diffstat for libxml2-2.9.0+dfsg1 libxml2-2.9.0+dfsg1 changelog | 56 ++++ control | 22 + patches/0006-fix-python-multiarch-includes.patch | 56 ++++ patches/CVE-2013-0338.patch | 148 +++++++++++ patches/CVE-2013-1969.patch | 77 +++++ patches/CVE-2013-2877.patch | 301 +++++++++++++++++++++++ patches/series | 4 rules | 15 - 8 files changed, 672 insertions(+), 7 deletions(-)
diff -Nru libxml2-2.9.0+dfsg1/debian/changelog libxml2-2.9.0+dfsg1/debian/changelog
--- libxml2-2.9.0+dfsg1/debian/changelog 2012-11-28 15:13:06.000000000 +0000
+++ libxml2-2.9.0+dfsg1/debian/changelog 2013-07-16 17:48:26.000000000 +0000
@@ -1,3 +1,59 @@ +libxml2 (2.9.0+dfsg1-4ubuntu4.3) raring-security; urgency=low + + * SECURITY REGRESSION: wrong return values + - debian/patches/CVE-2013-2877.patch: revised to fix up a couple of + return values. + - CVE-2013-2877 + + -- Marc Deslauriers Tue, 16 Jul 2013 13:46:23 -0400 + +libxml2 (2.9.0+dfsg1-4ubuntu4.2) raring-security; urgency=low + + * SECURITY UPDATE: denial of service via incomplete document + - debian/patches/CVE-2013-2877.patch: try to stop parsing as quickly as + possible in parser.c, include/libxml/xmlerror.h. + - CVE-2013-2877 + + -- Marc Deslauriers Thu, 11 Jul 2013 14:26:36 -0400 + +libxml2 (2.9.0+dfsg1-4ubuntu4.1) raring-security; urgency=low + + * SECURITY UPDATE: multiple use after free issues + - debian/patches/CVE-2013-1969.patch: properly reset pointers in + HTMLparser.c, parser.c. + - CVE-2013-1969 + + -- Marc Deslauriers Wed, 01 May 2013 09:39:42 -0700 + +libxml2 (2.9.0+dfsg1-4ubuntu4) raring; urgency=low + + * SECURITY UPDATE: denial of service via entity expansion + - debian/patches/CVE-2013-0338.patch: limit number of entity expansions + in include/libxml/parser.h, parser.c, parserInternals.c. + - CVE-2013-0338 + + -- Marc Deslauriers Tue, 26 Mar 2013 10:04:58 -0400 + +libxml2 (2.9.0+dfsg1-4ubuntu3) raring; urgency=low + + * Set PYTHON_LIBS for cross builds. + * Remove explicit build dependency on binutils. + * Configure the udeb --without-python. + + -- Matthias Klose Thu, 07 Mar 2013 17:03:45 +0800 + +libxml2 (2.9.0+dfsg1-4ubuntu2) raring; urgency=low + + * Allow the package to cross-build. + + -- Matthias Klose Thu, 07 Mar 2013 15:46:38 +0800 + +libxml2 (2.9.0+dfsg1-4ubuntu1) raring; urgency=low + + * Fix python multi-arch includes issues. 
+ + -- Chris J Arges Fri, 11 Jan 2013 13:10:08 -0600 + libxml2 (2.9.0+dfsg1-4) experimental; urgency=low [ Daniel Veillard ] diff -Nru libxml2-2.9.0+dfsg1/debian/control libxml2-2.9.0+dfsg1/debian/control --- libxml2-2.9.0+dfsg1/debian/control 2012-11-28 15:13:06.000000000 +0000 +++ libxml2-2.9.0+dfsg1/debian/control 2013-03-07 09:24:35.000000000 +0000 @@ -1,11 +1,13 @@ Source: libxml2 Priority: optional Section: libs -Maintainer: Debian XML/SGML Group +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian XML/SGML Group Uploaders: Aron Xu , YunQiang Su Standards-Version: 3.9.4 Build-Depends: debhelper (>= 9), perl, dh-autoreconf, autotools-dev, - binutils (>= 2.14.90.0.7), python-all-dev (>= 2.6.6-3~), python-all-dbg, + libpython-all-dev (>= 2.6.6-3~), libpython-all-dbg, + python-all-dev:any (>= 2.6.6-3~), python-all-dbg:any, zlib1g-dev | libz-dev, liblzma-dev, libreadline-dev | libreadline6-dev Homepage: http://xmlsoft.org/ Vcs-Git: git://git.debian.org/debian-xml-sgml/libxml2.git 
@@ -145,3 +147,19 @@ . This package contains the files needed to use the GNOME XML library in Python programs for use with the Python debug interpreter. + +Package: libxml2-udeb +XC-Package-Type: udeb +Architecture: any +Section: debian-installer +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: GNOME XML library - minimal runtime + XML is a metalanguage to let you design your own markup language. + A regular markup language defines a way to describe information in + a certain class of documents (eg HTML). XML lets you define your + own customized markup languages for many classes of document. It + can do this because it's written in SGML, the international standard + metalanguage for markup languages. + . + This is a minimal package for use in debian-installer that yields a + library providing an extensive API to handle such XML data files. diff -Nru libxml2-2.9.0+dfsg1/debian/patches/0006-fix-python-multiarch-includes.patch libxml2-2.9.0+dfsg1/debian/patches/0006-fix-python-multiarch-includes.patch --- libxml2-2.9.0+dfsg1/debian/patches/0006-fix-python-multiarch-includes.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.0+dfsg1/debian/patches/0006-fix-python-multiarch-includes.patch 2013-03-07 09:27:18.000000000 +0000 
@@ -0,0 +1,56 @@ +Description: fix python multi-arch include issues. + . + libxml2 (2.9.0+dfsg1-4ubuntu1) raring; urgency=low + . + * Fix python multi-arch includes issues. +Author: Chris J Arges + +Index: b/configure.in +=================================================================== +--- a/configure.in 2013-03-07 08:35:01.000000000 +0000 ++++ b/configure.in 2013-03-07 08:35:01.000000000 +0000 +@@ -781,6 +781,10 @@ + fi + if test "$PYTHON_VERSION" != "" + then ++ if which $PYTHON-config > /dev/null 2>&1; then ++ PYTHON_INCLUDES=`python$PYTHON_VERSION-config --includes` ++ PYTHON_SITE_PACKAGES=`$PYTHON -c "from distutils import sysconfig; print sysconfig.get_python_lib()"` ++ else + if test -r $with_python/include/python$PYTHON_VERSION/Python.h -a \ + -d $with_python/lib/python$PYTHON_VERSION/site-packages + then +@@ -812,6 +816,7 @@ + PYTHON_SITE_PACKAGES=`$PYTHON -c "from distutils import sysconfig; print sysconfig.get_python_lib()"` + fi + fi ++ fi + PYTHON_LIBS=`python$PYTHON_VERSION-config --ldflags` + fi + if test "$with_python" != "" +Index: b/python/Makefile.am +=================================================================== +--- a/python/Makefile.am 2013-03-07 08:35:01.000000000 +0000 ++++ b/python/Makefile.am 2013-03-07 08:35:01.000000000 +0000 +@@ -19,7 +19,7 @@ + AM_CPPFLAGS = \ + -I$(top_builddir)/include \ + -I$(top_srcdir)/include \ +- -I$(PYTHON_INCLUDES) ++ $(PYTHON_INCLUDES) + + python_LTLIBRARIES = libxml2mod.la + +Index: b/python/Makefile.in +=================================================================== +--- a/python/Makefile.in 2013-03-07 09:04:27.763641401 +0000 ++++ b/python/Makefile.in 2013-03-07 09:27:10.600360803 +0000 +@@ -412,7 +412,7 @@ + @WITH_PYTHON_TRUE@AM_CPPFLAGS = \ + @WITH_PYTHON_TRUE@ -I$(top_builddir)/include \ + @WITH_PYTHON_TRUE@ -I$(top_srcdir)/include \ +-@WITH_PYTHON_TRUE@ -I$(PYTHON_INCLUDES) ++@WITH_PYTHON_TRUE@ $(PYTHON_INCLUDES) + + @WITH_PYTHON_TRUE@python_LTLIBRARIES = libxml2mod.la + 
@WITH_PYTHON_TRUE@libxml2mod_la_SOURCES = libxml.c libxml_wrap.h libxml2-py.h libxml2-py.c types.c diff -Nru libxml2-2.9.0+dfsg1/debian/patches/CVE-2013-0338.patch libxml2-2.9.0+dfsg1/debian/patches/CVE-2013-0338.patch --- libxml2-2.9.0+dfsg1/debian/patches/CVE-2013-0338.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.0+dfsg1/debian/patches/CVE-2013-0338.patch 2013-03-26 14:04:53.000000000 +0000 
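Review bot: In the configure.in part of this patch the added guard tests for `$PYTHON-config`, but the next line runs `python$PYTHON_VERSION-config`, so the probe and the command that is executed can name different programs. When `$PYTHON` is an absolute path the test passes on that path while the include flags come from whatever `python$PYTHON_VERSION-config` resolves to on PATH, and if that lookup fails `PYTHON_INCLUDES` is silently left empty. Probing the command that is actually run keeps the two in step: `if which python$PYTHON_VERSION-config > /dev/null 2>&1; then`. The patch also edits the generated python/Makefile.in by hand next to Makefile.am; with dh-autoreconf in Build-Depends that copy is presumably regenerated, so the hand edit deserves a comment saying why it is kept.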
@@ -0,0 +1,148 @@ +From 23f05e0c33987d6605387b300c4be5da2120a7ab Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 19 Feb 2013 02:21:49 +0000 +Subject: Detect excessive entities expansion upon replacement + +If entities expansion in the XML parser is asked for, +it is possble to craft relatively small input document leading +to excessive on-the-fly content generation. +This patch accounts for those replacement and stop parsing +after a given threshold. it can be bypassed as usual with the +HUGE parser option. +--- +Index: libxml2-2.9.0+dfsg1/include/libxml/parser.h +=================================================================== +--- libxml2-2.9.0+dfsg1.orig/include/libxml/parser.h 2013-03-26 10:04:50.237092212 -0400 ++++ libxml2-2.9.0+dfsg1/include/libxml/parser.h 2013-03-26 10:04:50.225092212 -0400 +@@ -310,6 +310,7 @@ + xmlParserNodeInfo *nodeInfoTab; /* array of nodeInfos */ + + int input_id; /* we need to label inputs */ ++ unsigned long sizeentcopy; /* volume of entity copy */ + }; + + /** +Index: libxml2-2.9.0+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.0+dfsg1.orig/parser.c 2013-03-26 10:04:50.237092212 -0400 ++++ libxml2-2.9.0+dfsg1/parser.c 2013-03-26 10:04:50.233092212 -0400 +@@ -122,7 +122,7 @@ + */ + static int + xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, +- xmlEntityPtr ent) ++ xmlEntityPtr ent, size_t replacement) + { + size_t consumed = 0; + +@@ -130,7 +130,24 @@ + return (0); + if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) + return (1); +- if (size != 0) { ++ if (replacement != 0) { ++ if (replacement < XML_MAX_TEXT_LENGTH) ++ return(0); ++ ++ /* ++ * If the volume of entity copy reaches 10 times the ++ * amount of parsed data and over the large text threshold ++ * then that's very likely to be an abuse. 
++ */ ++ if (ctxt->input != NULL) { ++ consumed = ctxt->input->consumed + ++ (ctxt->input->cur - ctxt->input->base); ++ } ++ consumed += ctxt->sizeentities; ++ ++ if (replacement < XML_PARSER_NON_LINEAR * consumed) ++ return(0); ++ } else if (size != 0) { + /* + * Do the check based on the replacement size of the entity + */ +@@ -176,7 +193,6 @@ + */ + return (0); + } +- + xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); + return (1); + } +@@ -2742,7 +2758,7 @@ + while (*current != 0) { /* non input consuming loop */ + buffer[nbchars++] = *current++; + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { +- if (xmlParserEntityCheck(ctxt, nbchars, ent)) ++ if (xmlParserEntityCheck(ctxt, nbchars, ent, 0)) + goto int_error; + growBuffer(buffer, XML_PARSER_BUFFER_SIZE); + } +@@ -2784,7 +2800,7 @@ + while (*current != 0) { /* non input consuming loop */ + buffer[nbchars++] = *current++; + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { +- if (xmlParserEntityCheck(ctxt, nbchars, ent)) ++ if (xmlParserEntityCheck(ctxt, nbchars, ent, 0)) + goto int_error; + growBuffer(buffer, XML_PARSER_BUFFER_SIZE); + } +@@ -7202,7 +7218,7 @@ + xmlFreeNodeList(list); + return; + } +- if (xmlParserEntityCheck(ctxt, 0, ent)) { ++ if (xmlParserEntityCheck(ctxt, 0, ent, 0)) { + xmlFreeNodeList(list); + return; + } +@@ -7360,6 +7376,13 @@ + xmlNodePtr nw = NULL, cur, firstChild = NULL; + + /* ++ * We are copying here, make sure there is no abuse ++ */ ++ ctxt->sizeentcopy += ent->length; ++ if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) ++ return; ++ ++ /* + * when operating on a reader, the entities definitions + * are always owning the entities subtree. 
+ if (ctxt->parseMode == XML_PARSE_READER) +@@ -7399,6 +7422,14 @@ + } else if ((list == NULL) || (ctxt->inputNr > 0)) { + xmlNodePtr nw = NULL, cur, next, last, + firstChild = NULL; ++ ++ /* ++ * We are copying here, make sure there is no abuse ++ */ ++ ctxt->sizeentcopy += ent->length; ++ if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) ++ return; ++ + /* + * Copy the entity child list and make it the new + * entity child list. The goal is to make sure any +@@ -14749,6 +14780,7 @@ + ctxt->catalogs = NULL; + ctxt->nbentities = 0; + ctxt->sizeentities = 0; ++ ctxt->sizeentcopy = 0; + xmlInitNodeInfoSeq(&ctxt->node_seq); + + if (ctxt->attsDefault != NULL) { +Index: libxml2-2.9.0+dfsg1/parserInternals.c +=================================================================== +--- libxml2-2.9.0+dfsg1.orig/parserInternals.c 2013-03-26 10:04:50.237092212 -0400 ++++ libxml2-2.9.0+dfsg1/parserInternals.c 2013-03-26 10:04:50.233092212 -0400 +@@ -1719,6 +1719,8 @@ + ctxt->charset = XML_CHAR_ENCODING_UTF8; + ctxt->catalogs = NULL; + ctxt->nbentities = 0; ++ ctxt->sizeentities = 0; ++ ctxt->sizeentcopy = 0; + ctxt->input_id = 1; + xmlInitNodeInfoSeq(&ctxt->node_seq); + return(0); diff -Nru libxml2-2.9.0+dfsg1/debian/patches/CVE-2013-1969.patch libxml2-2.9.0+dfsg1/debian/patches/CVE-2013-1969.patch --- libxml2-2.9.0+dfsg1/debian/patches/CVE-2013-1969.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.0+dfsg1/debian/patches/CVE-2013-1969.patch 2013-05-01 16:39:37.000000000 +0000 
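Review bot: The new `replacement` argument of xmlParserEntityCheck() is not documented anywhere in this patch; the function's doc comment lies outside the hunk and is left as it was. A line such as `@replacement: cumulated size of entity content copied so far, 0 when the call is not for a copy` would record that the two added call sites in the copy paths pass the running total `ctxt->sizeentcopy` rather than the size of one entity. The comment above the new threshold test should also repeat what the commit message states, that the check is skipped under the HUGE parser option, so that option should not be enabled for untrusted documents. `sizeentcopy` is declared `unsigned long` in parser.h but compared as `size_t`; the widths presumably match on the ABIs this package targets, and a short note next to the field would keep that assumption visible.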
@@ -0,0 +1,77 @@ +From de0cc20c29cb3f056062925395e0f68d2250a46f Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 12 Feb 2013 08:55:34 +0000 +Subject: Fix some buffer conversion issues + +https://bugzilla.gnome.org/show_bug.cgi?id=690202 + +Buffer overflow errors originating from xmlBufGetInputBase in 2.9.0 +The pointers from the context input were not properly reset after +that call which can do reallocations. +--- +Index: libxml2-2.9.0+dfsg1/HTMLparser.c +=================================================================== +--- libxml2-2.9.0+dfsg1.orig/HTMLparser.c 2013-05-01 09:39:34.597939970 -0700 ++++ libxml2-2.9.0+dfsg1/HTMLparser.c 2013-05-01 09:39:34.585939970 -0700 +@@ -6054,6 +6054,8 @@ + if ((in->encoder != NULL) && (in->buffer != NULL) && + (in->raw != NULL)) { + int nbchars; ++ size_t base = xmlBufGetInputBase(in->buffer, ctxt->input); ++ size_t current = ctxt->input->cur - ctxt->input->base; + + nbchars = xmlCharEncInput(in); + if (nbchars < 0) { +@@ -6061,6 +6063,7 @@ + "encoder error\n", NULL, NULL); + return(XML_ERR_INVALID_ENCODING); + } ++ xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current); + } + } + } +Index: libxml2-2.9.0+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.0+dfsg1.orig/parser.c 2013-05-01 09:39:34.597939970 -0700 ++++ libxml2-2.9.0+dfsg1/parser.c 2013-05-01 09:39:34.593939970 -0700 +@@ -12156,7 +12156,7 @@ + remain = 0; + } + } +- res =xmlParserInputBufferPush(ctxt->input->buf, size, chunk); ++ res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk); + if (res < 0) { + ctxt->errNo = XML_PARSER_EOF; + ctxt->disableSAX = 1; +@@ -12173,6 +12173,8 @@ + if ((in->encoder != NULL) && (in->buffer != NULL) && + (in->raw != NULL)) { + int nbchars; ++ size_t base = xmlBufGetInputBase(in->buffer, ctxt->input); ++ size_t current = ctxt->input->cur - ctxt->input->base; + + nbchars = xmlCharEncInput(in); + if (nbchars < 0) { +@@ -12181,6 +12183,7 @@ + "xmlParseChunk: 
encoder error\n"); + return(XML_ERR_INVALID_ENCODING); + } ++ xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current); + } + } + } +@@ -12220,7 +12223,14 @@ + } + if ((end_in_lf == 1) && (ctxt->input != NULL) && + (ctxt->input->buf != NULL)) { ++ size_t base = xmlBufGetInputBase(ctxt->input->buf->buffer, ++ ctxt->input); ++ size_t current = ctxt->input->cur - ctxt->input->base; ++ + xmlParserInputBufferPush(ctxt->input->buf, 1, "\r"); ++ ++ xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, ++ base, current); + } + if (terminate) { + /* diff -Nru libxml2-2.9.0+dfsg1/debian/patches/CVE-2013-2877.patch libxml2-2.9.0+dfsg1/debian/patches/CVE-2013-2877.patch --- libxml2-2.9.0+dfsg1/debian/patches/CVE-2013-2877.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.0+dfsg1/debian/patches/CVE-2013-2877.patch 2013-07-16 17:49:00.000000000 +0000 
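Review bot: In both encoder blocks (HTMLparser.c and the xmlParseChunk block in parser.c) the added `xmlBufSetInputBaseCur()` call sits after the `nbchars < 0` test, so the error path returns `XML_ERR_INVALID_ENCODING` without resetting the input pointers. If `xmlCharEncInput()` can grow the buffer before it reports the failure, `ctxt->input->base` and `cur` are left pointing at the old allocation for any later use of the context, which is the stale-pointer condition this patch is meant to close. Moving the reset directly after the conversion covers both paths: `nbchars = xmlCharEncInput(in);` followed by `xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);` and only then `if (nbchars < 0) {`. The enclosing functions start and end outside the hunks, so whether callers touch the context again after the error return cannot be confirmed from here.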
@@ -0,0 +1,301 @@ +Description: fix denial of service via incomplete document +Origin: upstream, https://git.gnome.org/browse/libxml2/commit/?id=e50ba8164eee06461c73cd8abb9b46aa0be81869 +Origin: upstream, https://git.gnome.org/browse/libxml2/commit/?id=9ca816b3a64e7b1bada7baa2cbc09e8937b38215 + +Index: libxml2-2.9.0+dfsg1/include/libxml/xmlerror.h +=================================================================== +--- libxml2-2.9.0+dfsg1.orig/include/libxml/xmlerror.h 2013-07-11 14:26:26.032515161 -0400 ++++ libxml2-2.9.0+dfsg1/include/libxml/xmlerror.h 2013-07-11 14:26:26.020515161 -0400 +@@ -208,6 +208,7 @@ + XML_ERR_UNKNOWN_VERSION, /* 108 */ + XML_ERR_VERSION_MISMATCH, /* 109 */ + XML_ERR_NAME_TOO_LONG, /* 110 */ ++ XML_ERR_USER_STOP, /* 111 */ + XML_NS_ERR_XML_NAMESPACE = 200, + XML_NS_ERR_UNDEFINED_NAMESPACE, /* 201 */ + XML_NS_ERR_QNAME, /* 202 */ +Index: libxml2-2.9.0+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.0+dfsg1.orig/parser.c 2013-07-11 14:26:26.032515161 -0400 ++++ libxml2-2.9.0+dfsg1/parser.c 2013-07-11 14:26:26.024515161 -0400 +@@ -2548,6 +2548,8 @@ + NEXT; + if ((ctxt->sax != NULL) && (ctxt->sax->getParameterEntity != NULL)) + entity = ctxt->sax->getParameterEntity(ctxt->userData, name); ++ if (ctxt->instate == XML_PARSER_EOF) ++ return; + if (entity == NULL) { + + /* +@@ -4999,7 +5001,8 @@ + } + if (buf != NULL) + xmlFree(buf); +- ctxt->instate = state; ++ if (ctxt->instate != XML_PARSER_EOF) ++ ctxt->instate = state; + return; + } + if (buf != NULL) { +@@ -5587,6 +5590,8 @@ + } + } + } ++ if (ctxt->instate == XML_PARSER_EOF) ++ return; + SKIP_BLANKS; + if (RAW != '>') { + xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, +@@ -7574,6 +7579,8 @@ + ent = xmlSAX2GetEntity(ctxt, name); + } + } ++ if (ctxt->instate == XML_PARSER_EOF) ++ return(NULL); + /* + * [ WFC: Entity Declared ] + * In a document without any DTD, a document with only an +@@ -7764,6 +7771,10 @@ + ent = 
xmlSAX2GetEntity(ctxt, name); + } + } ++ if (ctxt->instate == XML_PARSER_EOF) { ++ xmlFree(name); ++ return(NULL); ++ } + + /* + * [ WFC: Entity Declared ] +@@ -7925,8 +7936,9 @@ + */ + if ((ctxt->sax != NULL) && + (ctxt->sax->getParameterEntity != NULL)) +- entity = ctxt->sax->getParameterEntity(ctxt->userData, +- name); ++ entity = ctxt->sax->getParameterEntity(ctxt->userData, name); ++ if (ctxt->instate == XML_PARSER_EOF) ++ return; + if (entity == NULL) { + /* + * [ WFC: Entity Declared ] +@@ -8163,8 +8175,11 @@ + */ + if ((ctxt->sax != NULL) && + (ctxt->sax->getParameterEntity != NULL)) +- entity = ctxt->sax->getParameterEntity(ctxt->userData, +- name); ++ entity = ctxt->sax->getParameterEntity(ctxt->userData, name); ++ if (ctxt->instate == XML_PARSER_EOF) { ++ xmlFree(name); ++ return(NULL); ++ } + if (entity == NULL) { + /* + * [ WFC: Entity Declared ] +@@ -8266,6 +8281,8 @@ + if ((ctxt->sax != NULL) && (ctxt->sax->internalSubset != NULL) && + (!ctxt->disableSAX)) + ctxt->sax->internalSubset(ctxt->userData, name, ExternalID, URI); ++ if (ctxt->instate == XML_PARSER_EOF) ++ return; + + /* + * Is there any internal subset declarations ? 
+@@ -10024,6 +10041,8 @@ + * Parse the content of the element: + */ + xmlParseContent(ctxt); ++ if (ctxt->instate == XML_PARSER_EOF) ++ return; + if (!IS_BYTE_CHAR(RAW)) { + xmlFatalErrMsgStrIntStr(ctxt, XML_ERR_TAG_NOT_FINISHED, + "Premature end of data in tag %s line %d\n", +@@ -10596,6 +10615,8 @@ + */ + if ((ctxt->sax) && (ctxt->sax->setDocumentLocator)) + ctxt->sax->setDocumentLocator(ctxt->userData, &xmlDefaultSAXLocator); ++ if (ctxt->instate == XML_PARSER_EOF) ++ return(-1); + + if ((ctxt->encoding == NULL) && + ((ctxt->input->end - ctxt->input->cur) >= 4)) { +@@ -10647,6 +10668,8 @@ + } + if ((ctxt->sax) && (ctxt->sax->startDocument) && (!ctxt->disableSAX)) + ctxt->sax->startDocument(ctxt->userData); ++ if (ctxt->instate == XML_PARSER_EOF) ++ return(-1); + + /* + * The Misc part of the Prolog +@@ -10666,6 +10689,8 @@ + if (RAW == '[') { + ctxt->instate = XML_PARSER_DTD; + xmlParseInternalSubset(ctxt); ++ if (ctxt->instate == XML_PARSER_EOF) ++ return(-1); + } + + /* +@@ -10676,6 +10701,8 @@ + (!ctxt->disableSAX)) + ctxt->sax->externalSubset(ctxt->userData, ctxt->intSubName, + ctxt->extSubSystem, ctxt->extSubURI); ++ if (ctxt->instate == XML_PARSER_EOF) ++ return(-1); + ctxt->inSubset = 0; + + xmlCleanSpecialAttr(ctxt); +@@ -10816,6 +10843,8 @@ + } + if ((ctxt->sax) && (ctxt->sax->startDocument) && (!ctxt->disableSAX)) + ctxt->sax->startDocument(ctxt->userData); ++ if (ctxt->instate == XML_PARSER_EOF) ++ return(-1); + + /* + * Doing validity checking on chunk doesn't make sense +@@ -10826,6 +10855,8 @@ + ctxt->depth = 0; + + xmlParseContent(ctxt); ++ if (ctxt->instate == XML_PARSER_EOF) ++ return(-1); + + if ((RAW == '<') && (NXT(1) == '/')) { + xmlFatalErr(ctxt, XML_ERR_NOT_WELL_BALANCED, NULL); +@@ -11133,7 +11164,7 @@ + } + xmlParseGetLasts(ctxt, &lastlt, &lastgt); + +- while (1) { ++ while (ctxt->instate != XML_PARSER_EOF) { + if ((ctxt->errNo != XML_ERR_OK) && (ctxt->disableSAX == 1)) + return(0); + +@@ -11369,6 +11400,8 @@ + 
ctxt->sax->endElement(ctxt->userData, name); + #endif /* LIBXML_SAX1_ENABLED */ + } ++ if (ctxt->instate == XML_PARSER_EOF) ++ goto done; + spacePop(ctxt); + if (ctxt->nameNr == 0) { + ctxt->instate = XML_PARSER_EPILOG; +@@ -11559,6 +11592,8 @@ + ctxt->sax->characters(ctxt->userData, + ctxt->input->cur, tmp); + } ++ if (ctxt->instate == XML_PARSER_EOF) ++ goto done; + SKIPL(tmp); + ctxt->checkIndex = 0; + } +@@ -11594,6 +11629,8 @@ + ctxt->sax->characters(ctxt->userData, + ctxt->input->cur, base); + } ++ if (ctxt->instate == XML_PARSER_EOF) ++ goto done; + SKIPL(base + 3); + ctxt->checkIndex = 0; + ctxt->instate = XML_PARSER_CONTENT; +@@ -11627,6 +11664,8 @@ + "PP: Parsing PI\n"); + #endif + xmlParsePI(ctxt); ++ if (ctxt->instate == XML_PARSER_EOF) ++ goto done; + ctxt->instate = XML_PARSER_MISC; + ctxt->progressive = 1; + ctxt->checkIndex = 0; +@@ -11643,6 +11682,8 @@ + "PP: Parsing Comment\n"); + #endif + xmlParseComment(ctxt); ++ if (ctxt->instate == XML_PARSER_EOF) ++ goto done; + ctxt->instate = XML_PARSER_MISC; + ctxt->progressive = 1; + ctxt->checkIndex = 0; +@@ -11667,6 +11708,8 @@ + ctxt->progressive = 1; + ctxt->checkIndex = 0; + xmlParseDocTypeDecl(ctxt); ++ if (ctxt->instate == XML_PARSER_EOF) ++ goto done; + if (RAW == '[') { + ctxt->instate = XML_PARSER_DTD; + #ifdef DEBUG_PUSH +@@ -11726,6 +11769,8 @@ + "PP: Parsing PI\n"); + #endif + xmlParsePI(ctxt); ++ if (ctxt->instate == XML_PARSER_EOF) ++ goto done; + ctxt->instate = XML_PARSER_PROLOG; + ctxt->progressive = 1; + } else if ((cur == '<') && (next == '!') && +@@ -11740,6 +11785,8 @@ + "PP: Parsing Comment\n"); + #endif + xmlParseComment(ctxt); ++ if (ctxt->instate == XML_PARSER_EOF) ++ goto done; + ctxt->instate = XML_PARSER_PROLOG; + ctxt->progressive = 1; + } else if ((cur == '<') && (next == '!') && +@@ -11778,6 +11825,8 @@ + "PP: Parsing PI\n"); + #endif + xmlParsePI(ctxt); ++ if (ctxt->instate == XML_PARSER_EOF) ++ goto done; + ctxt->instate = XML_PARSER_EPILOG; + ctxt->progressive = 1; + } 
else if ((cur == '<') && (next == '!') && +@@ -11792,6 +11841,8 @@ + "PP: Parsing Comment\n"); + #endif + xmlParseComment(ctxt); ++ if (ctxt->instate == XML_PARSER_EOF) ++ goto done; + ctxt->instate = XML_PARSER_EPILOG; + ctxt->progressive = 1; + } else if ((cur == '<') && (next == '!') && +@@ -11922,6 +11973,8 @@ + found_end_int_subset: + ctxt->checkIndex = 0; + xmlParseInternalSubset(ctxt); ++ if (ctxt->instate == XML_PARSER_EOF) ++ goto done; + ctxt->inSubset = 2; + if ((ctxt->sax != NULL) && (!ctxt->disableSAX) && + (ctxt->sax->externalSubset != NULL)) +@@ -11929,6 +11982,8 @@ + ctxt->extSubSystem, ctxt->extSubURI); + ctxt->inSubset = 0; + xmlCleanSpecialAttr(ctxt); ++ if (ctxt->instate == XML_PARSER_EOF) ++ goto done; + ctxt->instate = XML_PARSER_PROLOG; + ctxt->checkIndex = 0; + #ifdef DEBUG_PUSH +@@ -12205,6 +12260,9 @@ + avail - old_avail))) + xmlParseTryOrFinish(ctxt, terminate); + } ++ if (ctxt->instate == XML_PARSER_EOF) ++ return(ctxt->errNo); ++ + if ((ctxt->input != NULL) && + (((ctxt->input->end - ctxt->input->cur) > XML_MAX_LOOKUP_LIMIT) || + ((ctxt->input->cur - ctxt->input->base) > XML_MAX_LOOKUP_LIMIT)) && +@@ -12405,6 +12463,7 @@ + if (ctxt == NULL) + return; + ctxt->instate = XML_PARSER_EOF; ++ ctxt->errNo = XML_ERR_USER_STOP; + ctxt->disableSAX = 1; + if (ctxt->input != NULL) { + ctxt->input->cur = BAD_CAST""; diff -Nru libxml2-2.9.0+dfsg1/debian/patches/series libxml2-2.9.0+dfsg1/debian/patches/series --- libxml2-2.9.0+dfsg1/debian/patches/series 2012-11-28 15:13:06.000000000 +0000 +++ libxml2-2.9.0+dfsg1/debian/patches/series 2013-07-11 18:26:24.000000000 +0000 
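Review bot: The last parser.c hunk makes xmlStopParser() assign `ctxt->errNo = XML_ERR_USER_STOP` unconditionally, which overwrites an error number already recorded when the application stops the parser from its error handler. Together with the new early `return(ctxt->errNo)` in the xmlParseChunk hunk, the caller then receives code 111 and the original fatal error code is lost. Guarding the assignment keeps the first error: `if (ctxt->errNo == XML_ERR_OK) ctxt->errNo = XML_ERR_USER_STOP;`. The new `XML_ERR_USER_STOP` enumerator in xmlerror.h carries only its number; a comment such as `/* 111: parsing stopped by xmlStopParser() */` would tell API users that a non-zero return can now mean a deliberate stop rather than malformed input.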
@@ -3,3 +3,7 @@ 0003-Fix-a-thread-portability-problem.patch 0004-link-libxml2mod-first.patch 0005-Fix-potential-out-of-bound-access.patch +0006-fix-python-multiarch-includes.patch +CVE-2013-0338.patch +CVE-2013-1969.patch +CVE-2013-2877.patch diff -Nru libxml2-2.9.0+dfsg1/debian/rules libxml2-2.9.0+dfsg1/debian/rules --- libxml2-2.9.0+dfsg1/debian/rules 2012-11-28 15:13:06.000000000 +0000 +++ libxml2-2.9.0+dfsg1/debian/rules 2013-03-07 09:46:47.000000000 +0000 @@ -7,8 +7,10 @@ PYVER=$(shell pyversions -d) export DEB_BUILD_MAINT_OPTIONS=hardening=+all +DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) +CC = $(DEB_HOST_GNU_TYPE)-gcc CFLAGS = `dpkg-buildflags --get CFLAGS` -Wall LDFLAGS = `dpkg-buildflags --get LDFLAGS` -Wl,--as-needed CPPFLAGS = `dpkg-buildflags --get CPPFLAGS` @@ -34,8 +36,8 @@ doconfigure-main: CONFIGURE_FLAGS += --without-python doconfigure-python%: CONFIGURE_FLAGS += --with-python=/usr/bin/$* -#doconfigure-udeb: CONFIGURE_FLAGS += --without-history --with-minimum --with-tree --with-output -doconfigure-udeb: CONFIGURE_FLAGS += --without-history --with-tree --with-output +#doconfigure-udeb: CONFIGURE_FLAGS += --without-history --with-minimum --with-tree --with-output --without-python +doconfigure-udeb: CONFIGURE_FLAGS += --without-history --with-tree --with-output --without-python override_dh_auto_build: $(TARGETS:%=dobuild-%) 
@@ -45,8 +47,11 @@ dh_auto_build --builddirectory=$(BUILD_DIR) -- $(BUILD_FLAGS) dobuild-python%: BUILD_DIR=builddir/main/$* -dobuild-python%: BUILD_FLAGS = libxml2mod_la_LIBADD='$$(mylibs)' -dobuild-python%-dbg: BUILD_FLAGS += PYTHON_INCLUDES=/usr/include/$(*:-dbg=_d) \ +dobuild-python%: BUILD_FLAGS = libxml2mod_la_LIBADD='$$(mylibs)' \ + PYTHON_INCLUDES="$(shell $(DEB_HOST_GNU_TYPE)-python-config --includes)" \ + PYTHON_LIBS="$(shell $(DEB_HOST_GNU_TYPE)-python-config --ldflags)" +dobuild-python%-dbg: BUILD_FLAGS += PYTHON_INCLUDES="$(shell $(DEB_HOST_GNU_TYPE)-python-dbg-config --includes)" \ + PYTHON_LIBS="$(shell $(DEB_HOST_GNU_TYPE)-python-dbg-config --ldflags)" \ CFLAGS="$(CFLAGS) -Wall -g -O0" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS) \ -L$(CURDIR)/debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)" build-arch: $(TARGETS:%=dobuild-%) @@ -82,7 +87,7 @@ doinstall-python%-dbg: $(MAKE) -C builddir/main/python$*-dbg DESTDIR=$(CURDIR)/debian/tmp-dbg install-pythonLTLIBRARIES - prename 's/(?
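Review bot: In the `dobuild-python%` assignments the new `PYTHON_INCLUDES` and `PYTHON_LIBS` values call `$(DEB_HOST_GNU_TYPE)-python-config` without using the stem, so every `python%` flavour is built against the default interpreter's headers and libraries, whereas the removed line derived the include directory from `$*`. `$(shell …)` also discards a failed lookup: if the triplet-prefixed config script is not installed, both variables expand to empty strings and the build continues with no Python include path. Deriving the script name from the stem (for example `$(DEB_HOST_GNU_TYPE)-$*-config`, assuming `$*` is the interpreter name as the old `$(*:-dbg=_d)` suggests) and rejecting an empty result with `$(error …)` would make both cases visible. The `@@ -82,7 +87,7 @@` hunk that follows is cut off in this view and is not reviewed.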