libxml2/libxml2-CVE-2026-0990.patch

From 1961208e958ca22f80a0b4e4c9d71cfa050aa982 Mon Sep 17 00:00:00 2001
From: Daniel Garcia Moreno <daniel.garcia@suse.com>
Date: Wed, 17 Dec 2025 15:24:08 +0100
Subject: [PATCH 1/2] catalog: prevent inf recursion in xmlCatalogXMLResolveURI

Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018
---
 catalog.c | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)

diff --git a/catalog.c b/catalog.c
index 76c063a8b..46b877e62 100644
--- a/catalog.c
+++ b/catalog.c
@@ -2025,12 +2025,21 @@ static xmlChar *
 xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) {
     xmlChar *ret = NULL;
     xmlChar *urnID = NULL;
+    xmlCatalogEntryPtr cur = NULL;
 
     if (catal == NULL)
         return(NULL);
     if (URI == NULL)
 	return(NULL);
 
+    if (catal->depth > MAX_CATAL_DEPTH) {
+	xmlCatalogErr(catal, NULL, XML_CATALOG_RECURSION,
+		      "Detected recursion in catalog %s\n",
+		      catal->name, NULL, NULL);
+	return(NULL);
+    }
+    catal->depth++;
+
     if (!xmlStrncmp(URI, BAD_CAST XML_URN_PUBID, sizeof(XML_URN_PUBID) - 1)) {
 	urnID = xmlCatalogUnWrapURN(URI);
 	if (xmlDebugCatalogs) {
@@ -2044,21 +2053,27 @@ xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) {
 	ret = xmlCatalogListXMLResolve(catal, urnID, NULL);
 	if (urnID != NULL)
 	    xmlFree(urnID);
+	catal->depth--;
 	return(ret);
     }
-    while (catal != NULL) {
-	if (catal->type == XML_CATA_CATALOG) {
-	    if (catal->children == NULL) {
-		xmlFetchXMLCatalogFile(catal);
+    cur = catal;
+    while (cur != NULL) {
+	if (cur->type == XML_CATA_CATALOG) {
+	    if (cur->children == NULL) {
+		xmlFetchXMLCatalogFile(cur);
 	    }
-	    if (catal->children != NULL) {
-		ret = xmlCatalogXMLResolveURI(catal->children, URI);
-		if (ret != NULL)
+	    if (cur->children != NULL) {
+		ret = xmlCatalogXMLResolveURI(cur->children, URI);
+		if (ret != NULL) {
+		    catal->depth--;
 		    return(ret);
+		}
 	    }
 	}
-	catal = catal->next;
+	cur = cur->next;
     }
+
+    catal->depth--;
     return(ret);
 }
 
-- 
GitLab


From f75abfcaa419a740a3191e56c60400f3ff18988d Mon Sep 17 00:00:00 2001
From: Daniel Garcia Moreno <daniel.garcia@suse.com>
Date: Fri, 19 Dec 2025 11:02:18 +0100
Subject: [PATCH 2/2] catalog: Ignore repeated nextCatalog entries

This patch makes the catalog parsing to ignore repeated entries of
nextCatalog with the same value.

Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
---
 catalog.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/catalog.c b/catalog.c
index 46b877e62..fa6d77ca1 100644
--- a/catalog.c
+++ b/catalog.c
@@ -1223,9 +1223,27 @@ xmlParseXMLCatalogNode(xmlNodePtr cur, xmlCatalogPrefer prefer,
 		BAD_CAST "delegateURI", BAD_CAST "uriStartString",
 		BAD_CAST "catalog", prefer, cgroup);
     } else if (xmlStrEqual(cur->name, BAD_CAST "nextCatalog")) {
+	xmlCatalogEntryPtr prev = parent->children;
+
 	entry = xmlParseXMLCatalogOneNode(cur, XML_CATA_NEXT_CATALOG,
 		BAD_CAST "nextCatalog", NULL,
 		BAD_CAST "catalog", prefer, cgroup);
+	/* Avoid duplication of nextCatalog */
+	while (prev != NULL) {
+	    if ((prev->type == XML_CATA_NEXT_CATALOG) &&
+		(xmlStrEqual (prev->URL, entry->URL)) &&
+		(xmlStrEqual (prev->value, entry->value)) &&
+		(prev->prefer == entry->prefer) &&
+		(prev->group == entry->group)) {
+		    if (xmlDebugCatalogs)
+			xmlCatalogPrintDebug(
+			    "Ignoring repeated nextCatalog %s\n", entry->URL);
+		    xmlFreeCatalogEntry(entry, NULL);
+		    entry = NULL;
+		    break;
+	    }
+	    prev = prev->next;
+	}
     }
     if (entry != NULL) {
         if (parent != NULL) {
-- 
GitLab