libxml2: fix CVE-2025-49794 & CVE-2025-49796

Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libxml2/-/commit/71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b (From OE-Core rev: 691b74a5d019752428adc81b114fb4458ece1ebe) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2025-07-09 15:13:27 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-07-18 08:32:26 -0700
commit: c0623fde1f90f718c0c1abded88f387a055808fa (patch)
tree: d19b6711564a7e9e571be537da5e8621c8d88298
parent: 7def40e0b15ea45ea46c1981024ee040f81e34c3 (diff)
download: poky-c0623fde1f90f718c0c1abded88f387a055808fa.tar.gz
2 files changed, 182 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-49794-CVE-2025-49796.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-49794-CVE-2025-49796.patch
new file mode 100644
index 0000000000..3ec8b4173f
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-49794-CVE-2025-49796.patch
@@ -0,0 +1,181 @@
+From 71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 4 Jul 2025 14:28:26 +0200
+Subject: [PATCH] schematron: Fix memory safety issues in
+ xmlSchematronReportOutput
+Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796)
+in xmlSchematronReportOutput.
+Fixes #931.
+Fixes #933.
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b]
+CVE: CVE-2025-49794 CVE-2025-49796
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ result/schematron/cve-2025-49794_0.err |  2 ++
+ result/schematron/cve-2025-49796_0.err |  2 ++
+ schematron.c                           | 37 +++++++++++++++-----------
+ test/schematron/cve-2025-49794.sct     | 10 +++++++
+ test/schematron/cve-2025-49794_0.xml   |  6 +++++
+ test/schematron/cve-2025-49796.sct     |  9 +++++++
+ test/schematron/cve-2025-49796_0.xml   |  3 +++
+ 7 files changed, 53 insertions(+), 16 deletions(-)
+ create mode 100644 result/schematron/cve-2025-49794_0.err
+ create mode 100644 result/schematron/cve-2025-49796_0.err
+ create mode 100644 test/schematron/cve-2025-49794.sct
+ create mode 100644 test/schematron/cve-2025-49794_0.xml
+ create mode 100644 test/schematron/cve-2025-49796.sct
+ create mode 100644 test/schematron/cve-2025-49796_0.xml
+diff --git a/result/schematron/cve-2025-49794_0.err b/result/schematron/cve-2025-49794_0.err
+new file mode 100644
+index 0000000..5775231
+--- /dev/null
+++ b/result/schematron/cve-2025-49794_0.err
+@@ -0,0 +1,2 @@
+./test/schematron/cve-2025-49794_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:  
+./test/schematron/cve-2025-49794_0.xml fails to validate
+diff --git a/result/schematron/cve-2025-49796_0.err b/result/schematron/cve-2025-49796_0.err
+new file mode 100644
+index 0000000..bf875ee
+--- /dev/null
+++ b/result/schematron/cve-2025-49796_0.err
+@@ -0,0 +1,2 @@
+./test/schematron/cve-2025-49796_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:  
+./test/schematron/cve-2025-49796_0.xml fails to validate
+diff --git a/schematron.c b/schematron.c
+index ddbb069..5ebca64 100644
+--- a/schematron.c
+++ b/schematron.c
+@@ -1239,27 +1239,16 @@ exit:
+  *                                                                     *
+  ************************************************************************/
+ 
+-static xmlNodePtr
+static xmlXPathObjectPtr
+ xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt,
+                      xmlNodePtr cur, const xmlChar *xpath) {
+-    xmlNodePtr node = NULL;
+-    xmlXPathObjectPtr ret;
+ 
+     if ((ctxt == NULL) || (cur == NULL) || (xpath == NULL))
+         return(NULL);
+ 
+     ctxt->xctxt->doc = cur->doc;
+     ctxt->xctxt->node = cur;
+-    ret = xmlXPathEval(xpath, ctxt->xctxt);
+-    if (ret == NULL)
+-        return(NULL);
+-
+-    if ((ret->type == XPATH_NODESET) &&
+-        (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0))
+-       node = ret->nodesetval->nodeTab[0];
+-
+-    xmlXPathFreeObject(ret);
+-    return(node);
+    return(xmlXPathEval(xpath, ctxt->xctxt));
+ }
+ 
+ /**
+@@ -1304,18 +1293,26 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
+            (child->type == XML_CDATA_SECTION_NODE))
+            ret = xmlStrcat(ret, child->content);
+        else if (IS_SCHEMATRON(child, "name")) {
+            xmlXPathObject *obj = NULL;
+            xmlChar *path;
+ 
+            path = xmlGetNoNsProp(child, BAD_CAST "path");
+ 
+             node = cur;
+            if (path != NULL) {
+-               node = xmlSchematronGetNode(ctxt, cur, path);
+-               if (node == NULL)
+-                   node = cur;
+                obj = xmlSchematronGetNode(ctxt, cur, path);
+                if ((obj != NULL) &&
+                    (obj->type == XPATH_NODESET) &&
+                    (obj->nodesetval != NULL) &&
+                    (obj->nodesetval->nodeNr > 0))
+                    node = obj->nodesetval->nodeTab[0];
+                xmlFree(path);
+            }
+ 
+            switch (node->type) {
+                case XML_ELEMENT_NODE:
+                case XML_ATTRIBUTE_NODE:
+
+            if ((node->ns == NULL) || (node->ns->prefix == NULL))
+                ret = xmlStrcat(ret, node->name);
+            else {
+@@ -1323,6 +1320,14 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
+                ret = xmlStrcat(ret, BAD_CAST ":");
+                ret = xmlStrcat(ret, node->name);
+            }
+           break;
+
+               /* TODO: handle other node types */
+               default:
+           break;
+            }
+
+            xmlXPathFreeObject(obj);
+        } else {
+            child = child->next;
+            continue;
+diff --git a/test/schematron/cve-2025-49794.sct b/test/schematron/cve-2025-49794.sct
+new file mode 100644
+index 0000000..7fc9ee3
+--- /dev/null
+++ b/test/schematron/cve-2025-49794.sct
+@@ -0,0 +1,10 @@
+<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
+    <sch:pattern id="">
+        <sch:rule context="boo0">
+            <sch:report test="not(0)">
+                <sch:name path="&#9;e|namespace::*|e"/>
+            </sch:report>
+            <sch:report test="0"></sch:report>
+        </sch:rule>
+    </sch:pattern>
+</sch:schema>
+diff --git a/test/schematron/cve-2025-49794_0.xml b/test/schematron/cve-2025-49794_0.xml
+new file mode 100644
+index 0000000..debc64b
+--- /dev/null
+++ b/test/schematron/cve-2025-49794_0.xml
+@@ -0,0 +1,6 @@
+<librar0>
+    <boo0 t="">
+        <author></author>
+    </boo0>
+    <ins></ins>
+</librar0>
+diff --git a/test/schematron/cve-2025-49796.sct b/test/schematron/cve-2025-49796.sct
+new file mode 100644
+index 0000000..e9702d7
+--- /dev/null
+++ b/test/schematron/cve-2025-49796.sct
+@@ -0,0 +1,9 @@
+<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
+    <sch:pattern id="">
+        <sch:rule context="boo0">
+            <sch:report test="not(0)">
+                <sch:name path="/"/>
+            </sch:report>
+        </sch:rule>
+    </sch:pattern>
+</sch:schema>
+diff --git a/test/schematron/cve-2025-49796_0.xml b/test/schematron/cve-2025-49796_0.xml
+new file mode 100644
+index 0000000..be33c4e
+--- /dev/null
+++ b/test/schematron/cve-2025-49796_0.xml
+@@ -0,0 +1,3 @@
+<librar0>
+    <boo0/>
+</librar0>
+-- 
+2.49.0
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index 45424e59ff..baac155270 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -40,6 +40,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
           file://CVE-2025-32414.patch \
           file://CVE-2025-32415.patch \
           file://CVE-2025-6021.patch \
+           file://CVE-2025-49794-CVE-2025-49796.patch \
           "
 SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
author	Hitendra Prajapati <hprajapati@mvista.com>	2025-07-09 15:13:27 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-07-18 08:32:26 -0700
commit	c0623fde1f90f718c0c1abded88f387a055808fa (patch)
tree	d19b6711564a7e9e571be537da5e8621c8d88298
parent	7def40e0b15ea45ea46c1981024ee040f81e34c3 (diff)
download	poky-c0623fde1f90f718c0c1abded88f387a055808fa.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-49794-CVE-2025-49796.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-49794-CVE-2025-49796.patch new file mode 100644 index 0000000000..3ec8b4173f --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-49794-CVE-2025-49796.patch
@@ -0,0 +1,181 @@
		1	From 71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Fri, 4 Jul 2025 14:28:26 +0200
		4	Subject: [PATCH] schematron: Fix memory safety issues in
		5	xmlSchematronReportOutput
		6
		7	Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796)
		8	in xmlSchematronReportOutput.
		9
		10	Fixes #931.
		11	Fixes #933.
		12
		13	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b]
		14	CVE: CVE-2025-49794 CVE-2025-49796
		15	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		16	---
		17	result/schematron/cve-2025-49794_0.err \| 2 ++
		18	result/schematron/cve-2025-49796_0.err \| 2 ++
		19	schematron.c \| 37 +++++++++++++++-----------
		20	test/schematron/cve-2025-49794.sct \| 10 +++++++
		21	test/schematron/cve-2025-49794_0.xml \| 6 +++++
		22	test/schematron/cve-2025-49796.sct \| 9 +++++++
		23	test/schematron/cve-2025-49796_0.xml \| 3 +++
		24	7 files changed, 53 insertions(+), 16 deletions(-)
		25	create mode 100644 result/schematron/cve-2025-49794_0.err
		26	create mode 100644 result/schematron/cve-2025-49796_0.err
		27	create mode 100644 test/schematron/cve-2025-49794.sct
		28	create mode 100644 test/schematron/cve-2025-49794_0.xml
		29	create mode 100644 test/schematron/cve-2025-49796.sct
		30	create mode 100644 test/schematron/cve-2025-49796_0.xml
		31
		32	diff --git a/result/schematron/cve-2025-49794_0.err b/result/schematron/cve-2025-49794_0.err
		33	new file mode 100644
		34	index 0000000..5775231
		35	--- /dev/null
		36	+++ b/result/schematron/cve-2025-49794_0.err
		37	@@ -0,0 +1,2 @@
		38	+./test/schematron/cve-2025-49794_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:
		39	+./test/schematron/cve-2025-49794_0.xml fails to validate
		40	diff --git a/result/schematron/cve-2025-49796_0.err b/result/schematron/cve-2025-49796_0.err
		41	new file mode 100644
		42	index 0000000..bf875ee
		43	--- /dev/null
		44	+++ b/result/schematron/cve-2025-49796_0.err
		45	@@ -0,0 +1,2 @@
		46	+./test/schematron/cve-2025-49796_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:
		47	+./test/schematron/cve-2025-49796_0.xml fails to validate
		48	diff --git a/schematron.c b/schematron.c
		49	index ddbb069..5ebca64 100644
		50	--- a/schematron.c
		51	+++ b/schematron.c
		52	@@ -1239,27 +1239,16 @@ exit:
		53	* *
		54	************************************************************************/
		55
		56	-static xmlNodePtr
		57	+static xmlXPathObjectPtr
		58	xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt,
		59	xmlNodePtr cur, const xmlChar *xpath) {
		60	- xmlNodePtr node = NULL;
		61	- xmlXPathObjectPtr ret;
		62
		63	if ((ctxt == NULL) \|\| (cur == NULL) \|\| (xpath == NULL))
		64	return(NULL);
		65
		66	ctxt->xctxt->doc = cur->doc;
		67	ctxt->xctxt->node = cur;
		68	- ret = xmlXPathEval(xpath, ctxt->xctxt);
		69	- if (ret == NULL)
		70	- return(NULL);
		71	-
		72	- if ((ret->type == XPATH_NODESET) &&
		73	- (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0))
		74	- node = ret->nodesetval->nodeTab[0];
		75	-
		76	- xmlXPathFreeObject(ret);
		77	- return(node);
		78	+ return(xmlXPathEval(xpath, ctxt->xctxt));
		79	}
		80
		81	/**
		82	@@ -1304,18 +1293,26 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
		83	(child->type == XML_CDATA_SECTION_NODE))
		84	ret = xmlStrcat(ret, child->content);
		85	else if (IS_SCHEMATRON(child, "name")) {
		86	+ xmlXPathObject *obj = NULL;
		87	xmlChar *path;
		88
		89	path = xmlGetNoNsProp(child, BAD_CAST "path");
		90
		91	node = cur;
		92	if (path != NULL) {
		93	- node = xmlSchematronGetNode(ctxt, cur, path);
		94	- if (node == NULL)
		95	- node = cur;
		96	+ obj = xmlSchematronGetNode(ctxt, cur, path);
		97	+ if ((obj != NULL) &&
		98	+ (obj->type == XPATH_NODESET) &&
		99	+ (obj->nodesetval != NULL) &&
		100	+ (obj->nodesetval->nodeNr > 0))
		101	+ node = obj->nodesetval->nodeTab[0];
		102	xmlFree(path);
		103	}
		104
		105	+ switch (node->type) {
		106	+ case XML_ELEMENT_NODE:
		107	+ case XML_ATTRIBUTE_NODE:
		108	+
		109	if ((node->ns == NULL) \|\| (node->ns->prefix == NULL))
		110	ret = xmlStrcat(ret, node->name);
		111	else {
		112	@@ -1323,6 +1320,14 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
		113	ret = xmlStrcat(ret, BAD_CAST ":");
		114	ret = xmlStrcat(ret, node->name);
		115	}
		116	+ break;
		117	+
		118	+ /* TODO: handle other node types */
		119	+ default:
		120	+ break;
		121	+ }
		122	+
		123	+ xmlXPathFreeObject(obj);
		124	} else {
		125	child = child->next;
		126	continue;
		127	diff --git a/test/schematron/cve-2025-49794.sct b/test/schematron/cve-2025-49794.sct
		128	new file mode 100644
		129	index 0000000..7fc9ee3
		130	--- /dev/null
		131	+++ b/test/schematron/cve-2025-49794.sct
		132	@@ -0,0 +1,10 @@
		133	+<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
		134	+ <sch:pattern id="">
		135	+ <sch:rule context="boo0">
		136	+ <sch:report test="not(0)">
		137	+ <sch:name path=" e\|namespace::*\|e"/>
		138	+ </sch:report>
		139	+ <sch:report test="0"></sch:report>
		140	+ </sch:rule>
		141	+ </sch:pattern>
		142	+</sch:schema>
		143	diff --git a/test/schematron/cve-2025-49794_0.xml b/test/schematron/cve-2025-49794_0.xml
		144	new file mode 100644
		145	index 0000000..debc64b
		146	--- /dev/null
		147	+++ b/test/schematron/cve-2025-49794_0.xml
		148	@@ -0,0 +1,6 @@
		149	+<librar0>
		150	+ <boo0 t="">
		151	+ <author></author>
		152	+ </boo0>
		153	+ <ins></ins>
		154	+</librar0>
		155	diff --git a/test/schematron/cve-2025-49796.sct b/test/schematron/cve-2025-49796.sct
		156	new file mode 100644
		157	index 0000000..e9702d7
		158	--- /dev/null
		159	+++ b/test/schematron/cve-2025-49796.sct
		160	@@ -0,0 +1,9 @@
		161	+<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
		162	+ <sch:pattern id="">
		163	+ <sch:rule context="boo0">
		164	+ <sch:report test="not(0)">
		165	+ <sch:name path="/"/>
		166	+ </sch:report>
		167	+ </sch:rule>
		168	+ </sch:pattern>
		169	+</sch:schema>
		170	diff --git a/test/schematron/cve-2025-49796_0.xml b/test/schematron/cve-2025-49796_0.xml
		171	new file mode 100644
		172	index 0000000..be33c4e
		173	--- /dev/null
		174	+++ b/test/schematron/cve-2025-49796_0.xml
		175	@@ -0,0 +1,3 @@
		176	+<librar0>
		177	+ <boo0/>
		178	+</librar0>
		179	--
		180	2.49.0
		181


diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index 45424e59ff..baac155270 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -40,6 +40,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
40	file://CVE-2025-32414.patch \	40	file://CVE-2025-32414.patch \
41	file://CVE-2025-32415.patch \	41	file://CVE-2025-32415.patch \
42	file://CVE-2025-6021.patch \	42	file://CVE-2025-6021.patch \
		43	file://CVE-2025-49794-CVE-2025-49796.patch \
43	"	44	"
44		45
45	SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"	46	SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"