From 6e4485fc583a26a3fa1555af097742585d95dd87 Mon Sep 17 00:00:00 2001 From: Azure Linux Security Servicing Account Date: Fri, 22 May 2026 02:16:43 +0000 Subject: [PATCH 1/2] Patch perl-XML-LibXML for CVE-2026-8177 --- SPECS/perl-XML-LibXML/CVE-2026-8177.patch | 101 +++++++++++++++++++++ SPECS/perl-XML-LibXML/perl-XML-LibXML.spec | 7 +- 2 files changed, 107 insertions(+), 1 deletion(-) create mode 100644 SPECS/perl-XML-LibXML/CVE-2026-8177.patch diff --git a/SPECS/perl-XML-LibXML/CVE-2026-8177.patch b/SPECS/perl-XML-LibXML/CVE-2026-8177.patch new file mode 100644 index 00000000000..146b2b348f9 --- /dev/null +++ b/SPECS/perl-XML-LibXML/CVE-2026-8177.patch @@ -0,0 +1,101 @@ +From 98c9596bc60b9b0187ad7ad5e76cede788d8c346 Mon Sep 17 00:00:00 2001 +From: Toddr Bot +Date: Fri, 8 May 2026 12:26:36 +0000 +Subject: [PATCH] fix: validate UTF-8 continuation bytes in domParseChar to + prevent OOB read + +domParseChar() read continuation bytes for multi-byte UTF-8 sequences +without verifying they actually exist or are valid. A truncated sequence +like "a\xF0" caused reads past the NUL terminator into uninitialized +heap memory. The caller LibXML_test_node_name() then advanced its +pointer by the (wrong) reported length, continuing to read from +uncontrolled heap until hitting a zero byte or unmapped memory. + +Add validation that each continuation byte has the 10xxxxxx form +before reading it, matching libxml2's own xmlCurrentChar() behavior. +Invalid sequences now return 0 with *len = -1. + +Fixes #146 + +Co-Authored-By: Claude Opus 4.6 +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/cpan-authors/XML-LibXML/commit/15652bd905a6c9dda59a81b14d4766adbbae2ea8.patch +--- + dom.c | 18 ++++++++++++++++++ + t/06elements.t | 10 +++++++--- + 2 files changed, 25 insertions(+), 3 deletions(-) + +diff --git a/dom.c b/dom.c +index 10eb33d..4b0b7d1 100644 +--- a/dom.c ++++ b/dom.c +@@ -292,6 +292,13 @@ domParseChar( xmlChar *cur, int *len ) + if ((c & 0xe0) == 0xe0) { + if ((c & 0xf0) == 0xf0) { + /* 4-byte code */ ++ if ((cur[1] & 0xC0) != 0x80 || ++ (cur[2] & 0xC0) != 0x80 || ++ (cur[3] & 0xC0) != 0x80) ++ { ++ *len = -1; ++ return(0); ++ } + *len = 4; + val = (cur[0] & 0x7) << 18; + val |= (cur[1] & 0x3f) << 12; +@@ -299,6 +306,12 @@ domParseChar( xmlChar *cur, int *len ) + val |= cur[3] & 0x3f; + } else { + /* 3-byte code */ ++ if ((cur[1] & 0xC0) != 0x80 || ++ (cur[2] & 0xC0) != 0x80) ++ { ++ *len = -1; ++ return(0); ++ } + *len = 3; + val = (cur[0] & 0xf) << 12; + val |= (cur[1] & 0x3f) << 6; +@@ -306,6 +319,11 @@ domParseChar( xmlChar *cur, int *len ) + } + } else { + /* 2-byte code */ ++ if ((cur[1] & 0xC0) != 0x80) ++ { ++ *len = -1; ++ return(0); ++ } + *len = 2; + val = (cur[0] & 0x1f) << 6; + val |= cur[1] & 0x3f; +diff --git a/t/06elements.t b/t/06elements.t +index 6d68e10..547254d 100755 +--- a/t/06elements.t ++++ b/t/06elements.t +@@ -8,7 +8,7 @@ use strict; + use warnings; + + # Should be 187. +-use Test::More tests => 191; ++use Test::More tests => 200; + + use XML::LibXML; + +@@ -22,8 +22,12 @@ my $attname2 = "B"; + my $attvalue2 = "b"; + my $attname3 = "C"; + +-# TEST:$badnames=4; +-my @badnames= ("1A", "<><", "&", "-:"); ++# TEST:$badnames=7; ++my @badnames= ("1A", "<><", "&", "-:", ++ "a\xF0", # truncated 4-byte UTF-8 ++ "a\xE0", # truncated 3-byte UTF-8 ++ "a\xC0", # truncated 2-byte UTF-8 ++); + + # 1. bound node + { +-- +2.45.4 + diff --git a/SPECS/perl-XML-LibXML/perl-XML-LibXML.spec b/SPECS/perl-XML-LibXML/perl-XML-LibXML.spec index 94cedd959ed..8a84fb32ee6 100644 --- a/SPECS/perl-XML-LibXML/perl-XML-LibXML.spec +++ b/SPECS/perl-XML-LibXML/perl-XML-LibXML.spec @@ -8,7 +8,7 @@ Name: perl-XML-LibXML # it might not be needed anymore # this module is maintained, the other is not Version: 2.0209 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Perl interface to the libxml2 library License: (GPL+ or Artistic) and MIT URL: https://metacpan.org/release/XML-LibXML @@ -20,6 +20,7 @@ Source0: https://cpan.metacpan.org/authors/id/S/SH/SHLOMIF/XML-LibXML-%{v Patch0: XML-LibXML-2.0202-Parse-an-ampersand-entity-in-SAX-interface.patch # To reduce dependencies replace Alien::Libxml2 with pkg-config Patch1: XML-LibXML-2.0208-Use-pkgconfig-instead-of-Alien-Libxml2.patch +Patch2: CVE-2026-8177.patch BuildRequires: coreutils BuildRequires: findutils BuildRequires: glibc-common @@ -115,6 +116,7 @@ with "%{_libexecdir}/%{name}/test". %prep %setup -q -n XML-LibXML-%{version} +%patch 2 -p1 %patch 0 -p1 %patch 1 -p1 chmod -x *.c @@ -185,6 +187,9 @@ fi %{_libexecdir}/%{name} %changelog +* Fri May 22 2026 Azure Linux Security Servicing Account - 2.0209-3 +- Patch for CVE-2026-8177 + * Tue Sep 03 2024 Neha Agarwal - 2.0209-2 - Add missing Vendor and Distribution tags. From 66d8b08144465a53afb50cc592284a329ed320b5 Mon Sep 17 00:00:00 2001 From: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com> Date: Fri, 22 May 2026 09:36:16 +0530 Subject: [PATCH 2/2] Simplify setup process in perl-XML-LibXML.spec --- SPECS/perl-XML-LibXML/perl-XML-LibXML.spec | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/SPECS/perl-XML-LibXML/perl-XML-LibXML.spec b/SPECS/perl-XML-LibXML/perl-XML-LibXML.spec index 8a84fb32ee6..d1782289ba5 100644 --- a/SPECS/perl-XML-LibXML/perl-XML-LibXML.spec +++ b/SPECS/perl-XML-LibXML/perl-XML-LibXML.spec @@ -115,10 +115,7 @@ Tests from %{name}. Execute them with "%{_libexecdir}/%{name}/test". %prep -%setup -q -n XML-LibXML-%{version} -%patch 2 -p1 -%patch 0 -p1 -%patch 1 -p1 +%autosetup -p1 -n XML-LibXML-%{version} chmod -x *.c for i in Changes; do /usr/bin/iconv -f iso8859-1 -t utf-8 $i > $i.conv && /bin/mv -f $i.conv $i