From patchwork Sun Jan 25 18:35:05 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 79611 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 46420E63CBF for ; Sun, 25 Jan 2026 18:42:10 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.2010.1769366526995287693 for ; Sun, 25 Jan 2026 10:42:07 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=FRqi2jez; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-256628-202601251842046acda2a0a4000207da-nzhezo@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 202601251842046acda2a0a4000207da for ; Sun, 25 Jan 2026 19:42:04 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=/ot1WhHSe3NoAHgEBJnuQJfKrXknm/bNRxfCLOSQne4=; b=FRqi2jezu7CssAB4aIYt5f35t4e+mQNQ8/Wvt4EX0/gAAHKx3wci9MkgQRuBZYI4MCFW3J 2e3BNtFOZ3VJOn1YPsihQkMym+HUX6IWrMMrA1EtcfagWnXRqsPbTsKyGUjUbTeAbkA4thkT hDcsIDdFILOqspx0kmxdCrLvd1BxyFmlAxpYXIS3gTcIj0S1ydxzke3btCWb2XFrOpK2v/rH hFIgYja2nb98tWq/e0voAz9e1+VHR597pIA5TCUZx0EP7emfBF2NbYMsJ7q/alPikNd853dq 5sfQEguFJLzLWf1Rh08p9m9uaP6+OUsFUSHajynqGwIZE1OlNOuIS9XQ==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 2/3] libxml2: patch CVE-2026-0990 Date: Sun, 25 Jan 2026 19:35:05 +0100 Message-Id: <20260125183506.1621113-2-peter.marko@siemens.com> In-Reply-To: <20260125183506.1621113-1-peter.marko@siemens.com> References: <20260125183506.1621113-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 25 Jan 2026 18:42:10 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/229945 From: Peter Marko Pick patch which closed [1]. [1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018 Signed-off-by: Peter Marko --- .../libxml/libxml2/CVE-2026-0990.patch | 76 +++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.12.10.bb | 1 + 2 files changed, 77 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch new file mode 100644 index 00000000000..d001da19bcc --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch @@ -0,0 +1,76 @@ +From 1961208e958ca22f80a0b4e4c9d71cfa050aa982 Mon Sep 17 00:00:00 2001 +From: Daniel Garcia Moreno +Date: Wed, 17 Dec 2025 15:24:08 +0100 +Subject: [PATCH] catalog: prevent inf recursion in xmlCatalogXMLResolveURI + +Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018 + +CVE: CVE-2026-0989 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1961208e958ca22f80a0b4e4c9d71cfa050aa982] +Signed-off-by: Peter Marko +--- + catalog.c | 31 +++++++++++++++++++++++-------- + 1 file changed, 23 insertions(+), 8 deletions(-) + +diff --git a/catalog.c b/catalog.c +index 76c063a8..46b877e6 100644 +--- a/catalog.c ++++ b/catalog.c +@@ -2086,12 +2086,21 @@ static xmlChar * + xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) { + xmlChar *ret = NULL; + xmlChar *urnID = NULL; ++ xmlCatalogEntryPtr cur = NULL; + + if (catal == NULL) + return(NULL); + if (URI == NULL) + return(NULL); + ++ if (catal->depth > MAX_CATAL_DEPTH) { ++ xmlCatalogErr(catal, NULL, XML_CATALOG_RECURSION, ++ "Detected recursion in catalog %s\n", ++ catal->name, NULL, NULL); ++ return(NULL); ++ } ++ catal->depth++; ++ + if (!xmlStrncmp(URI, BAD_CAST XML_URN_PUBID, sizeof(XML_URN_PUBID) - 1)) { + urnID = xmlCatalogUnWrapURN(URI); + if (xmlDebugCatalogs) { +@@ -2105,21 +2114,27 @@ xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) { + ret = xmlCatalogListXMLResolve(catal, urnID, NULL); + if (urnID != NULL) + xmlFree(urnID); ++ catal->depth--; + return(ret); + } +- while (catal != NULL) { +- if (catal->type == XML_CATA_CATALOG) { +- if (catal->children == NULL) { +- xmlFetchXMLCatalogFile(catal); ++ cur = catal; ++ while (cur != NULL) { ++ if (cur->type == XML_CATA_CATALOG) { ++ if (cur->children == NULL) { ++ xmlFetchXMLCatalogFile(cur); + } +- if (catal->children != NULL) { +- ret = xmlCatalogXMLResolveURI(catal->children, URI); +- if (ret != NULL) ++ if (cur->children != NULL) { ++ ret = xmlCatalogXMLResolveURI(cur->children, URI); ++ if (ret != NULL) { ++ catal->depth--; + return(ret); ++ } + } + } +- catal = catal->next; ++ cur = cur->next; + } ++ ++ catal->depth--; + return(ret); + } + diff --git a/meta/recipes-core/libxml/libxml2_2.12.10.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb index 396be51d994..6a03fc3f6c7 100644 --- a/meta/recipes-core/libxml/libxml2_2.12.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb @@ -26,6 +26,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt file://CVE-2025-6170.patch \ file://CVE-2025-7425.patch \ file://CVE-2026-0989.patch \ + file://CVE-2026-0990.patch \ " SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995"