File libxml2-CVE-2026-0990.patch of Package libxml2.42775

From 1961208e958ca22f80a0b4e4c9d71cfa050aa982 Mon Sep 17 00:00:00 2001
From: Daniel Garcia Moreno <daniel.garcia@suse.com>
Date: Wed, 17 Dec 2025 15:24:08 +0100
Subject: [PATCH 1/2] catalog: prevent inf recursion in xmlCatalogXMLResolveURI

Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018
---
 catalog.c | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)

Index: libxml2-2.13.8/catalog.c
===================================================================
--- libxml2-2.13.8.orig/catalog.c
+++ libxml2-2.13.8/catalog.c
@@ -1240,9 +1240,26 @@ xmlParseXMLCatalogNode(xmlNodePtr cur, x
 		BAD_CAST "delegateURI", BAD_CAST "uriStartString",
 		BAD_CAST "catalog", prefer, cgroup);
     } else if (xmlStrEqual(cur->name, BAD_CAST "nextCatalog")) {
+	xmlCatalogEntryPtr prev = parent->children;
+
 	entry = xmlParseXMLCatalogOneNode(cur, XML_CATA_NEXT_CATALOG,
 		BAD_CAST "nextCatalog", NULL,
 		BAD_CAST "catalog", prefer, cgroup);
+	/* Avoid duplication of nextCatalog */
+	while (prev != NULL) {
+	    if ((prev->type == XML_CATA_NEXT_CATALOG) &&
+		(xmlStrEqual (prev->URL, entry->URL)) &&
+		(xmlStrEqual (prev->value, entry->value)) &&
+		(prev->prefer == entry->prefer) &&
+		(prev->group == entry->group)) {
+		    if (xmlDebugCatalogs)
+				fprintf(stderr, "Ignoring repeated nextCatalog %s\n", entry->URL);
+		    xmlFreeCatalogEntry(entry);
+		    entry = NULL;
+		    break;
+	    }
+	    prev = prev->next;
+	}
     }
     if (entry != NULL) {
         if (parent != NULL) {
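Review bot: The added duplicate check dereferences `parent` (in the `prev` initialiser) and `entry` (in `entry->URL`, `entry->value`, `entry->prefer`, `entry->group`) before the NULL tests that follow it, `if (entry != NULL)` and `if (parent != NULL)`. Those surviving tests suggest both pointers can be NULL on this path, `entry` presumably when xmlParseXMLCatalogOneNode rejects the node, in which case parsing a catalog file would crash here instead of skipping the element. I would guard both: `xmlCatalogEntryPtr prev = (parent != NULL) ? parent->children : NULL;` and `while ((entry != NULL) && (prev != NULL)) {`. The enclosing function starts and ends outside the hunk, so the NULL-ability of `parent` should be confirmed against the full body.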
@@ -2060,12 +2077,21 @@ static xmlChar *
 xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) {
     xmlChar *ret = NULL;
     xmlChar *urnID = NULL;
+    xmlCatalogEntryPtr cur = NULL;
 
     if (catal == NULL)
         return(NULL);
     if (URI == NULL)
 	return(NULL);
 
+    if (catal->depth > MAX_CATAL_DEPTH) {
+	xmlCatalogErr(catal, NULL, XML_CATALOG_RECURSION,
+		      "Detected recursion in catalog %s\n",
+		      catal->name, NULL, NULL);
+	return(NULL);
+    }
+    catal->depth++;
+
     if (!xmlStrncmp(URI, BAD_CAST XML_URN_PUBID, sizeof(XML_URN_PUBID) - 1)) {
 	urnID = xmlCatalogUnWrapURN(URI);
 	if (xmlDebugCatalogs) {
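Review bot: The recursion guard keeps its counter in `catal->depth`, a field of the catalog entry rather than call-local state, and nothing at `catal->depth++;` documents the invariant this creates. A comment such as `/* depth is tracked on the list head; every return below must decrement it */` above the increment would make the contract explicit for the next person who adds an exit path. Because the counter is mutable state on a shared entry, it is also worth confirming that every caller reaches this function with the catalog lock held; that is not visible from this hunk. The function body continues outside the hunk.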
@@ -2079,21 +2105,27 @@ xmlCatalogListXMLResolveURI(xmlCatalogEn
 	ret = xmlCatalogListXMLResolve(catal, urnID, NULL);
 	if (urnID != NULL)
 	    xmlFree(urnID);
+	catal->depth--;
 	return(ret);
     }
-    while (catal != NULL) {
-	if (catal->type == XML_CATA_CATALOG) {
-	    if (catal->children == NULL) {
-		xmlFetchXMLCatalogFile(catal);
+    cur = catal;
+    while (cur != NULL) {
+	if (cur->type == XML_CATA_CATALOG) {
+	    if (cur->children == NULL) {
+		xmlFetchXMLCatalogFile(cur);
 	    }
-	    if (catal->children != NULL) {
-		ret = xmlCatalogXMLResolveURI(catal->children, URI);
-		if (ret != NULL)
+	    if (cur->children != NULL) {
+		ret = xmlCatalogXMLResolveURI(cur->children, URI);
+		if (ret != NULL) {
+		    catal->depth--;
 		    return(ret);
+		}
 	    }
 	}
-	catal = catal->next;
+	cur = cur->next;
     }
+
+    catal->depth--;
     return(ret);
 }
 
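Review bot: The depth bookkeeping is undone at three separate places in this hunk (the URN branch, the `ret != NULL` return inside the loop, and the final return). Any early return added later would leave `catal->depth` permanently raised, and after enough calls the guard would report recursion for a valid catalog and resolution would fail. A single exit is harder to get wrong: use `goto done;` in place of each `catal->depth--; return(ret);` pair and end the function with `done: catal->depth--; return(ret);`. The rename of the loop variable to `cur` is what keeps the decrement on the same entry that was incremented, which deserves a one-line comment at `cur = catal;`. The function starts outside this hunk.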