Strona główna Odkrywaj Pomoc
Zaloguj się
PUBLIC_REPOS
/
buildroot
kopia lustrzana git://git.buildroot.net/buildroot
2
1
Forkuj 0
Pliki
Przeglądaj źródła

package/libxml2: add patch for CVE-2025-6021

This fixes an integer overflow vulnerability [1], in libxml2 version
2.13 by backporting the commit [2] from libxml2 2.14. This commit uses
the SIZE_MAX macro, for which stdint.h was included in tree.c, as done in [3].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-6021
[2] https://gitlab.gnome.org/GNOME/libxml2/-/commit/ad346c9a249c4b380bf73c460ad3e81135c5d781
[3] https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch

Signed-off-by: Tim Soubry <tim.soubry@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Tim Soubry 4 tygodni temu
rodzic
cd6f2b465b
commit
a1cf6bcc06
2 zmienionych plików z 62 dodań i 0 usunięć
Widok podzielony Pokaż statystyki zmian
  1. 59 0
      package/libxml2/0001-tree-Fix-integer-overflow-in-xmlBuildQName.patch
  2. 3 0
      package/libxml2/libxml2.mk

+ 59 - 0
package/libxml2/0001-tree-Fix-integer-overflow-in-xmlBuildQName.patch
Wyświetl plik 

@@ -0,0 +1,59 @@
 
+From 719cfb3f3893c7f8fada2ad71fabb68c5fe953bf Mon Sep 17 00:00:00 2001
 
+From: Nick Wellnhofer <wellnhofer@aevum.de>
 
+Date: Tue, 27 May 2025 12:53:17 +0200
 
+Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
 
+
 
+This issue affects memory safety and might receive a CVE ID later.
 
+
 
+Fixes #926.
 
+
 
+Signed-off-by: Tim Soubry <tim.soubry@mind.be>
 
+Upstream: https://gitlab.gnome.org/GNOME/libxml2/-/commit/ad346c9a249c4b380bf73c460ad3e81135c5d781
 
+CVE: CVE-2025-6021
 
+[tim: include needed stdint header]
 
+---
 
+ tree.c | 11 +++++++----
 
+ 1 file changed, 7 insertions(+), 4 deletions(-)
 
+
 
+diff --git a/tree.c b/tree.c
 
+index f097cf87..53385568 100644
 
+--- a/tree.c
 
++++ b/tree.c
 
+@@ -23,6 +23,7 @@
 
+ #include <limits.h>
 
+ #include <ctype.h>
 
+ #include <stdlib.h>
 
++#include <stdint.h>
 
+ 
+ #ifdef LIBXML_ZLIB_ENABLED
 
+ #include <zlib.h>
 
+@@ -167,10 +168,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
 
+ xmlChar *
 
+ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
 
+ 	      xmlChar *memory, int len) {
 
+-    int lenn, lenp;
 
++    size_t lenn, lenp;
 
+     xmlChar *ret;
 
+ 
+-    if (ncname == NULL) return(NULL);
 
++    if ((ncname == NULL) || (len < 0)) return(NULL);
 
+     if (prefix == NULL) return((xmlChar *) ncname);
 
+ 
+ #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 
+@@ -181,9 +182,11 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
 
+ 
+     lenn = strlen((char *) ncname);
 
+     lenp = strlen((char *) prefix);
 
++    if (lenn >= SIZE_MAX - lenp - 1)
 
++        return(NULL);
 
+ 
+-    if ((memory == NULL) || (len < lenn + lenp + 2)) {
 
+-	ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
 
++    if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
 
++	ret = xmlMalloc(lenn + lenp + 2);
 
+ 	if (ret == NULL)
 
+ 	    return(NULL);
 
+     } else {
 
+-- 
+2.39.5
 
+

+ 3 - 0
package/libxml2/libxml2.mk
Wyświetl plik 

@@ -15,6 +15,9 @@ LIBXML2_LICENSE_FILES = Copyright
 
 LIBXML2_CPE_ID_VENDOR = xmlsoft
 
 LIBXML2_CONFIG_SCRIPTS = xml2-config
 
 
+#0001-tree-Fix-integer-overflow-in-xmlBuildQName.patch
 
+LIBXML2_IGNORE_CVES += CVE-2025-6021
 
+
 
 # relocation truncated to fit: R_68K_GOT16O
 
 ifeq ($(BR2_m68k_cf),y)
 
 LIBXML2_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -mxgot"