From a0b67b31b949d72c1d971f38266d520699d4480f Mon Sep 17 00:00:00 2001
From: Funda Wang <fundawang@yeah.net>
Date: Sat, 14 Jun 2025 23:27:00 +0800
Subject: [PATCH] fix CVE-2025-6021

---
 backport-CVE-2025-6021.patch | 46 ++++++++++++++++++++++++++++++++++++
 libxml2.spec                 |  9 ++++++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-6021.patch

diff --git a/backport-CVE-2025-6021.patch b/backport-CVE-2025-6021.patch
new file mode 100644
index 0000000..5f3c341
--- /dev/null
+++ b/backport-CVE-2025-6021.patch
@@ -0,0 +1,46 @@
+From acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 27 May 2025 12:53:17 +0200
+Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
+
+This issue affects memory safety and might receive a CVE ID later.
+
+Fixes #926.
+---
+ tree.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index b5a2659..d959172 100644
+--- a/tree.c
++++ b/tree.c
+@@ -27,6 +27,7 @@
+ #ifdef HAVE_STDLIB_H
+ #include <stdlib.h>
+ #endif
++#include <stdint.h>
+ #ifdef LIBXML_ZLIB_ENABLED
+ #include <zlib.h>
+ #endif
+@@ -222,16 +223,18 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
+ xmlChar *
+ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ 	      xmlChar *memory, int len) {
+-    int lenn, lenp;
++    size_t lenn, lenp;
+     xmlChar *ret;
+ 
+-    if (ncname == NULL) return(NULL);
++    if ((ncname == NULL) || (len < 0)) return(NULL);
+     if (prefix == NULL) return((xmlChar *) ncname);
+ 
+     lenn = strlen((char *) ncname);
+     lenp = strlen((char *) prefix);
++    if (lenn >= SIZE_MAX - lenp - 1)
++        return(NULL);
+ 
+-    if ((memory == NULL) || (len < lenn + lenp + 2)) {
++    if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+ 	ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
+ 	if (ret == NULL) {
+ 	    xmlTreeErrMemory("building QName");
diff --git a/libxml2.spec b/libxml2.spec
index a95cf4c..c9644ca 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.14
-Release: 17
+Release: 18
 License: MIT
 Group: Development/Libraries
 Source: https://download.gnome.org/sources/%{name}/2.9/%{name}-%{version}.tar.xz
@@ -197,6 +197,7 @@ Patch6175:  backport-CVE-2025-24928.patch
 Patch6176:  backport-CVE-2025-27113.patch
 Patch6177:  backport-CVE-2025-32415.patch
 Patch6178:  backport-CVE-2025-32414.patch
+Patch6179:  backport-CVE-2025-6021.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python3-devel
@@ -354,6 +355,12 @@ rm -fr %{buildroot}
 
 
 %changelog
+* Sat Jun 14 2025 Funda Wang <fundawang@yeah.net> - 2.9.14-18
+- Type:CVE
+- CVE:CVE-2025-6021
+- SUG:NA
+- DESC: fix CVE-2025-6021
+
 * Wed May 14 2025 Funda Wang <fundawang@yeah.net> - 2.9.14-17
 - Type:CVE
 - CVE:CVE-2025-32414
-- 
Gitee