[AutoPR- Security] Patch libxml2 for CVE-2026-0990, CVE-2026-0992, CVE-2025-8732 [MEDIUM] (#15529)

Co-authored-by: akhila-guruju <v-guakhila@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>

Author: 3 people

SPECS/libxml2/CVE-2025-8732.patch

@@ -0,0 +1,144 @@
+From c8e11a7d05946bf69d835adafa8ad98dad0c5e74 Mon Sep 17 00:00:00 2001
+From: Nathan <nathan.shain@echohq.com>
+Date: Wed, 10 Sep 2025 18:11:50 +0300
+Subject: [PATCH] fix: Prevent infinite recursion in xmlCatalogListXMLResolve
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/337.patch
+---
+ catalog.c                      | 28 ++++++++++++++++++++--------
+ result/catalogs/recursive      |  1 +
+ test/catalogs/recursive.script |  0
+ test/catalogs/recursive.sgml   |  1 +
+ 4 files changed, 22 insertions(+), 8 deletions(-)
+ create mode 100644 result/catalogs/recursive
+ create mode 100644 test/catalogs/recursive.script
+ create mode 100644 test/catalogs/recursive.sgml
+
+diff --git a/catalog.c b/catalog.c
+index 3886d84..eaa2a5f 100644
+--- a/catalog.c
++++ b/catalog.c
+@@ -84,7 +84,7 @@ unsigned long __stdcall GetModuleFileNameA(void*, char*, unsigned long);
+ #endif
+ 
+ static xmlChar *xmlCatalogNormalizePublic(const xmlChar *pubID);
+-static int xmlExpandCatalog(xmlCatalogPtr catal, const char *filename);
++static int xmlExpandCatalog(xmlCatalogPtr catal, const char *filename, int depth);
+ 
+ /************************************************************************
+  *									*
+@@ -2351,17 +2351,24 @@ xmlGetSGMLCatalogEntryType(const xmlChar *name) {
+  * Parse an SGML catalog content and fill up the @catal hash table with
+  * the new entries found.
+  *
++ * @param depth  the current depth of the catalog
+  * Returns 0 in case of success, -1 in case of error.
+  */
+ static int
+ xmlParseSGMLCatalog(xmlCatalogPtr catal, const xmlChar *value,
+-	            const char *file, int super) {
++                   const char *file, int super, int depth) {
+     const xmlChar *cur = value;
+     xmlChar *base = NULL;
+     int res;
+ 
+     if ((cur == NULL) || (file == NULL))
+         return(-1);
++
++    /* Check recursion depth */
++    if (depth > MAX_CATAL_DEPTH) {
++        return(-1);
++    }
++
+     base = xmlStrdup((const xmlChar *) file);
+ 
+     while ((cur != NULL) && (cur[0] != 0)) {
+@@ -2539,7 +2546,7 @@ xmlParseSGMLCatalog(xmlCatalogPtr catal, const xmlChar *value,
+ 
+ 		    filename = xmlBuildURI(sysid, base);
+ 		    if (filename != NULL) {
+-			xmlExpandCatalog(catal, (const char *)filename);
++			xmlExpandCatalog(catal, (const char *)filename, depth);
+ 			xmlFree(filename);
+ 		    }
+ 		}
+@@ -2689,7 +2696,7 @@ xmlLoadSGMLSuperCatalog(const char *filename)
+ 	return(NULL);
+     }
+ 
+-    ret = xmlParseSGMLCatalog(catal, content, filename, 1);
++    ret = xmlParseSGMLCatalog(catal, content, filename, 1, 0);
+     xmlFree(content);
+     if (ret < 0) {
+ 	xmlFreeCatalog(catal);
+@@ -2735,7 +2742,7 @@ xmlLoadACatalog(const char *filename)
+ 	    xmlFree(content);
+ 	    return(NULL);
+ 	}
+-        ret = xmlParseSGMLCatalog(catal, content, filename, 0);
++        ret = xmlParseSGMLCatalog(catal, content, filename, 0, 0);
+ 	if (ret < 0) {
+ 	    xmlFreeCatalog(catal);
+ 	    xmlFree(content);
+@@ -2762,16 +2769,21 @@ xmlLoadACatalog(const char *filename)
+  * Load the catalog and expand the existing catal structure.
+  * This can be either an XML Catalog or an SGML Catalog
+  *
++ * @param depth  the current depth of the catalog
+  * Returns 0 in case of success, -1 in case of error
+  */
+ static int
+-xmlExpandCatalog(xmlCatalogPtr catal, const char *filename)
++xmlExpandCatalog(xmlCatalogPtr catal, const char *filename, int depth)
+ {
+     int ret;
+ 
+     if ((catal == NULL) || (filename == NULL))
+ 	return(-1);
+ 
++    /* Check recursion depth */
++    if (depth > MAX_CATAL_DEPTH) {
++       return(-1);
++    }
+ 
+     if (catal->type == XML_SGML_CATALOG_TYPE) {
+ 	xmlChar *content;
+@@ -2780,7 +2792,7 @@ xmlExpandCatalog(xmlCatalogPtr catal, const char *filename)
+ 	if (content == NULL)
+ 	    return(-1);
+ 
+-        ret = xmlParseSGMLCatalog(catal, content, filename, 0);
++        ret = xmlParseSGMLCatalog(catal, content, filename, 0, depth + 1);
+ 	if (ret < 0) {
+ 	    xmlFree(content);
+ 	    return(-1);
+@@ -3250,7 +3262,7 @@ xmlLoadCatalog(const char *filename)
+ 	return(0);
+     }
+ 
+-    ret = xmlExpandCatalog(xmlDefaultCatalog, filename);
++    ret = xmlExpandCatalog(xmlDefaultCatalog, filename, 0);
+     xmlRMutexUnlock(xmlCatalogMutex);
+     return(ret);
+ }
+diff --git a/result/catalogs/recursive b/result/catalogs/recursive
+new file mode 100644
+index 0000000..d9e80f6
+--- /dev/null
++++ b/result/catalogs/recursive
+@@ -0,0 +1 @@
++>
+diff --git a/test/catalogs/recursive.script b/test/catalogs/recursive.script
+new file mode 100644
+index 0000000..e69de29
+diff --git a/test/catalogs/recursive.sgml b/test/catalogs/recursive.sgml
+new file mode 100644
+index 0000000..ac2148b
+--- /dev/null
++++ b/test/catalogs/recursive.sgml
+@@ -0,0 +1 @@
++CATALOG recursive.sgml
+-- 
+2.45.4
+

SPECS/libxml2/CVE-2026-0990.patch

@@ -0,0 +1,77 @@
+From 1961208e958ca22f80a0b4e4c9d71cfa050aa982 Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <daniel.garcia@suse.com>
+Date: Wed, 17 Dec 2025 15:24:08 +0100
+Subject: [PATCH] catalog: prevent inf recursion in xmlCatalogXMLResolveURI
+
+Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018
+
+Upstream Patch reference: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1961208e958ca22f80a0b4e4c9d71cfa050aa982.patch
+---
+ catalog.c | 31 +++++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/catalog.c b/catalog.c
+index 24a49f3..20e9576 100644
+--- a/catalog.c
++++ b/catalog.c
+@@ -2087,12 +2087,21 @@ static xmlChar *
+ xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) {
+     xmlChar *ret = NULL;
+     xmlChar *urnID = NULL;
++    xmlCatalogEntryPtr cur = NULL;
+ 
+     if (catal == NULL)
+         return(NULL);
+     if (URI == NULL)
+ 	return(NULL);
+ 
++    if (catal->depth > MAX_CATAL_DEPTH) {
++	xmlCatalogErr(catal, NULL, XML_CATALOG_RECURSION,
++		      "Detected recursion in catalog %s\n",
++		      catal->name, NULL, NULL);
++	return(NULL);
++    }
++    catal->depth++;
++
+     if (!xmlStrncmp(URI, BAD_CAST XML_URN_PUBID, sizeof(XML_URN_PUBID) - 1)) {
+ 	urnID = xmlCatalogUnWrapURN(URI);
+ 	if (xmlDebugCatalogs) {
+@@ -2106,21 +2115,27 @@ xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) {
+ 	ret = xmlCatalogListXMLResolve(catal, urnID, NULL);
+ 	if (urnID != NULL)
+ 	    xmlFree(urnID);
++	catal->depth--;
+ 	return(ret);
+     }
+-    while (catal != NULL) {
+-	if (catal->type == XML_CATA_CATALOG) {
+-	    if (catal->children == NULL) {
+-		xmlFetchXMLCatalogFile(catal);
++    cur = catal;
++    while (cur != NULL) {
++	if (cur->type == XML_CATA_CATALOG) {
++	    if (cur->children == NULL) {
++		xmlFetchXMLCatalogFile(cur);
+ 	    }
+-	    if (catal->children != NULL) {
+-		ret = xmlCatalogXMLResolveURI(catal->children, URI);
+-		if (ret != NULL)
++	    if (cur->children != NULL) {
++		ret = xmlCatalogXMLResolveURI(cur->children, URI);
++		if (ret != NULL) {
++		    catal->depth--;
+ 		    return(ret);
++		}
+ 	    }
+ 	}
+-	catal = catal->next;
++	cur = cur->next;
+     }
++
++    catal->depth--;
+     return(ret);
+ }
+ 
+-- 
+2.43.0
+

SPECS/libxml2/CVE-2026-0992.patch

@@ -0,0 +1,85 @@
+From f75abfcaa419a740a3191e56c60400f3ff18988d Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <daniel.garcia@suse.com>
+Date: Fri, 19 Dec 2025 11:02:18 +0100
+Subject: [PATCH] catalog: Ignore repeated nextCatalog entries
+
+This patch makes the catalog parsing to ignore repeated entries of
+nextCatalog with the same value.
+
+Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
+
+Upstream Patch reference: https://gitlab.gnome.org/GNOME/libxml2/-/commit/f75abfcaa419a740a3191e56c60400f3ff18988d.patch
+---
+ catalog.c | 26 ++++++++++++++++++++++++++
+ error.c   | 11 +++++++++++
+ 2 files changed, 37 insertions(+)
+
+diff --git a/catalog.c b/catalog.c
+index 20e9576..3886d84 100644
+--- a/catalog.c
++++ b/catalog.c
+@@ -242,6 +242,14 @@ xmlCatalogErr(xmlCatalogEntryPtr catal, xmlNodePtr node, int error,
+ 		    msg, str1, str2, str3);
+ }
+ 
++static void
++xmlCatalogPrintDebug(const char *fmt, ...) {
++    va_list ap;
++
++    va_start(ap, fmt);
++    xmlVPrintErrorMessage(fmt, ap);
++    va_end(ap);
++}
+ 
+ /************************************************************************
+  *									*
+@@ -1267,9 +1275,27 @@ xmlParseXMLCatalogNode(xmlNodePtr cur, xmlCatalogPrefer prefer,
+ 		BAD_CAST "delegateURI", BAD_CAST "uriStartString",
+ 		BAD_CAST "catalog", prefer, cgroup);
+     } else if (xmlStrEqual(cur->name, BAD_CAST "nextCatalog")) {
++	xmlCatalogEntryPtr prev = parent->children;
++
+ 	entry = xmlParseXMLCatalogOneNode(cur, XML_CATA_NEXT_CATALOG,
+ 		BAD_CAST "nextCatalog", NULL,
+ 		BAD_CAST "catalog", prefer, cgroup);
++	/* Avoid duplication of nextCatalog */
++	while (prev != NULL) {
++	    if ((prev->type == XML_CATA_NEXT_CATALOG) &&
++		(xmlStrEqual (prev->URL, entry->URL)) &&
++		(xmlStrEqual (prev->value, entry->value)) &&
++		(prev->prefer == entry->prefer) &&
++		(prev->group == entry->group)) {
++		    if (xmlDebugCatalogs)
++			xmlCatalogPrintDebug(
++			    "Ignoring repeated nextCatalog %s\n", entry->URL);
++		    xmlFreeCatalogEntry(entry, NULL);
++		    entry = NULL;
++		    break;
++	    }
++	    prev = prev->next;
++	}
+     }
+     if (entry != NULL) {
+         if (parent != NULL) {
+diff --git a/error.c b/error.c
+index 4de1418..a77e2da 100644
+--- a/error.c
++++ b/error.c
+@@ -1022,3 +1022,14 @@ xmlCopyError(xmlErrorPtr from, xmlErrorPtr to) {
+     return 0;
+ }
+ 
++/**
++ * Prints to stderr.
++ *
++ * @param fmt  printf-like format string
++ * @param ap  arguments
++ */
++void
++xmlVPrintErrorMessage(const char *fmt, va_list ap) {
++    vfprintf(stderr, fmt, ap);
++}
++
+-- 
+2.43.0
+

SPECS/libxml2/libxml2.spec

@@ -1,7 +1,7 @@
 Summary:        Libxml2
 Name:           libxml2
 Version:        2.11.5
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -22,6 +22,9 @@ Patch10:        CVE-2025-6170.patch
 Patch11:        CVE-2025-49794_CVE-2025-49796.patch
 Patch12:        CVE-2025-49795.patch
 Patch13:        CVE-2025-7425.patch
+Patch14:        CVE-2026-0990.patch
+Patch15:        CVE-2026-0992.patch
+Patch16:        CVE-2025-8732.patch
 
 BuildRequires:  python3-devel
 BuildRequires:  python3-xml
@@ -93,6 +96,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/cmake/libxml2/libxml2-config.cmake
 
 %changelog
+* Mon Jan 19 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.11.5-9
+- Patch for CVE-2026-0990, CVE-2026-0992, CVE-2025-8732
+
 * Mon Jan 12 2026 Akhila Guruju <v-guakhila@microsoft.com> - 2.11.5-8
 - Patch CVE-2025-7525
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -203,8 +203,8 @@ curl-8.11.1-5.azl3.aarch64.rpm
 curl-devel-8.11.1-5.azl3.aarch64.rpm
 curl-libs-8.11.1-5.azl3.aarch64.rpm
 createrepo_c-1.0.3-1.azl3.aarch64.rpm
-libxml2-2.11.5-8.azl3.aarch64.rpm
-libxml2-devel-2.11.5-8.azl3.aarch64.rpm
+libxml2-2.11.5-9.azl3.aarch64.rpm
+libxml2-devel-2.11.5-9.azl3.aarch64.rpm
 docbook-dtd-xml-4.5-11.azl3.noarch.rpm
 docbook-style-xsl-1.79.1-14.azl3.noarch.rpm
 libsepol-3.6-2.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -203,8 +203,8 @@ curl-8.11.1-5.azl3.x86_64.rpm
 curl-devel-8.11.1-5.azl3.x86_64.rpm
 curl-libs-8.11.1-5.azl3.x86_64.rpm
 createrepo_c-1.0.3-1.azl3.x86_64.rpm
-libxml2-2.11.5-8.azl3.x86_64.rpm
-libxml2-devel-2.11.5-8.azl3.x86_64.rpm
+libxml2-2.11.5-9.azl3.x86_64.rpm
+libxml2-devel-2.11.5-9.azl3.x86_64.rpm
 docbook-dtd-xml-4.5-11.azl3.noarch.rpm
 docbook-style-xsl-1.79.1-14.azl3.noarch.rpm
 libsepol-3.6-2.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -242,9 +242,9 @@ libtool-debuginfo-2.4.7-1.azl3.aarch64.rpm
 libxcrypt-4.4.36-2.azl3.aarch64.rpm
 libxcrypt-debuginfo-4.4.36-2.azl3.aarch64.rpm
 libxcrypt-devel-4.4.36-2.azl3.aarch64.rpm
-libxml2-2.11.5-8.azl3.aarch64.rpm
-libxml2-debuginfo-2.11.5-8.azl3.aarch64.rpm
-libxml2-devel-2.11.5-8.azl3.aarch64.rpm
+libxml2-2.11.5-9.azl3.aarch64.rpm
+libxml2-debuginfo-2.11.5-9.azl3.aarch64.rpm
+libxml2-devel-2.11.5-9.azl3.aarch64.rpm
 libxslt-1.1.43-3.azl3.aarch64.rpm
 libxslt-debuginfo-1.1.43-3.azl3.aarch64.rpm
 libxslt-devel-1.1.43-3.azl3.aarch64.rpm
@@ -544,7 +544,7 @@ python3-jinja2-3.1.2-3.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm
 python3-libmount-2.40.2-3.azl3.aarch64.rpm
 python3-libs-3.12.9-9.azl3.aarch64.rpm
-python3-libxml2-2.11.5-8.azl3.aarch64.rpm
+python3-libxml2-2.11.5-9.azl3.aarch64.rpm
 python3-lxml-4.9.3-1.azl3.aarch64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.aarch64.rpm