python3-xmltodict: fix CVE-2025-9375

Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-9375 https://security-tracker.debian.org/tracker/CVE-2025-9375 https://git.launchpad.net/ubuntu/+source/python-xmltodict/commit/?id=e8110a20e00d80db31d5fc9f8f4577328385d6b6 Upstream-patch: ecd456ab88 f98c90f071 (From OE-Core rev: 30624cce634cade0b030aa71a03be754abbf3da9) Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-04-19 06:32:13 +02:00 · 2025-10-13 17:22:44 +05:30
parent a04f9ab3a5
commit 2ab1bedda9
3 changed files with 289 additions and 0 deletions
--- a/meta/recipes-devtools/python/python3-xmltodict/CVE-2025-9375-1.patch
+++ b/meta/recipes-devtools/python/python3-xmltodict/CVE-2025-9375-1.patch
@@ -0,0 +1,111 @@
+From ecd456ab88d379514b116ef9293318b74e5ed3ee Mon Sep 17 00:00:00 2001
+From: Martin Blech <78768+martinblech@users.noreply.github.com>
+Date: Thu, 4 Sep 2025 17:25:39 -0700
+Subject: [PATCH] Prevent XML injection: reject '<'/'>' in element/attr names
+ (incl. @xmlns)
+
+* Add tests for tag names, attribute names, and @xmlns prefixes; confirm attr values are escaped.
+
+CVE: CVE-2025-9375
+
+Upstream-Status: Backport
+https://github.com/martinblech/xmltodict/commit/ecd456ab88d379514b116ef9293318b74e5ed3ee
+https://git.launchpad.net/ubuntu/+source/python-xmltodict/commit/?id=e8110a20e00d80db31d5fc9f8f4577328385d6b6
+
+Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
+
+---
+ tests/test_dicttoxml.py | 32 ++++++++++++++++++++++++++++++++
+ xmltodict.py            | 20 +++++++++++++++++++-
+ 2 files changed, 51 insertions(+), 1 deletion(-)
+
+Index: python-xmltodict-0.13.0/tests/test_dicttoxml.py
+===================================================================
+--- python-xmltodict-0.13.0.orig/tests/test_dicttoxml.py
+++ python-xmltodict-0.13.0/tests/test_dicttoxml.py
+@@ -213,3 +213,35 @@ xmlns:b="http://b.com/"><x a:attr="val">
+         expected_xml = '<?xml version="1.0" encoding="utf-8"?>\n<x>false</x>'
+         xml = unparse(dict(x=False))
+         self.assertEqual(xml, expected_xml)
+
+    def test_rejects_tag_name_with_angle_brackets(self):
+        # Minimal guard: disallow '<' or '>' to prevent breaking tag context
+        with self.assertRaises(ValueError):
+            unparse({"m><tag>content</tag": "unsafe"}, full_document=False)
+
+    def test_rejects_attribute_name_with_angle_brackets(self):
+        # Now we expect bad attribute names to be rejected
+        with self.assertRaises(ValueError):
+            unparse(
+                {"a": {"@m><tag>content</tag": "unsafe", "#text": "x"}},
+                full_document=False,
+            )
+
+    def test_rejects_malicious_xmlns_prefix(self):
+        # xmlns prefixes go under @xmlns mapping; reject angle brackets in prefix
+        with self.assertRaises(ValueError):
+            unparse(
+                {
+                    "a": {
+                        "@xmlns": {"m><bad": "http://example.com/"},
+                        "#text": "x",
+                    }
+                },
+                full_document=False,
+            )
+
+    def test_attribute_values_with_angle_brackets_are_escaped(self):
+        # Attribute values should be escaped by XMLGenerator
+        xml = unparse({"a": {"@attr": "1<middle>2", "#text": "x"}}, full_document=False)
+        # The generated XML should contain escaped '<' and '>' within the attribute value
+        self.assertIn('attr="1&lt;middle&gt;2"', xml)
+Index: python-xmltodict-0.13.0/xmltodict.py
+===================================================================
+--- python-xmltodict-0.13.0.orig/xmltodict.py
+++ python-xmltodict-0.13.0/xmltodict.py
+@@ -379,6 +379,14 @@ def parse(xml_input, encoding=None, expa
+     return handler.item
+ 
+ 
+def _has_angle_brackets(value):
+    """Return True if value (a str) contains '<' or '>'.
+
+    Non-string values return False. Uses fast substring checks implemented in C.
+    """
+    return isinstance(value, str) and ("<" in value or ">" in value)
+
+
+ def _process_namespace(name, namespaces, ns_sep=':', attr_prefix='@'):
+     if not namespaces:
+         return name
+@@ -412,6 +420,9 @@ def _emit(key, value, content_handler,
+         if result is None:
+             return
+         key, value = result
+    # Minimal validation to avoid breaking out of tag context
+    if _has_angle_brackets(key):
+        raise ValueError('Invalid element name: "<" or ">" not allowed')
+     if (not hasattr(value, '__iter__')
+             or isinstance(value, _basestring)
+             or isinstance(value, dict)):
+@@ -445,12 +456,19 @@ def _emit(key, value, content_handler,
+                                         attr_prefix)
+                 if ik == '@xmlns' and isinstance(iv, dict):
+                     for k, v in iv.items():
+                        if _has_angle_brackets(k):
+                            raise ValueError(
+                                'Invalid attribute name: "<" or ">" not allowed'
+                            )
+                         attr = 'xmlns{}'.format(':{}'.format(k) if k else '')
+                         attrs[attr] = _unicode(v)
+                     continue
+                 if not isinstance(iv, _unicode):
+                     iv = _unicode(iv)
+-                attrs[ik[len(attr_prefix):]] = iv
+                attr_name = ik[len(attr_prefix) :]
+                if _has_angle_brackets(attr_name):
+                    raise ValueError('Invalid attribute name: "<" or ">" not allowed')
+                attrs[attr_name] = iv
+                 continue
+             children.append((ik, iv))
+         if pretty: