sparklemotion
diff --git a/‎CHANGELOG.md‎
Lines changed: 7 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎patches/libxml2/0020-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQ.patch‎
Lines changed: 54 additions & 0 deletions b/‎patches/libxml2/0020-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQ.patch‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎patches/libxml2/0021-CVE-2025-6170-Fix-potential-buffer-overflows-of-inte.patch‎
Lines changed: 102 additions & 0 deletions b/‎patches/libxml2/0021-CVE-2025-6170-Fix-potential-buffer-overflows-of-inte.patch‎
Lines changed: 102 additions & 0 deletions
diff --git a/‎patches/libxml2/0022-CVE-2025-49795-schematron-Fix-null-pointer-dereferen.patch‎
Lines changed: 69 additions & 0 deletions b/‎patches/libxml2/0022-CVE-2025-49795-schematron-Fix-null-pointer-dereferen.patch‎
Lines changed: 69 additions & 0 deletions
@@ -4,6 +4,13 @@ Nokogiri follows [Semantic Versioning](https://semver.org/), please see the [REA
 
 ---
 
+## next / unreleased
+
+### Security
+
+* [CRuby] Applied upstream libxml2 patches to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796. See [GHSA-353f-x4gh-cqq8](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-353f-x4gh-cqq8) for more information.
+
+
 ## v1.18.8 / 2025-04-21
 
 ### Security
 
@@ -0,0 +1,54 @@
+From 17d950ae33c23f87692aa179bacedb6743f3188a Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 27 May 2025 12:53:17 +0200
+Subject: [PATCH 5/9] [CVE-2025-6021] tree: Fix integer overflow in
+ xmlBuildQName
+
+Fixes #926.
+---
+ tree.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index f097cf87..5bc95b8a 100644
+--- a/tree.c
++++ b/tree.c
+@@ -47,6 +47,10 @@
+ #include "private/error.h"
+ #include "private/tree.h"
+ 
++#ifndef SIZE_MAX
++ #define SIZE_MAX ((size_t)-1)
++#endif
++
+ int __xmlRegisterCallbacks = 0;
+ 
+ /************************************************************************
+@@ -167,10 +171,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
+ xmlChar *
+ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ xmlChar *memory, int len) {
+- int lenn, lenp;
++ size_t lenn, lenp;
+ xmlChar *ret;
+ 
+- if (ncname == NULL) return(NULL);
++ if ((ncname == NULL) || (len < 0)) return(NULL);
+ if (prefix == NULL) return((xmlChar *) ncname);
+ 
+ #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+@@ -181,8 +185,10 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ 
+ lenn = strlen((char *) ncname);
+ lenp = strlen((char *) prefix);
++ if (lenn >= SIZE_MAX - lenp - 1)
++ return(NULL);
+ 
+- if ((memory == NULL) || (len < lenn + lenp + 2)) {
++ if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+	ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
+	if (ret == NULL)
+ return(NULL);
+-- 
+2.50.1
+
@@ -0,0 +1,102 @@
+From 5e9ec5c107d3f5b5179c3dbc19df43df041cd55b Mon Sep 17 00:00:00 2001
+From: Michael Mann <mmann78@netscape.net>
+Date: Fri, 20 Jun 2025 23:05:00 -0400
+Subject: [PATCH 6/9] [CVE-2025-6170] Fix potential buffer overflows of
+ interactive shell
+
+Fixes #941
+---
+ debugXML.c | 15 ++++++++++-----
+ result/scripts/long_command | 8 ++++++++
+ test/scripts/long_command.script | 6 ++++++
+ test/scripts/long_command.xml | 1 +
+ 4 files changed, 25 insertions(+), 5 deletions(-)
+ create mode 100644 result/scripts/long_command
+ create mode 100644 test/scripts/long_command.script
+ create mode 100644 test/scripts/long_command.xml
+
+diff --git a/debugXML.c b/debugXML.c
+index ed56b0f8..452b9573 100644
+--- a/debugXML.c
++++ b/debugXML.c
+@@ -1033,6 +1033,10 @@ xmlCtxtDumpOneNode(xmlDebugCtxtPtr ctxt, xmlNodePtr node)
+ xmlCtxtGenericNodeCheck(ctxt, node);
+ }
+ 
++#define MAX_PROMPT_SIZE 500
++#define MAX_ARG_SIZE 400
++#define MAX_COMMAND_SIZE 100
++
+ /**
+ * xmlCtxtDumpNode:
+ * @output: the FILE * for the output
+@@ -2795,10 +2799,10 @@ void
+ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
+ FILE * output)
+ {
+- char prompt[500] = "/ > ";
++ char prompt[MAX_PROMPT_SIZE] = "/ > ";
+ char *cmdline = NULL, *cur;
+- char command[100];
+- char arg[400];
++ char command[MAX_COMMAND_SIZE];
++ char arg[MAX_ARG_SIZE];
+ int i;
+ xmlShellCtxtPtr ctxt;
+ xmlXPathObjectPtr list;
+@@ -2856,7 +2860,8 @@ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
+ cur++;
+ i = 0;
+ while ((*cur != ' ') && (*cur != '\t') &&
+- (*cur != '\n') && (*cur != '\r')) {
++ (*cur != '\n') && (*cur != '\r') &&
++ (i < (MAX_COMMAND_SIZE - 1))) {
+ if (*cur == 0)
+ break;
+ command[i++] = *cur++;
+@@ -2871,7 +2876,7 @@ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
+ while ((*cur == ' ') || (*cur == '\t'))
+ cur++;
+ i = 0;
+- while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
++ while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
+ if (*cur == 0)
+ break;
+ arg[i++] = *cur++;
+diff --git a/result/scripts/long_command b/result/scripts/long_command
+new file mode 100644
+index 00000000..e6f00708
+--- /dev/null
++++ b/result/scripts/long_command
+@@ -0,0 +1,8 @@
++/ > b > b > Object is a Node Set :
++Set contains 1 nodes:
++1 ELEMENT a:c
++b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
++b > b > Unknown command ess_currents_of_time_and_existence
++b > <?xml version="1.0"?>
++<a xmlns:a="bar"><b xmlns:a="foo">Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof</b></a>
++b > 
+\ No newline at end of file
+diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script
+new file mode 100644
+index 00000000..00f6df09
+--- /dev/null
++++ b/test/scripts/long_command.script
+@@ -0,0 +1,6 @@
++cd a/b
++set <a:c/>
++xpath //*[namespace-uri()="foo"]
++This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
++set Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
++save -
+diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
+new file mode 100644
+index 00000000..1ba44016
+--- /dev/null
++++ b/test/scripts/long_command.xml
+@@ -0,0 +1 @@
++<a xmlns:a="bar"><b xmlns:a="foo"/></a>
+-- 
+2.50.1
+
@@ -0,0 +1,69 @@
+From 62048278a4c5fdf14d287dfb400005c0a0caa69f Mon Sep 17 00:00:00 2001
+From: Michael Mann <mmann78@netscape.net>
+Date: Sat, 21 Jun 2025 12:11:30 -0400
+Subject: [PATCH 7/9] [CVE-2025-49795] schematron: Fix null pointer dereference
+ leading to DoS
+
+Fixes #932
+---
+ result/schematron/zvon16_0.err | 3 +++
+ schematron.c | 5 +++++
+ test/schematron/zvon16.sct | 7 +++++++
+ test/schematron/zvon16_0.xml | 5 +++++
+ 4 files changed, 20 insertions(+)
+ create mode 100644 result/schematron/zvon16_0.err
+ create mode 100644 test/schematron/zvon16.sct
+ create mode 100644 test/schematron/zvon16_0.xml
+
+diff --git a/result/schematron/zvon16_0.err b/result/schematron/zvon16_0.err
+new file mode 100644
+index 00000000..3d052409
+--- /dev/null
++++ b/result/schematron/zvon16_0.err
+@@ -0,0 +1,3 @@
++XPath error : Unregistered function
++./test/schematron/zvon16_0.xml:2: element book: schematron error : /library/book line 2: Book 
++./test/schematron/zvon16_0.xml fails to validate
+diff --git a/schematron.c b/schematron.c
+index 1de25deb..da603402 100644
+--- a/schematron.c
++++ b/schematron.c
+@@ -1506,6 +1506,11 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
+ select = xmlGetNoNsProp(child, BAD_CAST "select");
+ comp = xmlXPathCtxtCompile(ctxt->xctxt, select);
+ eval = xmlXPathCompiledEval(comp, ctxt->xctxt);
++ if (eval == NULL) {
++ xmlXPathFreeCompExpr(comp);
++ xmlFree(select);
++ return ret;
++ }
+ 
+ switch (eval->type) {
+ case XPATH_NODESET: {
+diff --git a/test/schematron/zvon16.sct b/test/schematron/zvon16.sct
+new file mode 100644
+index 00000000..f03848aa
+--- /dev/null
++++ b/test/schematron/zvon16.sct
+@@ -0,0 +1,7 @@
++<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
++<sch:pattern id="TestPattern">
++<sch:rule context="book">
++<sch:report test="not(@available)">Book <sch:value-of select="falae()"/> test</sch:report>
++</sch:rule>
++</sch:pattern>
++</sch:schema>
+diff --git a/test/schematron/zvon16_0.xml b/test/schematron/zvon16_0.xml
+new file mode 100644
+index 00000000..551e2d65
+--- /dev/null
++++ b/test/schematron/zvon16_0.xml
+@@ -0,0 +1,5 @@
++<library>
++<book title="Test Book" id="bk101">
++<author>Test Author</author>
++</book>
++</library>
+-- 
+2.50.1
+