Projetos/rpi-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
096589bd59f3f8e827754d43ad01dcdc406cc27f
rpi-buildroot/package/libxml2/0004-fix-potential-buffer-overflows-of-interactive-shell.patch
Thomas Perale 5f11da8ca6 package/libxml2: add patch for CVE-2025-6170 
This fixes the following vulnerability:

- CVE-2025-6170

    A flaw was found in the interactive shell of the xmllint command-line
    tool, used for parsing XML files. When a user inputs an overly long
    command, the program does not check the input size properly, which can
    cause it to crash. This issue might allow attackers to run harmful
    code in rare configurations without modern protections.

For more information, see:
  - https://www.cve.org/CVERecord?id=CVE-2025-6170
  - c340e41950

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c68a14d73a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
2025-08-07 12:19:04 +02:00

104 lines
4.5 KiB
Diff
Raw Blame History

From: Michael Mann <mmann78@netscape.net>
Date: Fri, 20 Jun 2025 23:05:00 -0400
Subject: Fix potential buffer overflows of interactive shell
Upstream: https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c107d3f5b5179c3dbc19df43df041cd55b
Upstream: https://sources.debian.org/src/libxml2/2.12.7+dfsg+really2.9.14-2.1/debian/patches/CVE-2025-6170.patch/
CVE: CVE-2025-6170
[thomas: Originally backported for v2.9.14 re-applied on v2.13.8]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
debugXML.c | 15 ++++++++++-----
result/scripts/long_command | 8 ++++++++
test/scripts/long_command.script | 6 ++++++
test/scripts/long_command.xml | 1 +
4 files changed, 25 insertions(+), 5 deletions(-)
create mode 100644 result/scripts/long_command
create mode 100644 test/scripts/long_command.script
create mode 100644 test/scripts/long_command.xml
diff --git a/debugXML.c b/debugXML.c
index ed56b0f8..452b9573 100644
--- a/debugXML.c
+++ b/debugXML.c
@@ -1033,6 +1033,10 @@ xmlCtxtDumpOneNode(xmlDebugCtxtPtr ctxt, xmlNodePtr node)
xmlCtxtGenericNodeCheck(ctxt, node);
}
+#define MAX_PROMPT_SIZE 500
+#define MAX_ARG_SIZE 400
+#define MAX_COMMAND_SIZE 100
+
/**
* xmlCtxtDumpNode:
* @output: the FILE * for the output
@@ -2795,10 +2799,10 @@ void
xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
FILE * output)
{
- char prompt[500] = "/ > ";
+ char prompt[MAX_PROMPT_SIZE] = "/ > ";
char *cmdline = NULL, *cur;
- char command[100];
- char arg[400];
+ char command[MAX_COMMAND_SIZE];
+ char arg[MAX_ARG_SIZE];
int i;
xmlShellCtxtPtr ctxt;
xmlXPathObjectPtr list;
@@ -2856,7 +2860,8 @@ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
cur++;
i = 0;
while ((*cur != ' ') && (*cur != '\t') &&
- (*cur != '\n') && (*cur != '\r')) {
+ (*cur != '\n') && (*cur != '\r') &&
+ (i < (MAX_COMMAND_SIZE - 1))) {
if (*cur == 0)
break;
command[i++] = *cur++;
@@ -2871,7 +2876,7 @@ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
while ((*cur == ' ') || (*cur == '\t'))
cur++;
i = 0;
- while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
+ while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
if (*cur == 0)
break;
arg[i++] = *cur++;
diff --git a/result/scripts/long_command b/result/scripts/long_command
new file mode 100644
index 00000000..e6f00708
--- /dev/null
+++ b/result/scripts/long_command
@@ -0,0 +1,8 @@
+/ > b > b > Object is a Node Set :
+Set contains 1 nodes:
+1 ELEMENT a:c
+b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
+b > b > Unknown command ess_currents_of_time_and_existence
+b > <?xml version="1.0"?>
+<a xmlns:a="bar"><b xmlns:a="foo">Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof</b></a>
+b >
\ No newline at end of file
diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script
new file mode 100644
index 00000000..00f6df09
--- /dev/null
+++ b/test/scripts/long_command.script
@@ -0,0 +1,6 @@
+cd a/b
+set <a:c/>
+xpath //*[namespace-uri()="foo"]
+This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
+set Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
+save -
diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
new file mode 100644
index 00000000..1ba44016
--- /dev/null
+++ b/test/scripts/long_command.xml
@@ -0,0 +1 @@
+<a xmlns:a="bar"><b xmlns:a="foo"/></a>
--
2.50.1
Reference in New Issue View Git Blame Copy Permalink