| Message ID | 20260125183438.1579158-3-peter.marko@siemens.com |
|---|---|
| State | Under Review |
| Delegated to: | Yoann Congal |
| Headers | show |
| Series | [whinlatter,1/3] libxml2: patch CVE-2026-0989 | expand |
Le dim. 25 janv. 2026 à 19:41, Peter Marko via lists.openembedded.org <peter.marko=siemens.com@lists.openembedded.org> a écrit : > From: Peter Marko <peter.marko@siemens.com> > > Pick patch which closed [1]. > > [1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019 Hello, Did you see Fix for CVE-2026-0992 is incomplete (#1040) · Issue · GNOME/libxml2 https://gitlab.gnome.org/GNOME/libxml2/-/issues/1040 ... and the fixing commit: catalog: Do not check value for duplication nextCatalog (deed3b78) · Commits · GNOME / libxml2 · GitLab https://gitlab.gnome.org/GNOME/libxml2/-/commit/deed3b7873dff30b7f87f7f33154c9932a772522 ? Signed-off-by: Peter Marko <peter.marko@siemens.com> > --- > .../libxml/libxml2/CVE-2026-0992.patch | 49 +++++++++++++++++++ > meta/recipes-core/libxml/libxml2_2.14.6.bb | 1 + > 2 files changed, 50 insertions(+) > create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch > > diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch > b/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch > new file mode 100644 > index 0000000000..ad23498a4c > --- /dev/null > +++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch > @@ -0,0 +1,49 @@ > +From f75abfcaa419a740a3191e56c60400f3ff18988d Mon Sep 17 00:00:00 2001 > +From: Daniel Garcia Moreno <daniel.garcia@suse.com> > +Date: Fri, 19 Dec 2025 11:02:18 +0100 > +Subject: [PATCH] catalog: Ignore repeated nextCatalog entries > + > +This patch makes the catalog parsing to ignore repeated entries of > +nextCatalog with the same value. > + > +Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019 > + > +CVE: CVE-2026-0992 > +Upstream-Status: Backport [ > https://gitlab.gnome.org/GNOME/libxml2/-/commit/f75abfcaa419a740a3191e56c60400f3ff18988d > ] > +Signed-off-by: Peter Marko <peter.marko@siemens.com> > +--- > + catalog.c | 18 ++++++++++++++++++ > + 1 file changed, 18 insertions(+) > + > +diff --git a/catalog.c b/catalog.c > +index 46b877e6..fa6d77ca 100644 > +--- a/catalog.c > ++++ b/catalog.c > +@@ -1227,9 +1227,27 @@ xmlParseXMLCatalogNode(xmlNodePtr cur, > xmlCatalogPrefer prefer, > + BAD_CAST "delegateURI", BAD_CAST "uriStartString", > + BAD_CAST "catalog", prefer, cgroup); > + } else if (xmlStrEqual(cur->name, BAD_CAST "nextCatalog")) { > ++ xmlCatalogEntryPtr prev = parent->children; > ++ > + entry = xmlParseXMLCatalogOneNode(cur, XML_CATA_NEXT_CATALOG, > + BAD_CAST "nextCatalog", NULL, > + BAD_CAST "catalog", prefer, cgroup); > ++ /* Avoid duplication of nextCatalog */ > ++ while (prev != NULL) { > ++ if ((prev->type == XML_CATA_NEXT_CATALOG) && > ++ (xmlStrEqual (prev->URL, entry->URL)) && > ++ (xmlStrEqual (prev->value, entry->value)) && > ++ (prev->prefer == entry->prefer) && > ++ (prev->group == entry->group)) { > ++ if (xmlDebugCatalogs) > ++ xmlCatalogPrintDebug( > ++ "Ignoring repeated nextCatalog %s\n", > entry->URL); > ++ xmlFreeCatalogEntry(entry, NULL); > ++ entry = NULL; > ++ break; > ++ } > ++ prev = prev->next; > ++ } > + } > + if (entry != NULL) { > + if (parent != NULL) { > diff --git a/meta/recipes-core/libxml/libxml2_2.14.6.bb > b/meta/recipes-core/libxml/libxml2_2.14.6.bb > index 7b47f823f9..b881a89a5f 100644 > --- a/meta/recipes-core/libxml/libxml2_2.14.6.bb > +++ b/meta/recipes-core/libxml/libxml2_2.14.6.bb > @@ -21,6 +21,7 @@ SRC_URI += " > http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt > file://CVE-2025-6021.patch \ > file://CVE-2026-0989.patch \ > file://CVE-2026-0990.patch \ > + file://CVE-2026-0992.patch \ > " > > SRC_URI[archive.sha256sum] = > "7ce458a0affeb83f0b55f1f4f9e0e55735dbfc1a9de124ee86fb4a66b597203a" > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#229943): > https://lists.openembedded.org/g/openembedded-core/message/229943 > Mute This Topic: https://lists.openembedded.org/mt/117455086/4316185 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > yoann.congal@smile.fr] > -=-=-=-=-=-=-=-=-=-=-=- > >
Thanks for finding that issue. I’ll add pick additional commit during next days. Since on master this was already merged, should I keep it as two commits also for stable branches? Peter From: Yoann Congal <yoann.congal@smile.fr> Sent: Thursday, January 29, 2026 10:39 To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com> Cc: openembedded-core@lists.openembedded.org Subject: Re: [OE-core][whinlatter][PATCH 3/3] libxml2: patch CVE-2026-0992 Le dim. 25 janv. 2026 à 19:41, Peter Marko via lists.openembedded.org<http://lists.openembedded.org> <peter.marko=siemens.com@lists.openembedded.org<mailto:siemens.com@lists.openembedded.org>> a écrit : From: Peter Marko <peter.marko@siemens.com<mailto:peter.marko@siemens.com>> Pick patch which closed [1]. [1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019 Hello, Did you see Fix for CVE-2026-0992 is incomplete (#1040) · Issue · GNOME/libxml2 https://gitlab.gnome.org/GNOME/libxml2/-/issues/1040 ... and the fixing commit: catalog: Do not check value for duplication nextCatalog (deed3b78) · Commits · GNOME / libxml2 · GitLab https://gitlab.gnome.org/GNOME/libxml2/-/commit/deed3b7873dff30b7f87f7f33154c9932a772522 ? Signed-off-by: Peter Marko <peter.marko@siemens.com<mailto:peter.marko@siemens.com>> --- .../libxml/libxml2/CVE-2026-0992.patch | 49 +++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.14.6.bb<http://libxml2_2.14.6.bb> | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch new file mode 100644 index 0000000000..ad23498a4c --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch @@ -0,0 +1,49 @@ +From f75abfcaa419a740a3191e56c60400f3ff18988d Mon Sep 17 00:00:00 2001 +From: Daniel Garcia Moreno <daniel.garcia@suse.com<mailto:daniel.garcia@suse.com>> +Date: Fri, 19 Dec 2025 11:02:18 +0100 +Subject: [PATCH] catalog: Ignore repeated nextCatalog entries + +This patch makes the catalog parsing to ignore repeated entries of +nextCatalog with the same value. + +Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019 + +CVE: CVE-2026-0992 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/f75abfcaa419a740a3191e56c60400f3ff18988d] +Signed-off-by: Peter Marko <peter.marko@siemens.com<mailto:peter.marko@siemens.com>> +--- + catalog.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/catalog.c b/catalog.c +index 46b877e6..fa6d77ca 100644 +--- a/catalog.c ++++ b/catalog.c +@@ -1227,9 +1227,27 @@ xmlParseXMLCatalogNode(xmlNodePtr cur, xmlCatalogPrefer prefer, + BAD_CAST "delegateURI", BAD_CAST "uriStartString", + BAD_CAST "catalog", prefer, cgroup); + } else if (xmlStrEqual(cur->name, BAD_CAST "nextCatalog")) { ++ xmlCatalogEntryPtr prev = parent->children; ++ + entry = xmlParseXMLCatalogOneNode(cur, XML_CATA_NEXT_CATALOG, + BAD_CAST "nextCatalog", NULL, + BAD_CAST "catalog", prefer, cgroup); ++ /* Avoid duplication of nextCatalog */ ++ while (prev != NULL) { ++ if ((prev->type == XML_CATA_NEXT_CATALOG) && ++ (xmlStrEqual (prev->URL, entry->URL)) && ++ (xmlStrEqual (prev->value, entry->value)) && ++ (prev->prefer == entry->prefer) && ++ (prev->group == entry->group)) { ++ if (xmlDebugCatalogs) ++ xmlCatalogPrintDebug( ++ "Ignoring repeated nextCatalog %s\n", entry->URL); ++ xmlFreeCatalogEntry(entry, NULL); ++ entry = NULL; ++ break; ++ } ++ prev = prev->next; ++ } + } + if (entry != NULL) { + if (parent != NULL) { diff --git a/meta/recipes-core/libxml/libxml2_2.14.6.bb<http://libxml2_2.14.6.bb> b/meta/recipes-core/libxml/libxml2_2.14.6.bb<http://libxml2_2.14.6.bb> index 7b47f823f9..b881a89a5f 100644 --- a/meta/recipes-core/libxml/libxml2_2.14.6.bb<http://libxml2_2.14.6.bb> +++ b/meta/recipes-core/libxml/libxml2_2.14.6.bb<http://libxml2_2.14.6.bb> @@ -21,6 +21,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt<http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=$%7BBP%7D;name=testt> file://CVE-2025-6021.patch \ file://CVE-2026-0989.patch \ file://CVE-2026-0990.patch \ + file://CVE-2026-0992.patch \ " SRC_URI[archive.sha256sum] = "7ce458a0affeb83f0b55f1f4f9e0e55735dbfc1a9de124ee86fb4a66b597203a" -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#229943): https://lists.openembedded.org/g/openembedded-core/message/229943 Mute This Topic: https://lists.openembedded.org/mt/117455086/4316185 Group Owner: openembedded-core+owner@lists.openembedded.org<mailto:openembedded-core%2Bowner@lists.openembedded.org> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [yoann.congal@smile.fr<mailto:yoann.congal@smile.fr>] -=-=-=-=-=-=-=-=-=-=-=- -- Yoann Congal Smile ECS
Le jeu. 29 janv. 2026 à 17:32, Marko, Peter <Peter.Marko@siemens.com> a écrit : > Thanks for finding that issue. > > I’ll add pick additional commit during next days. > > > > Since on master this was already merged, should I keep it as two commits > also for stable branches? > I'm fine taking a single commit on the stable branch as long as the followup is merged on master. Thanks! > > > Peter > > > > *From:* Yoann Congal <yoann.congal@smile.fr> > *Sent:* Thursday, January 29, 2026 10:39 > *To:* Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com> > *Cc:* openembedded-core@lists.openembedded.org > *Subject:* Re: [OE-core][whinlatter][PATCH 3/3] libxml2: patch > CVE-2026-0992 > > > > > > > > Le dim. 25 janv. 2026 à 19:41, Peter Marko via lists.openembedded.org > <peter.marko=siemens.com@lists.openembedded.org> a écrit : > > From: Peter Marko <peter.marko@siemens.com> > > Pick patch which closed [1]. > > [1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019 > > > > Hello, > > > > Did you see > > Fix for CVE-2026-0992 is incomplete (#1040) · Issue · GNOME/libxml2 > https://gitlab.gnome.org/GNOME/libxml2/-/issues/1040 > > ... and the fixing commit: > > catalog: Do not check value for duplication nextCatalog (deed3b78) · > Commits · GNOME / libxml2 · GitLab > > https://gitlab.gnome.org/GNOME/libxml2/-/commit/deed3b7873dff30b7f87f7f33154c9932a772522 > > ? > > > > Signed-off-by: Peter Marko <peter.marko@siemens.com> > --- > .../libxml/libxml2/CVE-2026-0992.patch | 49 +++++++++++++++++++ > meta/recipes-core/libxml/libxml2_2.14.6.bb | 1 + > 2 files changed, 50 insertions(+) > create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch > > diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch > b/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch > new file mode 100644 > index 0000000000..ad23498a4c > --- /dev/null > +++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch > @@ -0,0 +1,49 @@ > +From f75abfcaa419a740a3191e56c60400f3ff18988d Mon Sep 17 00:00:00 2001 > +From: Daniel Garcia Moreno <daniel.garcia@suse.com> > +Date: Fri, 19 Dec 2025 11:02:18 +0100 > +Subject: [PATCH] catalog: Ignore repeated nextCatalog entries > + > +This patch makes the catalog parsing to ignore repeated entries of > +nextCatalog with the same value. > + > +Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019 > + > +CVE: CVE-2026-0992 > +Upstream-Status: Backport [ > https://gitlab.gnome.org/GNOME/libxml2/-/commit/f75abfcaa419a740a3191e56c60400f3ff18988d > ] > +Signed-off-by: Peter Marko <peter.marko@siemens.com> > +--- > + catalog.c | 18 ++++++++++++++++++ > + 1 file changed, 18 insertions(+) > + > +diff --git a/catalog.c b/catalog.c > +index 46b877e6..fa6d77ca 100644 > +--- a/catalog.c > ++++ b/catalog.c > +@@ -1227,9 +1227,27 @@ xmlParseXMLCatalogNode(xmlNodePtr cur, > xmlCatalogPrefer prefer, > + BAD_CAST "delegateURI", BAD_CAST "uriStartString", > + BAD_CAST "catalog", prefer, cgroup); > + } else if (xmlStrEqual(cur->name, BAD_CAST "nextCatalog")) { > ++ xmlCatalogEntryPtr prev = parent->children; > ++ > + entry = xmlParseXMLCatalogOneNode(cur, XML_CATA_NEXT_CATALOG, > + BAD_CAST "nextCatalog", NULL, > + BAD_CAST "catalog", prefer, cgroup); > ++ /* Avoid duplication of nextCatalog */ > ++ while (prev != NULL) { > ++ if ((prev->type == XML_CATA_NEXT_CATALOG) && > ++ (xmlStrEqual (prev->URL, entry->URL)) && > ++ (xmlStrEqual (prev->value, entry->value)) && > ++ (prev->prefer == entry->prefer) && > ++ (prev->group == entry->group)) { > ++ if (xmlDebugCatalogs) > ++ xmlCatalogPrintDebug( > ++ "Ignoring repeated nextCatalog %s\n", > entry->URL); > ++ xmlFreeCatalogEntry(entry, NULL); > ++ entry = NULL; > ++ break; > ++ } > ++ prev = prev->next; > ++ } > + } > + if (entry != NULL) { > + if (parent != NULL) { > diff --git a/meta/recipes-core/libxml/libxml2_2.14.6.bb > b/meta/recipes-core/libxml/libxml2_2.14.6.bb > index 7b47f823f9..b881a89a5f 100644 > --- a/meta/recipes-core/libxml/libxml2_2.14.6.bb > +++ b/meta/recipes-core/libxml/libxml2_2.14.6.bb > @@ -21,6 +21,7 @@ SRC_URI += " > http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt > file://CVE-2025-6021.patch \ > file://CVE-2026-0989.patch \ > file://CVE-2026-0990.patch \ > + file://CVE-2026-0992.patch \ > " > > SRC_URI[archive.sha256sum] = > "7ce458a0affeb83f0b55f1f4f9e0e55735dbfc1a9de124ee86fb4a66b597203a" > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#229943): > https://lists.openembedded.org/g/openembedded-core/message/229943 > Mute This Topic: https://lists.openembedded.org/mt/117455086/4316185 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > yoann.congal@smile.fr] > -=-=-=-=-=-=-=-=-=-=-=- > > > > -- > > Yoann Congal > > Smile ECS >
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch new file mode 100644 index 0000000000..ad23498a4c --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch @@ -0,0 +1,49 @@ +From f75abfcaa419a740a3191e56c60400f3ff18988d Mon Sep 17 00:00:00 2001 +From: Daniel Garcia Moreno <daniel.garcia@suse.com> +Date: Fri, 19 Dec 2025 11:02:18 +0100 +Subject: [PATCH] catalog: Ignore repeated nextCatalog entries + +This patch makes the catalog parsing to ignore repeated entries of +nextCatalog with the same value. + +Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019 + +CVE: CVE-2026-0992 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/f75abfcaa419a740a3191e56c60400f3ff18988d] +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + catalog.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/catalog.c b/catalog.c +index 46b877e6..fa6d77ca 100644 +--- a/catalog.c ++++ b/catalog.c +@@ -1227,9 +1227,27 @@ xmlParseXMLCatalogNode(xmlNodePtr cur, xmlCatalogPrefer prefer, + BAD_CAST "delegateURI", BAD_CAST "uriStartString", + BAD_CAST "catalog", prefer, cgroup); + } else if (xmlStrEqual(cur->name, BAD_CAST "nextCatalog")) { ++ xmlCatalogEntryPtr prev = parent->children; ++ + entry = xmlParseXMLCatalogOneNode(cur, XML_CATA_NEXT_CATALOG, + BAD_CAST "nextCatalog", NULL, + BAD_CAST "catalog", prefer, cgroup); ++ /* Avoid duplication of nextCatalog */ ++ while (prev != NULL) { ++ if ((prev->type == XML_CATA_NEXT_CATALOG) && ++ (xmlStrEqual (prev->URL, entry->URL)) && ++ (xmlStrEqual (prev->value, entry->value)) && ++ (prev->prefer == entry->prefer) && ++ (prev->group == entry->group)) { ++ if (xmlDebugCatalogs) ++ xmlCatalogPrintDebug( ++ "Ignoring repeated nextCatalog %s\n", entry->URL); ++ xmlFreeCatalogEntry(entry, NULL); ++ entry = NULL; ++ break; ++ } ++ prev = prev->next; ++ } + } + if (entry != NULL) { + if (parent != NULL) { diff --git a/meta/recipes-core/libxml/libxml2_2.14.6.bb b/meta/recipes-core/libxml/libxml2_2.14.6.bb index 7b47f823f9..b881a89a5f 100644 --- a/meta/recipes-core/libxml/libxml2_2.14.6.bb +++ b/meta/recipes-core/libxml/libxml2_2.14.6.bb @@ -21,6 +21,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt file://CVE-2025-6021.patch \ file://CVE-2026-0989.patch \ file://CVE-2026-0990.patch \ + file://CVE-2026-0992.patch \ " SRC_URI[archive.sha256sum] = "7ce458a0affeb83f0b55f1f4f9e0e55735dbfc1a9de124ee86fb4a66b597203a"