2 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch
new file mode 100644
index 0000000000..157486848b
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch
@@ -0,0 +1,59 @@
+From 33d7969baf541326a35e2fbe31943c46af8c71db Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 27 May 2025 12:53:17 +0200
+Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
+This issue affects memory safety and might receive a CVE ID later.
+Fixes #926.
+Signed-off-by: Nick Wellnhofer <wellnhofer@aevum.de>
+Add '#include <stdint.h>' to assure the definition of SIZE_MAX
+CVE: CVE-2025-6021
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ tree.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+diff --git a/tree.c b/tree.c
+index 7454b07..22ec11c 100644
+--- a/tree.c
+++ b/tree.c
+@@ -23,6 +23,7 @@
+ #include <limits.h>
+ #include <ctype.h>
+ #include <stdlib.h>
+#include <stdint.h>
+ 
+ #ifdef LIBXML_ZLIB_ENABLED
+ #include <zlib.h>
+@@ -168,10 +169,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
+ xmlChar *
+ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+              xmlChar *memory, int len) {
+-    int lenn, lenp;
+    size_t lenn, lenp;
+     xmlChar *ret;
+ 
+-    if (ncname == NULL) return(NULL);
+    if ((ncname == NULL) || (len < 0)) return(NULL);
+     if (prefix == NULL) return((xmlChar *) ncname);
+ 
+ #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+@@ -182,8 +183,10 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ 
+     lenn = strlen((char *) ncname);
+     lenp = strlen((char *) prefix);
+    if (lenn >= SIZE_MAX - lenp - 1)
+        return(NULL);
+ 
+-    if ((memory == NULL) || (len < lenn + lenp + 2)) {
+    if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+        ret = xmlMalloc(lenn + lenp + 2);
+        if (ret == NULL)
+            return(NULL);
+-- 
+2.34.1
diff --git a/meta/recipes-core/libxml/libxml2_2.14.3.bb b/meta/recipes-core/libxml/libxml2_2.14.3.bb
index da75cbe450..4baab59186 100644
--- a/meta/recipes-core/libxml/libxml2_2.14.3.bb
+++ b/meta/recipes-core/libxml/libxml2_2.14.3.bb
@@ -18,6 +18,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
           file://run-ptest \
           file://install-tests.patch \
           file://0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch \
+           file://CVE-2025-6021.patch \
           "
 SRC_URI[archive.sha256sum] = "6de55cacc8c2bc758f2ef6f93c313cb30e4dd5d84ac5d3c7ccbd9344d8cc6833"

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch new file mode 100644 index 0000000000..157486848b --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch
@@ -0,0 +1,59 @@
		1	From 33d7969baf541326a35e2fbe31943c46af8c71db Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Tue, 27 May 2025 12:53:17 +0200
		4	Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
		5
		6	This issue affects memory safety and might receive a CVE ID later.
		7
		8	Fixes #926.
		9
		10	Signed-off-by: Nick Wellnhofer <wellnhofer@aevum.de>
		11
		12	Add '#include <stdint.h>' to assure the definition of SIZE_MAX
		13	CVE: CVE-2025-6021
		14	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0]
		15	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		16	---
		17	tree.c \| 9 ++++++---
		18	1 file changed, 6 insertions(+), 3 deletions(-)
		19
		20	diff --git a/tree.c b/tree.c
		21	index 7454b07..22ec11c 100644
		22	--- a/tree.c
		23	+++ b/tree.c
		24	@@ -23,6 +23,7 @@
		25	#include <limits.h>
		26	#include <ctype.h>
		27	#include <stdlib.h>
		28	+#include <stdint.h>
		29
		30	#ifdef LIBXML_ZLIB_ENABLED
		31	#include <zlib.h>
		32	@@ -168,10 +169,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd dtd, const xmlChar name) {
		33	xmlChar *
		34	xmlBuildQName(const xmlChar ncname, const xmlChar prefix,
		35	xmlChar *memory, int len) {
		36	- int lenn, lenp;
		37	+ size_t lenn, lenp;
		38	xmlChar *ret;
		39
		40	- if (ncname == NULL) return(NULL);
		41	+ if ((ncname == NULL) \|\| (len < 0)) return(NULL);
		42	if (prefix == NULL) return((xmlChar *) ncname);
		43
		44	#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
		45	@@ -182,8 +183,10 @@ xmlBuildQName(const xmlChar ncname, const xmlChar prefix,
		46
		47	lenn = strlen((char *) ncname);
		48	lenp = strlen((char *) prefix);
		49	+ if (lenn >= SIZE_MAX - lenp - 1)
		50	+ return(NULL);
		51
		52	- if ((memory == NULL) \|\| (len < lenn + lenp + 2)) {
		53	+ if ((memory == NULL) \|\| ((size_t) len < lenn + lenp + 2)) {
		54	ret = xmlMalloc(lenn + lenp + 2);
		55	if (ret == NULL)
		56	return(NULL);
		57	--
		58	2.34.1
		59


diff --git a/meta/recipes-core/libxml/libxml2_2.14.3.bb b/meta/recipes-core/libxml/libxml2_2.14.3.bb index da75cbe450..4baab59186 100644 --- a/meta/recipes-core/libxml/libxml2_2.14.3.bb +++ b/meta/recipes-core/libxml/libxml2_2.14.3.bb
@@ -18,6 +18,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
18	file://run-ptest \	18	file://run-ptest \
19	file://install-tests.patch \	19	file://install-tests.patch \
20	file://0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch \	20	file://0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch \
		21	file://CVE-2025-6021.patch \
21	"	22	"
22		23
23	SRC_URI[archive.sha256sum] = "6de55cacc8c2bc758f2ef6f93c313cb30e4dd5d84ac5d3c7ccbd9344d8cc6833"	24	SRC_URI[archive.sha256sum] = "6de55cacc8c2bc758f2ef6f93c313cb30e4dd5d84ac5d3c7ccbd9344d8cc6833"