Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libxml2 for openSUSE:Factory checked 
in at 2026-07-12 16:19:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libxml2 (Old)
 and      /work/SRC/openSUSE:Factory/.libxml2.new.1991 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libxml2"

Sun Jul 12 16:19:44 2026 rev:143 rq:1364854 version:2.15.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes  2026-04-21 
12:41:48.154904627 +0200
+++ /work/SRC/openSUSE:Factory/.libxml2.new.1991/libxml2.changes        
2026-07-12 16:19:45.161125658 +0200
@@ -1,0 +2,6 @@
+Fri Jul 10 05:46:30 UTC 2026 - David Anes <[email protected]>
+
+- CVE-2026-11979: stack-based buffer overflows in the `xmlcatalog` utility 
when running in `--shell` mode (bsc#1269790)
+  * Add patch libxml2-CVE-2026-11979.patch 
+
+-------------------------------------------------------------------

New:
----
  libxml2-CVE-2026-11979.patch

----------(New B)----------
  New:- CVE-2026-11979: stack-based buffer overflows in the `xmlcatalog` 
utility when running in `--shell` mode (bsc#1269790)
  * Add patch libxml2-CVE-2026-11979.patch 
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libxml2.spec ++++++
--- /var/tmp/diff_new_pack.hnKBXn/_old  2026-07-12 16:19:46.093156947 +0200
+++ /var/tmp/diff_new_pack.hnKBXn/_new  2026-07-12 16:19:46.093156947 +0200
@@ -28,6 +28,9 @@
 Source1:        baselibs.conf
 # W3C Conformance tests
 Source2:        https://www.w3.org/XML/Test/xmlts20080827.tar.gz
+# CVE-2026-11979: stack-based buffer overflows in the `xmlcatalog` utility 
when running in `--shell` mode (bsc#1269790)
+# - 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/c2e233fc1b341685fc99621b2768b503
+Patch0:         libxml2-CVE-2026-11979.patch
 BuildRequires:  fdupes
 BuildRequires:  pkgconfig
 %if 0%{?suse_version} >= 1600

++++++ libxml2-CVE-2026-11979.patch ++++++
>From c2e233fc1b341685fc99621b2768b503f777a72e Mon Sep 17 00:00:00 2001
From: Daniel Garcia Moreno <[email protected]>
Date: Fri, 22 May 2026 12:21:20 +0200
Subject: [PATCH] xmlcatalog: overflow check for large --shell commands

Fix https://gitlab.gnome.org/GNOME/libxml2/-/work_items/1124
---
 test/catalogs/test.sh | 11 +++++++++++
 xmlcatalog.c          | 16 ++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/test/catalogs/test.sh b/test/catalogs/test.sh
index 7e5eaa760..84e8b90a2 100755
--- a/test/catalogs/test.sh
+++ b/test/catalogs/test.sh
@@ -10,6 +10,17 @@ fi
 
 exitcode=0
 
+# Test xmlcatalog --shell command line
+# Case 1: Really long argument (470 chars)
+input=""; for i in {1..470}; do input="${input}A"; done
+echo $input | $xmlcatalog --shell test/catalogs/dockbook.xml || exit 1
+# Case 2: public + long argument
+input="public "; for i in {1..470}; do input="${input}A"; done
+echo $input | $xmlcatalog --shell test/catalogs/dockbook.xml || exit 1
+# Case 3: public + lots of args
+input="public "; for i in {1..80}; do input="${input} x"; done
+echo $input | $xmlcatalog --shell test/catalogs/dockbook.xml || exit 1
+
 for i in test/catalogs/*.script ; do
     name=$(basename $i .script)
     xml="./test/catalogs/$name.xml"
diff --git a/xmlcatalog.c b/xmlcatalog.c
index 1e7380431..f8d84ac9c 100644
--- a/xmlcatalog.c
+++ b/xmlcatalog.c
@@ -135,6 +135,12 @@ static void usershell(void) {
               (*cur != '\n') && (*cur != '\r')) {
            if (*cur == 0)
                break;
+            /* Do not read beyond the command array capacity */
+            if (i >= (int)sizeof(command) - 2) {
+                printf("Invalid command %s\n", cur);
+                i = 0;
+                break;
+            }
            command[i++] = *cur++;
        }
        command[i] = 0;
@@ -152,6 +158,11 @@ static void usershell(void) {
        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
            if (*cur == 0)
                break;
+            if (i >= (int)sizeof(arg) - 2) {
+                printf("Invalid arg %s\n", arg);
+                i = 0;
+                break;
+            }
            arg[i++] = *cur++;
        }
        arg[i] = 0;
@@ -164,6 +175,11 @@ static void usershell(void) {
        cur = arg;
        memset(argv, 0, sizeof(argv));
        while (*cur != 0) {
+            if (i >= (int)sizeof(argv) / (int)sizeof(char*)) {
+                printf("Too much arguments\n");
+                break;
+            }
+
            while ((*cur == ' ') || (*cur == '\t')) cur++;
            if (*cur == '\'') {
                cur++;
-- 
GitLab

Reply via email to