Skip to content

Commit 29227c6

Browse files
Ratiranjan5Ratiranjan5
authored
[Low] Patch libxml2 for CVE-2025-8732 (#15690)
1 parent 696c708 commit 29227c6

6 files changed

Lines changed: 161 additions & 13 deletions

File tree

SPECS/libxml2/CVE-2025-8732.patch

Lines changed: 144 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,144 @@
1+
From eae9291aa73907694dd3a4274d306e31217e746e Mon Sep 17 00:00:00 2001
2+
From: Nathan <nathan.shain@echohq.com>
3+
Date: Wed, 10 Sep 2025 18:11:50 +0300
4+
Subject: [PATCH] fix: Prevent infinite recursion in xmlCatalogListXMLResolve
5+
6+
Upstream patch reference:
7+
https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/337.patch
8+
---
9+
catalog.c | 28 ++++++++++++++++++++--------
10+
result/catalogs/recursive | 1 +
11+
test/catalogs/recursive.script | 0
12+
test/catalogs/recursive.sgml | 1 +
13+
4 files changed, 22 insertions(+), 8 deletions(-)
14+
create mode 100644 result/catalogs/recursive
15+
create mode 100644 test/catalogs/recursive.script
16+
create mode 100644 test/catalogs/recursive.sgml
17+
18+
diff --git a/catalog.c b/catalog.c
19+
index 8e96f4b..e8e0a0d 100644
20+
--- a/catalog.c
21+
+++ b/catalog.c
22+
@@ -84,7 +84,7 @@ unsigned long __stdcall GetModuleFileNameA(void*, char*, unsigned long);
23+
#endif
24+
25+
static xmlChar *xmlCatalogNormalizePublic(const xmlChar *pubID);
26+
-static int xmlExpandCatalog(xmlCatalogPtr catal, const char *filename);
27+
+static int xmlExpandCatalog(xmlCatalogPtr catal, const char *filename, int depth);
28+
29+
/************************************************************************
30+
* *
31+
@@ -2357,17 +2357,24 @@ xmlGetSGMLCatalogEntryType(const xmlChar *name) {
32+
* Parse an SGML catalog content and fill up the @catal hash table with
33+
* the new entries found.
34+
*
35+
+ * @param depth the current depth of the catalog
36+
* Returns 0 in case of success, -1 in case of error.
37+
*/
38+
static int
39+
xmlParseSGMLCatalog(xmlCatalogPtr catal, const xmlChar *value,
40+
- const char *file, int super) {
41+
+ const char *file, int super, int depth) {
42+
const xmlChar *cur = value;
43+
xmlChar *base = NULL;
44+
int res;
45+
46+
if ((cur == NULL) || (file == NULL))
47+
return(-1);
48+
+
49+
+ /* Check recursion depth */
50+
+ if (depth > MAX_CATAL_DEPTH) {
51+
+ return(-1);
52+
+ }
53+
+
54+
base = xmlStrdup((const xmlChar *) file);
55+
56+
while ((cur != NULL) && (cur[0] != 0)) {
57+
@@ -2545,7 +2552,7 @@ xmlParseSGMLCatalog(xmlCatalogPtr catal, const xmlChar *value,
58+
59+
filename = xmlBuildURI(sysid, base);
60+
if (filename != NULL) {
61+
- xmlExpandCatalog(catal, (const char *)filename);
62+
+ xmlExpandCatalog(catal, (const char *)filename, depth);
63+
xmlFree(filename);
64+
}
65+
}
66+
@@ -2695,7 +2702,7 @@ xmlLoadSGMLSuperCatalog(const char *filename)
67+
return(NULL);
68+
}
69+
70+
- ret = xmlParseSGMLCatalog(catal, content, filename, 1);
71+
+ ret = xmlParseSGMLCatalog(catal, content, filename, 1, 0);
72+
xmlFree(content);
73+
if (ret < 0) {
74+
xmlFreeCatalog(catal);
75+
@@ -2741,7 +2748,7 @@ xmlLoadACatalog(const char *filename)
76+
xmlFree(content);
77+
return(NULL);
78+
}
79+
- ret = xmlParseSGMLCatalog(catal, content, filename, 0);
80+
+ ret = xmlParseSGMLCatalog(catal, content, filename, 0, 0);
81+
if (ret < 0) {
82+
xmlFreeCatalog(catal);
83+
xmlFree(content);
84+
@@ -2768,16 +2775,21 @@ xmlLoadACatalog(const char *filename)
85+
* Load the catalog and expand the existing catal structure.
86+
* This can be either an XML Catalog or an SGML Catalog
87+
*
88+
+ * @param depth the current depth of the catalog
89+
* Returns 0 in case of success, -1 in case of error
90+
*/
91+
static int
92+
-xmlExpandCatalog(xmlCatalogPtr catal, const char *filename)
93+
+xmlExpandCatalog(xmlCatalogPtr catal, const char *filename, int depth)
94+
{
95+
int ret;
96+
97+
if ((catal == NULL) || (filename == NULL))
98+
return(-1);
99+
100+
+ /* Check recursion depth */
101+
+ if (depth > MAX_CATAL_DEPTH) {
102+
+ return(-1);
103+
+ }
104+
105+
if (catal->type == XML_SGML_CATALOG_TYPE) {
106+
xmlChar *content;
107+
@@ -2786,7 +2798,7 @@ xmlExpandCatalog(xmlCatalogPtr catal, const char *filename)
108+
if (content == NULL)
109+
return(-1);
110+
111+
- ret = xmlParseSGMLCatalog(catal, content, filename, 0);
112+
+ ret = xmlParseSGMLCatalog(catal, content, filename, 0, depth + 1);
113+
if (ret < 0) {
114+
xmlFree(content);
115+
return(-1);
116+
@@ -3254,7 +3266,7 @@ xmlLoadCatalog(const char *filename)
117+
return(0);
118+
}
119+
120+
- ret = xmlExpandCatalog(xmlDefaultCatalog, filename);
121+
+ ret = xmlExpandCatalog(xmlDefaultCatalog, filename, 0);
122+
xmlRMutexUnlock(xmlCatalogMutex);
123+
return(ret);
124+
}
125+
diff --git a/result/catalogs/recursive b/result/catalogs/recursive
126+
new file mode 100644
127+
index 0000000..d9e80f6
128+
--- /dev/null
129+
+++ b/result/catalogs/recursive
130+
@@ -0,0 +1 @@
131+
+>
132+
diff --git a/test/catalogs/recursive.script b/test/catalogs/recursive.script
133+
new file mode 100644
134+
index 0000000..e69de29
135+
diff --git a/test/catalogs/recursive.sgml b/test/catalogs/recursive.sgml
136+
new file mode 100644
137+
index 0000000..ac2148b
138+
--- /dev/null
139+
+++ b/test/catalogs/recursive.sgml
140+
@@ -0,0 +1 @@
141+
+CATALOG recursive.sgml
142+
--
143+
2.45.4
144+

SPECS/libxml2/libxml2.spec

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
Summary: Libxml2
22
Name: libxml2
33
Version: 2.10.4
4-
Release: 10%{?dist}
4+
Release: 11%{?dist}
55
License: MIT
66
Vendor: Microsoft Corporation
77
Distribution: Mariner
@@ -24,6 +24,7 @@ Patch12: CVE-2025-49795.patch
2424
Patch13: CVE-2025-7425.patch
2525
Patch14: CVE-2026-0990.patch
2626
Patch15: CVE-2026-0992.patch
27+
Patch16: CVE-2025-8732.patch
2728
BuildRequires: python3-devel
2829
BuildRequires: python3-xml
2930
Provides: %{name}-tools = %{version}-%{release}
@@ -94,6 +95,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
9495
%{_libdir}/cmake/libxml2/libxml2-config.cmake
9596

9697
%changelog
98+
* Tue Feb 03 2026 Ratiranjan Behera <v-ratbehera@microsoft.com> - 2.10.4-11
99+
- Patch for CVE-2025-8732
100+
97101
* Tue Jan 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.10.4-10
98102
- Patch for CVE-2026-0992, CVE-2026-0990, CVE-2025-7425
99103

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -194,8 +194,8 @@ curl-8.8.0-8.cm2.aarch64.rpm
194194
curl-devel-8.8.0-8.cm2.aarch64.rpm
195195
curl-libs-8.8.0-8.cm2.aarch64.rpm
196196
createrepo_c-0.17.5-1.cm2.aarch64.rpm
197-
libxml2-2.10.4-10.cm2.aarch64.rpm
198-
libxml2-devel-2.10.4-10.cm2.aarch64.rpm
197+
libxml2-2.10.4-11.cm2.aarch64.rpm
198+
libxml2-devel-2.10.4-11.cm2.aarch64.rpm
199199
docbook-dtd-xml-4.5-11.cm2.noarch.rpm
200200
docbook-style-xsl-1.79.1-14.cm2.noarch.rpm
201201
libsepol-3.2-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -194,8 +194,8 @@ curl-8.8.0-8.cm2.x86_64.rpm
194194
curl-devel-8.8.0-8.cm2.x86_64.rpm
195195
curl-libs-8.8.0-8.cm2.x86_64.rpm
196196
createrepo_c-0.17.5-1.cm2.x86_64.rpm
197-
libxml2-2.10.4-10.cm2.x86_64.rpm
198-
libxml2-devel-2.10.4-10.cm2.x86_64.rpm
197+
libxml2-2.10.4-11.cm2.x86_64.rpm
198+
libxml2-devel-2.10.4-11.cm2.x86_64.rpm
199199
docbook-dtd-xml-4.5-11.cm2.noarch.rpm
200200
docbook-style-xsl-1.79.1-14.cm2.noarch.rpm
201201
libsepol-3.2-2.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -209,9 +209,9 @@ libtasn1-debuginfo-4.19.0-3.cm2.aarch64.rpm
209209
libtasn1-devel-4.19.0-3.cm2.aarch64.rpm
210210
libtool-2.4.6-8.cm2.aarch64.rpm
211211
libtool-debuginfo-2.4.6-8.cm2.aarch64.rpm
212-
libxml2-2.10.4-10.cm2.aarch64.rpm
213-
libxml2-debuginfo-2.10.4-10.cm2.aarch64.rpm
214-
libxml2-devel-2.10.4-10.cm2.aarch64.rpm
212+
libxml2-2.10.4-11.cm2.aarch64.rpm
213+
libxml2-debuginfo-2.10.4-11.cm2.aarch64.rpm
214+
libxml2-devel-2.10.4-11.cm2.aarch64.rpm
215215
libxslt-1.1.34-10.cm2.aarch64.rpm
216216
libxslt-debuginfo-1.1.34-10.cm2.aarch64.rpm
217217
libxslt-devel-1.1.34-10.cm2.aarch64.rpm
@@ -521,7 +521,7 @@ python3-gpg-1.16.0-2.cm2.aarch64.rpm
521521
python3-jinja2-3.0.3-7.cm2.noarch.rpm
522522
python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
523523
python3-libs-3.9.19-19.cm2.aarch64.rpm
524-
python3-libxml2-2.10.4-10.cm2.aarch64.rpm
524+
python3-libxml2-2.10.4-11.cm2.aarch64.rpm
525525
python3-lxml-4.9.1-1.cm2.aarch64.rpm
526526
python3-magic-5.40-3.cm2.noarch.rpm
527527
python3-markupsafe-2.1.0-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -215,9 +215,9 @@ libtasn1-debuginfo-4.19.0-3.cm2.x86_64.rpm
215215
libtasn1-devel-4.19.0-3.cm2.x86_64.rpm
216216
libtool-2.4.6-8.cm2.x86_64.rpm
217217
libtool-debuginfo-2.4.6-8.cm2.x86_64.rpm
218-
libxml2-2.10.4-10.cm2.x86_64.rpm
219-
libxml2-debuginfo-2.10.4-10.cm2.x86_64.rpm
220-
libxml2-devel-2.10.4-10.cm2.x86_64.rpm
218+
libxml2-2.10.4-11.cm2.x86_64.rpm
219+
libxml2-debuginfo-2.10.4-11.cm2.x86_64.rpm
220+
libxml2-devel-2.10.4-11.cm2.x86_64.rpm
221221
libxslt-1.1.34-10.cm2.x86_64.rpm
222222
libxslt-debuginfo-1.1.34-10.cm2.x86_64.rpm
223223
libxslt-devel-1.1.34-10.cm2.x86_64.rpm
@@ -527,7 +527,7 @@ python3-gpg-1.16.0-2.cm2.x86_64.rpm
527527
python3-jinja2-3.0.3-7.cm2.noarch.rpm
528528
python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
529529
python3-libs-3.9.19-19.cm2.x86_64.rpm
530-
python3-libxml2-2.10.4-10.cm2.x86_64.rpm
530+
python3-libxml2-2.10.4-11.cm2.x86_64.rpm
531531
python3-lxml-4.9.1-1.cm2.x86_64.rpm
532532
python3-magic-5.40-3.cm2.noarch.rpm
533533
python3-markupsafe-2.1.0-1.cm2.x86_64.rpm

0 commit comments

Comments
 (0)