libxml2: add patch for CVE-2025-6170

(cherry picked from commit 2da008e2ee)
2026-01-12 02:40:31 +08:00 · 2025-07-17 09:41:47 +02:00
parent d0082400be
commit 47bb459c41
2 changed files with 115 additions and 0 deletions
--- a/pkgs/development/libraries/libxml2/CVE-2025-6170.patch
+++ b/pkgs/development/libraries/libxml2/CVE-2025-6170.patch
@@ -0,0 +1,112 @@
+diff --git a/result/scripts/long_command b/result/scripts/long_command
+new file mode 100644
+index 000000000..e6f00708b
+--- /dev/null
+++ b/result/scripts/long_command
+@@ -0,0 +1,8 @@
+/ > b > b > Object is a Node Set :
+Set contains 1 nodes:
+1  ELEMENT a:c
+b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
+b > b > Unknown command ess_currents_of_time_and_existence
+b > <?xml version="1.0"?>
+<a xmlns:a="bar"><b xmlns:a="foo">Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof</b></a>
+b > 
+\ No newline at end of file
+diff --git a/debugXML.c b/debugXML.c
+index ed56b0f8..aeeea3c0 100644
+--- a/debugXML.c
+++ b/debugXML.c
+@@ -2780,6 +2780,10 @@ xmlShellPwd(xmlShellCtxtPtr ctxt ATTRIBUTE_UNUSED, char *buffer,
+     return (0);
+ }
+ 
+#define MAX_PROMPT_SIZE     500
+#define MAX_ARG_SIZE        400
+#define MAX_COMMAND_SIZE    100
+
+ /**
+  * xmlShell:
+  * @doc:  the initial document
+@@ -2795,10 +2795,10 @@ void
+ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
+          FILE * output)
+ {
+-    char prompt[500] = "/ > ";
+    char prompt[MAX_PROMPT_SIZE] = "/ > ";
+     char *cmdline = NULL, *cur;
+-    char command[100];
+-    char arg[400];
+    char command[MAX_COMMAND_SIZE];
+    char arg[MAX_ARG_SIZE];
+     int i;
+     xmlShellCtxtPtr ctxt;
+     xmlXPathObjectPtr list;
+@@ -2856,7 +2856,8 @@ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
+             cur++;
+         i = 0;
+         while ((*cur != ' ') && (*cur != '\t') &&
+-               (*cur != '\n') && (*cur != '\r')) {
+               (*cur != '\n') && (*cur != '\r') &&
+               (i < (MAX_COMMAND_SIZE - 1))) {
+             if (*cur == 0)
+                 break;
+             command[i++] = *cur++;
+@@ -2871,7 +2872,7 @@ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
+         while ((*cur == ' ') || (*cur == '\t'))
+             cur++;
+         i = 0;
+-        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
+        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
+             if (*cur == 0)
+                 break;
+             arg[i++] = *cur++;
+diff --git a/xmllint.c b/xmllint.c
+index c6273477..3d90272c 100644
+--- a/xmllint.c
+++ b/xmllint.c
+@@ -724,6 +724,9 @@ xmlHTMLValidityWarning(void *ctx, const char *msg, ...)
+  ************************************************************************/
+ #ifdef LIBXML_DEBUG_ENABLED
+ #ifdef LIBXML_XPATH_ENABLED
+
+#define MAX_PROMPT_SIZE     500
+
+ /**
+  * xmlShellReadline:
+  * @prompt:  the prompt value
+@@ -754,9 +754,9 @@ xmlShellReadline(char *prompt) {
+     if (prompt != NULL)
+ 	fprintf(stdout, "%s", prompt);
+     fflush(stdout);
+-    if (!fgets(line_read, 500, stdin))
+    if (!fgets(line_read, MAX_PROMPT_SIZE, stdin))
+         return(NULL);
+-    line_read[500] = 0;
+    line_read[MAX_PROMPT_SIZE] = 0;
+     len = strlen(line_read);
+     ret = (char *) malloc(len + 1);
+     if (ret != NULL) {
+-- 
+diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script
+new file mode 100644
+index 000000000..00f6df09f
+--- /dev/null
+++ b/test/scripts/long_command.script
+@@ -0,0 +1,6 @@
+cd a/b
+set <a:c/>
+xpath //*[namespace-uri()="foo"]
+This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
+set Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
+save -
+diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
+new file mode 100644
+index 000000000..1ba44016e
+--- /dev/null
+++ b/test/scripts/long_command.xml
+@@ -0,0 +1 @@
+<a xmlns:a="bar"><b xmlns:a="foo"/></a>
+-- 
+GitLab
+
--- a/pkgs/development/libraries/libxml2/default.nix
+++ b/pkgs/development/libraries/libxml2/default.nix
@@ -73,6 +73,9 @@ stdenv.mkDerivation (finalAttrs: {
      hash = "sha256-r7PYKr5cDDNNMtM3ogNLsucPFTwP/uoC7McijyLl4kU=";
      excludes = [ "runtest.c" ]; # tests were rewritten in C and are on schematron for 2.13.x, meaning this does not apply
    })
+    # same as upstream, fixed conflicts
+    # https://gitlab.gnome.org/GNOME/libxml2/-/commit/c340e419505cf4bf1d9ed7019a87cc00ec200434
+    ./CVE-2025-6170.patch
  ];

  strictDeps = true;