
[kirkstone] libxml2: fix CVE-2025-9714

Message ID 20251001121649.2605064-1-tgaige.opensource@witekio.com
State Superseded
Delegated to: Steve Sakoman

Commit Message

tgaige.opensource@witekio.com Oct. 1, 2025, 12:16 p.m. UTC
From: Theo GAIGE <tgaige.opensource@witekio.com>

Upstream-Status: Backport from https://git.launchpad.net/ubuntu/+source/libxml2/commit/?id=ff48b80d7ebd968eb9d4ee2d6cb3174959ad871a

Signed-off-by: Theo GAIGE <tgaige.opensource@witekio.com>
---
 .../libxml/libxml2/CVE-2025-9714.patch        | 117 ++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.14.bb    |   1 +
 2 files changed, 118 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-9714.patch

Comments

Steve Sakoman Oct. 1, 2025, 3:56 p.m. UTC | #1
On Wed, Oct 1, 2025 at 5:32 AM Théo Gaigé via lists.openembedded.org
<tgaige.opensource=witekio.com@lists.openembedded.org> wrote:
>
> From: Theo GAIGE <tgaige.opensource@witekio.com>
>
> Upstream-Status: Backport from https://git.launchpad.net/ubuntu/+source/libxml2/commit/?id=ff48b80d7ebd968eb9d4ee2d6cb3174959ad871a
>
> Signed-off-by: Theo GAIGE <tgaige.opensource@witekio.com>
> ---
>  .../libxml/libxml2/CVE-2025-9714.patch        | 117 ++++++++++++++++++
>  meta/recipes-core/libxml/libxml2_2.9.14.bb    |   1 +
>  2 files changed, 118 insertions(+)
>  create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-9714.patch
>
> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-9714.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-9714.patch
> new file mode 100644
> index 0000000000..99e0c7dfb3
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-9714.patch
> @@ -0,0 +1,117 @@
> +From b2c6511bd90063652ca1f8814f98ccae9dd24026 Mon Sep 17 00:00:00 2001
> +From: Octavio Galland <octavio.galland@canonical.com>
> +Date: Fri, 5 Sep 2025 12:36:12 -0300
> +Subject: [PATCH] Make XPath depth check work with recursive invocations
> +
> +EXSLT functions like dyn:map or dyn:evaluate invoke xmlXPathRunEval
> +recursively. Don't set depth to zero but keep and restore the original
> +value to avoid stack overflows when abusing these functions.
> +
> +Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/libxml2/commit/?id=ff48b80d7ebd968eb9d4ee2d6cb3174959ad871a]

launchpad.net is not the upstream for libxml2.  Please reference the
commit in the upstream libxml2 git repository.

Thanks,

Steve

> +CVE: CVE-2025-9714
> +
> +Signed-off-by: Theo GAIGE <tgaige.opensource@witekio.com>
> +---
> + xpath.c | 23 +++++++++++++++++------
> + 1 file changed, 17 insertions(+), 6 deletions(-)
> +
> +diff --git a/xpath.c b/xpath.c
> +index c2d845888..028471d53 100644
> +--- a/xpath.c
> ++++ b/xpath.c
> +@@ -13883,12 +13883,11 @@ static int
> + xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool)
> + {
> +     xmlXPathCompExprPtr comp;
> ++    int oldDepth;
> +
> +     if ((ctxt == NULL) || (ctxt->comp == NULL))
> +       return(-1);
> +
> +-    ctxt->context->depth = 0;
> +-
> +     if (ctxt->valueTab == NULL) {
> +       /* Allocate the value stack */
> +       ctxt->valueTab = (xmlXPathObjectPtr *)
> +@@ -13942,11 +13941,13 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool)
> +           "xmlXPathRunEval: last is less than zero\n");
> +       return(-1);
> +     }
> ++    oldDepth = ctxt->context->depth;
> +     if (toBool)
> +       return(xmlXPathCompOpEvalToBoolean(ctxt,
> +           &comp->steps[comp->last], 0));
> +     else
> +       xmlXPathCompOpEval(ctxt, &comp->steps[comp->last]);
> ++    ctxt->context->depth = oldDepth;
> +
> +     return(0);
> + }
> +@@ -14217,6 +14218,7 @@ xmlXPathCompExprPtr
> + xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) {
> +     xmlXPathParserContextPtr pctxt;
> +     xmlXPathCompExprPtr comp;
> ++    int oldDepth = 0;
> +
> + #ifdef XPATH_STREAMING
> +     comp = xmlXPathTryStreamCompile(ctxt, str);
> +@@ -14230,8 +14232,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) {
> +     if (pctxt == NULL)
> +         return NULL;
> +     if (ctxt != NULL)
> +-        ctxt->depth = 0;
> ++        oldDepth = ctxt->depth;
> +     xmlXPathCompileExpr(pctxt, 1);
> ++    if (ctxt != NULL)
> ++        ctxt->depth = oldDepth;
> +
> +     if( pctxt->error != XPATH_EXPRESSION_OK )
> +     {
> +@@ -14252,8 +14256,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) {
> +       comp = pctxt->comp;
> +       if ((comp->nbStep > 1) && (comp->last >= 0)) {
> +             if (ctxt != NULL)
> +-                ctxt->depth = 0;
> ++                oldDepth = ctxt->depth;
> +           xmlXPathOptimizeExpression(pctxt, &comp->steps[comp->last]);
> ++            if (ctxt != NULL)
> ++                ctxt->depth = oldDepth;
> +       }
> +       pctxt->comp = NULL;
> +     }
> +@@ -14409,6 +14415,7 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
> + #ifdef XPATH_STREAMING
> +     xmlXPathCompExprPtr comp;
> + #endif
> ++    int oldDepth = 0;
> +
> +     if (ctxt == NULL) return;
> +
> +@@ -14422,8 +14429,10 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
> + #endif
> +     {
> +         if (ctxt->context != NULL)
> +-            ctxt->context->depth = 0;
> ++            oldDepth = ctxt->context->depth;
> +       xmlXPathCompileExpr(ctxt, 1);
> ++        if (ctxt->context != NULL)
> ++            ctxt->context->depth = oldDepth;
> +         CHECK_ERROR;
> +
> +         /* Check for trailing characters. */
> +@@ -14432,9 +14441,11 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
> +
> +       if ((ctxt->comp->nbStep > 1) && (ctxt->comp->last >= 0)) {
> +             if (ctxt->context != NULL)
> +-                ctxt->context->depth = 0;
> ++                oldDepth = ctxt->context->depth;
> +           xmlXPathOptimizeExpression(ctxt,
> +               &ctxt->comp->steps[ctxt->comp->last]);
> ++            if (ctxt->context != NULL)
> ++                ctxt->context->depth = oldDepth;
> +         }
> +     }
> +
> +--
> +2.43.0
> +
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
> index f34b0c25ca..932251da98 100644
> --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
> @@ -42,6 +42,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
>             file://CVE-2025-6021.patch \
>             file://CVE-2025-49794-CVE-2025-49796.patch \
>             file://CVE-2025-6170.patch \
> +           file://CVE-2025-9714.patch \
>             "
>
>  SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
> --
> 2.43.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#224208): https://lists.openembedded.org/g/openembedded-core/message/224208
> Mute This Topic: https://lists.openembedded.org/mt/115531861/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-9714.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-9714.patch
new file mode 100644
index 0000000000..99e0c7dfb3
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-9714.patch
@@ -0,0 +1,117 @@ 
+From b2c6511bd90063652ca1f8814f98ccae9dd24026 Mon Sep 17 00:00:00 2001
+From: Octavio Galland <octavio.galland@canonical.com>
+Date: Fri, 5 Sep 2025 12:36:12 -0300
+Subject: [PATCH] Make XPath depth check work with recursive invocations
+
+EXSLT functions like dyn:map or dyn:evaluate invoke xmlXPathRunEval
+recursively. Don't set depth to zero but keep and restore the original
+value to avoid stack overflows when abusing these functions.
+
+Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/libxml2/commit/?id=ff48b80d7ebd968eb9d4ee2d6cb3174959ad871a]
+CVE: CVE-2025-9714
+
+Signed-off-by: Theo GAIGE <tgaige.opensource@witekio.com>
+---
+ xpath.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index c2d845888..028471d53 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13883,12 +13883,11 @@ static int
+ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool)
+ {
+     xmlXPathCompExprPtr comp;
++    int oldDepth;
+ 
+     if ((ctxt == NULL) || (ctxt->comp == NULL))
+ 	return(-1);
+ 
+-    ctxt->context->depth = 0;
+-
+     if (ctxt->valueTab == NULL) {
+ 	/* Allocate the value stack */
+ 	ctxt->valueTab = (xmlXPathObjectPtr *)
+@@ -13942,11 +13941,13 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool)
+ 	    "xmlXPathRunEval: last is less than zero\n");
+ 	return(-1);
+     }
++    oldDepth = ctxt->context->depth;
+     if (toBool)
+ 	return(xmlXPathCompOpEvalToBoolean(ctxt,
+ 	    &comp->steps[comp->last], 0));
+     else
+ 	xmlXPathCompOpEval(ctxt, &comp->steps[comp->last]);
++    ctxt->context->depth = oldDepth;
+ 
+     return(0);
+ }
+@@ -14217,6 +14218,7 @@ xmlXPathCompExprPtr
+ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) {
+     xmlXPathParserContextPtr pctxt;
+     xmlXPathCompExprPtr comp;
++    int oldDepth = 0;
+ 
+ #ifdef XPATH_STREAMING
+     comp = xmlXPathTryStreamCompile(ctxt, str);
+@@ -14230,8 +14232,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) {
+     if (pctxt == NULL)
+         return NULL;
+     if (ctxt != NULL)
+-        ctxt->depth = 0;
++        oldDepth = ctxt->depth;
+     xmlXPathCompileExpr(pctxt, 1);
++    if (ctxt != NULL)
++        ctxt->depth = oldDepth;
+ 
+     if( pctxt->error != XPATH_EXPRESSION_OK )
+     {
+@@ -14252,8 +14256,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) {
+ 	comp = pctxt->comp;
+ 	if ((comp->nbStep > 1) && (comp->last >= 0)) {
+             if (ctxt != NULL)
+-                ctxt->depth = 0;
++                oldDepth = ctxt->depth;
+ 	    xmlXPathOptimizeExpression(pctxt, &comp->steps[comp->last]);
++            if (ctxt != NULL)
++                ctxt->depth = oldDepth;
+ 	}
+ 	pctxt->comp = NULL;
+     }
+@@ -14409,6 +14415,7 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
+ #ifdef XPATH_STREAMING
+     xmlXPathCompExprPtr comp;
+ #endif
++    int oldDepth = 0;
+ 
+     if (ctxt == NULL) return;
+ 
+@@ -14422,8 +14429,10 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
+ #endif
+     {
+         if (ctxt->context != NULL)
+-            ctxt->context->depth = 0;
++            oldDepth = ctxt->context->depth;
+ 	xmlXPathCompileExpr(ctxt, 1);
++        if (ctxt->context != NULL)
++            ctxt->context->depth = oldDepth;
+         CHECK_ERROR;
+ 
+         /* Check for trailing characters. */
+@@ -14432,9 +14441,11 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
+ 
+ 	if ((ctxt->comp->nbStep > 1) && (ctxt->comp->last >= 0)) {
+             if (ctxt->context != NULL)
+-                ctxt->context->depth = 0;
++                oldDepth = ctxt->context->depth;
+ 	    xmlXPathOptimizeExpression(ctxt,
+ 		&ctxt->comp->steps[ctxt->comp->last]);
++            if (ctxt->context != NULL)
++                ctxt->context->depth = oldDepth;
+         }
+     }
+ 
+-- 
+2.43.0
+
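Review bot: In the nested xpath.c hunk at `@@ -13942,11 +13941,13 @@`, the `toBool` branch of xmlXPathRunEval returns straight from `xmlXPathCompOpEvalToBoolean(...)`, so the added `ctxt->context->depth = oldDepth;` only runs on the non-boolean path. If the evaluator can exit early on an error without undoing its depth increment (not visible in these hunks), the saved value is never put back for boolean evaluations; because this patch also removes the unconditional `ctxt->context->depth = 0;` reset, a stale count would then carry over to later evaluations on the same context and could hit the depth limit spuriously. Capturing the result first would cover both paths: `int ret = xmlXPathCompOpEvalToBoolean(ctxt, &comp->steps[comp->last], 0); ctxt->context->depth = oldDepth; return(ret);`. As this is a backport, that change is better raised against the original commit than applied only here, with a line in the patch header recording the asymmetry in the meantime. The body of xmlXPathRunEval lies partly outside the two hunks shown.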
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index f34b0c25ca..932251da98 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -42,6 +42,7 @@  SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
            file://CVE-2025-6021.patch \
            file://CVE-2025-49794-CVE-2025-49796.patch \
            file://CVE-2025-6170.patch \
+           file://CVE-2025-9714.patch \
            "
 
 SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"