Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2026-07-12 16:19:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.1991 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2" Sun Jul 12 16:19:44 2026 rev:143 rq:1364854 version:2.15.3 Changes: -------- --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2026-04-21 12:41:48.154904627 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new.1991/libxml2.changes 2026-07-12 16:19:45.161125658 +0200 @@ -1,0 +2,6 @@ +Fri Jul 10 05:46:30 UTC 2026 - David Anes <[email protected]> + +- CVE-2026-11979: stack-based buffer overflows in the `xmlcatalog` utility when running in `--shell` mode (bsc#1269790) + * Add patch libxml2-CVE-2026-11979.patch + +------------------------------------------------------------------- New: ---- libxml2-CVE-2026-11979.patch ----------(New B)---------- New:- CVE-2026-11979: stack-based buffer overflows in the `xmlcatalog` utility when running in `--shell` mode (bsc#1269790) * Add patch libxml2-CVE-2026-11979.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxml2.spec ++++++ --- /var/tmp/diff_new_pack.hnKBXn/_old 2026-07-12 16:19:46.093156947 +0200 +++ /var/tmp/diff_new_pack.hnKBXn/_new 2026-07-12 16:19:46.093156947 +0200 @@ -28,6 +28,9 @@ Source1: baselibs.conf # W3C Conformance tests Source2: https://www.w3.org/XML/Test/xmlts20080827.tar.gz +# CVE-2026-11979: stack-based buffer overflows in the `xmlcatalog` utility when running in `--shell` mode (bsc#1269790) +# - https://gitlab.gnome.org/GNOME/libxml2/-/commit/c2e233fc1b341685fc99621b2768b503 +Patch0: libxml2-CVE-2026-11979.patch BuildRequires: fdupes BuildRequires: pkgconfig %if 0%{?suse_version} >= 1600 ++++++ libxml2-CVE-2026-11979.patch ++++++ >From c2e233fc1b341685fc99621b2768b503f777a72e Mon Sep 17 00:00:00 2001 From: Daniel Garcia Moreno <[email protected]> Date: Fri, 22 May 2026 12:21:20 +0200 Subject: [PATCH] xmlcatalog: overflow check for large --shell commands Fix https://gitlab.gnome.org/GNOME/libxml2/-/work_items/1124 --- test/catalogs/test.sh | 11 +++++++++++ xmlcatalog.c | 16 ++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/test/catalogs/test.sh b/test/catalogs/test.sh index 7e5eaa760..84e8b90a2 100755 --- a/test/catalogs/test.sh +++ b/test/catalogs/test.sh @@ -10,6 +10,17 @@ fi exitcode=0 +# Test xmlcatalog --shell command line +# Case 1: Really long argument (470 chars) +input=""; for i in {1..470}; do input="${input}A"; done +echo $input | $xmlcatalog --shell test/catalogs/dockbook.xml || exit 1 +# Case 2: public + long argument +input="public "; for i in {1..470}; do input="${input}A"; done +echo $input | $xmlcatalog --shell test/catalogs/dockbook.xml || exit 1 +# Case 3: public + lots of args +input="public "; for i in {1..80}; do input="${input} x"; done +echo $input | $xmlcatalog --shell test/catalogs/dockbook.xml || exit 1 + for i in test/catalogs/*.script ; do name=$(basename $i .script) xml="./test/catalogs/$name.xml" diff --git a/xmlcatalog.c b/xmlcatalog.c index 1e7380431..f8d84ac9c 100644 --- a/xmlcatalog.c +++ b/xmlcatalog.c @@ -135,6 +135,12 @@ static void usershell(void) { (*cur != '\n') && (*cur != '\r')) { if (*cur == 0) break; + /* Do not read beyond the command array capacity */ + if (i >= (int)sizeof(command) - 2) { + printf("Invalid command %s\n", cur); + i = 0; + break; + } command[i++] = *cur++; } command[i] = 0; @@ -152,6 +158,11 @@ static void usershell(void) { while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) { if (*cur == 0) break; + if (i >= (int)sizeof(arg) - 2) { + printf("Invalid arg %s\n", arg); + i = 0; + break; + } arg[i++] = *cur++; } arg[i] = 0; @@ -164,6 +175,11 @@ static void usershell(void) { cur = arg; memset(argv, 0, sizeof(argv)); while (*cur != 0) { + if (i >= (int)sizeof(argv) / (int)sizeof(char*)) { + printf("Too much arguments\n"); + break; + } + while ((*cur == ' ') || (*cur == '\t')) cur++; if (*cur == '\'') { cur++; -- GitLab
