NixOS · leona-ya · Jul 19, 2025 · Jul 2, 2025 · Jul 2, 2025 · Jul 13, 2025
diff --git a/pkgs/development/libraries/libxml2/CVE-2025-6021.patch b/pkgs/development/libraries/libxml2/CVE-2025-6021.patch
@@ -0,0 +1,40 @@
+diff --git a/tree.c b/tree.c
+index f097cf87..4d966ec9 100644
+--- a/tree.c
++++ b/tree.c
+@@ -47,6 +47,10 @@
+ #include "private/error.h"
+ #include "private/tree.h"
+
++#ifndef SIZE_MAX
++  #define SIZE_MAX ((size_t) -1)
++#endif
++
+ int __xmlRegisterCallbacks = 0;
+
+ /************************************************************************
+@@ -167,10 +168,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
+ xmlChar *
+ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ 	      xmlChar *memory, int len) {
+-    int lenn, lenp;
++    size_t lenn, lenp;
+     xmlChar *ret;
+
+-    if (ncname == NULL) return(NULL);
++    if ((ncname == NULL) || (len < 0)) return(NULL);
+     if (prefix == NULL) return((xmlChar *) ncname);
+
+ #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+@@ -181,8 +182,10 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+
+     lenn = strlen((char *) ncname);
+     lenp = strlen((char *) prefix);
++    if (lenn >= SIZE_MAX - lenp - 1)
++        return(NULL);
+
+-    if ((memory == NULL) || (len < lenn + lenp + 2)) {
++    if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+ 	ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
+ 	if (ret == NULL)
+ 	    return(NULL);
diff --git a/pkgs/development/libraries/libxml2/CVE-2025-6170.patch b/pkgs/development/libraries/libxml2/CVE-2025-6170.patch
@@ -0,0 +1,112 @@
+diff --git a/result/scripts/long_command b/result/scripts/long_command
+new file mode 100644
+index 000000000..e6f00708b
+--- /dev/null
++++ b/result/scripts/long_command
+@@ -0,0 +1,8 @@
++/ > b > b > Object is a Node Set :
++Set contains 1 nodes:
++1  ELEMENT a:c
++b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
++b > b > Unknown command ess_currents_of_time_and_existence
++b > <?xml version="1.0"?>
++<a xmlns:a="bar"><b xmlns:a="foo">Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof</b></a>
++b > 
+\ No newline at end of file
+diff --git a/debugXML.c b/debugXML.c
+index ed56b0f8..aeeea3c0 100644
+--- a/debugXML.c
++++ b/debugXML.c
+@@ -2780,6 +2780,10 @@ xmlShellPwd(xmlShellCtxtPtr ctxt ATTRIBUTE_UNUSED, char *buffer,
+     return (0);
+ }
+
++#define MAX_PROMPT_SIZE     500
++#define MAX_ARG_SIZE        400
++#define MAX_COMMAND_SIZE    100
++
+ /**
+  * xmlShell:
+  * @doc:  the initial document
+@@ -2795,10 +2795,10 @@ void
+ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
+          FILE * output)
+ {
+-    char prompt[500] = "/ > ";
++    char prompt[MAX_PROMPT_SIZE] = "/ > ";
+     char *cmdline = NULL, *cur;
+-    char command[100];
+-    char arg[400];
++    char command[MAX_COMMAND_SIZE];
++    char arg[MAX_ARG_SIZE];
+     int i;
+     xmlShellCtxtPtr ctxt;
+     xmlXPathObjectPtr list;
+@@ -2856,7 +2856,8 @@ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
+             cur++;
+         i = 0;
+         while ((*cur != ' ') && (*cur != '\t') &&
+-               (*cur != '\n') && (*cur != '\r')) {
++               (*cur != '\n') && (*cur != '\r') &&
++               (i < (MAX_COMMAND_SIZE - 1))) {
+             if (*cur == 0)
+                 break;
+             command[i++] = *cur++;
+@@ -2871,7 +2872,7 @@ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
+         while ((*cur == ' ') || (*cur == '\t'))
+             cur++;
+         i = 0;
+-        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
++        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
+             if (*cur == 0)
+                 break;
+             arg[i++] = *cur++;
+diff --git a/xmllint.c b/xmllint.c
+index c6273477..3d90272c 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -724,6 +724,9 @@ xmlHTMLValidityWarning(void *ctx, const char *msg, ...)
+  ************************************************************************/
+ #ifdef LIBXML_DEBUG_ENABLED
+ #ifdef LIBXML_XPATH_ENABLED
++
++#define MAX_PROMPT_SIZE     500
++
+ /**
+  * xmlShellReadline:
+  * @prompt:  the prompt value
+@@ -754,9 +754,9 @@ xmlShellReadline(char *prompt) {
+     if (prompt != NULL)
+ 	fprintf(stdout, "%s", prompt);
+     fflush(stdout);
+-    if (!fgets(line_read, 500, stdin))
++    if (!fgets(line_read, MAX_PROMPT_SIZE, stdin))
+         return(NULL);
+-    line_read[500] = 0;
++    line_read[MAX_PROMPT_SIZE] = 0;
+     len = strlen(line_read);
+     ret = (char *) malloc(len + 1);
+     if (ret != NULL) {
+-- 
+diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script
+new file mode 100644
+index 000000000..00f6df09f
+--- /dev/null
++++ b/test/scripts/long_command.script
+@@ -0,0 +1,6 @@
++cd a/b
++set <a:c/>
++xpath //*[namespace-uri()="foo"]
++This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
++set Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
++save -
+diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
+new file mode 100644
+index 000000000..1ba44016e
+--- /dev/null
++++ b/test/scripts/long_command.xml
+@@ -0,0 +1 @@
++<a xmlns:a="bar"><b xmlns:a="foo"/></a>
+-- 
+GitLab
+
diff --git a/pkgs/development/libraries/libxml2/common.nix b/pkgs/development/libraries/libxml2/common.nix
@@ -0,0 +1,166 @@
+{
+  stdenv,
+  darwin,
+  lib,
+  pkg-config,
+  autoreconfHook,
+  python3,
+  ncurses,
+  findXMLCatalogs,
+  libiconv,
+  # Python limits cross-compilation to an allowlist of host OSes.
+  # https://github.com/python/cpython/blob/dfad678d7024ab86d265d84ed45999e031a03691/configure.ac#L534-L562
+  pythonSupport ?
+    enableShared
+    && (
+      stdenv.hostPlatform == stdenv.buildPlatform
+      || stdenv.hostPlatform.isCygwin
+      || stdenv.hostPlatform.isLinux
+      || stdenv.hostPlatform.isWasi
+    ),
+  icuSupport ? false,
+  icu,
+  zlibSupport ? false,
+  zlib,
+  enableShared ? !stdenv.hostPlatform.isMinGW && !stdenv.hostPlatform.isStatic,
+  enableStatic ? !enableShared,
+  gnome,
+  testers,
+  enableHttp ? false,
+
+  version,
+  extraPatches ? [ ],
+  src,
+  extraMeta ? { },
+  freezeUpdateScript ? false,
+}:
+
+let
+  # libxml2 is a dependency of xcbuild. Avoid an infinite recursion by using a bootstrap stdenv
+  # that does not propagate xcrun.
+  stdenv' = if stdenv.hostPlatform.isDarwin then darwin.bootstrapStdenv else stdenv;
+in
+stdenv'.mkDerivation (finalAttrs: {
+  inherit
+    version
+    src
+    ;
+
+  pname = "libxml2";
+
+  outputs =
+    [
+      "bin"
+      "dev"
+      "out"
+      "devdoc"
+    ]
+    ++ lib.optional pythonSupport "py"
+    ++ lib.optional (enableStatic && enableShared) "static";
+  outputMan = "bin";
+
+  patches = [
+    # Unmerged ABI-breaking patch required to fix the following security issues:
+    # - https://gitlab.gnome.org/GNOME/libxslt/-/issues/139
+    # - https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
+    # See also https://gitlab.gnome.org/GNOME/libxml2/-/issues/906
+    # Source: https://github.com/chromium/chromium/blob/4fb4ae8ce3daa399c3d8ca67f2dfb9deffcc7007/third_party/libxml/chromium/xml-attr-extra.patch
+    ./xml-attr-extra.patch
+  ] ++ extraPatches;
+
+  strictDeps = true;
+
+  nativeBuildInputs = [
+    pkg-config
+    autoreconfHook
+  ];
+
+  buildInputs =
+    lib.optionals pythonSupport [
+      ncurses
+      python3
+    ]
+    ++ lib.optionals zlibSupport [
+      zlib
+    ];
+
+  propagatedBuildInputs =
+    [
+      findXMLCatalogs
+    ]
+    ++ lib.optionals (stdenv.hostPlatform.isDarwin || stdenv.hostPlatform.isMinGW) [
+      libiconv
+    ]
+    ++ lib.optionals icuSupport [
+      icu
+    ];
+
+  configureFlags =
+    [
+      "--exec-prefix=${placeholder "dev"}"
+      (lib.enableFeature enableStatic "static")
+      (lib.enableFeature enableShared "shared")
+      (lib.withFeature icuSupport "icu")
+      (lib.withFeature pythonSupport "python")
+      (lib.optionalString pythonSupport "PYTHON=${python3.pythonOnBuildForHost.interpreter}")
+    ]
+    # avoid rebuilds, can be merged into list in version bumps
+    ++ lib.optional enableHttp "--with-http"
+    ++ lib.optional zlibSupport "--with-zlib";
+
+  installFlags = lib.optionals pythonSupport [
+    "pythondir=\"${placeholder "py"}/${python3.sitePackages}\""
+    "pyexecdir=\"${placeholder "py"}/${python3.sitePackages}\""
+  ];
+
+  enableParallelBuilding = true;
+
+  doCheck = (stdenv.hostPlatform == stdenv.buildPlatform) && stdenv.hostPlatform.libc != "musl";
+  preCheck = lib.optional stdenv.hostPlatform.isDarwin ''
+    export DYLD_LIBRARY_PATH="$PWD/.libs:$DYLD_LIBRARY_PATH"
+  '';
+
+  preConfigure = lib.optionalString (lib.versionAtLeast stdenv.hostPlatform.darwinMinVersion "11") ''
+    MACOSX_DEPLOYMENT_TARGET=10.16
+  '';
+
+  preInstall = lib.optionalString pythonSupport ''
+    substituteInPlace python/libxml2mod.la --replace-fail "$dev/${python3.sitePackages}" "$py/${python3.sitePackages}"
+  '';
+
+  postFixup =
+    ''
+      moveToOutput bin/xml2-config "$dev"
+      moveToOutput lib/xml2Conf.sh "$dev"
+    ''
+    + lib.optionalString (enableStatic && enableShared) ''
+      moveToOutput lib/libxml2.a "$static"
+    '';
+
+  passthru = {
+    inherit pythonSupport;
+
+    updateScript = gnome.updateScript {
+      packageName = "libxml2";
+      versionPolicy = "none";
+      freeze = freezeUpdateScript;
+    };
+    tests = {
+      pkg-config = testers.hasPkgConfigModules {
+        package = finalAttrs.finalPackage;
+      };
+      cmake-config = testers.hasCmakeConfigModules {
+        moduleNames = [ "LibXml2" ];
+        package = finalAttrs.finalPackage;
+      };
+    };
+  };
+
+  meta = {
+    homepage = "https://gitlab.gnome.org/GNOME/libxml2";
+    description = "XML parsing library for C";
+    license = lib.licenses.mit;
+    platforms = lib.platforms.all;
+    pkgConfigModules = [ "libxml-2.0" ];
+  } // extraMeta;
+})