From: Daniel Turull
Date: Tue, 19 Aug 2025 10:47:24 +0000 (+0200)
Subject: libxml2: ignore CVE-2025-8732
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=348ce728af1cea4f909de5c3597801b5612719e4;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git
libxml2: ignore CVE-2025-8732
The code maintainer disputes the CVE as the issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. The issue triggers a crash if an invalid file is provided. Source: https://gitlab.gnome.org/GNOME/libxml2/-/issues/958"
Signed-off-by: Daniel Turull
Signed-off-by: Steve Sakoman
---
diff --git a/meta/recipes-core/libxml/libxml2_2.12.10.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb
index 078988286a..a155c3708e 100644
--- a/meta/recipes-core/libxml/libxml2_2.12.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb
@@ -32,6 +32,10 @@ SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be47223
 # Disputed as a security issue, but fixed in d39f780
 CVE_STATUS[CVE-2023-45322] = "disputed: issue requires memory allocation to fail"
+# Disputed as a security issue, if attempts to process an invalid file, it fails
+# https://gitlab.gnome.org/GNOME/libxml2/-/issues/958
+CVE_STATUS[CVE-2025-8732] = "disputed: the code maintainer explains, that the issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. The issue triggers a crash if an invalid file is provided. https://gitlab.gnome.org/GNOME/libxml2/-/issues/958"
+
 BINCONFIG = "${bindir}/xml2-config"
 PACKAGECONFIG ??= "python \
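Review bot: The new `CVE_STATUS[CVE-2025-8732]` value is far longer than the CVE-2023-45322 entry just above it and repeats the issue URL that the added comment line already carries; a short reason in the same style would be easier to read wherever the status text is reported, e.g. `CVE_STATUS[CVE-2025-8732] = "disputed: crash only reachable by loading an untrusted SGML catalog"`. The added comment `# Disputed as a security issue, if attempts to process an invalid file, it fails` is hard to parse; `# Disputed as a security issue: processing an invalid SGML catalog file crashes` says the same thing, assuming the "invalid file" in the commit message is the catalog itself. Because a disputed status takes the CVE out of the open findings for everything built from this recipe, the comment should also state the assumption it rests on (catalogs are only read from trusted locations), so that a downstream that does accept catalogs from outside knows to override the status.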