libxml2: patch CVE-2026-11979

Message ID	20260630062051.516582-1-antonsk@axis.com
State	New
Headers	show Return-Path: <philip@balister.org> ip: 52.101.70.55, mailfrom: anton.skorup@axis.com) Received-SPF: Pass (protection.outlook.com: domain of axis.com designates 195.60.68.100 as permitted sender) receiver=protection.outlook.com; client-ip=195.60.68.100; helo=mail.axis.com; pr=C From: Anton Skorup <antonsk@axis.com> To: <openembedded-core@lists.openembedded.org> CC: Anton Skorup <anton@skorup.se>, Anton Skorup <anton.skorup@axis.com> Subject: [PATCH] libxml2: patch CVE-2026-11979 Date: Tue, 30 Jun 2026 08:20:51 +0200 Message-ID: <20260630062051.516582-1-antonsk@axis.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain
Series	libxml2: patch CVE-2026-11979 \| expand libxml2: patch CVE-2026-11979

Message ID

20260630062051.516582-1-antonsk@axis.com

State

New

Headers

Received-SPF: Pass (protection.outlook.com: domain of axis.com designates
 195.60.68.100 as permitted sender) receiver=protection.outlook.com;
 client-ip=195.60.68.100; helo=mail.axis.com; pr=C
From: Anton Skorup <antonsk@axis.com>
To: <openembedded-core@lists.openembedded.org>
CC: Anton Skorup <anton@skorup.se>, Anton Skorup <anton.skorup@axis.com>
Subject: [PATCH] libxml2: patch CVE-2026-11979
Date: Tue, 30 Jun 2026 08:20:51 +0200
Message-ID: <20260630062051.516582-1-antonsk@axis.com>
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
	ja1y/niTq8mEbIGtbPJm0tMBlASlPhpNrc5msh8JKGm9aheLHYpjubmh30JBlbGy1hCB+2p0QIAmykVN6zfLAGMOVF6zafhNDIU6LO60m5NKol7pyNcAh5r3UF7R0TX+rATKuvqQa1nBCr80UMf2/cVjEMlH4Wf74nORir5sQvwOjoiEG2nhkZ2MrHOr02LVbHPbQG4s6gvwF31S2V12cPoroNNkRdoA36sewOmTlQugd/CLkFF+vlaIZnn3Y7CBPvCywVoSCqu5WQSm2Sq5UdUAdy+4pjpz3jTx+9ibP/3+uHLstKHDO7psNCFYrRREqEInqtMpKnYQxMhEKpMG2pvVBdiIaZsurVLDjoCoXu+FtV96xAN/n2hFd+j9VqNWnZnYVYsRmAjNBlK+8HX/aP0L87f+2q9ESA2QxvciRMFY16o4rheTt36p5mC+0sDo
X-OriginatorOrg: axis.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Jun 2026 06:20:54.8511
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 eb32efba-75cf-4ad3-d714-08ded66fbde7
X-MS-Exchange-CrossTenant-Id: 78703d3c-b907-432f-b066-88f7af9ca3af
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: 
 TenantId=78703d3c-b907-432f-b066-88f7af9ca3af;Ip=[195.60.68.100];Helo=[mail.axis.com]
X-MS-Exchange-CrossTenant-AuthSource: 
	DB1PEPF000509EA.eurprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAWPR02MB10066
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Tue, 30 Jun 2026 10:59:33 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/239878

Series

libxml2: patch CVE-2026-11979 | expand

Commit Message

Anton Skorup June 30, 2026, 6:20 a.m. UTC

From: Anton Skorup <anton@skorup.se>

Pick patch from [1] linked from [2].

[1] https://gitlab.gnome.org/GNOME/libxml2/-/commit/c2e233fc1b341685fc99621b2768b503f777a72e
[2] https://gitlab.gnome.org/GNOME/libxml2/-/work_items/1124

Signed-off-by: Anton Skorup <anton.skorup@axis.com>
---
 .../libxml/libxml2/CVE-2026-11979.patch       | 81 +++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.15.3.bb    |  1 +
 2 files changed, 82 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-11979.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-11979.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-11979.patch
new file mode 100644
index 0000000000..a14e566681
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2026-11979.patch
@@ -0,0 +1,81 @@ 
+From dfad0660f7dab3b5f8317b703b16ad0b0d12697d Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <daniel.garcia@suse.com>
+Date: Fri, 22 May 2026 12:21:20 +0200
+Subject: [PATCH] xmlcatalog: overflow check for large --shell commands
+
+Fix https://gitlab.gnome.org/GNOME/libxml2/-/work_items/1124
+
+CVE: CVE-2026-11979
+Signed-off-by: Anton Skorup <anton.skorup@axis.com>
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/c2e233fc1b341685fc99621b2768b503f777a72e]
+---
+ test/catalogs/test.sh | 11 +++++++++++
+ xmlcatalog.c          | 16 ++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/test/catalogs/test.sh b/test/catalogs/test.sh
+index 7e5eaa76..84e8b90a 100755
+--- a/test/catalogs/test.sh
++++ b/test/catalogs/test.sh
+@@ -10,6 +10,17 @@ fi
+ 
+ exitcode=0
+ 
++# Test xmlcatalog --shell command line
++# Case 1: Really long argument (470 chars)
++input=""; for i in {1..470}; do input="${input}A"; done
++echo $input | $xmlcatalog --shell test/catalogs/dockbook.xml || exit 1
++# Case 2: public + long argument
++input="public "; for i in {1..470}; do input="${input}A"; done
++echo $input | $xmlcatalog --shell test/catalogs/dockbook.xml || exit 1
++# Case 3: public + lots of args
++input="public "; for i in {1..80}; do input="${input} x"; done
++echo $input | $xmlcatalog --shell test/catalogs/dockbook.xml || exit 1
++
+ for i in test/catalogs/*.script ; do
+     name=$(basename $i .script)
+     xml="./test/catalogs/$name.xml"
+diff --git a/xmlcatalog.c b/xmlcatalog.c
+index b400c7cb..5113e930 100644
+--- a/xmlcatalog.c
++++ b/xmlcatalog.c
+@@ -135,6 +135,12 @@ static void usershell(void) {
+ 	       (*cur != '\n') && (*cur != '\r')) {
+ 	    if (*cur == 0)
+ 		break;
++            /* Do not read beyond the command array capacity */
++            if (i >= (int)sizeof(command) - 2) {
++                printf("Invalid command %s\n", cur);
++                i = 0;
++                break;
++            }
+ 	    command[i++] = *cur++;
+ 	}
+ 	command[i] = 0;
+@@ -152,6 +158,11 @@ static void usershell(void) {
+ 	while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
+ 	    if (*cur == 0)
+ 		break;
++            if (i >= (int)sizeof(arg) - 2) {
++                printf("Invalid arg %s\n", arg);
++                i = 0;
++                break;
++            }
+ 	    arg[i++] = *cur++;
+ 	}
+ 	arg[i] = 0;
+@@ -164,6 +175,11 @@ static void usershell(void) {
+ 	cur = arg;
+ 	memset(argv, 0, sizeof(argv));
+ 	while (*cur != 0) {
++            if (i >= (int)sizeof(argv) / (int)sizeof(char*)) {
++                printf("Too much arguments\n");
++                break;
++            }
++
+ 	    while ((*cur == ' ') || (*cur == '\t')) cur++;
+ 	    if (*cur == '\'') {
+ 		cur++;
+-- 
+2.43.0
+
diff --git a/meta/recipes-core/libxml/libxml2_2.15.3.bb b/meta/recipes-core/libxml/libxml2_2.15.3.bb
index 3b7a0e3cb5..abf9889b3f 100644
--- a/meta/recipes-core/libxml/libxml2_2.15.3.bb
+++ b/meta/recipes-core/libxml/libxml2_2.15.3.bb
@@ -18,6 +18,7 @@  SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
            file://run-ptest \
            file://install-tests.patch \
            file://0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch \
+           file://CVE-2026-11979.patch \
            "
 
 SRC_URI[archive.sha256sum] = "78262a6e7ac170d6528ebfe2efccdf220191a5af6a6cd61ea4a9a9a5042c7a07"

libxml2: patch CVE-2026-11979

Commit Message

Patch