[AutoPR- Security] Patch libxml2 for CVE-2026-0992, CVE-2026-0990, CVE-2025-7425 [HIGH] (#15583)

azurelinux-security · akhila-guruju · web-flow · commit 871dde8b81f7 · 2026-01-29T12:33:40.000-05:00
Co-authored-by: akhila-guruju &lt;v-guakhila@microsoft.com&gt;
diff --git a/SPECS/libxml2/CVE-2025-7425.patch b/SPECS/libxml2/CVE-2025-7425.patch
diff --git a/SPECS/libxml2/CVE-2026-0990.patch b/SPECS/libxml2/CVE-2026-0990.patch
@@ -0,0 +1,78 @@
+From 9f4c3269fbe63615c4f9df620f734399ae04e307 Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <daniel.garcia@suse.com>
+Date: Wed, 17 Dec 2025 15:24:08 +0100
+Subject: [PATCH] catalog: prevent inf recursion in xmlCatalogXMLResolveURI
+
+Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1961208e958ca22f80a0b4e4c9d71cfa050aa982.patch
+---
+ catalog.c | 31 +++++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/catalog.c b/catalog.c
+index b7837e3..d66ee45 100644
+--- a/catalog.c
++++ b/catalog.c
+@@ -2091,12 +2091,21 @@ static xmlChar *
+ xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) {
+     xmlChar *ret = NULL;
+     xmlChar *urnID = NULL;
++    xmlCatalogEntryPtr cur = NULL;
+ 
+     if (catal == NULL)
+         return(NULL);
+     if (URI == NULL)
+ 	return(NULL);
+ 
++    if (catal->depth > MAX_CATAL_DEPTH) {
++	xmlCatalogErr(catal, NULL, XML_CATALOG_RECURSION,
++		      "Detected recursion in catalog %s\n",
++		      catal->name, NULL, NULL);
++	return(NULL);
++    }
++    catal->depth++;
++
+     if (!xmlStrncmp(URI, BAD_CAST XML_URN_PUBID, sizeof(XML_URN_PUBID) - 1)) {
+ 	urnID = xmlCatalogUnWrapURN(URI);
+ 	if (xmlDebugCatalogs) {
+@@ -2110,21 +2119,27 @@ xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) {
+ 	ret = xmlCatalogListXMLResolve(catal, urnID, NULL);
+ 	if (urnID != NULL)
+ 	    xmlFree(urnID);
++	catal->depth--;
+ 	return(ret);
+     }
+-    while (catal != NULL) {
+-	if (catal->type == XML_CATA_CATALOG) {
+-	    if (catal->children == NULL) {
+-		xmlFetchXMLCatalogFile(catal);
++    cur = catal;
++    while (cur != NULL) {
++	if (cur->type == XML_CATA_CATALOG) {
++	    if (cur->children == NULL) {
++		xmlFetchXMLCatalogFile(cur);
+ 	    }
+-	    if (catal->children != NULL) {
+-		ret = xmlCatalogXMLResolveURI(catal->children, URI);
+-		if (ret != NULL)
++	    if (cur->children != NULL) {
++		ret = xmlCatalogXMLResolveURI(cur->children, URI);
++		if (ret != NULL) {
++		    catal->depth--;
+ 		    return(ret);
++		}
+ 	    }
+ 	}
+-	catal = catal->next;
++	cur = cur->next;
+     }
++
++    catal->depth--;
+     return(ret);
+ }
+ 
+-- 
+2.45.4
+
diff --git a/SPECS/libxml2/CVE-2026-0992.patch b/SPECS/libxml2/CVE-2026-0992.patch
@@ -0,0 +1,85 @@
+rom f75abfcaa419a740a3191e56c60400f3ff18988d Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <daniel.garcia@suse.com>
+Date: Fri, 19 Dec 2025 11:02:18 +0100
+Subject: [PATCH] catalog: Ignore repeated nextCatalog entries
+
+This patch makes the catalog parsing to ignore repeated entries of
+nextCatalog with the same value.
+
+Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
+
+Upstream Patch reference: https://gitlab.gnome.org/GNOME/libxml2/-/commit/f75abfcaa419a740a3191e56c60400f3ff18988d.patch
+---
+ catalog.c | 26 ++++++++++++++++++++++++++
+ error.c   | 11 +++++++++++
+ 2 files changed, 37 insertions(+)
+
+diff --git a/catalog.c b/catalog.c
+index 20e9576..3886d84 100644
+--- a/catalog.c
++++ b/catalog.c
+@@ -242,6 +242,14 @@ xmlCatalogErr(xmlCatalogEntryPtr catal, xmlNodePtr node, int error,
+ 		    msg, str1, str2, str3);
+ }
+ 
++static void
++xmlCatalogPrintDebug(const char *fmt, ...) {
++    va_list ap;
++
++    va_start(ap, fmt);
++    xmlVPrintErrorMessage(fmt, ap);
++    va_end(ap);
++}
+ 
+ /************************************************************************
+  *									*
+@@ -1267,9 +1275,27 @@ xmlParseXMLCatalogNode(xmlNodePtr cur, xmlCatalogPrefer prefer,
+ 		BAD_CAST "delegateURI", BAD_CAST "uriStartString",
+ 		BAD_CAST "catalog", prefer, cgroup);
+     } else if (xmlStrEqual(cur->name, BAD_CAST "nextCatalog")) {
++	xmlCatalogEntryPtr prev = parent->children;
++
+ 	entry = xmlParseXMLCatalogOneNode(cur, XML_CATA_NEXT_CATALOG,
+ 		BAD_CAST "nextCatalog", NULL,
+ 		BAD_CAST "catalog", prefer, cgroup);
++	/* Avoid duplication of nextCatalog */
++	while (prev != NULL) {
++	    if ((prev->type == XML_CATA_NEXT_CATALOG) &&
++		(xmlStrEqual (prev->URL, entry->URL)) &&
++		(xmlStrEqual (prev->value, entry->value)) &&
++		(prev->prefer == entry->prefer) &&
++		(prev->group == entry->group)) {
++		    if (xmlDebugCatalogs)
++			xmlCatalogPrintDebug(
++			    "Ignoring repeated nextCatalog %s\n", entry->URL);
++		    xmlFreeCatalogEntry(entry, NULL);
++		    entry = NULL;
++		    break;
++	    }
++	    prev = prev->next;
++	}
+     }
+     if (entry != NULL) {
+         if (parent != NULL) {
+diff --git a/error.c b/error.c
+index 4de1418..a77e2da 100644
+--- a/error.c
++++ b/error.c
+@@ -1022,3 +1022,14 @@ xmlCopyError(xmlErrorPtr from, xmlErrorPtr to) {
+     return 0;
+ }
+ 
++/**
++ * Prints to stderr.
++ *
++ * @param fmt  printf-like format string
++ * @param ap  arguments
++ */
++void
++xmlVPrintErrorMessage(const char *fmt, va_list ap) {
++    vfprintf(stderr, fmt, ap);
++}
++
+-- 
+2.43.0
+
diff --git a/SPECS/libxml2/libxml2.spec b/SPECS/libxml2/libxml2.spec
@@ -1,7 +1,7 @@
 Summary:        Libxml2
 Name:           libxml2
 Version:        2.10.4
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -21,6 +21,9 @@ Patch9:         CVE-2025-6170.patch
 Patch10:        CVE-2025-6021.patch
 Patch11:        CVE-2025-49794_CVE-2025-49796.patch
 Patch12:        CVE-2025-49795.patch
+Patch13:        CVE-2025-7425.patch
+Patch14:        CVE-2026-0990.patch
+Patch15:        CVE-2026-0992.patch
 BuildRequires:  python3-devel
 BuildRequires:  python3-xml
 Provides:       %{name}-tools = %{version}-%{release}
@@ -91,6 +94,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/cmake/libxml2/libxml2-config.cmake
 
 %changelog
+* Tue Jan 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.10.4-10
+- Patch for CVE-2026-0992, CVE-2026-0990, CVE-2025-7425
+
 * Wed Oct 29 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.10.4-9
 - Patch for CVE-2025-49795
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -194,8 +194,8 @@ curl-8.8.0-7.cm2.aarch64.rpm
 curl-devel-8.8.0-7.cm2.aarch64.rpm
 curl-libs-8.8.0-7.cm2.aarch64.rpm
 createrepo_c-0.17.5-1.cm2.aarch64.rpm
-libxml2-2.10.4-9.cm2.aarch64.rpm
-libxml2-devel-2.10.4-9.cm2.aarch64.rpm
+libxml2-2.10.4-10.cm2.aarch64.rpm
+libxml2-devel-2.10.4-10.cm2.aarch64.rpm
 docbook-dtd-xml-4.5-11.cm2.noarch.rpm
 docbook-style-xsl-1.79.1-14.cm2.noarch.rpm
 libsepol-3.2-2.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -194,8 +194,8 @@ curl-8.8.0-7.cm2.x86_64.rpm
 curl-devel-8.8.0-7.cm2.x86_64.rpm
 curl-libs-8.8.0-7.cm2.x86_64.rpm
 createrepo_c-0.17.5-1.cm2.x86_64.rpm
-libxml2-2.10.4-9.cm2.x86_64.rpm
-libxml2-devel-2.10.4-9.cm2.x86_64.rpm
+libxml2-2.10.4-10.cm2.x86_64.rpm
+libxml2-devel-2.10.4-10.cm2.x86_64.rpm
 docbook-dtd-xml-4.5-11.cm2.noarch.rpm
 docbook-style-xsl-1.79.1-14.cm2.noarch.rpm
 libsepol-3.2-2.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -209,9 +209,9 @@ libtasn1-debuginfo-4.19.0-2.cm2.aarch64.rpm
 libtasn1-devel-4.19.0-2.cm2.aarch64.rpm
 libtool-2.4.6-8.cm2.aarch64.rpm
 libtool-debuginfo-2.4.6-8.cm2.aarch64.rpm
-libxml2-2.10.4-9.cm2.aarch64.rpm
-libxml2-debuginfo-2.10.4-9.cm2.aarch64.rpm
-libxml2-devel-2.10.4-9.cm2.aarch64.rpm
+libxml2-2.10.4-10.cm2.aarch64.rpm
+libxml2-debuginfo-2.10.4-10.cm2.aarch64.rpm
+libxml2-devel-2.10.4-10.cm2.aarch64.rpm
 libxslt-1.1.34-10.cm2.aarch64.rpm
 libxslt-debuginfo-1.1.34-10.cm2.aarch64.rpm
 libxslt-devel-1.1.34-10.cm2.aarch64.rpm
@@ -521,7 +521,7 @@ python3-gpg-1.16.0-2.cm2.aarch64.rpm
 python3-jinja2-3.0.3-7.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
 python3-libs-3.9.19-17.cm2.aarch64.rpm
-python3-libxml2-2.10.4-9.cm2.aarch64.rpm
+python3-libxml2-2.10.4-10.cm2.aarch64.rpm
 python3-lxml-4.9.1-1.cm2.aarch64.rpm
 python3-magic-5.40-3.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -215,9 +215,9 @@ libtasn1-debuginfo-4.19.0-2.cm2.x86_64.rpm
 libtasn1-devel-4.19.0-2.cm2.x86_64.rpm
 libtool-2.4.6-8.cm2.x86_64.rpm
 libtool-debuginfo-2.4.6-8.cm2.x86_64.rpm
-libxml2-2.10.4-9.cm2.x86_64.rpm
-libxml2-debuginfo-2.10.4-9.cm2.x86_64.rpm
-libxml2-devel-2.10.4-9.cm2.x86_64.rpm
+libxml2-2.10.4-10.cm2.x86_64.rpm
+libxml2-debuginfo-2.10.4-10.cm2.x86_64.rpm
+libxml2-devel-2.10.4-10.cm2.x86_64.rpm
 libxslt-1.1.34-10.cm2.x86_64.rpm
 libxslt-debuginfo-1.1.34-10.cm2.x86_64.rpm
 libxslt-devel-1.1.34-10.cm2.x86_64.rpm
@@ -527,7 +527,7 @@ python3-gpg-1.16.0-2.cm2.x86_64.rpm
 python3-jinja2-3.0.3-7.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
 python3-libs-3.9.19-17.cm2.x86_64.rpm
-python3-libxml2-2.10.4-9.cm2.x86_64.rpm
+python3-libxml2-2.10.4-10.cm2.x86_64.rpm
 python3-lxml-4.9.1-1.cm2.x86_64.rpm
 python3-magic-5.40-3.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.x86_64.rpm
