From 9e878719044162580dd6c12e95687f7f17816ecd Mon Sep 17 00:00:00 2001 From: Funda Wang Date: Mon, 15 Dec 2025 17:36:25 +0800 Subject: [PATCH] init package --- .gitattributes | 1 + .lfsconfig | 2 + CVE-2025-32414.patch | 73 +++++++ CVE-2025-32415.patch | 38 ++++ CVE-2025-49794,CVE-2025-49796.patch | 182 ++++++++++++++++++ CVE-2025-49795.patch | 119 ++++++++++++ CVE-2025-6021.patch | 47 +++++ backport-CVE-2025-6170.patch | 107 ++++++++++ ...arsed-to-an-infinite-attrs-next-loop.patch | 81 ++++++++ libxml2-2.12.10.tar.xz | 3 + libxml2-compat.spec | 77 ++++++++ libxml2-compat.yaml | 4 + libxml2-multilib.patch | 18 ++ 13 files changed, 752 insertions(+) create mode 100644 .gitattributes create mode 100644 .lfsconfig create mode 100644 CVE-2025-32414.patch create mode 100644 CVE-2025-32415.patch create mode 100644 CVE-2025-49794,CVE-2025-49796.patch create mode 100644 CVE-2025-49795.patch create mode 100644 CVE-2025-6021.patch create mode 100644 backport-CVE-2025-6170.patch create mode 100644 backport-Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch create mode 100644 libxml2-2.12.10.tar.xz create mode 100644 libxml2-compat.spec create mode 100644 libxml2-compat.yaml create mode 100644 libxml2-multilib.patch diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..05a0e94 --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +*.xz filter=lfs diff=lfs merge=lfs -text diff --git a/.lfsconfig b/.lfsconfig new file mode 100644 index 0000000..a224717 --- /dev/null +++ b/.lfsconfig @@ -0,0 +1,2 @@ +[lfs] + url = https://artlfs.openeuler.openatom.cn/src-openEuler/libxml2-compat diff --git a/CVE-2025-32414.patch b/CVE-2025-32414.patch new file mode 100644 index 0000000..f34c8d2 --- /dev/null +++ b/CVE-2025-32414.patch @@ -0,0 +1,73 @@ +From d7657811964eac1cb9743bb98649278ad948f0d2 Mon Sep 17 00:00:00 2001 +From: Maks Verver +Date: Tue, 8 Apr 2025 13:13:55 +0200 +Subject: [PATCH] [CVE-2025-32414] python: Read at most len/4 characters. + +Fixes #889 by reserving space in the buffer for UTF-8 encoding of text. +--- + python/libxml.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +diff --git a/python/libxml.c b/python/libxml.c +index 1fe8d6850..2bf140786 100644 +--- a/python/libxml.c ++++ b/python/libxml.c +@@ -248,7 +248,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { + + file = (PyObject *) context; + if (file == NULL) return(-1); +- ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len); ++ /* When read() returns a string, the length is in characters not bytes, so ++ request at most len / 4 characters to leave space for UTF-8 encoding. */ ++ ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len / 4); + if (ret == NULL) { + printf("xmlPythonFileReadRaw: result is NULL\n"); + return(-1); +@@ -283,10 +285,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { + Py_DECREF(ret); + return(-1); + } +- if (lenread > len) +- memcpy(buffer, data, len); +- else +- memcpy(buffer, data, lenread); ++ if (lenread < 0 || lenread > len) { ++ printf("xmlPythonFileReadRaw: invalid lenread\n"); ++ Py_DECREF(ret); ++ return(-1); ++ } ++ memcpy(buffer, data, lenread); + Py_DECREF(ret); + return(lenread); + } +@@ -310,7 +314,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) { + + file = (PyObject *) context; + if (file == NULL) return(-1); +- ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len); ++ /* When io_read() returns a string, the length is in characters not bytes, so ++ request at most len / 4 characters to leave space for UTF-8 encoding. */ ++ ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4); + if (ret == NULL) { + printf("xmlPythonFileRead: result is NULL\n"); + return(-1); +@@ -345,10 +351,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) { + Py_DECREF(ret); + return(-1); + } +- if (lenread > len) +- memcpy(buffer, data, len); +- else +- memcpy(buffer, data, lenread); ++ if (lenread < 0 || lenread > len) { ++ printf("xmlPythonFileRead: invalid lenread\n"); ++ Py_DECREF(ret); ++ return(-1); ++ } ++ memcpy(buffer, data, lenread); + Py_DECREF(ret); + return(lenread); + } +-- +GitLab + diff --git a/CVE-2025-32415.patch b/CVE-2025-32415.patch new file mode 100644 index 0000000..295dbb4 --- /dev/null +++ b/CVE-2025-32415.patch @@ -0,0 +1,38 @@ +From 384cc7c182fc00c6d5e2ab4b5e3671b2e3f93c84 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 6 Apr 2025 12:41:11 +0200 +Subject: [PATCH] [CVE-2025-32415] schemas: Fix heap buffer overflow in + xmlSchemaIDCFillNodeTables + +Don't use local variable which could contain a stale value. + +Fixes #890. +--- + xmlschemas.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index e35c117ef..4bdabd129 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -23324,7 +23324,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt, + j++; + } while (j < nbDupls); + } +- if (nbNodeTable) { ++ if (bind->nbNodes) { + j = 0; + do { + if (nbFields == 1) { +@@ -23375,7 +23375,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt, + + next_node_table_entry: + j++; +- } while (j < nbNodeTable); ++ } while (j < bind->nbNodes); + } + /* + * If everything is fine, then add the IDC target-node to +-- +GitLab + diff --git a/CVE-2025-49794,CVE-2025-49796.patch b/CVE-2025-49794,CVE-2025-49796.patch new file mode 100644 index 0000000..1fe07ea --- /dev/null +++ b/CVE-2025-49794,CVE-2025-49796.patch @@ -0,0 +1,182 @@ +From 71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 4 Jul 2025 14:28:26 +0200 +Subject: [PATCH] schematron: Fix memory safety issues in + xmlSchematronReportOutput + +Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796) +in xmlSchematronReportOutput. + +Fixes #931. +Fixes #933. +--- + result/schematron/cve-2025-49794_0.err | 2 ++ + result/schematron/cve-2025-49796_0.err | 2 ++ + schematron.c | 49 ++++++++++++++------------ + test/schematron/cve-2025-49794.sct | 10 ++++++ + test/schematron/cve-2025-49794_0.xml | 6 ++++ + test/schematron/cve-2025-49796.sct | 9 +++++ + test/schematron/cve-2025-49796_0.xml | 3 ++ + 7 files changed, 58 insertions(+), 23 deletions(-) + create mode 100644 result/schematron/cve-2025-49794_0.err + create mode 100644 result/schematron/cve-2025-49796_0.err + create mode 100644 test/schematron/cve-2025-49794.sct + create mode 100644 test/schematron/cve-2025-49794_0.xml + create mode 100644 test/schematron/cve-2025-49796.sct + create mode 100644 test/schematron/cve-2025-49796_0.xml + +diff --git a/result/schematron/cve-2025-49794_0.err b/result/schematron/cve-2025-49794_0.err +new file mode 100644 +index 000000000..57752310e +--- /dev/null ++++ b/result/schematron/cve-2025-49794_0.err +@@ -0,0 +1,2 @@ ++./test/schematron/cve-2025-49794_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2: ++./test/schematron/cve-2025-49794_0.xml fails to validate +diff --git a/result/schematron/cve-2025-49796_0.err b/result/schematron/cve-2025-49796_0.err +new file mode 100644 +index 000000000..bf875ee0c +--- /dev/null ++++ b/result/schematron/cve-2025-49796_0.err +@@ -0,0 +1,2 @@ ++./test/schematron/cve-2025-49796_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2: ++./test/schematron/cve-2025-49796_0.xml fails to validate +diff --git a/schematron.c b/schematron.c +index 85b462827..0fd374617 100644 +--- a/schematron.c ++++ b/schematron.c +@@ -1364,27 +1364,15 @@ exit: + * * + ************************************************************************/ + +-static xmlNodePtr ++static xmlXPathObjectPtr + xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt, + xmlNodePtr cur, const xmlChar *xpath) { +- xmlNodePtr node = NULL; +- xmlXPathObjectPtr ret; +- + if ((ctxt == NULL) || (cur == NULL) || (xpath == NULL)) + return(NULL); + + ctxt->xctxt->doc = cur->doc; + ctxt->xctxt->node = cur; +- ret = xmlXPathEval(xpath, ctxt->xctxt); +- if (ret == NULL) +- return(NULL); +- +- if ((ret->type == XPATH_NODESET) && +- (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0)) +- node = ret->nodesetval->nodeTab[0]; +- +- xmlXPathFreeObject(ret); +- return(node); ++ return(xmlXPathEval(xpath, ctxt->xctxt)); + } + + /** +@@ -1427,25 +1415,40 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt, + (child->type == XML_CDATA_SECTION_NODE)) + ret = xmlStrcat(ret, child->content); + else if (IS_SCHEMATRON(child, "name")) { ++ xmlXPathObject *obj = NULL; + xmlChar *path; + + path = xmlGetNoNsProp(child, BAD_CAST "path"); + + node = cur; + if (path != NULL) { +- node = xmlSchematronGetNode(ctxt, cur, path); +- if (node == NULL) +- node = cur; ++ obj = xmlSchematronGetNode(ctxt, cur, path); ++ if ((obj != NULL) && ++ (obj->type == XPATH_NODESET) && ++ (obj->nodesetval != NULL) && ++ (obj->nodesetval->nodeNr > 0)) ++ node = obj->nodesetval->nodeTab[0]; + xmlFree(path); + } + +- if ((node->ns == NULL) || (node->ns->prefix == NULL)) +- ret = xmlStrcat(ret, node->name); +- else { +- ret = xmlStrcat(ret, node->ns->prefix); +- ret = xmlStrcat(ret, BAD_CAST ":"); +- ret = xmlStrcat(ret, node->name); ++ switch (node->type) { ++ case XML_ELEMENT_NODE: ++ case XML_ATTRIBUTE_NODE: ++ if ((node->ns == NULL) || (node->ns->prefix == NULL)) ++ ret = xmlStrcat(ret, node->name); ++ else { ++ ret = xmlStrcat(ret, node->ns->prefix); ++ ret = xmlStrcat(ret, BAD_CAST ":"); ++ ret = xmlStrcat(ret, node->name); ++ } ++ break; ++ ++ /* TODO: handle other node types */ ++ default: ++ break; + } ++ ++ xmlXPathFreeObject(obj); + } else if (IS_SCHEMATRON(child, "value-of")) { + xmlChar *select; + xmlXPathObjectPtr eval; +diff --git a/test/schematron/cve-2025-49794.sct b/test/schematron/cve-2025-49794.sct +new file mode 100644 +index 000000000..7fc9ee3db +--- /dev/null ++++ b/test/schematron/cve-2025-49794.sct +@@ -0,0 +1,10 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/test/schematron/cve-2025-49794_0.xml b/test/schematron/cve-2025-49794_0.xml +new file mode 100644 +index 000000000..debc64ba6 +--- /dev/null ++++ b/test/schematron/cve-2025-49794_0.xml +@@ -0,0 +1,6 @@ ++ ++ ++ ++ ++ ++ +diff --git a/test/schematron/cve-2025-49796.sct b/test/schematron/cve-2025-49796.sct +new file mode 100644 +index 000000000..e9702d752 +--- /dev/null ++++ b/test/schematron/cve-2025-49796.sct +@@ -0,0 +1,9 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/test/schematron/cve-2025-49796_0.xml b/test/schematron/cve-2025-49796_0.xml +new file mode 100644 +index 000000000..be33c4ec5 +--- /dev/null ++++ b/test/schematron/cve-2025-49796_0.xml +@@ -0,0 +1,3 @@ ++ ++ ++ +-- +GitLab + diff --git a/CVE-2025-49795.patch b/CVE-2025-49795.patch new file mode 100644 index 0000000..a7b494d --- /dev/null +++ b/CVE-2025-49795.patch @@ -0,0 +1,119 @@ +From 499bcb78ab389f60c2fd634ce410d4bb85c18765 Mon Sep 17 00:00:00 2001 +From: Michael Mann +Date: Sat, 21 Jun 2025 12:11:30 -0400 +Subject: [PATCH] Schematron: Fix null pointer dereference leading to DoS + +(CVE-2025-49795) + +Fixes #932 +--- + result/schematron/zvon16_0.err | 1 + + schematron.c | 2 ++ + test/schematron/zvon16.sct | 7 +++++++ + test/schematron/zvon16_0.xml | 5 +++++ + 4 files changed, 15 insertions(+) + create mode 100644 result/schematron/zvon16_0.err + create mode 100644 test/schematron/zvon16.sct + create mode 100644 test/schematron/zvon16_0.xml + +diff --git a/result/schematron/zvon16_0.err b/result/schematron/zvon16_0.err +new file mode 100644 +index 000000000..465cf2eb4 +--- /dev/null ++++ b/result/schematron/zvon16_0.err +@@ -0,0 +1 @@ ++xmlSchematronParse: could not load './test/schematron/zvon16.sct' +\ No newline at end of file +diff --git a/schematron.c b/schematron.c +index 5c1a27bf1..d33755e6d 100644 +--- a/schematron.c ++++ b/schematron.c +@@ -1453,6 +1453,8 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt, + select = xmlGetNoNsProp(child, BAD_CAST "select"); + comp = xmlXPathCtxtCompile(ctxt->xctxt, select); + eval = xmlXPathCompiledEval(comp, ctxt->xctxt); ++ if (eval == NULL) ++ return ret; + + switch (eval->type) { + case XPATH_NODESET: { +diff --git a/test/schematron/zvon16.sct b/test/schematron/zvon16.sct +new file mode 100644 +index 000000000..4d24c0541 +--- /dev/null ++++ b/test/schematron/zvon16.sct +@@ -0,0 +1,7 @@ ++ ++ ++ Book test ++ ++ ++ +diff --git a/test/schematron/zvon16_0.xml b/test/schematron/zvon16_0.xml +new file mode 100644 +index 000000000..551e2d654 +--- /dev/null ++++ b/test/schematron/zvon16_0.xml +@@ -0,0 +1,5 @@ ++ ++ ++ Test Author ++ ++ +-- +GitLab + +From 24d7e15914588cb45e7fb41cbe4fcf785e1a4861 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 4 Jul 2025 12:19:20 +0200 +Subject: [PATCH] schematron: Complete fix for CVE-2025-49795 + +- Fix memory leaks +- Fix tests +--- + result/schematron/zvon16_0.err | 4 +++- + schematron.c | 5 ++++- + test/schematron/zvon16.sct | 2 +- + 3 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/result/schematron/zvon16_0.err b/result/schematron/zvon16_0.err +index 465cf2eb4..452bcc139 100644 +--- a/result/schematron/zvon16_0.err ++++ b/result/schematron/zvon16_0.err +@@ -1 +1,3 @@ +-xmlSchematronParse: could not load './test/schematron/zvon16.sct' +\ No newline at end of file ++XPath error : Unregistered function: falae ++./test/schematron/zvon16_0.xml:2: element book: schematron error : /library/book line 2: Book ++./test/schematron/zvon16_0.xml fails to validate +diff --git a/schematron.c b/schematron.c +index d33755e6d..85b462827 100644 +--- a/schematron.c ++++ b/schematron.c +@@ -1453,8 +1453,11 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt, + select = xmlGetNoNsProp(child, BAD_CAST "select"); + comp = xmlXPathCtxtCompile(ctxt->xctxt, select); + eval = xmlXPathCompiledEval(comp, ctxt->xctxt); +- if (eval == NULL) ++ if (eval == NULL) { ++ xmlXPathFreeCompExpr(comp); ++ xmlFree(select); + return ret; ++ } + + switch (eval->type) { + case XPATH_NODESET: { +diff --git a/test/schematron/zvon16.sct b/test/schematron/zvon16.sct +index 4d24c0541..f03848aae 100644 +--- a/test/schematron/zvon16.sct ++++ b/test/schematron/zvon16.sct +@@ -1,4 +1,4 @@ +- + + + Book test +-- +GitLab + diff --git a/CVE-2025-6021.patch b/CVE-2025-6021.patch new file mode 100644 index 0000000..91d7b56 --- /dev/null +++ b/CVE-2025-6021.patch @@ -0,0 +1,47 @@ +From acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 27 May 2025 12:53:17 +0200 +Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName + +This issue affects memory safety and might receive a CVE ID later. + +Fixes #926. +--- + tree.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/tree.c b/tree.c +index 8910dd8..e207f12 100644 +--- a/tree.c ++++ b/tree.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + #ifdef LIBXML_ZLIB_ENABLED + #include +@@ -221,16 +222,18 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) { + xmlChar * + xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix, + xmlChar *memory, int len) { +- int lenn, lenp; ++ size_t lenn, lenp; + xmlChar *ret; + +- if (ncname == NULL) return(NULL); ++ if ((ncname == NULL) || (len < 0)) return(NULL); + if (prefix == NULL) return((xmlChar *) ncname); + + lenn = strlen((char *) ncname); + lenp = strlen((char *) prefix); ++ if (lenn >= SIZE_MAX - lenp - 1) ++ return(NULL); + +- if ((memory == NULL) || (len < lenn + lenp + 2)) { ++ if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) { + ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2); + if (ret == NULL) { + xmlTreeErrMemory("building QName"); + diff --git a/backport-CVE-2025-6170.patch b/backport-CVE-2025-6170.patch new file mode 100644 index 0000000..5a7c22e --- /dev/null +++ b/backport-CVE-2025-6170.patch @@ -0,0 +1,107 @@ +From 069bcda17d8194e9582c64dd4bc9dac99b015810 Mon Sep 17 00:00:00 2001 +From: Michael Mann +Date: Fri, 20 Jun 2025 23:05:00 -0400 +Subject: [PATCH] Fix potential buffer overflows of interactive shell + +CVE-2025-6170 + +Fixes #941 + +Reference: https://github.com/GNOME/libxml2/commit/069bcda17d8194e9582c64dd4bc9dac99b015810 +Conflict: rename shell.c to debugXML.c, no need xmllintShellReadline + +--- + debugXML.c | 15 ++++++++++----- + result/scripts/long_command | 8 ++++++++ + test/scripts/long_command.script | 6 ++++++ + test/scripts/long_command.xml | 1 + + 4 files changed, 25 insertions(+), 5 deletions(-) + create mode 100644 result/scripts/long_command + create mode 100644 test/scripts/long_command.script + create mode 100644 test/scripts/long_command.xml + +diff --git a/debugXML.c b/debugXML.c +index 3bb1930..c84c382 100644 +--- a/debugXML.c ++++ b/debugXML.c +@@ -2781,6 +2781,10 @@ xmlShellPwd(xmlShellCtxtPtr ctxt ATTRIBUTE_UNUSED, char *buffer, + return (0); + } + ++#define MAX_PROMPT_SIZE 500 ++#define MAX_ARG_SIZE 400 ++#define MAX_COMMAND_SIZE 100 ++ + /** + * xmlShell: + * @doc: the initial document +@@ -2796,10 +2800,10 @@ void + xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input, + FILE * output) + { +- char prompt[500] = "/ > "; ++ char prompt[MAX_PROMPT_SIZE] = "/ > "; + char *cmdline = NULL, *cur; +- char command[100]; +- char arg[400]; ++ char command[MAX_COMMAND_SIZE]; ++ char arg[MAX_ARG_SIZE]; + int i; + xmlShellCtxtPtr ctxt; + xmlXPathObjectPtr list; +@@ -2857,7 +2861,8 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input, + cur++; + i = 0; + while ((*cur != ' ') && (*cur != '\t') && +- (*cur != '\n') && (*cur != '\r')) { ++ (*cur != '\n') && (*cur != '\r') && ++ (i < (MAX_COMMAND_SIZE - 1))) { + if (*cur == 0) + break; + command[i++] = *cur++; +@@ -2872,7 +2877,7 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input, + while ((*cur == ' ') || (*cur == '\t')) + cur++; + i = 0; +- while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) { ++ while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) { + if (*cur == 0) + break; + arg[i++] = *cur++; +diff --git a/result/scripts/long_command b/result/scripts/long_command +new file mode 100644 +index 0000000..e6f0070 +--- /dev/null ++++ b/result/scripts/long_command +@@ -0,0 +1,8 @@ ++/ > b > b > Object is a Node Set : ++Set contains 1 nodes: ++1 ELEMENT a:c ++b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm ++b > b > Unknown command ess_currents_of_time_and_existence ++b > ++Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof ++b > +\ No newline at end of file +diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script +new file mode 100644 +index 0000000..00f6df0 +--- /dev/null ++++ b/test/scripts/long_command.script +@@ -0,0 +1,6 @@ ++cd a/b ++set ++xpath //*[namespace-uri()="foo"] ++This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo ++set Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence ++save - +diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml +new file mode 100644 +index 0000000..1ba4401 +--- /dev/null ++++ b/test/scripts/long_command.xml +@@ -0,0 +1 @@ ++ +-- +2.43.0 + diff --git a/backport-Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch b/backport-Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch new file mode 100644 index 0000000..cbeda9a --- /dev/null +++ b/backport-Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch @@ -0,0 +1,81 @@ +From bb7169b5ad77209989a7e60b530976618a7f0339 Mon Sep 17 00:00:00 2001 +From: Omar Siam +Date: Tue, 10 Jun 2025 18:34:44 +0200 +Subject: [PATCH] Fix relaxng is parsed to an infinite attrs->next loop + +Test data for the bug. +--- + relaxng.c | 11 ++++++++--- + test/relaxng/useless_group.rng | 21 +++++++++++++++++++++ + test/relaxng/useless_group.xml | 3 +++ + 3 files changed, 32 insertions(+), 3 deletions(-) + create mode 100644 test/relaxng/useless_group.rng + create mode 100644 test/relaxng/useless_group.xml + +diff --git a/relaxng.c b/relaxng.c +index 8132fe8fec..afd416f546 100644 +--- a/relaxng.c ++++ b/relaxng.c +@@ -5856,6 +5856,7 @@ xmlRelaxNGSimplify(xmlRelaxNGParserCtxtPtr ctxt, + if (attronly == 1) { + /* + * migrate tmp to attrs ++ * if this runs twice an infinite attrs->next loop can be created + */ + pre->next = tmp->next; + tmp->next = cur->attrs; +@@ -5876,9 +5877,13 @@ xmlRelaxNGSimplify(xmlRelaxNGParserCtxtPtr ctxt, + if ((parent == NULL) && (prev == NULL)) { + cur->type = XML_RELAXNG_NOOP; + } else if (prev == NULL) { +- parent->content = cur->content; +- cur->content->next = cur->next; +- cur = cur->content; ++ // this simplification may already have happened ++ // if this is done twice this leads to an infinite loop of attrs->next ++ if (parent->content != cur->content) { ++ parent->content = cur->content; ++ cur->content->next = cur->next; ++ cur = cur->content; ++ } + } else { + cur->content->next = cur->next; + prev->next = cur->content; +diff --git a/test/relaxng/useless_group.rng b/test/relaxng/useless_group.rng +new file mode 100644 +index 0000000000..2a44336d30 +--- /dev/null ++++ b/test/relaxng/useless_group.rng +@@ -0,0 +1,21 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +\ No newline at end of file +diff --git a/test/relaxng/useless_group.xml b/test/relaxng/useless_group.xml +new file mode 100644 +index 0000000000..5b81c6db0b +--- /dev/null ++++ b/test/relaxng/useless_group.xml +@@ -0,0 +1,3 @@ ++ ++ ++ +\ No newline at end of file diff --git a/libxml2-2.12.10.tar.xz b/libxml2-2.12.10.tar.xz new file mode 100644 index 0000000..49b42b5 --- /dev/null +++ b/libxml2-2.12.10.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995 +size 2483708 diff --git a/libxml2-compat.spec b/libxml2-compat.spec new file mode 100644 index 0000000..6f40386 --- /dev/null +++ b/libxml2-compat.spec @@ -0,0 +1,77 @@ +Summary: Library providing XML and HTML support +Name: libxml2-compat +Version: 2.12.10 +Release: 8 +License: MIT +Group: Development/Libraries +Source: https://download.gnome.org/sources/libxml2/2.12/libxml2-%{version}.tar.xz + +Patch0: libxml2-multilib.patch +Patch6001: CVE-2025-32414.patch +Patch6002: CVE-2025-32415.patch +Patch6003: CVE-2025-6021.patch +Patch6004: CVE-2025-49795.patch +Patch6005: CVE-2025-49794,CVE-2025-49796.patch +Patch6006: backport-CVE-2025-6170.patch +Patch6007: backport-Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch + +BuildRequires: pkgconfig(zlib) +URL: http://xmlsoft.org/ +Conflicts: libxml2%{_isa} < 2.15 + +%description +This library allows to manipulate XML files. It includes support +to read, modify and write XML and HTML files. There is DTDs support +this includes parsing and validation even with complex DtDs, either +at parse time or later once the document has been modified. The output +can be a simple SAX stream or and in-memory DOM like representations. +In this case one can use the built-in XPath and XPointer implementation +to select sub nodes or ranges. A flexible Input/Output mechanism is +available, with existing HTTP and FTP modules and combined to an +URI library. + +%package devel +Summary: Libraries, includes, etc. to develop XML and HTML applications +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} +Conflicts: libxml2-devel + +%description devel +Libraries, include files, etc you can use to develop XML applications. +This library allows to manipulate XML files. It includes support +to read, modify and write XML and HTML files. There is DTDs support +this includes parsing and validation even with complex DtDs, either +at parse time or later once the document has been modified. The output +can be a simple SAX stream or and in-memory DOM like representations. +In this case one can use the built-in XPath and XPointer implementation +to select sub nodes or ranges. A flexible Input/Output mechanism is +available, with existing HTTP and FTP modules and combined to an +URI library. + +%prep +%autosetup -n libxml2-%{version} -p1 + +%build +%configure --enable-static \ + --without-http \ + --without-ftp \ + --without-lzma \ + --without-python +%make_build + +find doc -type f -exec chmod 0644 \{\} \; + +%install +mkdir -p %{buildroot}%{_libdir} +install .libs/libxml2.so.* %{buildroot}%{_libdir} + +%check +%make_build check + +%files +%license Copyright +%{_libdir}/lib*.so.* + +%changelog +* Mon Dec 15 2025 Funda Wang - 2.12.10-8 +- import from older libxml2 diff --git a/libxml2-compat.yaml b/libxml2-compat.yaml new file mode 100644 index 0000000..56b42d5 --- /dev/null +++ b/libxml2-compat.yaml @@ -0,0 +1,4 @@ +version_control: github +src_repo: GNOME/libxml2 +tag_prefix: ^v +seperator: . diff --git a/libxml2-multilib.patch b/libxml2-multilib.patch new file mode 100644 index 0000000..be907f6 --- /dev/null +++ b/libxml2-multilib.patch @@ -0,0 +1,18 @@ +diff --git a/xml2-config.in b/xml2-config.in +index 5863ffa..47f205e 100644 +--- a/xml2-config.in ++++ b/xml2-config.in +@@ -3,7 +3,12 @@ + prefix=@prefix@ + exec_prefix=@exec_prefix@ + includedir=@includedir@ +-libdir=@libdir@ ++if [ "`ldd /bin/sh | grep lib64`" = "" ] ++then ++ libdir=${exec_prefix}/lib ++else ++ libdir=${exec_prefix}/lib64 ++fi + cflags= + libs= + -- Gitee