master

分支 (29)

标签 (53)

管理

管理

master

openEuler-20.03-LTS-SP4

openEuler-22.03-LTS-SP4

openEuler-22.03-LTS-SP3

openEuler-24.03-LTS-SP2

openEuler-24.03-LTS-SP1

openEuler-25.09

openEuler-24.03-LTS

openEuler-24.03-LTS-Next

openEuler-25.03

openEuler-24.09

openEuler-22.03-LTS-SP1

openEuler-22.03-LTS-SP2

openEuler-22.03-LTS

openEuler-20.03-LTS-SP1

openEuler-22.03-LTS-Next

revert-merge-224-master

openEuler-20.03-LTS-SP3

openEuler-23.09

openEuler-23.03

openEuler-22.03-LTS-SP4-update-20250808

openEuler-20.03-LTS-SP4-update-20250725

openEuler-22.03-LTS-SP3-update-20250725

openEuler-22.03-LTS-SP4-update-20250725

openEuler-24.03-LTS-update-20250725

openEuler-24.03-LTS-SP1-update-20250718

openEuler-24.03-LTS-SP2-update-20250718

openEuler-24.03-LTS-update-20250711

openEuler-24.03-LTS-SP1-update-20250711

openEuler-24.03-LTS-SP2-update-20250711

openEuler-22.03-LTS-SP3-update-20250704

openEuler-20.03-LTS-SP4-update-20250627

openEuler-22.03-LTS-SP4-update-20250627

openEuler-24.03-LTS-update-20250627

openEuler-24.03-LTS-SP1-update-20250627

openEuler-24.03-LTS-SP2-release

openEuler-20.03-LTS-SP4-update-20250523

openEuler-22.03-LTS-SP3-update-20250523

openEuler-22.03-LTS-SP4-update-20250523

openEuler-24.03-LTS-update-20250425

libxml2
/
backport-CVE-2025-6170.patch

From 069bcda17d8194e9582c64dd4bc9dac99b015810 Mon Sep 17 00:00:00 2001
From: Michael Mann <mmann78@netscape.net>
Date: Fri, 20 Jun 2025 23:05:00 -0400
Subject: [PATCH] Fix potential buffer overflows of interactive shell

CVE-2025-6170

Fixes #941

Reference: https://github.com/GNOME/libxml2/commit/069bcda17d8194e9582c64dd4bc9dac99b015810
Conflict: rename shell.c to debugXML.c, no need xmllintShellReadline

---
 debugXML.c                       | 15 ++++++++++-----
 result/scripts/long_command      |  8 ++++++++
 test/scripts/long_command.script |  6 ++++++
 test/scripts/long_command.xml    |  1 +
 4 files changed, 25 insertions(+), 5 deletions(-)
 create mode 100644 result/scripts/long_command
 create mode 100644 test/scripts/long_command.script
 create mode 100644 test/scripts/long_command.xml

diff --git a/debugXML.c b/debugXML.c
index 3bb1930..c84c382 100644
--- a/debugXML.c
+++ b/debugXML.c
@@ -2781,6 +2781,10 @@ xmlShellPwd(xmlShellCtxtPtr ctxt ATTRIBUTE_UNUSED, char *buffer,
     return (0);
 }

+#define MAX_PROMPT_SIZE     500
+#define MAX_ARG_SIZE        400
+#define MAX_COMMAND_SIZE    100
+
 /**
  * xmlShell:
  * @doc:  the initial document
@@ -2796,10 +2800,10 @@ void
 xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
          FILE * output)
 {
-    char prompt[500] = "/ > ";
+    char prompt[MAX_PROMPT_SIZE] = "/ > ";
     char *cmdline = NULL, *cur;
-    char command[100];
-    char arg[400];
+    char command[MAX_COMMAND_SIZE];
+    char arg[MAX_ARG_SIZE];
     int i;
     xmlShellCtxtPtr ctxt;
     xmlXPathObjectPtr list;
@@ -2857,7 +2861,8 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
             cur++;
         i = 0;
         while ((*cur != ' ') && (*cur != '\t') &&
-               (*cur != '\n') && (*cur != '\r')) {
+               (*cur != '\n') && (*cur != '\r') &&
+               (i < (MAX_COMMAND_SIZE - 1))) {
             if (*cur == 0)
                 break;
             command[i++] = *cur++;
@@ -2872,7 +2877,7 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
         while ((*cur == ' ') || (*cur == '\t'))
             cur++;
         i = 0;
-        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
+        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
             if (*cur == 0)
                 break;
             arg[i++] = *cur++;
diff --git a/result/scripts/long_command b/result/scripts/long_command
new file mode 100644
index 0000000..e6f0070
--- /dev/null
+++ b/result/scripts/long_command
@@ -0,0 +1,8 @@
+/ > b > b > Object is a Node Set :
+Set contains 1 nodes:
+1  ELEMENT a:c
+b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
+b > b > Unknown command ess_currents_of_time_and_existence
+b > <?xml version="1.0"?>
+<a xmlns:a="bar"><b xmlns:a="foo">Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof</b></a>
+b >
\ No newline at end of file
diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script
new file mode 100644
index 0000000..00f6df0
--- /dev/null
+++ b/test/scripts/long_command.script
@@ -0,0 +1,6 @@
+cd a/b
+set <a:c/>
+xpath //*[namespace-uri()="foo"]
+This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
+set Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
+save -
diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
new file mode 100644
index 0000000..1ba4401
--- /dev/null
+++ b/test/scripts/long_command.xml
@@ -0,0 +1 @@
+<a xmlns:a="bar"><b xmlns:a="foo"/></a>
--
2.43.0