* [PATCH 1/2] libxml2: Fix CVE-2026-0990
@ 2026-01-22 1:42 mingli.yu
2026-01-22 1:42 ` [PATCH 2/2] libxml2: Fix CVE-2026-0992 mingli.yu
0 siblings, 1 reply; 2+ messages in thread
From: mingli.yu @ 2026-01-22 1:42 UTC (permalink / raw)
To: openembedded-core
From: Mingli Yu <mingli.yu@windriver.com>
Backport a patch [1] to fix CVE-2026-0990.
[1] https://gitlab.gnome.org/GNOME/libxml2/-/commit/1961208e958ca22f80a0b4e4c9d71cfa050aa982
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
.../libxml/libxml2/CVE-2026-0990.patch | 81 +++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.15.1.bb | 1 +
2 files changed, 82 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch
new file mode 100644
index 0000000000..6b2b8799f5
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch
@@ -0,0 +1,81 @@
+From 1961208e958ca22f80a0b4e4c9d71cfa050aa982 Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <daniel.garcia@suse.com>
+Date: Wed, 17 Dec 2025 15:24:08 +0100
+Subject: [PATCH] catalog: prevent inf recursion in xmlCatalogXMLResolveURI
+
+Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018
+
+CVE: CVE-2026-0990
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1961208e958ca22f80a0b4e4c9d71cfa050aa982]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ catalog.c | 31 +++++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/catalog.c b/catalog.c
+index 76c063a8..46b877e6 100644
+--- a/catalog.c
++++ b/catalog.c
+@@ -2025,12 +2025,21 @@ static xmlChar *
+ xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) {
+ xmlChar *ret = NULL;
+ xmlChar *urnID = NULL;
++ xmlCatalogEntryPtr cur = NULL;
+
+ if (catal == NULL)
+ return(NULL);
+ if (URI == NULL)
+ return(NULL);
+
++ if (catal->depth > MAX_CATAL_DEPTH) {
++ xmlCatalogErr(catal, NULL, XML_CATALOG_RECURSION,
++ "Detected recursion in catalog %s\n",
++ catal->name, NULL, NULL);
++ return(NULL);
++ }
++ catal->depth++;
++
+ if (!xmlStrncmp(URI, BAD_CAST XML_URN_PUBID, sizeof(XML_URN_PUBID) - 1)) {
+ urnID = xmlCatalogUnWrapURN(URI);
+ if (xmlDebugCatalogs) {
+@@ -2044,21 +2053,27 @@ xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) {
+ ret = xmlCatalogListXMLResolve(catal, urnID, NULL);
+ if (urnID != NULL)
+ xmlFree(urnID);
++ catal->depth--;
+ return(ret);
+ }
+- while (catal != NULL) {
+- if (catal->type == XML_CATA_CATALOG) {
+- if (catal->children == NULL) {
+- xmlFetchXMLCatalogFile(catal);
++ cur = catal;
++ while (cur != NULL) {
++ if (cur->type == XML_CATA_CATALOG) {
++ if (cur->children == NULL) {
++ xmlFetchXMLCatalogFile(cur);
+ }
+- if (catal->children != NULL) {
+- ret = xmlCatalogXMLResolveURI(catal->children, URI);
+- if (ret != NULL)
++ if (cur->children != NULL) {
++ ret = xmlCatalogXMLResolveURI(cur->children, URI);
++ if (ret != NULL) {
++ catal->depth--;
+ return(ret);
++ }
+ }
+ }
+- catal = catal->next;
++ cur = cur->next;
+ }
++
++ catal->depth--;
+ return(ret);
+ }
+
+--
+2.34.1
+
diff --git a/meta/recipes-core/libxml/libxml2_2.15.1.bb b/meta/recipes-core/libxml/libxml2_2.15.1.bb
index 736aaea00e..c603fb7980 100644
--- a/meta/recipes-core/libxml/libxml2_2.15.1.bb
+++ b/meta/recipes-core/libxml/libxml2_2.15.1.bb
@@ -15,6 +15,7 @@ GNOMEBASEBUILDCLASS = "autotools"
inherit gnomebase
SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testtar \
+ file://CVE-2026-0990.patch \
file://run-ptest \
file://install-tests.patch \
file://0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch \
--
2.34.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [PATCH 2/2] libxml2: Fix CVE-2026-0992
2026-01-22 1:42 [PATCH 1/2] libxml2: Fix CVE-2026-0990 mingli.yu
@ 2026-01-22 1:42 ` mingli.yu
0 siblings, 0 replies; 2+ messages in thread
From: mingli.yu @ 2026-01-22 1:42 UTC (permalink / raw)
To: openembedded-core
From: Mingli Yu <mingli.yu@windriver.com>
Backport a patch [1] to fix CVE-2026-0992.
[1] https://gitlab.gnome.org/GNOME/libxml2/-/commit/f75abfcaa419a740a3191e56c60400f3ff18988d
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
.../libxml/libxml2/CVE-2026-0992.patch | 54 +++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.15.1.bb | 1 +
2 files changed, 55 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch
new file mode 100644
index 0000000000..5f0602f043
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch
@@ -0,0 +1,54 @@
+From f75abfcaa419a740a3191e56c60400f3ff18988d Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <daniel.garcia@suse.com>
+Date: Fri, 19 Dec 2025 11:02:18 +0100
+Subject: [PATCH] catalog: Ignore repeated nextCatalog entries
+
+This patch makes the catalog parsing to ignore repeated entries of
+nextCatalog with the same value.
+
+Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
+
+CVE: CVE-2026-0992
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/f75abfcaa419a740a3191e56c60400f3ff18988d]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ catalog.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/catalog.c b/catalog.c
+index 46b877e6..fa6d77ca 100644
+--- a/catalog.c
++++ b/catalog.c
+@@ -1223,9 +1223,27 @@ xmlParseXMLCatalogNode(xmlNodePtr cur, xmlCatalogPrefer prefer,
+ BAD_CAST "delegateURI", BAD_CAST "uriStartString",
+ BAD_CAST "catalog", prefer, cgroup);
+ } else if (xmlStrEqual(cur->name, BAD_CAST "nextCatalog")) {
++ xmlCatalogEntryPtr prev = parent->children;
++
+ entry = xmlParseXMLCatalogOneNode(cur, XML_CATA_NEXT_CATALOG,
+ BAD_CAST "nextCatalog", NULL,
+ BAD_CAST "catalog", prefer, cgroup);
++ /* Avoid duplication of nextCatalog */
++ while (prev != NULL) {
++ if ((prev->type == XML_CATA_NEXT_CATALOG) &&
++ (xmlStrEqual (prev->URL, entry->URL)) &&
++ (xmlStrEqual (prev->value, entry->value)) &&
++ (prev->prefer == entry->prefer) &&
++ (prev->group == entry->group)) {
++ if (xmlDebugCatalogs)
++ xmlCatalogPrintDebug(
++ "Ignoring repeated nextCatalog %s\n", entry->URL);
++ xmlFreeCatalogEntry(entry, NULL);
++ entry = NULL;
++ break;
++ }
++ prev = prev->next;
++ }
+ }
+ if (entry != NULL) {
+ if (parent != NULL) {
+--
+2.34.1
+
diff --git a/meta/recipes-core/libxml/libxml2_2.15.1.bb b/meta/recipes-core/libxml/libxml2_2.15.1.bb
index c603fb7980..a64ed8098e 100644
--- a/meta/recipes-core/libxml/libxml2_2.15.1.bb
+++ b/meta/recipes-core/libxml/libxml2_2.15.1.bb
@@ -16,6 +16,7 @@ inherit gnomebase
SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testtar \
file://CVE-2026-0990.patch \
+ file://CVE-2026-0992.patch \
file://run-ptest \
file://install-tests.patch \
file://0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch \
--
2.34.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-01-22 1:42 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-22 1:42 [PATCH 1/2] libxml2: Fix CVE-2026-0990 mingli.yu
2026-01-22 1:42 ` [PATCH 2/2] libxml2: Fix CVE-2026-0992 mingli.yu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox