All of lore.kernel.org
 help / color / mirror / Atom feed
From: Anton Skorup <antonsk@axis.com>
To: <openembedded-core@lists.openembedded.org>
Cc: Anton Skorup <anton@skorup.se>, Anton Skorup <anton.skorup@axis.com>
Subject: [PATCH] libxml2: patch CVE-2026-11979
Date: Tue, 30 Jun 2026 08:20:51 +0200	[thread overview]
Message-ID: <20260630062051.516582-1-antonsk@axis.com> (raw)

From: Anton Skorup <anton@skorup.se>

Pick patch from [1] linked from [2].

[1] https://gitlab.gnome.org/GNOME/libxml2/-/commit/c2e233fc1b341685fc99621b2768b503f777a72e
[2] https://gitlab.gnome.org/GNOME/libxml2/-/work_items/1124

Signed-off-by: Anton Skorup <anton.skorup@axis.com>
---
 .../libxml/libxml2/CVE-2026-11979.patch       | 81 +++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.15.3.bb    |  1 +
 2 files changed, 82 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-11979.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-11979.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-11979.patch
new file mode 100644
index 0000000000..a14e566681
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2026-11979.patch
@@ -0,0 +1,81 @@
+From dfad0660f7dab3b5f8317b703b16ad0b0d12697d Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <daniel.garcia@suse.com>
+Date: Fri, 22 May 2026 12:21:20 +0200
+Subject: [PATCH] xmlcatalog: overflow check for large --shell commands
+
+Fix https://gitlab.gnome.org/GNOME/libxml2/-/work_items/1124
+
+CVE: CVE-2026-11979
+Signed-off-by: Anton Skorup <anton.skorup@axis.com>
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/c2e233fc1b341685fc99621b2768b503f777a72e]
+---
+ test/catalogs/test.sh | 11 +++++++++++
+ xmlcatalog.c          | 16 ++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/test/catalogs/test.sh b/test/catalogs/test.sh
+index 7e5eaa76..84e8b90a 100755
+--- a/test/catalogs/test.sh
++++ b/test/catalogs/test.sh
+@@ -10,6 +10,17 @@ fi
+ 
+ exitcode=0
+ 
++# Test xmlcatalog --shell command line
++# Case 1: Really long argument (470 chars)
++input=""; for i in {1..470}; do input="${input}A"; done
++echo $input | $xmlcatalog --shell test/catalogs/dockbook.xml || exit 1
++# Case 2: public + long argument
++input="public "; for i in {1..470}; do input="${input}A"; done
++echo $input | $xmlcatalog --shell test/catalogs/dockbook.xml || exit 1
++# Case 3: public + lots of args
++input="public "; for i in {1..80}; do input="${input} x"; done
++echo $input | $xmlcatalog --shell test/catalogs/dockbook.xml || exit 1
++
+ for i in test/catalogs/*.script ; do
+     name=$(basename $i .script)
+     xml="./test/catalogs/$name.xml"
+diff --git a/xmlcatalog.c b/xmlcatalog.c
+index b400c7cb..5113e930 100644
+--- a/xmlcatalog.c
++++ b/xmlcatalog.c
+@@ -135,6 +135,12 @@ static void usershell(void) {
+ 	       (*cur != '\n') && (*cur != '\r')) {
+ 	    if (*cur == 0)
+ 		break;
++            /* Do not read beyond the command array capacity */
++            if (i >= (int)sizeof(command) - 2) {
++                printf("Invalid command %s\n", cur);
++                i = 0;
++                break;
++            }
+ 	    command[i++] = *cur++;
+ 	}
+ 	command[i] = 0;
+@@ -152,6 +158,11 @@ static void usershell(void) {
+ 	while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
+ 	    if (*cur == 0)
+ 		break;
++            if (i >= (int)sizeof(arg) - 2) {
++                printf("Invalid arg %s\n", arg);
++                i = 0;
++                break;
++            }
+ 	    arg[i++] = *cur++;
+ 	}
+ 	arg[i] = 0;
+@@ -164,6 +175,11 @@ static void usershell(void) {
+ 	cur = arg;
+ 	memset(argv, 0, sizeof(argv));
+ 	while (*cur != 0) {
++            if (i >= (int)sizeof(argv) / (int)sizeof(char*)) {
++                printf("Too much arguments\n");
++                break;
++            }
++
+ 	    while ((*cur == ' ') || (*cur == '\t')) cur++;
+ 	    if (*cur == '\'') {
+ 		cur++;
+-- 
+2.43.0
+
diff --git a/meta/recipes-core/libxml/libxml2_2.15.3.bb b/meta/recipes-core/libxml/libxml2_2.15.3.bb
index 3b7a0e3cb5..abf9889b3f 100644
--- a/meta/recipes-core/libxml/libxml2_2.15.3.bb
+++ b/meta/recipes-core/libxml/libxml2_2.15.3.bb
@@ -18,6 +18,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
            file://run-ptest \
            file://install-tests.patch \
            file://0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch \
+           file://CVE-2026-11979.patch \
            "
 
 SRC_URI[archive.sha256sum] = "78262a6e7ac170d6528ebfe2efccdf220191a5af6a6cd61ea4a9a9a5042c7a07"
-- 
2.43.0



                 reply	other threads:[~2026-06-30 10:59 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260630062051.516582-1-antonsk@axis.com \
    --to=antonsk@axis.com \
    --cc=anton.skorup@axis.com \
    --cc=anton@skorup.se \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.