From: Anton Skorup <[email protected]> Pick patch from [1] linked from [2].
[1] https://gitlab.gnome.org/GNOME/libxml2/-/commit/c2e233fc1b341685fc99621b2768b503f777a72e [2] https://gitlab.gnome.org/GNOME/libxml2/-/work_items/1124 Signed-off-by: Anton Skorup <[email protected]> --- .../libxml/libxml2/CVE-2026-11979.patch | 81 +++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.15.3.bb | 1 + 2 files changed, 82 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-11979.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-11979.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-11979.patch new file mode 100644 index 0000000000..a14e566681 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2026-11979.patch @@ -0,0 +1,81 @@ +From dfad0660f7dab3b5f8317b703b16ad0b0d12697d Mon Sep 17 00:00:00 2001 +From: Daniel Garcia Moreno <[email protected]> +Date: Fri, 22 May 2026 12:21:20 +0200 +Subject: [PATCH] xmlcatalog: overflow check for large --shell commands + +Fix https://gitlab.gnome.org/GNOME/libxml2/-/work_items/1124 + +CVE: CVE-2026-11979 +Signed-off-by: Anton Skorup <[email protected]> +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/c2e233fc1b341685fc99621b2768b503f777a72e] +--- + test/catalogs/test.sh | 11 +++++++++++ + xmlcatalog.c | 16 ++++++++++++++++ + 2 files changed, 27 insertions(+) + +diff --git a/test/catalogs/test.sh b/test/catalogs/test.sh +index 7e5eaa76..84e8b90a 100755 +--- a/test/catalogs/test.sh ++++ b/test/catalogs/test.sh +@@ -10,6 +10,17 @@ fi + + exitcode=0 + ++# Test xmlcatalog --shell command line ++# Case 1: Really long argument (470 chars) ++input=""; for i in {1..470}; do input="${input}A"; done ++echo $input | $xmlcatalog --shell test/catalogs/dockbook.xml || exit 1 ++# Case 2: public + long argument ++input="public "; for i in {1..470}; do input="${input}A"; done ++echo $input | $xmlcatalog --shell test/catalogs/dockbook.xml || exit 1 ++# Case 3: public + lots of args ++input="public "; for i in {1..80}; do input="${input} x"; done ++echo $input | $xmlcatalog --shell test/catalogs/dockbook.xml || exit 1 ++ + for i in test/catalogs/*.script ; do + name=$(basename $i .script) + xml="./test/catalogs/$name.xml" +diff --git a/xmlcatalog.c b/xmlcatalog.c +index b400c7cb..5113e930 100644 +--- a/xmlcatalog.c ++++ b/xmlcatalog.c +@@ -135,6 +135,12 @@ static void usershell(void) { + (*cur != '\n') && (*cur != '\r')) { + if (*cur == 0) + break; ++ /* Do not read beyond the command array capacity */ ++ if (i >= (int)sizeof(command) - 2) { ++ printf("Invalid command %s\n", cur); ++ i = 0; ++ break; ++ } + command[i++] = *cur++; + } + command[i] = 0; +@@ -152,6 +158,11 @@ static void usershell(void) { + while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) { + if (*cur == 0) + break; ++ if (i >= (int)sizeof(arg) - 2) { ++ printf("Invalid arg %s\n", arg); ++ i = 0; ++ break; ++ } + arg[i++] = *cur++; + } + arg[i] = 0; +@@ -164,6 +175,11 @@ static void usershell(void) { + cur = arg; + memset(argv, 0, sizeof(argv)); + while (*cur != 0) { ++ if (i >= (int)sizeof(argv) / (int)sizeof(char*)) { ++ printf("Too much arguments\n"); ++ break; ++ } ++ + while ((*cur == ' ') || (*cur == '\t')) cur++; + if (*cur == '\'') { + cur++; +-- +2.43.0 + diff --git a/meta/recipes-core/libxml/libxml2_2.15.3.bb b/meta/recipes-core/libxml/libxml2_2.15.3.bb index 3b7a0e3cb5..abf9889b3f 100644 --- a/meta/recipes-core/libxml/libxml2_2.15.3.bb +++ b/meta/recipes-core/libxml/libxml2_2.15.3.bb @@ -18,6 +18,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt file://run-ptest \ file://install-tests.patch \ file://0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch \ + file://CVE-2026-11979.patch \ " SRC_URI[archive.sha256sum] = "78262a6e7ac170d6528ebfe2efccdf220191a5af6a6cd61ea4a9a9a5042c7a07" -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#239878): https://lists.openembedded.org/g/openembedded-core/message/239878 Mute This Topic: https://lists.openembedded.org/mt/120044687/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
