summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-core')
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch58
-rw-r--r--meta/recipes-core/libxml/libxml2_2.9.14.bb1
2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch
new file mode 100644
index 0000000000..6da43f81a5
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch
@@ -0,0 +1,58 @@
1From 858ca26c0689161a6b903a6682cc8a1cc10a0ea8 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Tue, 11 Feb 2025 17:30:40 +0100
4Subject: [PATCH] [CVE-2025-24928] Fix stack-buffer-overflow in
5 xmlSnprintfElements
6
7Fixes #847.
8
9CVE: CVE-2025-24928
10Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/858ca26c0689161a6b903a6682cc8a1cc10a0ea8]
11Signed-off-by: Peter Marko <peter.marko@siemens.com>
12---
13 valid.c | 25 +++++++++++++------------
14 1 file changed, 13 insertions(+), 12 deletions(-)
15
16diff --git a/valid.c b/valid.c
17index ed3c8503..36a0435b 100644
18--- a/valid.c
19+++ b/valid.c
20@@ -5259,25 +5259,26 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) {
21 return;
22 }
23 switch (cur->type) {
24- case XML_ELEMENT_NODE:
25+ case XML_ELEMENT_NODE: {
26+ int qnameLen = xmlStrlen(cur->name);
27+
28+ if ((cur->ns != NULL) && (cur->ns->prefix != NULL))
29+ qnameLen += xmlStrlen(cur->ns->prefix) + 1;
30+ if (size - len < qnameLen + 10) {
31+ if ((size - len > 4) && (buf[len - 1] != '.'))
32+ strcat(buf, " ...");
33+ return;
34+ }
35 if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) {
36- if (size - len < xmlStrlen(cur->ns->prefix) + 10) {
37- if ((size - len > 4) && (buf[len - 1] != '.'))
38- strcat(buf, " ...");
39- return;
40- }
41 strcat(buf, (char *) cur->ns->prefix);
42 strcat(buf, ":");
43 }
44- if (size - len < xmlStrlen(cur->name) + 10) {
45- if ((size - len > 4) && (buf[len - 1] != '.'))
46- strcat(buf, " ...");
47- return;
48- }
49- strcat(buf, (char *) cur->name);
50+ if (cur->name != NULL)
51+ strcat(buf, (char *) cur->name);
52 if (cur->next != NULL)
53 strcat(buf, " ");
54 break;
55+ }
56 case XML_TEXT_NODE:
57 if (xmlIsBlankNode(cur))
58 break;
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index e9578ceb59..8f1d882505 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -36,6 +36,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
36 file://CVE-2022-49043.patch \ 36 file://CVE-2022-49043.patch \
37 file://0001-pattern-Fix-compilation-of-explicit-child-axis.patch \ 37 file://0001-pattern-Fix-compilation-of-explicit-child-axis.patch \
38 file://CVE-2024-56171.patch \ 38 file://CVE-2024-56171.patch \
39 file://CVE-2025-24928.patch \
39 " 40 "
40 41
41SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee" 42SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"