlNodePtr node)
		27	xmlCtxtGenericNodeCheck(ctxt, node);
		28	}
		29
		30	+#define MAX_PROMPT_SIZE 500
		31	+#define MAX_ARG_SIZE 400
		32	+#define MAX_COMMAND_SIZE 100
		33	+
		34	/**
		35	* xmlCtxtDumpNode:
		36	* @output: the FILE * for the output
		37	@@ -2795,10 +2799,10 @@ void
		38	xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
		39	FILE * output)
		40	{
		41	- char prompt[500] = "/ > ";
		42	+ char prompt[MAX_PROMPT_SIZE] = "/ > ";
		43	char cmdline = NULL, cur;
		44	- char command[100];
		45	- char arg[400];
		46	+ char command[MAX_COMMAND_SIZE];
		47	+ char arg[MAX_ARG_SIZE];
		48	int i;
		49	xmlShellCtxtPtr ctxt;
		50	xmlXPathObjectPtr list;
		51	@@ -2856,7 +2860,8 @@ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
		52	cur++;
		53	i = 0;
		54	while ((cur != ' ') && (cur != '\t') &&
		55	- (cur != '\n') && (cur != '\r')) {
		56	+ (cur != '\n') && (cur != '\r') &&
		57	+ (i < (MAX_COMMAND_SIZE - 1))) {
		58	if (*cur == 0)
		59	break;
		60	command[i++] = *cur++;
		61	@@ -2871,7 +2876,7 @@ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
		62	while ((cur == ' ') \|\| (cur == '\t'))
		63	cur++;
		64	i = 0;
		65	- while ((cur != '\n') && (cur != '\r') && (*cur != 0)) {
		66	+ while ((cur != '\n') && (cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
		67	if (*cur == 0)
		68	break;
		69	arg[i++] = *cur++;
		70	diff --git a/result/scripts/long_command b/result/scripts/long_command
		71	new file mode 100644
		72	index 00000000..e6f00708
		73	--- /dev/null
		74	+++ b/result/scripts/long_command
		75	@@ -0,0 +1,8 @@
		76	+/ > b > b > Object is a Node Set :
		77	+Set contains 1 nodes:
		78	+1 ELEMENT a:c
		79	+b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
		80	+b > b > Unknown command ess_currents_of_time_and_existence
		81	+b > <?xml version="1.0"?>
		82	+<a xmlns:a="bar"><b xmlns:a="foo">Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof</b></a>
		83	+b >
		84	\ No newline at end of file
		85	diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script
		86	new file mode 100644
		87	index 00000000..00f6df09
		88	--- /dev/null
		89	+++ b/test/scripts/long_command.script
		90	@@ -0,0 +1,6 @@
		91	+cd a/b
		92	+set <a:c/>
		93	+xpath //*[namespace-uri()="foo"]
		94	+This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
		95	+set Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
		96	+save -
		97	diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
		98	new file mode 100644
		99	index 00000000..1ba44016
		100	--- /dev/null
		101	+++ b/test/scripts/long_command.xml
		102	@@ -0,0 +1 @@
		103	+<a xmlns:a="bar"><b xmlns:a="foo"/></a>


diff --git a/meta/recipes-core/libxml/libxml2_2.13.8.bb b/meta/recipes-core/libxml/libxml2_2.13.8.bb index fd042c311d..4bd2a0d38f 100644 --- a/meta/recipes-core/libxml/libxml2_2.13.8.bb +++ b/meta/recipes-core/libxml/libxml2_2.13.8.bb
@@ -20,6 +20,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
20	file://CVE-2025-6021.patch \	20	file://CVE-2025-6021.patch \
21	file://CVE-2025-49794_CVE-2025-49796.patch \	21	file://CVE-2025-49794_CVE-2025-49796.patch \
22	file://CVE-2025-49795.patch \	22	file://CVE-2025-49795.patch \
		23	file://CVE-2025-6170.patch \
23	"	24	"
24		25
25	SRC_URI[archive.sha256sum] = "277294cb33119ab71b2bc81f2f445e9bc9435b893ad15bb2cd2b0e859a0ee84a"	26	SRC_URI[archive.sha256sum] = "277294cb33119ab71b2bc81f2f445e9bc9435b893ad15bb2cd2b0e859a0ee84a"