diffstat for libxml2-2.9.1+dfsg1 libxml2-2.9.1+dfsg1 changelog | 347 +++++++ control | 22 libxml2.symbols | 1 patches/0006-fix-python-multiarch-includes.patch | 33 patches/CVE-2014-0191.patch | 33 patches/CVE-2014-3660.patch | 139 +++ patches/CVE-2015-1819.patch | 173 +++ patches/CVE-2015-5312.patch | 29 patches/CVE-2015-7497.patch | 32 patches/CVE-2015-7498.patch | 79 + patches/CVE-2015-7499-1.patch | 78 + patches/CVE-2015-7499-2.patch | 33 patches/CVE-2015-7499-3.patch | 171 +++ patches/CVE-2015-7499-4.patch | 28 patches/CVE-2015-7500.patch | 105 ++ patches/CVE-2015-7941.patch | 45 patches/CVE-2015-7942.patch | 20 patches/CVE-2015-8035.patch | 28 patches/CVE-2015-8241.patch | 32 patches/CVE-2015-8242.patch | 39 patches/CVE-2015-8317-1.patch | 35 patches/CVE-2015-8317-2.patch | 32 patches/CVE-2015-8710.patch | 62 + patches/CVE-2016-1762.patch | 30 patches/CVE-2016-1833-pre.patch | 27 patches/CVE-2016-1833-pre2.patch | 27 patches/CVE-2016-1833.patch | 247 +++++ patches/CVE-2016-1834.patch | 50 + patches/CVE-2016-1835.patch | 135 ++ patches/CVE-2016-1836.patch | 438 +++++++++ patches/CVE-2016-1837.patch | 137 ++ patches/CVE-2016-1838.patch | 90 + patches/CVE-2016-1839.patch | 60 + patches/CVE-2016-1840.patch | 32 patches/CVE-2016-3627.patch | 56 + patches/CVE-2016-3705.patch | 65 + patches/CVE-2016-4447.patch | 64 + patches/CVE-2016-4448-1.patch | 1064 +++++++++++++++++++++++ patches/CVE-2016-4448-2.patch | 201 ++++ patches/CVE-2016-4448-3.patch | 48 + patches/CVE-2016-4449.patch | 41 patches/CVE-2016-4483.patch | 49 + patches/CVE-2016-4658.patch | 249 +++++ patches/CVE-2016-5131-1.patch | 142 +++ patches/CVE-2016-5131-2.patch | 31 patches/CVE-2016-9318.patch | 51 + patches/CVE-2017-0663.patch | 45 patches/CVE-2017-15412.patch | 33 patches/CVE-2017-16932.patch | 96 ++ patches/CVE-2017-18258.patch | 25 patches/CVE-2017-7375.patch | 37 patches/CVE-2017-7376.patch | 33 patches/CVE-2017-9047-9048.patch | 118 ++ patches/CVE-2017-9049-9050.patch | 302 ++++++ 
patches/CVE-2018-14404.patch | 47 + patches/CVE-2018-14567.patch | 43 patches/lp1321869.patch | 56 + patches/series | 55 + patches/xmllint_pretty.patch | 21 rules | 20 60 files changed, 5853 insertions(+), 8 deletions(-) diff -Nru libxml2-2.9.1+dfsg1/debian/changelog libxml2-2.9.1+dfsg1/debian/changelog --- libxml2-2.9.1+dfsg1/debian/changelog 2013-08-05 03:04:19.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/changelog 2018-08-13 20:51:10.000000000 +0000 
@@ -1,3 +1,298 @@ +libxml2 (2.9.1+dfsg1-3ubuntu4.13) trusty-security; urgency=medium + + * SECURITY UPDATE: XXE attacks + - debian/patches/CVE-2016-9318.patch: fix in parser.c. + - CVE-2016-9318 + * SECURITY UPDATE: Denial of service + - debian/patches/CVE-2017-18258.patch: fix in xzlib.c. + - CVE-2017-18258 + * SECURITY UPDATE: Denial of service + - debian/patches/CVE-2018-14404.patch: fix in xpath.c. + - CVE-2018-14404 + * SECURITY UPDATE: Infinite loop in LZMA decompression + - debian/patches/CVE-2018-14567.patch: fix in xzlib.c. + - CVE-2018-14567 + + -- Leonidas S. Barbosa Mon, 13 Aug 2018 17:50:43 -0300 + +libxml2 (2.9.1+dfsg1-3ubuntu4.12) trusty-security; urgency=medium + + * SECURITY UPDATE: use after-free in xmlXPathCompOpEvalPositionPredicate + - debian/patches/CVE-2017-15412.patch: fix XPath stack frame logic in + xpath.c. + - CVE-2017-15412 + + -- Leonidas S. Barbosa Mon, 11 Dec 2017 13:31:53 -0300 + +libxml2 (2.9.1+dfsg1-3ubuntu4.11) trusty-security; urgency=medium + + * SECURITY UPDATE: infinite recursion in parameter entities + - CVE-2017-16932 + + -- Leonidas S. 
Barbosa Mon, 04 Dec 2017 15:17:15 -0300 + +libxml2 (2.9.1+dfsg1-3ubuntu4.10) trusty-security; urgency=medium + + * SECURITY UPDATE: type confusion leading to out-of-bounds write + - debian/patches/CVE-2017-0663.patch: eliminate cast + - CVE-2017-0663 + * SECURITY UPDATE: XML external entity (XXE) vulnerability + - debian/patches/CVE-2017-7375.patch: add validation for parsed + entity references + - CVE-2017-7375 + * SECURITY UPDATE: buffer overflow in URL handling + - debian/patches/CVE-2017-7376.patch: allocate enough memory for + ports in HTTP redirect support + - CVE-2017-7376 + * SECURITY UPDATE: buffer overflows in xmlSnprintfElementContent() + - debian/patches/CVE-2017-9047-9048.patch: ensure enough space + remains in buffer for copied data + - CVE-2017-9047, CVE-2017-9048 + * SECURITY UPDATE: heap based buffer overreads in + xmlDictComputeFastKey() + - debian/patches/CVE-2017-9049-9050.patch: drop uneccessary + expansions, add additional sanity check + - CVE-2017-9049, CVE-2017-9050 + + -- Steve Beattie Fri, 15 Sep 2017 16:19:46 -0700 + +libxml2 (2.9.1+dfsg1-3ubuntu4.9) trusty-security; urgency=medium + + * SECURITY UPDATE: format string vulnerabilities + - debian/patches/CVE-2016-4448-1.patch: fix format string warnings in + HTMLparser.c, SAX2.c, catalog.c, configure.in, debugXML.c, + encoding.c, entities.c, error.c, include/libxml/parserInternals.h, + include/libxml/xmlerror.h, include/libxml/xmlstring.h, libxml.h, + parser.c, parserInternals.c, relaxng.c, schematron.c, testModule.c, + valid.c, xinclude.c, xmlIO.c, xmllint.c, xmlreader.c, xmlschemas.c, + xmlstring.c, xmlwriter.c, xpath.c, xpointer.c. + - debian/patches/CVE-2016-4448-2.patch: fix format string warnings in + libxml.h, relaxng.c, xmlschemas.c, xmlstring.c. + - debian/patches/CVE-2016-4448-3.patch: fix build on pre-C99 compilers + in relaxng.c, xmlschemas.c. + - debian/libxml2.symbols: added new symbol. 
+ - CVE-2016-4448 + * SECURITY UPDATE: use-after-free via namespace nodes in XPointer ranges + - debian/patches/CVE-2016-4658.patch: disallow namespace nodes in + XPointer ranges in xpointer.c. + - CVE-2016-4658 + * SECURITY UPDATE: use-after-free in XPointer range-to function + - debian/patches/CVE-2016-5131-1.patch: fix XPointer paths beginning + with range-to in xpath.c, xpointer.c. + - debian/patches/CVE-2016-5131-2.patch: fix comparison with root node + in xmlXPathCmpNodes in xpath.c. + - CVE-2016-5131 + + -- Marc Deslauriers Wed, 15 Mar 2017 07:54:26 -0400 + +libxml2 (2.9.1+dfsg1-3ubuntu4.8) trusty-security; urgency=medium + + * SECURITY UPDATE: heap-based buffer overread in xmlNextChar + - debian/patches/CVE-2016-1762.patch: return after error in parser.c. + - CVE-2016-1762 + * SECURITY UPDATE: heap-based buffer overread in htmlCurrentChar + - debian/patches/CVE-2016-1833-pre.patch: clear up NULL deref in + parserInternals.c. + - debian/patches/CVE-2016-1833-pre2.patch: handle 0-length entities in + parserInternals.c. + - debian/patches/CVE-2016-1833.patch: fix tests in parserInternals.c. + - CVE-2016-1833 + * SECURITY UPDATE: heap-buffer-overflow in xmlStrncat + - debian/patches/CVE-2016-1834.patch: check for negative lengths in + xmlstring.c. + - CVE-2016-1834 + * SECURITY UPDATE: heap use-after-free in xmlSAX2AttributeNs + - debian/patches/CVE-2016-1835.patch: add check to parser.c, add tests + to result/errors/759020.xml.err, result/errors/759020.xml.str, + test/errors/759020.xml. + - CVE-2016-1835 + * SECURITY UPDATE: heap use-after-free in xmlDictComputeFastKey + - debian/patches/CVE-2016-1836.patch: prevent stale pointer usage in + parser.c, added tests to result/errors/759398.xml.err, + result/errors/759398.xml.str, test/errors/759398.xml. + - CVE-2016-1836 + * SECURITY UPDATE: heap use-after-free in htmlParsePubidLiteral and + htmlParseSystemiteral + - debian/patches/CVE-2016-1837.patch: prevent stable pointer usage in + HTMLparser.c. 
+ - CVE-2016-1837 + * SECURITY UPDATE: heap-based buffer overread in + xmlParserPrintFileContextInternal + - debian/patches/CVE-2016-1838.patch: add bounds check to parser.c, + add tests to result/errors/758588.xml.err, + result/errors/758588.xml.str, test/errors/758588.xml. + - CVE-2016-1838 + * SECURITY UPDATE: heap-based buffer overread in xmlDictAddString + - debian/patches/CVE-2016-1839.patch: add bounds check to HTMLparser.c. + - CVE-2015-8806 + - CVE-2016-1839 + - CVE-2016-2073 + * SECURITY UPDATE: heap-buffer-overflow in xmlFAParsePosCharGroup + - debian/patches/CVE-2016-1840.patch: properly handle error in + xmlregexp.c. + - CVE-2016-1840 + * SECURITY UPDATE: avoid building recursive entities + - debian/patches/CVE-2016-3627.patch: properly handle recursion in + parser.c, tree.c. + - CVE-2016-3627 + * SECURITY UPDATE: recursion depth counter issue + - debian/patches/CVE-2016-3705.patch: properly could recursion depth in + parser.c. + - CVE-2016-3705 + * SECURITY UPDATE: heap-based buffer-underreads due to xmlParseName + - debian/patches/CVE-2016-4447.patch: improve error handling in + parser.c. + - CVE-2016-4447 + * SECURITY UPDATE: inappropriate fetch of entities content + - debian/patches/CVE-2016-4449.patch: fix another external entity fetch + in parser.c. + - CVE-2016-4449 + * SECURITY UPDATE: out of bound access when serializing malformed strings + - debian/patches/CVE-2016-4483.patch: improve string handling in + xmlsave.c. + - CVE-2016-4483 + + -- Marc Deslauriers Fri, 03 Jun 2016 08:59:55 -0400 + +libxml2 (2.9.1+dfsg1-3ubuntu4.7) trusty-security; urgency=medium + + * SECURITY UPDATE: incomplete fix for out of bounds read in xmlGROW + (LP: #1525996) + - add extra commits to this previously-fixed CVE + - debian/patches/CVE-2015-7499-3.patch: reuse xmlHaltParser() where it + makes sense in parser.c. + - debian/patches/CVE-2015-7499-4.patch: do not print error context when + there is none in error.c. 
+ - CVE-2015-7499 + * SECURITY UPDATE: out of bounds memory access via unclosed html comment + - debian/patches/CVE-2015-8710.patch: fix parsing short unclosed + comment uninitialized access in HTMLparser.c. + - CVE-2015-8710 + + -- Marc Deslauriers Thu, 14 Jan 2016 13:13:10 -0500 + +libxml2 (2.9.1+dfsg1-3ubuntu4.6) trusty-security; urgency=medium + + * SECURITY UPDATE: denial of service via entity expansion issue + - debian/patches/CVE-2015-5312.patch: properly exit when entity + expansion is detected in parser.c. + - CVE-2015-5312 + * SECURITY UPDATE: heap buffer overflow in xmlDictComputeFastQKey + - debian/patches/CVE-2015-7497.patch: check offset in dict.c. + - CVE-2015-7497 + * SECURITY UPDATE: denial of service via encoding conversion failures + - debian/patches/CVE-2015-7498.patch: avoid processing entities after + encoding conversion failures in parser.c. + - CVE-2015-7498 + * SECURITY UPDATE: out of bounds read in xmlGROW + - debian/patches/CVE-2015-7499-1.patch: add xmlHaltParser() to stop the + parser in parser.c. + - debian/patches/CVE-2015-7499-2.patch: check input in parser.c. + - CVE-2015-7499 + * SECURITY UPDATE: out of bounds read in xmlParseMisc + - debian/patches/CVE-2015-7500.patch: check entity boundaries in + parser.c. + - CVE-2015-7500 + * SECURITY UPDATE: denial of service via extra processing of MarkupDecl + - debian/patches/CVE-2015-8241.patch: add extra EOF check in parser.c. + - CVE-2015-8241 + * SECURITY UPDATE: buffer overead with HTML parser in push mode + - debian/patches/CVE-2015-8242.patch: use pointer in the input in + HTMLparser.c. + - CVE-2015-8242 + * SECURITY UPDATE: denial of service via encoding failures + - debian/patches/CVE-2015-8317-1.patch: do not process encoding values + if the declaration is broken in parser.c. + - debian/patches/CVE-2015-8317-2.patch: fail parsing if the encoding + conversion failed in parser.c. 
+ - CVE-2015-8317 + + -- Marc Deslauriers Wed, 09 Dec 2015 12:00:30 -0500 + +libxml2 (2.9.1+dfsg1-3ubuntu4.5) trusty-security; urgency=medium + + * SECURITY UPDATE: denial of service via XEE attack + - debian/patches/CVE-2015-1819.patch: enforce the reader to run in + constant memory in buf.c, include/libxml/tree.h, xmlreader.c. + - CVE-2015-1819 + * SECURITY UPDATE: denial of service via out-of-bounds read + - debian/patches/CVE-2015-7941.patch: stop parsing on entities + boundaries errors in parser.c. + - CVE-2015-7941 + * SECURITY UPDATE: overflow in conditional sections + - debian/patches/CVE-2015-7942.patch: properly check input in parser.c. + - CVE-2015-7942 + * SECURITY UPDATE: denial of service via crafted document with xz + - debian/patches/CVE-2015-8035.patch: check for error in xzlib.c. + - CVE-2015-8035 + + -- Marc Deslauriers Fri, 13 Nov 2015 08:58:16 -0500 + +libxml2 (2.9.1+dfsg1-3ubuntu4.4) trusty-security; urgency=medium + + * SECURITY UPDATE: denial of service via entity expansion + - debian/patches/CVE-2014-3660.patch: added additional tests to + parser.c. + - CVE-2014-3660 + + -- Marc Deslauriers Thu, 16 Oct 2014 15:30:49 -0400 + +libxml2 (2.9.1+dfsg1-3ubuntu4.3) trusty-security; urgency=medium + + * SECURITY REGRESSION: more xmllint regressions (LP: #1321869) + - debian/patches/lp1321869.patch: use upstream commit which includes + additional regression fixes to parser.c. + + -- Marc Deslauriers Fri, 13 Jun 2014 08:33:28 -0400 + +libxml2 (2.9.1+dfsg1-3ubuntu4.2) trusty-security; urgency=medium + + * SECURITY REGRESSION: xmllint no longer loads entities with --postvalid + (LP: #1321869) + - debian/patches/lp1321869.patch: also check XML_PARSE_DTDLOAD in + parser.c. 
+ + -- Marc Deslauriers Fri, 06 Jun 2014 13:29:08 -0400 + +libxml2 (2.9.1+dfsg1-3ubuntu4.1) trusty-security; urgency=medium + + * SECURITY UPDATE: resource exhaustion via external parameter entities + - debian/patches/CVE-2014-0191.patch: do not fetch external parameter + entities in parser.c. + - CVE-2014-0191 + + -- Marc Deslauriers Thu, 08 May 2014 14:28:19 -0400 + +libxml2 (2.9.1+dfsg1-3ubuntu4) trusty; urgency=medium + + * Rebuild to drop files installed into /usr/share/pyshared. + + -- Matthias Klose Sun, 23 Feb 2014 13:48:26 +0000 + +libxml2 (2.9.1+dfsg1-3ubuntu3) trusty; urgency=low + + * Actually run dh_autoreconf, which the old/new mixed rules file misses. + + -- Adam Conrad Sun, 08 Dec 2013 02:23:52 -0700 + +libxml2 (2.9.1+dfsg1-3ubuntu2) saucy; urgency=low + + [ Tim Galeckas ] + * Fix SIGSEGV when --pretty is specified. LP: #923691 + + -- Dmitrijs Ledkovs Thu, 22 Aug 2013 21:34:37 +0100 + +libxml2 (2.9.1+dfsg1-3ubuntu1) saucy; urgency=low + + * Merge with Debian; remaining changes: + - Fix python multi-arch includes issues. + - Allow the package to cross-build. + - Set PYTHON_LIBS for cross builds. + - Remove explicit build dependency on binutils. + - Configure the udeb --without-python. + + -- Matthias Klose Sat, 17 Aug 2013 10:43:21 +0200 + libxml2 (2.9.1+dfsg1-3) unstable; urgency=low * debian/patches/0007-Fix-XPath-optimization-with-predicates.patch: @@ -5,6 +300,20 @@ -- Aron Xu Mon, 05 Aug 2013 11:02:43 +0800 +libxml2 (2.9.1+dfsg1-2ubuntu1) saucy; urgency=low + + * Merged from Debian unstable. Remaining changes: + - Fix python multi-arch includes issues. + - Allow the package to cross-build. + - Set PYTHON_LIBS for cross builds. + - Remove explicit build dependency on binutils. + - Configure the udeb --without-python. + * Dropped patches: + - CVE-2013-0338.patch: upstream + - CVE-2013-1969.patch: upstream + + -- Marc Deslauriers Thu, 11 Jul 2013 09:31:50 -0400 + libxml2 (2.9.1+dfsg1-2) unstable; urgency=low * Upload to unstable. 
@@ -24,6 +333,44 @@ -- Aron Xu Sun, 09 Jun 2013 00:34:16 +0800 +libxml2 (2.9.0+dfsg1-4ubuntu5) saucy; urgency=low + + * SECURITY UPDATE: multiple use after free issues + - debian/patches/CVE-2013-1969.patch: properly reset pointers in + HTMLparser.c, parser.c. + - CVE-2013-1969 + + -- Marc Deslauriers Tue, 07 May 2013 08:28:15 -0400 + +libxml2 (2.9.0+dfsg1-4ubuntu4) raring; urgency=low + + * SECURITY UPDATE: denial of service via entity expansion + - debian/patches/CVE-2013-0338.patch: limit number of entity expansions + in include/libxml/parser.h, parser.c, parserInternals.c. + - CVE-2013-0338 + + -- Marc Deslauriers Tue, 26 Mar 2013 10:04:58 -0400 + +libxml2 (2.9.0+dfsg1-4ubuntu3) raring; urgency=low + + * Set PYTHON_LIBS for cross builds. + * Remove explicit build dependency on binutils. + * Configure the udeb --without-python. + + -- Matthias Klose Thu, 07 Mar 2013 17:03:45 +0800 + +libxml2 (2.9.0+dfsg1-4ubuntu2) raring; urgency=low + + * Allow the package to cross-build. + + -- Matthias Klose Thu, 07 Mar 2013 15:46:38 +0800 + +libxml2 (2.9.0+dfsg1-4ubuntu1) raring; urgency=low + + * Fix python multi-arch includes issues. + + -- Chris J Arges Fri, 11 Jan 2013 13:10:08 -0600 + libxml2 (2.9.0+dfsg1-4) experimental; urgency=low [ Daniel Veillard ] diff -Nru libxml2-2.9.1+dfsg1/debian/control libxml2-2.9.1+dfsg1/debian/control --- libxml2-2.9.1+dfsg1/debian/control 2013-07-14 15:58:19.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/control 2013-08-17 08:47:23.000000000 +0000 
@@ -1,11 +1,13 @@ Source: libxml2 Priority: optional Section: libs -Maintainer: Debian XML/SGML Group +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian XML/SGML Group Uploaders: Aron Xu , YunQiang Su Standards-Version: 3.9.4 Build-Depends: debhelper (>= 9), perl, dh-autoreconf, autotools-dev, - binutils (>= 2.14.90.0.7), python-all-dev (>= 2.6.6-3~), python-all-dbg, + libpython-all-dev (>= 2.6.6-3~), libpython-all-dbg, + python-all-dev:any (>= 2.6.6-3~), python-all-dbg:any, zlib1g-dev | libz-dev, liblzma-dev, libreadline-dev | libreadline6-dev Homepage: http://xmlsoft.org/ Vcs-Git: git://anonscm.debian.org/debian-xml-sgml/libxml2.git @@ -145,3 +147,19 @@ . This package contains the files needed to use the GNOME XML library in Python programs for use with the Python debug interpreter. + +Package: libxml2-udeb +XC-Package-Type: udeb +Architecture: any +Section: debian-installer +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: GNOME XML library - minimal runtime + XML is a metalanguage to let you design your own markup language. + A regular markup language defines a way to describe information in + a certain class of documents (eg HTML). XML lets you define your + own customized markup languages for many classes of document. It + can do this because it's written in SGML, the international standard + metalanguage for markup languages. + . + This is a minimal package for use in debian-installer that yields a + library providing an extensive API to handle such XML data files. diff -Nru libxml2-2.9.1+dfsg1/debian/libxml2.symbols libxml2-2.9.1+dfsg1/debian/libxml2.symbols --- libxml2-2.9.1+dfsg1/debian/libxml2.symbols 2013-07-14 15:58:19.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/libxml2.symbols 2017-03-15 12:10:45.000000000 +0000 
@@ -142,6 +142,7 @@
 xmlDictGetUsage@LIBXML2_2.9.0 2.9.0
 xmlDictSetLimit@LIBXML2_2.9.0 2.9.0
 xmlEncodeAttributeEntities@Base 2.9.0
+ xmlEscapeFormatString@Base 2.9.1+dfsg1-3ubuntu4.9
 xmlGenericErrorDefaultFunc@Base 2.6.27
 xmlInitializeDict@LIBXML2_2.8.0 2.8.0
 xmlMallocBreakpoint@Base 2.6.27
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0006-fix-python-multiarch-includes.patch libxml2-2.9.1+dfsg1/debian/patches/0006-fix-python-multiarch-includes.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0006-fix-python-multiarch-includes.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/0006-fix-python-multiarch-includes.patch 2013-08-17 08:47:23.000000000 +0000
@@ -0,0 +1,33 @@
+Description: fix python multi-arch include issues.
+ .
+ libxml2 (2.9.0+dfsg1-4ubuntu1) raring; urgency=low
+ .
+ * Fix python multi-arch includes issues.
+Author: Chris J Arges
+
+Index: libxml2-2.9.1+dfsg1/python/Makefile.am
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/python/Makefile.am 2013-07-11 10:00:34.032015469 -0400
++++ libxml2-2.9.1+dfsg1/python/Makefile.am 2013-07-11 10:00:34.028015468 -0400
+@@ -19,7 +19,7 @@
+ AM_CPPFLAGS = \
+ -I$(top_builddir)/include \
+ -I$(top_srcdir)/include \
+- -I$(PYTHON_INCLUDES)
++ $(PYTHON_INCLUDES)
+
+ python_LTLIBRARIES = libxml2mod.la
+
+Index: libxml2-2.9.1+dfsg1/python/Makefile.in
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/python/Makefile.in 2013-07-11 10:00:34.032015469 -0400
++++ libxml2-2.9.1+dfsg1/python/Makefile.in 2013-07-11 10:00:34.028015468 -0400
+@@ -430,7 +430,7 @@
+ @WITH_PYTHON_TRUE@AM_CPPFLAGS = \
+ @WITH_PYTHON_TRUE@ -I$(top_builddir)/include \
+ @WITH_PYTHON_TRUE@ -I$(top_srcdir)/include \
+-@WITH_PYTHON_TRUE@ -I$(PYTHON_INCLUDES)
++@WITH_PYTHON_TRUE@ $(PYTHON_INCLUDES)
+
+ @WITH_PYTHON_TRUE@python_LTLIBRARIES = libxml2mod.la
+ @WITH_PYTHON_TRUE@libxml2mod_la_SOURCES = libxml.c libxml_wrap.h libxml2-py.h libxml2-py.c types.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2014-0191.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2014-0191.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2014-0191.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2014-0191.patch 2014-05-08 18:28:14.000000000 +0000
@@ -0,0 +1,33 @@
+From 9cd1c3cfbd32655d60572c0a413e017260c854df Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Tue, 22 Apr 2014 15:30:56 +0800
+Subject: Do not fetch external parameter entities
+
+Unless explicitely asked for when validating or replacing entities
+with their value. Problem pointed out by Daniel Berrange
+
+Index: libxml2-2.9.1+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/parser.c 2014-05-08 14:25:10.667020623 -0400
++++ libxml2-2.9.1+dfsg1/parser.c 2014-05-08 14:25:10.663020622 -0400
+@@ -2595,6 +2595,20 @@
+ xmlCharEncoding enc;
+
+ /*
++ * Note: external parsed entities will not be loaded, it is
++ * not required for a non-validating parser, unless the
++ * option of validating, or substituting entities were
++ * given. Doing so is far more secure as the parser will
++ * only process data coming from the document entity by
++ * default.
++ */
++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
++ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++ (ctxt->validate == 0))
++ return;
++
++ /*
+ * handle the extra spaces added before and after
+ * c.f. http://www.w3.org/TR/REC-xml#as-PE
+ * this is done independently.
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2014-3660.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2014-3660.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2014-3660.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2014-3660.patch 2014-10-16 19:30:43.000000000 +0000
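Review bot: The new guard returns before loading an external parameter entity whenever neither XML_PARSE_NOENT, XML_PARSE_DTDVALID nor `ctxt->validate` is set, but it never looks at XML_PARSE_DTDLOAD, so a caller that asked for DTD loading without validation also loses its external PEs; the changelog entries for 3ubuntu4.2 and 3ubuntu4.3 (lp1321869.patch, "also check XML_PARSE_DTDLOAD in parser.c") show this was hit as a regression, and that patch is in the same series, so the point is only that this patch is not self-contained and should not be cherry-picked alone. The comment also speaks of `external parsed entities` while the test is on `XML_EXTERNAL_PARAMETER_ENTITY`; I would write it as `* Note: external parameter entities will not be loaded, it is`. The enclosing function starts and ends outside the hunk.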
@@ -0,0 +1,139 @@ +From be2a7edaf289c5da74a4f9ed3a0b6c733e775230 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Thu, 16 Oct 2014 13:59:47 +0800 +Subject: Fix for CVE-2014-3660 + +Issues related to the billion laugh entity expansion which happened to +escape the initial set of fixes + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2014-10-16 15:30:40.885274343 -0400 ++++ libxml2-2.9.1+dfsg1/parser.c 2014-10-16 15:30:40.881274311 -0400 +@@ -130,6 +130,29 @@ + return (0); + if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) + return (1); ++ ++ /* ++ * This may look absurd but is needed to detect ++ * entities problems ++ */ ++ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) && ++ (ent->content != NULL) && (ent->checked == 0)) { ++ unsigned long oldnbent = ctxt->nbentities; ++ xmlChar *rep; ++ ++ ent->checked = 1; ++ ++ rep = xmlStringDecodeEntities(ctxt, ent->content, ++ XML_SUBSTITUTE_REF, 0, 0, 0); ++ ++ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; ++ if (rep != NULL) { ++ if (xmlStrchr(rep, '<')) ++ ent->checked |= 1; ++ xmlFree(rep); ++ rep = NULL; ++ } ++ } + if (replacement != 0) { + if (replacement < XML_MAX_TEXT_LENGTH) + return(0); +@@ -189,9 +212,12 @@ + return (0); + } else { + /* +- * strange we got no data for checking just return ++ * strange we got no data for checking + */ +- return (0); ++ if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) && ++ (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) || ++ (ctxt->nbentities <= 10000)) ++ return (0); + } + xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); + return (1); +@@ -2584,6 +2610,7 @@ + name, NULL); + ctxt->valid = 0; + } ++ xmlParserEntityCheck(ctxt, 0, NULL, 0); + } else if (ctxt->input->free != deallocblankswrapper) { + input = xmlNewBlanksWrapperInputStream(ctxt, entity); + if (xmlPushInput(ctxt, input) < 0) +@@ -2754,6 +2781,7 @@ + if ((ctxt->lastError.code == 
XML_ERR_ENTITY_LOOP) || + (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR)) + goto int_error; ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + if (ent != NULL) + ctxt->nbentities += ent->checked / 2; + if ((ent != NULL) && +@@ -2805,6 +2833,7 @@ + ent = xmlParseStringPEReference(ctxt, &str); + if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) + goto int_error; ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + if (ent != NULL) + ctxt->nbentities += ent->checked / 2; + if (ent != NULL) { +@@ -7307,6 +7336,7 @@ + (ret != XML_WAR_UNDECLARED_ENTITY)) { + xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY, + "Entity '%s' failed to parse\n", ent->name); ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + } else if (list != NULL) { + xmlFreeNodeList(list); + list = NULL; +@@ -7413,7 +7443,7 @@ + /* + * We are copying here, make sure there is no abuse + */ +- ctxt->sizeentcopy += ent->length; ++ ctxt->sizeentcopy += ent->length + 5; + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) + return; + +@@ -7461,7 +7491,7 @@ + /* + * We are copying here, make sure there is no abuse + */ +- ctxt->sizeentcopy += ent->length; ++ ctxt->sizeentcopy += ent->length + 5; + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) + return; + +@@ -7647,6 +7677,7 @@ + ctxt->sax->reference(ctxt->userData, name); + } + } ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + ctxt->valid = 0; + } + +@@ -7840,6 +7871,7 @@ + "Entity '%s' not defined\n", + name); + } ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + /* TODO ? 
check regressions ctxt->valid = 0; */ + } + +@@ -7999,6 +8031,7 @@ + name, NULL); + ctxt->valid = 0; + } ++ xmlParserEntityCheck(ctxt, 0, NULL, 0); + } else { + /* + * Internal checking in case the entity quest barfed +@@ -8238,6 +8271,7 @@ + name, NULL); + ctxt->valid = 0; + } ++ xmlParserEntityCheck(ctxt, 0, NULL, 0); + } else { + /* + * Internal checking in case the entity quest barfed diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-1819.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-1819.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-1819.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-1819.patch 2015-11-13 13:57:29.000000000 +0000 
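Review bot: `ent->checked` is given a packed meaning by the first hunk at parser.c:130 — `(ctxt->nbentities - oldnbent + 1) * 2` stores the expansion count in the upper bits and `|= 1` records that the replacement text contains `<` — and the context lines at 2781 and 2833 depend on it by dividing by 2, yet nothing in the hunk states the encoding; a comment such as `/* checked = (nested entity count + 1) * 2, low bit set if the replacement contains '<' */` next to the assignment would keep it from being broken by a later edit. The `ent->checked = 1` written before xmlStringDecodeEntities presumably stops this block from re-entering itself while the entity is being decoded — confirm and say so. The `ctxt->nbentities <= 10000` threshold in the undeclared-entity branch is a bare magic number and deserves either a named constant or a comment on why 10000 was chosen. The enclosing functions of each hunk start and end outside the hunk.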
@@ -0,0 +1,173 @@ +From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 14 Apr 2015 17:41:48 +0800 +Subject: CVE-2015-1819 Enforce the reader to run in constant memory + +One of the operation on the reader could resolve entities +leading to the classic expansion issue. Make sure the +buffer used for xmlreader operation is bounded. +Introduce a new allocation type for the buffers for this effect. +--- + buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++- + include/libxml/tree.h | 3 ++- + xmlreader.c | 20 +++++++++++++++++++- + 3 files changed, 63 insertions(+), 3 deletions(-) + +Index: libxml2-2.9.1+dfsg1/buf.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/buf.c 2015-11-13 08:57:26.800279755 -0500 ++++ libxml2-2.9.1+dfsg1/buf.c 2015-11-13 08:57:26.796279703 -0500 +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include /* for XML_MAX_TEXT_LENGTH */ + #include "buf.h" + + #define WITH_BUFFER_COMPAT +@@ -299,7 +300,8 @@ + if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) || + (scheme == XML_BUFFER_ALLOC_EXACT) || + (scheme == XML_BUFFER_ALLOC_HYBRID) || +- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) { ++ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) || ++ (scheme == XML_BUFFER_ALLOC_BOUNDED)) { + buf->alloc = scheme; + if (buf->buffer) + buf->buffer->alloc = scheme; +@@ -458,6 +460,18 @@ + size = buf->use + len + 100; + #endif + ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || ++ (buf->size >= XML_MAX_TEXT_LENGTH)) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(0); ++ } ++ if (size >= XML_MAX_TEXT_LENGTH) ++ size = XML_MAX_TEXT_LENGTH; ++ } + if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { + size_t start_buf = buf->content - buf->contentIO; + +@@ -739,6 +753,15 @@ + CHECK_COMPAT(buf) + + if (buf->alloc == 
XML_BUFFER_ALLOC_IMMUTABLE) return(0); ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (size >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(0); ++ } ++ } + + /* Don't resize if we don't have to */ + if (size < buf->size) +@@ -867,6 +890,15 @@ + + needSize = buf->use + len + 2; + if (needSize > buf->size){ ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (needSize >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(-1); ++ } ++ } + if (!xmlBufResize(buf, needSize)){ + xmlBufMemoryError(buf, "growing buffer"); + return XML_ERR_NO_MEMORY; +@@ -938,6 +970,15 @@ + } + needSize = buf->use + len + 2; + if (needSize > buf->size){ ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (needSize >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(-1); ++ } ++ } + if (!xmlBufResize(buf, needSize)){ + xmlBufMemoryError(buf, "growing buffer"); + return XML_ERR_NO_MEMORY; +Index: libxml2-2.9.1+dfsg1/include/libxml/tree.h +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/include/libxml/tree.h 2015-11-13 08:57:26.800279755 -0500 ++++ libxml2-2.9.1+dfsg1/include/libxml/tree.h 2015-11-13 08:57:26.800279755 -0500 +@@ -76,7 +76,8 @@ + XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */ + XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */ + XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */ +- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */ ++ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */ ++ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */ + } xmlBufferAllocationScheme; + + /** +Index: libxml2-2.9.1+dfsg1/xmlreader.c 
+=================================================================== +--- libxml2-2.9.1+dfsg1.orig/xmlreader.c 2015-11-13 08:57:26.800279755 -0500 ++++ libxml2-2.9.1+dfsg1/xmlreader.c 2015-11-13 08:57:26.800279755 -0500 +@@ -2077,6 +2077,9 @@ + "xmlNewTextReader : malloc failed\n"); + return(NULL); + } ++ /* no operation on a reader should require a huge buffer */ ++ xmlBufSetAllocationScheme(ret->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); + if (ret->sax == NULL) { + xmlBufFree(ret->buffer); +@@ -3602,6 +3605,7 @@ + return(((xmlNsPtr) node)->href); + case XML_ATTRIBUTE_NODE:{ + xmlAttrPtr attr = (xmlAttrPtr) node; ++ const xmlChar *ret; + + if ((attr->children != NULL) && + (attr->children->type == XML_TEXT_NODE) && +@@ -3615,10 +3619,21 @@ + "xmlTextReaderSetup : malloc failed\n"); + return (NULL); + } ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + } else + xmlBufEmpty(reader->buffer); + xmlBufGetNodeContent(reader->buffer, node); +- return(xmlBufContent(reader->buffer)); ++ ret = xmlBufContent(reader->buffer); ++ if (ret == NULL) { ++ /* error on the buffer best to reallocate */ ++ xmlBufFree(reader->buffer); ++ reader->buffer = xmlBufCreateSize(100); ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); ++ ret = BAD_CAST ""; ++ } ++ return(ret); + } + break; + } +@@ -5117,6 +5132,9 @@ + "xmlTextReaderSetup : malloc failed\n"); + return (-1); + } ++ /* no operation on a reader should require a huge buffer */ ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + if (reader->sax == NULL) + reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); + if (reader->sax == NULL) { diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-5312.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-5312.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-5312.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
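Review bot: In the xmlreader.c recovery path (`/* error on the buffer best to reallocate */`), `reader->buffer = xmlBufCreateSize(100);` is handed to xmlBufSetAllocationScheme with no NULL check, while the allocation sites just above it and at 2077 and 5132 treat a failed buffer allocation as a hard error ("malloc failed"). xmlBufSetAllocationScheme may well tolerate a NULL buffer, but reader->buffer is then left NULL for the next xmlBufEmpty/xmlBufGetNodeContent call on the same reader. I would guard it: `reader->buffer = xmlBufCreateSize(100);` / `if (reader->buffer != NULL)` / `    xmlBufSetAllocationScheme(reader->buffer, XML_BUFFER_ALLOC_BOUNDED);`. The return value of xmlBufSetAllocationScheme is discarded at all four call sites, which is fine only because buf.c now accepts XML_BUFFER_ALLOC_BOUNDED — worth a one-line comment. The enclosing functions start outside the hunk.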
libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-5312.patch 2015-12-09 16:58:09.000000000 +0000
@@ -0,0 +1,29 @@
+From 69030714cde66d525a8884bda01b9e8f0abf8e1e Mon Sep 17 00:00:00 2001
+From: David Drysdale
+Date: Fri, 20 Nov 2015 11:13:45 +0800
+Subject: CVE-2015-5312 Another entity expansion issue
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756733
+It is one case where the code in place to detect entities expansions
+failed to exit when the situation was detected, leading to DoS
+Problem reported by Kostya Serebryany @ Google
+Patch provided by David Drysdale @ Google
+---
+ parser.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: libxml2-2.9.1+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 11:58:07.110986471 -0500
++++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 11:58:07.110986471 -0500
+@@ -2801,6 +2801,10 @@
+ 0, 0, 0);
+ ctxt->depth--;
+
++ if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
++ (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
++ goto int_error;
++
+ if (rep != NULL) {
+ current = rep;
+ while (*current != 0) { /* non input consuming loop */
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7497.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7497.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7497.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7497.patch 2015-12-09 16:58:15.000000000 +0000
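Review bot: The added `goto int_error` fires after `ctxt->depth--` but before the `if (rep != NULL)` block that consumes the decoded text, so releasing `rep` on this path rests entirely on the `int_error` label, which is outside the hunk; confirm it frees `rep` and any partially built result buffer, otherwise the DoS fix trades a loop for a leak. The same two-code test (`XML_ERR_ENTITY_LOOP || XML_ERR_INTERNAL_ERROR`) already appears as context in the CVE-2014-3660 patch at parser.c:2781, so a small static helper or macro naming the condition ("parser already failed hard") would keep the two lists from drifting apart. The enclosing function starts and ends outside the hunk.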
@@ -0,0 +1,32 @@ +From 6360a31a84efe69d155ed96306b9a931a40beab9 Mon Sep 17 00:00:00 2001 +From: David Drysdale +Date: Fri, 20 Nov 2015 10:47:12 +0800 +Subject: CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey + +For https://bugzilla.gnome.org/show_bug.cgi?id=756528 +It was possible to hit a negative offset in the name indexing +used to randomize the dictionary key generation +Reported and fix provided by David Drysdale @ Google +--- + dict.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/dict.c b/dict.c +index 5f71d55..8c8f931 100644 +--- a/dict.c ++++ b/dict.c +@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen, + value += 30 * (*prefix); + + if (len > 10) { +- value += name[len - (plen + 1 + 1)]; ++ int offset = len - (plen + 1 + 1); ++ if (offset < 0) ++ offset = len - (10 + 1); ++ value += name[offset]; + len = 10; + if (plen > 10) + plen = 10; +-- +cgit v0.11.2 + diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7498.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7498.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7498.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7498.patch 2015-12-09 16:58:25.000000000 +0000 
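Review bot: The fallback index `len - (10 + 1)` is in range only because the enclosing `if (len > 10)` guarantees `len >= 11`, and that dependency is not stated next to the new code; a one-liner keeps a later edit of the guard from reintroducing the negative index: `/* len > 10 here, so len - 11 is always a valid index */`. The `offset < 0` branch also silently changes which character feeds the hash for long prefixes instead of failing, which is acceptable for a key function but worth a sentence in the description. xmlDictComputeFastQKey continues outside the hunk.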
@@ -0,0 +1,79 @@ +From afd27c21f6b36e22682b7da20d726bce2dcb2f43 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 9 Nov 2015 18:07:18 +0800 +Subject: Avoid processing entities after encoding conversion failures + +For https://bugzilla.gnome.org/show_bug.cgi?id=756527 +and was also raised by Chromium team in the past + +When we hit a convwersion failure when switching encoding +it is bestter to stop parsing there, this was treated as a +fatal error but the parser was continuing to process to extract +more errors, unfortunately that makes little sense as the data +is obviously corrupt and can potentially lead to unexpected behaviour. +--- + parser.c | 7 +++++-- + parserInternals.c | 11 ++++++++++- + 2 files changed, 15 insertions(+), 3 deletions(-) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 11:58:21.915129571 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 11:58:21.903129455 -0500 +@@ -10593,7 +10593,8 @@ + xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n"); + } + xmlParseEncodingDecl(ctxt); +- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { ++ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || ++ (ctxt->instate == XML_PARSER_EOF)) { + /* + * The XML REC instructs us to stop parsing right here + */ +@@ -10717,6 +10718,7 @@ + + if (CUR == 0) { + xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL); ++ return(-1); + } + + /* +@@ -10734,7 +10736,8 @@ + * Note that we will switch encoding on the fly. 
+ */ + xmlParseXMLDecl(ctxt); +- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { ++ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || ++ (ctxt->instate == XML_PARSER_EOF)) { + /* + * The XML REC instructs us to stop parsing right here + */ +Index: libxml2-2.9.1+dfsg1/parserInternals.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parserInternals.c 2015-12-09 11:58:21.915129571 -0500 ++++ libxml2-2.9.1+dfsg1/parserInternals.c 2015-12-09 11:58:21.907129494 -0500 +@@ -937,6 +937,7 @@ + { + xmlCharEncodingHandlerPtr handler; + int len = -1; ++ int ret; + + if (ctxt == NULL) return(-1); + switch (enc) { +@@ -1097,7 +1098,15 @@ + if (handler == NULL) + return(-1); + ctxt->charset = XML_CHAR_ENCODING_UTF8; +- return(xmlSwitchToEncodingInt(ctxt, handler, len)); ++ ret = xmlSwitchToEncodingInt(ctxt, handler, len); ++ if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) { ++ /* ++ * on encoding conversion errors, stop the parser ++ */ ++ xmlStopParser(ctxt); ++ ctxt->errNo = XML_I18N_CONV_FAILED; ++ } ++ return(ret); + } + + /** diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-1.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-1.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-1.patch 2015-12-09 16:58:34.000000000 +0000 
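Review bot: In the parserInternals.c hunk the order of `xmlStopParser(ctxt)` and `ctxt->errNo = XML_I18N_CONV_FAILED` is load-bearing: the xmlStopParser in this tree (see the CVE-2015-7499-1 patch in this upload) overwrites `errNo` with XML_ERR_USER_STOP, so the assignment must come second, and the comment should say so: `/* xmlStopParser() sets errNo to XML_ERR_USER_STOP; record the real cause afterwards */`. The condition also treats a stale `ctxt->errNo == XML_I18N_CONV_FAILED` from an earlier switch as a failure of this one even when `ret >= 0`; if that is intended it deserves a note. Both patched functions start outside their hunks.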
@@ -0,0 +1,78 @@ +From 28cd9cb747a94483f4aea7f0968d202c20bb4cfc Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 20 Nov 2015 14:55:30 +0800 +Subject: Add xmlHaltParser() to stop the parser + +The problem is doing it in a consistent and safe fashion +It's more complex than just setting ctxt->instate = XML_PARSER_EOF +Update the public function to reuse that new internal routine +--- + parser.c | 34 +++++++++++++++++++++++++++++----- + 1 file changed, 29 insertions(+), 5 deletions(-) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 11:58:32.055227430 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 11:58:32.051227393 -0500 +@@ -94,6 +94,8 @@ + xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, + const xmlChar *base, xmlParserCtxtPtr pctx); + ++static void xmlHaltParser(xmlParserCtxtPtr ctxt); ++ + /************************************************************************ + * * + * Arbitrary limits set in the parser. 
See XML_PARSE_HUGE * +@@ -12542,25 +12544,47 @@ + #endif /* LIBXML_PUSH_ENABLED */ + + /** +- * xmlStopParser: ++ * xmlHaltParser: + * @ctxt: an XML parser context + * +- * Blocks further parser processing ++ * Blocks further parser processing don't override error ++ * for internal use + */ +-void +-xmlStopParser(xmlParserCtxtPtr ctxt) { ++static void ++xmlHaltParser(xmlParserCtxtPtr ctxt) { + if (ctxt == NULL) + return; + ctxt->instate = XML_PARSER_EOF; +- ctxt->errNo = XML_ERR_USER_STOP; + ctxt->disableSAX = 1; + if (ctxt->input != NULL) { ++ /* ++ * in case there was a specific allocation deallocate before ++ * overriding base ++ */ ++ if (ctxt->input->free != NULL) { ++ ctxt->input->free((xmlChar *) ctxt->input->base); ++ ctxt->input->free = NULL; ++ } + ctxt->input->cur = BAD_CAST""; + ctxt->input->base = ctxt->input->cur; + } + } + + /** ++ * xmlStopParser: ++ * @ctxt: an XML parser context ++ * ++ * Blocks further parser processing ++ */ ++void ++xmlStopParser(xmlParserCtxtPtr ctxt) { ++ if (ctxt == NULL) ++ return; ++ xmlHaltParser(ctxt); ++ ctxt->errNo = XML_ERR_USER_STOP; ++} ++ ++/** + * xmlCreateIOParserCtxt: + * @sax: a SAX handler + * @user_data: The user data returned on SAX callbacks diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-2.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-2.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-2.patch 2015-12-09 16:58:39.000000000 +0000 
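Review bot: xmlHaltParser() frees `ctxt->input->base` through `input->free` and then points `base` and `cur` at an empty string literal, but `ctxt->input->end` is not reset and still refers to the released buffer; other code in this upload compares `cur` against `end` (the GROW check in CVE-2015-7499-2 and the `cur + 3 <= end` guard in CVE-2015-7942), so after a halt those comparisons involve a pointer into freed memory. Adding `ctxt->input->end = ctxt->input->cur;` next to the `base` assignment closes that, and the swap deserves a comment: `/* base/cur/end now reference a static empty string; the old buffer is gone */`. The doc comment `Blocks further parser processing don't override error for internal use` reads as a run-on; "Blocks further parser processing. Unlike xmlStopParser() it leaves ctxt->errNo untouched; internal use only." says the same thing clearly.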
@@ -0,0 +1,33 @@ +From 35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 20 Nov 2015 15:04:09 +0800 +Subject: Detect incoherency on GROW + +the current pointer to the input has to be between the base and end +if not stop everything we have an internal state error. +--- + parser.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 11:58:37.995284698 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 11:58:37.995284698 -0500 +@@ -2072,9 +2072,16 @@ + ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) && + ((ctxt->options & XML_PARSE_HUGE) == 0)) { + xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup"); +- ctxt->instate = XML_PARSER_EOF; ++ xmlHaltParser(ctxt); ++ return; + } + xmlParserInputGrow(ctxt->input, INPUT_CHUNK); ++ if ((ctxt->input->cur > ctxt->input->end) || ++ (ctxt->input->cur < ctxt->input->base)) { ++ xmlHaltParser(ctxt); ++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound"); ++ return; ++ } + if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) && + (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) + xmlPopInput(ctxt); diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-3.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-3.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-3.patch 2016-01-14 18:12:57.000000000 +0000 
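Review bot: The two exits in this hunk halt in opposite orders: the "Huge input lookup" branch reports first and then calls xmlHaltParser(), while the new bounds check halts first and reports second. The second order is the safer one, because xmlHaltParser() repoints `cur` at an empty string before the error printer can read through an out-of-range pointer, and that should be stated so nobody "fixes" it: `/* halt before reporting: cur is out of range and the error printer reads input->cur */`. Using the same order in the first branch would make the two paths consistent. GROW's definition starts outside the hunk.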
@@ -0,0 +1,171 @@ +Backport of: + +From e3b1597421ad7cbeb5939fc3b54f43f141c82366 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 20 Nov 2015 14:59:30 +0800 +Subject: Reuse xmlHaltParser() where it makes sense + +Unify the various place where either xmlStopParser was called +(which resets the error as a side effect) and places where we +used ctxt->instate = XML_PARSER_EOF to stop further processing +--- + parser.c | 37 +++++++++++++++++-------------------- + 1 file changed, 17 insertions(+), 20 deletions(-) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-01-14 13:12:55.384687959 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2016-01-14 13:12:55.380687921 -0500 +@@ -1773,7 +1773,7 @@ + xmlFatalErrMsgInt(ctxt, XML_ERR_INTERNAL_ERROR, + "Excessive depth in document: %d use XML_PARSE_HUGE option\n", + xmlParserMaxDepth); +- ctxt->instate = XML_PARSER_EOF; ++ xmlHaltParser(ctxt); + return(-1); + } + ctxt->nodeTab[ctxt->nodeNr] = value; +@@ -5666,7 +5666,7 @@ + if (RAW != '>') { + xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, + "xmlParseEntityDecl: entity %s not terminated\n", name); +- xmlStopParser(ctxt); ++ xmlHaltParser(ctxt); + } else { + if (input != ctxt->input) { + xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6778,7 +6778,7 @@ + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); +- xmlStopParser(ctxt); ++ xmlHaltParser(ctxt); + return; + } else { + if (ctxt->input->id != id) { +@@ -6840,7 +6840,7 @@ + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); +- xmlStopParser(ctxt); ++ xmlHaltParser(ctxt); + return; + } else { + if (ctxt->input->id != id) { +@@ -6897,7 +6897,7 @@ + + } else { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); +- xmlStopParser(ctxt); ++ xmlHaltParser(ctxt); + return; + } + +@@ -7108,7 +7108,7 @@ + /* + * The XML REC instructs us to stop parsing 
right here + */ +- ctxt->instate = XML_PARSER_EOF; ++ xmlHaltParser(ctxt); + return; + } + } +@@ -8094,7 +8094,7 @@ + * The XML REC instructs us to stop parsing + * right here + */ +- ctxt->instate = XML_PARSER_EOF; ++ xmlHaltParser(ctxt); + return; + } + } +@@ -10009,7 +10009,7 @@ + if ((cons == ctxt->input->consumed) && (test == CUR_PTR)) { + xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, + "detected an error in element content\n"); +- ctxt->instate = XML_PARSER_EOF; ++ xmlHaltParser(ctxt); + break; + } + } +@@ -10044,7 +10044,7 @@ + xmlFatalErrMsgInt(ctxt, XML_ERR_INTERNAL_ERROR, + "Excessive depth in document: %d use XML_PARSE_HUGE option\n", + xmlParserMaxDepth); +- ctxt->instate = XML_PARSER_EOF; ++ xmlHaltParser(ctxt); + return; + } + +@@ -11368,7 +11368,7 @@ + ctxt->sax->setDocumentLocator(ctxt->userData, + &xmlDefaultSAXLocator); + xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL); +- ctxt->instate = XML_PARSER_EOF; ++ xmlHaltParser(ctxt); + #ifdef DEBUG_PUSH + xmlGenericError(xmlGenericErrorContext, + "PP: entering EOF\n"); +@@ -11401,7 +11401,7 @@ + * The XML REC instructs us to stop parsing right + * here + */ +- ctxt->instate = XML_PARSER_EOF; ++ xmlHaltParser(ctxt); + return(0); + } + ctxt->standalone = ctxt->input->standalone; +@@ -11457,7 +11457,7 @@ + cur = ctxt->input->cur[0]; + if (cur != '<') { + xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL); +- ctxt->instate = XML_PARSER_EOF; ++ xmlHaltParser(ctxt); + if ((ctxt->sax) && (ctxt->sax->endDocument != NULL)) + ctxt->sax->endDocument(ctxt->userData); + goto done; +@@ -11489,7 +11489,7 @@ + goto done; + if (name == NULL) { + spacePop(ctxt); +- ctxt->instate = XML_PARSER_EOF; ++ xmlHaltParser(ctxt); + if ((ctxt->sax) && (ctxt->sax->endDocument != NULL)) + ctxt->sax->endDocument(ctxt->userData); + goto done; +@@ -11656,7 +11656,7 @@ + if ((cons == ctxt->input->consumed) && (test == CUR_PTR)) { + xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, + "detected an error in element content\n"); +- ctxt->instate = 
XML_PARSER_EOF; ++ xmlHaltParser(ctxt); + break; + } + break; +@@ -11977,7 +11977,7 @@ + goto done; + } else { + xmlFatalErr(ctxt, XML_ERR_DOCUMENT_END, NULL); +- ctxt->instate = XML_PARSER_EOF; ++ xmlHaltParser(ctxt); + #ifdef DEBUG_PUSH + xmlGenericError(xmlGenericErrorContext, + "PP: entering EOF\n"); +@@ -12341,7 +12341,7 @@ + res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk); + if (res < 0) { + ctxt->errNo = XML_PARSER_EOF; +- ctxt->disableSAX = 1; ++ xmlHaltParser(ctxt); + return (XML_PARSER_EOF); + } + xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur); +@@ -12395,7 +12395,7 @@ + ((ctxt->input->cur - ctxt->input->base) > XML_MAX_LOOKUP_LIMIT)) && + ((ctxt->options & XML_PARSE_HUGE) == 0)) { + xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup"); +- ctxt->instate = XML_PARSER_EOF; ++ xmlHaltParser(ctxt); + } + if ((ctxt->errNo != XML_ERR_OK) && (ctxt->disableSAX == 1)) + return(ctxt->errNo); diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-4.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-4.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-4.patch 2016-01-14 18:13:00.000000000 +0000 
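Review bot: In the xmlParseChunk hunk at `@@ -12341`, the context line `ctxt->errNo = XML_PARSER_EOF;` stores what every other hunk on this page uses as an input state (`ctxt->instate = XML_PARSER_EOF`) into the error-code field; it is pre-existing, but since the patch touches the line directly below it, this is the moment to either use a real error code or comment why the state constant is stored there. On that same path `xmlHaltParser()` now replaces the bare `ctxt->disableSAX = 1`, and xmlHaltParser() calls `input->free` on the base buffer (CVE-2015-7499-1), so confirm that push-mode inputs either have `free == NULL` or own their base. Each touched function starts and ends outside its hunk.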
@@ -0,0 +1,28 @@ +From ce0b0d0d81fdbb5f722a890432b52d363e4de57b Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 20 Nov 2015 15:01:22 +0800 +Subject: Do not print error context when there is none + +Which now happens more frequently du to xmlHaltParser use +--- + error.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/error.c b/error.c +index cbcf5c9..9c45040 100644 +--- a/error.c ++++ b/error.c +@@ -177,7 +177,9 @@ xmlParserPrintFileContextInternal(xmlParserInputPtr input , + xmlChar content[81]; /* space for 80 chars + line terminator */ + xmlChar *ctnt; + +- if (input == NULL) return; ++ if ((input == NULL) || (input->cur == NULL) || ++ (*input->cur == 0)) return; ++ + cur = input->cur; + base = input->base; + /* skip backwards over any end-of-lines */ +-- +cgit v0.11.2 + diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7500.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7500.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7500.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7500.patch 2015-12-09 16:58:48.000000000 +0000 
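Review bot: The added `(*input->cur == 0)` test suppresses the context line not only after xmlHaltParser() (which points `cur` at an empty string, per CVE-2015-7499-1) but also for any error reported at the genuine end of input, where `cur` sits on the terminating NUL; if losing context for end-of-document errors is acceptable, say so, otherwise distinguish the halted case from a real EOF. A comment on the guard would carry the intent: `/* nothing to print after xmlHaltParser(): cur/base point at "" */`. `input->base` is read a few lines below without a NULL check; it is presumably always set when `cur` is, but the function body continues outside the hunk.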
@@ -0,0 +1,105 @@ +From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 20 Nov 2015 16:06:59 +0800 +Subject: CVE-2015-7500 Fix memory access error due to incorrect entities + boundaries + +For https://bugzilla.gnome.org/show_bug.cgi?id=756525 +handle properly the case where we popped out of the current entity +while processing a start tag +Reported by Kostya Serebryany @ Google + +This slightly modifies the output of 754946 in regression tests +--- + parser.c | 28 ++++++++++++++++++++++------ + result/errors/754946.xml.err | 7 +++++-- + 2 files changed, 27 insertions(+), 8 deletions(-) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 11:58:46.323364918 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 11:58:46.319364879 -0500 +@@ -9302,7 +9302,7 @@ + const xmlChar **atts = ctxt->atts; + int maxatts = ctxt->maxatts; + int nratts, nbatts, nbdef; +- int i, j, nbNs, attval, oldline, oldcol; ++ int i, j, nbNs, attval, oldline, oldcol, inputNr; + const xmlChar *base; + unsigned long cur; + int nsNr = ctxt->nsNr; +@@ -9321,6 +9321,7 @@ + SHRINK; + base = ctxt->input->base; + cur = ctxt->input->cur - ctxt->input->base; ++ inputNr = ctxt->inputNr; + oldline = ctxt->input->line; + oldcol = ctxt->input->col; + nbatts = 0; +@@ -9346,7 +9347,8 @@ + */ + SKIP_BLANKS; + GROW; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + + while (((RAW != '>') && + ((RAW != '/') || (NXT(1) != '>')) && +@@ -9357,7 +9359,7 @@ + + attname = xmlParseAttribute2(ctxt, prefix, localname, + &aprefix, &attvalue, &len, &alloc); +- if (ctxt->input->base != base) { ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) { + if ((attvalue != NULL) && (alloc != 0)) + xmlFree(attvalue); + attvalue = NULL; +@@ -9486,7 +9488,8 @@ + skip_ns: + if 
(alloc != 0) xmlFree(attvalue); + SKIP_BLANKS; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + continue; + } + +@@ -9523,7 +9526,8 @@ + GROW + if (ctxt->instate == XML_PARSER_EOF) + break; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) + break; + if (!IS_BLANK_CH(RAW)) { +@@ -9539,7 +9543,8 @@ + break; + } + GROW; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + } + + /* +@@ -9706,6 +9711,17 @@ + if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL)) + xmlFree((xmlChar *) atts[i]); + } ++ ++ /* ++ * We can't switch from one entity to another in the middle ++ * of a start tag ++ */ ++ if (inputNr != ctxt->inputNr) { ++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, ++ "Start tag doesn't start and stop in the same entity\n"); ++ return(NULL); ++ } ++ + ctxt->input->cur = ctxt->input->base + cur; + ctxt->input->line = oldline; + ctxt->input->col = oldcol; diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7941.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7941.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7941.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7941.patch 2015-11-13 13:57:41.000000000 +0000 
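Review bot: The compound test `(ctxt->input->base != base) || (inputNr != ctxt->inputNr)` is now written out six times in xmlParseStartTag2; a local macro such as `#define INPUT_CHANGED() ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))` would keep the next boundary condition from being added to five of the six sites only. The `inputNr` comparison detects a change in the number of open inputs, not the identity of the current one; a pop followed by a push inside the tag leaves the count equal and only the `base` comparison would catch it, which is worth a sentence in the comment above the new XML_ERR_ENTITY_BOUNDARY error. The function starts outside the hunk.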
@@ -0,0 +1,45 @@ +Description: fix denial of service via out-of-bounds read +Origin: upstream, https://git.gnome.org/browse/libxml2/commit/?id=a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 +Origin: upstream, https://git.gnome.org/browse/libxml2/commit/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489 +Bug: https://bugzilla.gnome.org/show_bug.cgi?id=744980 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783010 + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-11-13 08:57:39.460444801 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-11-13 08:57:39.460444801 -0500 +@@ -5653,6 +5653,7 @@ + if (RAW != '>') { + xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, + "xmlParseEntityDecl: entity %s not terminated\n", name); ++ xmlStopParser(ctxt); + } else { + if (input != ctxt->input) { + xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6764,6 +6765,8 @@ + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6824,6 +6827,8 @@ + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6879,6 +6884,8 @@ + + } else { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); ++ xmlStopParser(ctxt); ++ return; + } + + if (RAW == 0) diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7942.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7942.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7942.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7942.patch 2015-11-13 13:57:49.000000000 +0000 
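Review bot: Each new `xmlStopParser(ctxt)` directly follows an xmlFatalErr*() call, and xmlStopParser in this tree overwrites `ctxt->errNo` with XML_ERR_USER_STOP (visible in CVE-2015-7499-1), so the specific code just reported is lost; CVE-2015-7499-3 in this same upload rewrites all four sites to xmlHaltParser(), which restores it, so the defect is transient but the patch-series order is now load-bearing. The first hunk (xmlParseEntityDecl) stops the parser without a `return`, unlike the three conditional-section hunks; the rest of that function is outside the hunk, so confirm the code after the if/else copes with a halted context. A line in the patch header such as `Partly superseded by CVE-2015-7499-3.patch, which must stay later in series` would help whoever rebases.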
@@ -0,0 +1,20 @@ +Description: fix overflow in conditional sections +Origin: upstream, https://git.gnome.org/browse/libxml2/commit/?id=bd0526e66a56e75a18da8c15c4750db8f801c52d +Origin: upstream, https://git.gnome.org/browse/libxml2/commit/?id=41ac9049a27f52e7a1f3b341f8714149fc88d450 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802827 + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-11-13 08:57:47.808553350 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-11-13 08:57:47.800553246 -0500 +@@ -6899,7 +6899,9 @@ + "All markup of the conditional section is not in the same entity\n", + NULL, NULL); + } +- SKIP(3); ++ if ((ctxt-> instate != XML_PARSER_EOF) && ++ ((ctxt->input->cur + 3) <= ctxt->input->end)) ++ SKIP(3); + } + } + diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8035.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8035.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8035.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8035.patch 2015-11-13 13:58:08.000000000 +0000 
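Review bot: `(ctxt->input->cur + 3) <= ctxt->input->end` forms a pointer up to three past `end` before comparing it, which strict C does not permit; `(ctxt->input->end - ctxt->input->cur) >= 3` expresses the same bound without building the out-of-range pointer. There is also a stray space in `ctxt-> instate`. When the guard fails the `]]>` is silently left unconsumed and no error is raised; if the caller's loop relies on `instate == XML_PARSER_EOF` to terminate, a comment should say so, since the enclosing function continues outside the hunk.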
@@ -0,0 +1,28 @@ +From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 3 Nov 2015 15:31:25 +0800 +Subject: CVE-2015-8035 Fix XZ compression support loop + +For https://bugzilla.gnome.org/show_bug.cgi?id=757466 +DoS when parsing specially crafted XML document if XZ support +is compiled in (which wasn't the case for 2.9.2 and master since +Nov 2013, fixed in next commit !) +--- + xzlib.c | 4 ++++ + 1 file changed, 4 insertions(+) + +Index: libxml2-2.9.1+dfsg1/xzlib.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/xzlib.c 2015-11-13 08:58:06.384794119 -0500 ++++ libxml2-2.9.1+dfsg1/xzlib.c 2015-11-13 08:58:06.380794067 -0500 +@@ -538,6 +538,10 @@ + xz_error(state, LZMA_DATA_ERROR, "compressed data error"); + return -1; + } ++ if (ret == LZMA_PROG_ERROR) { ++ xz_error(state, LZMA_PROG_ERROR, "compression error"); ++ return -1; ++ } + } while (strm->avail_out && ret != LZMA_STREAM_END); + + /* update available output and crc check value */ diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8241.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8241.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8241.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8241.patch 2015-12-09 17:00:02.000000000 +0000 
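Review bot: The new `LZMA_PROG_ERROR` exit, like the `LZMA_DATA_ERROR` one above it, covers one return code, while the loop condition `while (strm->avail_out && ret != LZMA_STREAM_END)` keeps iterating on any other non-OK value; LZMA_MEM_ERROR and LZMA_BUF_ERROR (no progress possible) are the ones to verify before concluding the loop can no longer spin — the top of the loop body is outside the hunk, so they may already be handled there. A comment stating the loop's termination set would make that reviewable at a glance: `/* only STREAM_END, DATA_ERROR and PROG_ERROR leave this loop; other lzma_ret codes continue */`.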
@@ -0,0 +1,32 @@ +From ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe Mon Sep 17 00:00:00 2001 +From: Hugh Davenport +Date: Tue, 3 Nov 2015 20:40:49 +0800 +Subject: Avoid extra processing of MarkupDecl when EOF + +For https://bugzilla.gnome.org/show_bug.cgi?id=756263 + +One place where ctxt->instate == XML_PARSER_EOF whic was set up +by entity detection issues doesn't get noticed, and even overrided +--- + parser.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 12:00:00.768078515 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 12:00:00.768078515 -0500 +@@ -6969,6 +6969,14 @@ + xmlParsePI(ctxt); + } + } ++ ++ /* ++ * detect requirement to exit there and act accordingly ++ * and avoid having instate overriden later on ++ */ ++ if (ctxt->instate == XML_PARSER_EOF) ++ return; ++ + /* + * This is only for internal subset. On external entities, + * the replacement is done before parsing stage diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8242.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8242.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8242.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8242.patch 2015-12-09 17:00:06.000000000 +0000 
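Review bot: The new early return's comment says `instate` would be "overriden later on" without naming what overrides it; since the remainder of xmlParseMarkupDecl is outside the hunk, the comment should point at the assignment it guards against (presumably an unconditional instate reset near the end of the function), for example `/* an entity error may already have halted the parser; return before the instate reset below clobbers XML_PARSER_EOF */`. "overriden" is also misspelled (overridden).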
@@ -0,0 +1,39 @@ +From 8fb4a770075628d6441fb17a1e435100e2f3b1a2 Mon Sep 17 00:00:00 2001 +From: Hugh Davenport +Date: Fri, 20 Nov 2015 17:16:06 +0800 +Subject: CVE-2015-8242 Buffer overead with HTML parser in push mode + +For https://bugzilla.gnome.org/show_bug.cgi?id=756372 +Error in the code pointing to the codepoint in the stack for the +current char value instead of the pointer in the input that the SAX +callback expects +Reported and fixed by Hugh Davenport +--- + HTMLparser.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +Index: libxml2-2.9.2+zdfsg1/HTMLparser.c +=================================================================== +--- libxml2-2.9.2+zdfsg1.orig/HTMLparser.c 2015-12-09 10:07:19.961212325 -0500 ++++ libxml2-2.9.2+zdfsg1/HTMLparser.c 2015-12-09 10:07:19.961212325 -0500 +@@ -5701,17 +5701,17 @@ + if (ctxt->keepBlanks) { + if (ctxt->sax->characters != NULL) + ctxt->sax->characters( +- ctxt->userData, &cur, 1); ++ ctxt->userData, &in->cur[0], 1); + } else { + if (ctxt->sax->ignorableWhitespace != NULL) + ctxt->sax->ignorableWhitespace( +- ctxt->userData, &cur, 1); ++ ctxt->userData, &in->cur[0], 1); + } + } else { + htmlCheckParagraph(ctxt); + if (ctxt->sax->characters != NULL) + ctxt->sax->characters( +- ctxt->userData, &cur, 1); ++ ctxt->userData, &in->cur[0], 1); + } + } + ctxt->token = 0; diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8317-1.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8317-1.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8317-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8317-1.patch 2015-12-09 17:00:17.000000000 +0000 
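Review bot: The `Index:` and `---`/`+++` headers of this patch name `libxml2-2.9.2+zdfsg1/HTMLparser.c` while every other patch in the series and the package itself use `libxml2-2.9.1+dfsg1`; with `-p1` the first component is stripped so it still applies, but the mismatch suggests the patch was lifted from another branch and may confuse tooling and reviewers. CVE-2015-8710.patch further down carries the same `2.9.2+zdfsg1` headers. Regenerating both headers against this tree, or noting the origin in the patch description, would avoid that. The enclosing function starts and ends outside the hunk.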
@@ -0,0 +1,35 @@ +From 9aa37588ee78a06ca1379a9d9356eab16686099c Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 29 Jun 2015 09:08:25 +0800 +Subject: Do not process encoding values if the declaration if broken + +For https://bugzilla.gnome.org/show_bug.cgi?id=751603 + +If the string is not properly terminated do not try to convert +to the given encoding. +--- + parser.c | 4 ++++ + 1 file changed, 4 insertions(+) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 12:00:15.124215449 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 12:00:15.124215449 -0500 +@@ -10396,6 +10396,8 @@ + encoding = xmlParseEncName(ctxt); + if (RAW != '"') { + xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL); ++ xmlFree((xmlChar *) encoding); ++ return(NULL); + } else + NEXT; + } else if (RAW == '\''){ +@@ -10403,6 +10405,8 @@ + encoding = xmlParseEncName(ctxt); + if (RAW != '\'') { + xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL); ++ xmlFree((xmlChar *) encoding); ++ return(NULL); + } else + NEXT; + } else { diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8317-2.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8317-2.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8317-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8317-2.patch 2015-12-09 17:00:24.000000000 +0000 
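Review bot: With the new `return(NULL)` inside each unterminated-string branch, the `else` before `NEXT;` is now redundant and can be dropped for readability. `xmlFree((xmlChar *) encoding)` is called on whatever xmlParseEncName() returned, so it relies on xmlFree accepting NULL when the name itself failed to parse; that holds for the default free() but deserves a note: `/* encoding may be NULL here; xmlFree(NULL) is a no-op */`. Returning NULL for a malformed declaration is presumably the same value the no-encoding path yields, so callers can only tell the cases apart via errNo; xmlParseEncodingDecl continues outside the hunk.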
@@ -0,0 +1,32 @@ +From 709a952110e98621c9b78c4f26462a9d8333102e Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 29 Jun 2015 16:10:26 +0800 +Subject: Fail parsing early on if encoding conversion failed + +For https://bugzilla.gnome.org/show_bug.cgi?id=751631 + +If we fail conversing the current input stream while +processing the encoding declaration of the XMLDecl +then it's safer to just abort there and not try to +report further errors. +--- + parser.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 12:00:21.000271438 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 12:00:20.996271400 -0500 +@@ -10461,7 +10461,11 @@ + + handler = xmlFindCharEncodingHandler((const char *) encoding); + if (handler != NULL) { +- xmlSwitchToEncoding(ctxt, handler); ++ if (xmlSwitchToEncoding(ctxt, handler) < 0) { ++ /* failed to convert */ ++ ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING; ++ return(NULL); ++ } + } else { + xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING, + "Unsupported encoding %s\n", encoding); diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8710.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8710.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8710.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8710.patch 2016-01-14 18:13:07.000000000 +0000 
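Review bot: The new `return(NULL)` after a failed xmlSwitchToEncoding() leaves `encoding` allocated — the companion CVE-2015-8317-1 patch frees it with `xmlFree((xmlChar *) encoding)` on this function's other early exits, and the success path presumably returns it to the caller — so this path leaks the string; add `xmlFree((xmlChar *) encoding);` before the return. The failure is recorded by assigning `ctxt->errNo` directly rather than through xmlFatalErr(), so no diagnostic reaches the error handler even though the CVE-2015-7498 caller keys off that errNo value; if silence is intended, a comment should say so. xmlParseEncodingDecl starts and ends outside the hunk.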
@@ -0,0 +1,62 @@ +From e724879d964d774df9b7969fc846605aa1bac54c Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 30 Oct 2015 21:14:55 +0800 +Subject: Fix parsing short unclosed comment uninitialized access + +For https://bugzilla.gnome.org/show_bug.cgi?id=746048 +The HTML parser was too optimistic when processing comments and +didn't check for the end of the stream on the first 2 characters +--- + HTMLparser.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +Index: libxml2-2.9.2+zdfsg1/HTMLparser.c +=================================================================== +--- libxml2-2.9.2+zdfsg1.orig/HTMLparser.c 2016-01-14 08:59:21.702167883 -0500 ++++ libxml2-2.9.2+zdfsg1/HTMLparser.c 2016-01-14 08:59:21.698167840 -0500 +@@ -3245,12 +3245,17 @@ + ctxt->instate = state; + return; + } ++ len = 0; ++ buf[len] = 0; + q = CUR_CHAR(ql); ++ if (!IS_CHAR(q)) ++ goto unfinished; + NEXTL(ql); + r = CUR_CHAR(rl); ++ if (!IS_CHAR(r)) ++ goto unfinished; + NEXTL(rl); + cur = CUR_CHAR(l); +- len = 0; + while (IS_CHAR(cur) && + ((cur != '>') || + (r != '-') || (q != '-'))) { +@@ -3281,18 +3286,20 @@ + } + } + buf[len] = 0; +- if (!IS_CHAR(cur)) { +- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, +- "Comment not terminated \n ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++"> ++ ++'"> ++ ++ ++ ++ ++ ++ ++ ++ ++ ++amp, ++lt, ++gt, ++apos, ++quot"> ++ ++ ++ ++ ++ ++]> ++ ++ ++ ++ ++ ++
++Extensible Markup Language (XML) 1.0 ++ ++REC-xml-&iso6.doc.date; ++W3C Recommendation ++&draft.day;&draft.month;&draft.year; ++ ++ ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date; ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.xml ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.html ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.pdf ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.ps ++ ++ ++ ++httwww.w3.org/TR/REC-xml ++ ++ ++ ++http://www.w3.org/TR/PR-xml-971208 ++ ++ ++ ++Tim Bray ++Textuality and Netscape ++tbray@textuality.com ++Jean Paoli ++Microsoft ++jeanpa@microsoft.com ++C. M. Sperberg-McQueen ++University of Illinois at Chicago ++cmsmcq@uic.edu ++ ++ ++

The Extensible Markup Language (XML) is a subset of ++SGML that is completely described in this document. Its goal is to ++enable generic SGML to be served, received, and processed on the Web ++in the way that is now possible with HTML. XML has been designed for ++ease of implementation and for interoperability with both SGML and ++HTML.

++
++ ++

This document has been reviewed by W3C Members and ++other interested parties and has been endorsed by the ++Director as a W3C Recommendation. It is a stable ++document and may be used as reference material or cited ++as a normative reference from another document. W3C's ++role in making the Recommendation is to draw attention ++to the spPcification and to promote its widespread ++deployment. This enhances the functionality and ++interoperability of the Web.

++

++This document specifies a syntax created by subsetting an existing, ++widely used international text processing standard (Standard ++Generalized Markup Language, ISO 8879:1986(E) as amended and ++corrected) for use on the World Wide Web. It is a product of the W3C ++XML Activity, details of which can be found at http://www.w3.org/XML. A list of ++current W3C Recommendations and other technical documents can be found ++at http://www.w3.org/TR. ++

++

This specification uses the term URI, which is defined by , a work in progress expected to update and . ++

++

The list of known errors in this specification is ++available at ++http://www.w3.org/XML/xml-19980210-errata.

++

Please report errors in this document to ++xml-editor@w3.org. ++

++
++ ++ ++ ++

Chicago, Vancouver, Mountain View, et al.: ++World-Wide Web Consortium, XML Working Group, 1996, 1997.

++
++ ++

Created in electronic form.

++
++ ++English ++Extended Backus-Naur Form (formal grammar) ++ ++ ++ ++1997-12-03 : CMSMcQ : yet further changes ++1997-12-02 : TB : further changes (see TB to XML WG, ++2 December 1997) ++1997-12-02 : CMSMcQ : deal with as many corrections and ++comments from the proofreaders as possible: ++entify hard-coded document date in pubdate element, ++change expansion of entity WebSGML, ++update status description as per Dan Connolly (am not sure ++about refernece to Berners-Lee et al.), ++add 'The' to abstract as per WG decision, ++move Relationship to Existing Standards to back matter and ++combine with References, ++re-order back matter so normative appendices come first, ++re-tag back matter so informative appendices are tagged informdiv1, ++remove XXX XXX from list of 'normative' specs in prose, ++move some references from Other References to Normative References, ++add RFC 1738, 1808, and 2141 to Other References (they are not ++normative since we do not require the processor to enforce any ++rules based on them), ++add reference to 'Fielding draft' (Berners-Lee et al.), ++move notation section to end of body, ++drop URIchar non-terminal and use SkipLit instead, ++lose stray reference to defunct nonterminal 'markupdecls', ++move reference to Aho et al. into appendix (Tim's right), ++add prose note saying that hash marks and fragment identifiers are ++NOT part of the URI formally speaking, and are NOT legal in ++system identifiers (processor 'may' signal an error). ++Work through: ++Tim Bray reacting to James Clark, ++Tim Bray on his own, ++Eve Maler, ++ ++NOT DONE YET: ++change binary / text to unparsed / parsed. 
++handle James's suggestion about < in attriubte values ++uppercase hex characters, ++namechar list, ++ ++1997-12-01 : JB : add some column-width parameters ++1997-12-01 : CMSMcQ : begin round of changes to incorporate ++recent WG decisions and other corrections: ++binding sources of character encoding info (27 Aug / 3 Sept), ++correct wording of Faust quotation (restore dropped line), ++drop SDD from EncodingDecl, ++change text at version number 1.0, ++drop misleading (wrong!) sentence about ignorables and extenders, ++modify definxamples with Byte Order Mark. ++Add content model as a term and clarify that it applies to both ++mixed and element content. ++ ++1997-06-30 : CMSMcQ : change date, some cosmetic changes, ++changes to productions for choice, seq, Mixed, NotationType, ++Enumeration. Follow James Clark's suggestion and prohibit ++conditional sections in internal subset. TO DO: simplify ++production for ignored sections as a result, since we don't ++need to worry about parsers whi ++1997-06-29 : TB : various edits ++1997-06-29 : CMSMcQ : further changes: ++Suppress old FINAL EDIT comments and some dead material. ++Revise occurrences of % in grammar to exploit Henry Thompson's pun, ++especially markupdecl and attdef. ++Remove RMD requirement relating to element content (?). ++ ++1997-06-28 : CMSMcQ : Various changes for 1 July draft: ++Add text for draconian error handling (introduce ++the term Fatal Error). ++RE deleta est (changing wording from ++original announcement to restrict the requirement to validating ++parsers). 
++Tag definition of validawwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww it meant 'may or may not'. ++1997-03-21 : TB : massive changes on plane flight from Chicago ++to Vancouver ++1997-03-21 : CMSMcQ : correct as many reported errors as possible. ++ ++1997-03-20 : CMSMcQ : correct typos listed in CMSMcQ hand copy of spec. ++1997 James Clark: ++Define the set of characters from which [^abc] subtracts. ++Charref should use just [0-9] not Digit. ++Location info needs cleaner treatment: remove? (ERB ++question). ++One example of a PI has wrong pic. ++Clarify discussion of encoding names. ++Encoding failure should lead to unspecified results; don't ++prescribe error recovery. ++Don't require exposure of entity boundaries. ++Ignore white space in element content. ++Reserve entity names of the form u-NNNN. ++Clarify relative URLs. ++And some of my own: ++Correct productions for content model: model cannot ++consist of a name, so "elements ::= cp" is no good. ++ ++1996-11-11 : CMSMcQ : revise for style. ++Add new rhs to entity declaration, for parameter entities. ++1996-11-10 : CMSMcQ : revise for style. ++Fix / complete section on names, characters. ++Add sections on parameter entities, conditional sections. ++Still to do: Add compatibility note on deterministic content models. ++Finish stylistic revision. ++1996-10-31 : TB : Add Entity Handling section ++1996-10-30 : TB : Clean up term & termdef. Slip in ++ERB decision re EMPTY. ++1996-10-28 : TB : Change DTD. 
Implement some of Michael's ++suggestions. Change comments back to //. Introduce language for ++XML namespace reservation. Add section on white-space handling. ++Lots more cleanup. ++1996-10-24 : CMSMcQ : quick tweaks, implement some ERB ++decisions. Characters are not integers. Comments are /* */ not //. ++Add bibliographic refs to 10646, HyTime, Unicode. ++Rename old Cdata as MsData since it's only seen ++in marked sections. Call them attribute-value pairs not ++name-value pairs, except once. Internal subset is optional, needs ++'?'. Implied attributes should be signaled to the app, not ++have values supplied by processor. ++1996-10-16 : TB : track down & excise all DSD references; ++introduce some EBNF for entity declarations. ++1996-10-?? nsistency check, fix up scraps so ++they all parse, get formatter working, correct a few productions. ++1996-10-10/11 : CMSMcQ : various maintenance, stylistic, and ++organizational changes: ++Replace a few literals with xmlpio and ++pi""entities, to make them consistent and ensure we can change pic ++reliably when the ERB votes. ++Drop paragraph on recognizers from notation section. ++Add match, exact match to terminology. ++Move old 2.2 XML Processors and Apps into intro. ++Mention comments, PIs, and marked sections in discussion of ++delimiter escaping. ++Streamline discussion of doctype decl syntax. ++Drop old section of 'PI syntax' for doctype decl, and add ++section on partial-DTD summary PIs to end of Logical Structures ++section. ++Revise DSD syntax section to use Tim's subset-in-a-PI ++mechanism. ++1996-10-10 : TB : eliminate name recognizers (and more?) 
++1996-10-09 : CMSMcQ : revise for style, consistency through 2.3 ++(Characters) ++1996-10-09 : CMSMcQ : re-unite everything for convenience, ++at least temporarily, and revise quickly ++1996-10-08 : TB : first major homogenization pass ++1996-10-08 : TB : turn "current" attribute on div type into ++CDATA ++1996-10-02 : TB : remould into skeleton + entities ++1996-09-30 : CMSMcQ : add a few more sections prior to exchange ++ with Tim. ++1996-09-20 : CMSMcQ : finish transcribing notes. ++1996-09-19 : CMSMcQ : begin transcribing notes for draft. ++1996-09-13 : CMSMcQ : made outline from notes of 09-06, ++do some housekeeping ++ ++ ++
++ is used to read XML documents ++and provide access to their content and structure. It is @ssumed that an XML processor is ++doing its work on behalf of another module, called the ++application. This specification describes the ++required beh\vior of an XML processor in terms of how it must read XML ++data and the information it must provide to the application.

++ ++ ++Origin and Goals ++

XML was developed by an XML Working Group (orisable over the ++Internet.

++

XML shall support a wide variey of applications.

++

XML shall be compatible with SGML.

++

It shall be easy to write programs which process XML ++documents.

++

The number of optional features in XML is to be kept to the ++absolute minimum, ideally zero.

++

XML documents shou +\ No newline at end of file diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1837.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1837.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1837.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1837.patch 2016-06-03 12:58:17.000000000 +0000 
@@ -0,0 +1,137 @@
+From 11ed4a7a90d5ce156a18980a4ad4e53e77384852 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde
+Date: Wed, 2 Mar 2016 15:52:24 -0800
+Subject: Heap use-after-free in htmlParsePubidLiteral and
+ htmlParseSystemiteral
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=760263
+
+* HTMLparser.c: Add BASE_PTR convenience macro.
+(htmlParseSystemLiteral): Store length and start position instead
+of a pointer while iterating through the public identifier since
+the underlying buffer may change, resulting in a stale pointer
+being used.
+(htmlParsePubidLiteral): Ditto.
+---
+ HTMLparser.c | 58 +++++++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 43 insertions(+), 15 deletions(-)
+
+Index: libxml2-2.9.3+dfsg1/HTMLparser.c
+===================================================================
+--- libxml2-2.9.3+dfsg1.orig/HTMLparser.c 2016-06-03 08:00:33.892487010 -0400
++++ libxml2-2.9.3+dfsg1/HTMLparser.c 2016-06-03 08:00:33.888486962 -0400
+@@ -303,6 +303,7 @@
+ #define UPP(val) (toupper(ctxt->input->cur[(val)]))
+ 
+ #define CUR_PTR ctxt->input->cur
++#define BASE_PTR ctxt->input->base
+ 
+ #define SHRINK if ((ctxt->input->cur - ctxt->input->base > 2 * INPUT_CHUNK) && \
+ (ctxt->input->end - ctxt->input->cur < 2 * INPUT_CHUNK)) \
+@@ -2765,31 +2766,43 @@
+ 
+ static xmlChar *
+ htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) {
+- const xmlChar *q;
++ size_t len = 0, startPosition = 0;
+ xmlChar *ret = NULL;
+ 
+ if (CUR == '"') {
+ NEXT;
+- q = CUR_PTR;
+- while ((IS_CHAR_CH(CUR)) && (CUR != '"'))
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while ((IS_CHAR_CH(CUR)) && (CUR != '"')) {
+ NEXT;
++ len++;
++ }
+ if (!IS_CHAR_CH(CUR)) {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished SystemLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR+startPosition), len);
+ NEXT;
+ }
+ } else if (CUR == '\'') {
+ NEXT;
+- q = CUR_PTR;
+- while ((IS_CHAR_CH(CUR)) && (CUR != '\''))
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) {
+ NEXT;
++ len++;
++ }
+ if (!IS_CHAR_CH(CUR)) {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished SystemLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR+startPosition), len);
+ NEXT;
+ }
+ } else {
+@@ -2813,32 +2826,47 @@
+ 
+ static xmlChar *
+ htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) {
+- const xmlChar *q;
++ size_t len = 0, startPosition = 0;
+ xmlChar *ret = NULL;
+ /*
+ * Name ::= (Letter | '_') (NameChar)*
+ */
+ if (CUR == '"') {
+ NEXT;
+- q = CUR_PTR;
+- while (IS_PUBIDCHAR_CH(CUR)) NEXT;
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while (IS_PUBIDCHAR_CH(CUR)) {
++ len++;
++ NEXT;
++ }
++
+ if (CUR != '"') {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished PubidLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR + startPosition), len);
+ NEXT;
+ }
+ } else if (CUR == '\'') {
+ NEXT;
+- q = CUR_PTR;
+- while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\''))
+- NEXT;
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')){
++ len++;
++ NEXT;
++ }
++
+ if (CUR != '\'') {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished PubidLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR + startPosition), len);
+ NEXT;
+ }
+ } else {
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1838.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1838.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1838.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1838.patch 2016-06-03 12:58:26.000000000 +0000
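Review bot: In htmlParseSystemLiteral the new `len++` per `NEXT` counts steps, but `xmlStrndup` takes a byte length, and nothing in the hunk keeps the two equal; if `NEXT` (xmlNextChar) steps over a whole multi-byte UTF-8 sequence, which as far as I recall it does for UTF-8 input, a system literal containing non-ASCII text is truncated where the old `CUR_PTR - q` was byte-exact. Deriving the length from the two offsets keeps the buffer-relocation fix and stays exact: `ret = xmlStrndup(BASE_PTR + startPosition, (CUR_PTR - BASE_PTR) - startPosition);` at both `xmlStrndup` sites of that function, after which the `len` counter can go. htmlParsePubidLiteral only admits ASCII pubid characters, so the same counting is harmless there. Both functions' closing braces lie outside the hunk.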
@@ -0,0 +1,90 @@ +From db07dd613e461df93dde7902c6505629bf0734e9 Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Fri, 12 Feb 2016 09:58:29 -0800 +Subject: Bug 758588: Heap-based buffer overread in + xmlParserPrintFileContextInternal + + +* parser.c: +(xmlParseEndTag2): Add bounds checks before dereferencing +ctxt->input->cur past the end of the buffer, or incrementing the +pointer past the end of the buffer. + +* result/errors/758588.xml: Add test result. +* result/errors/758588.xml.err: Ditto. +* result/errors/758588.xml.str: Ditto. +* test/errors/758588.xml: Add regression test. +--- + parser.c | 8 ++++++-- + result/errors/758588.xml | 0 + result/errors/758588.xml.err | 9 +++++++++ + result/errors/758588.xml.str | 10 ++++++++++ + test/errors/758588.xml | 1 + + 5 files changed, 26 insertions(+), 2 deletions(-) + create mode 100644 result/errors/758588.xml + create mode 100644 result/errors/758588.xml.err + create mode 100644 result/errors/758588.xml.str + create mode 100644 test/errors/758588.xml + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:58:22.736533361 -0400 ++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:58:22.732533310 -0400 +@@ -9766,6 +9766,7 @@ + xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix, + const xmlChar *URI, int line, int nsNr, int tlen) { + const xmlChar *name; ++ size_t curLength; + + GROW; + if ((RAW != '<') || (NXT(1) != '/')) { +@@ -9774,8 +9775,11 @@ + } + SKIP(2); + +- if ((tlen > 0) && (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) { +- if (ctxt->input->cur[tlen] == '>') { ++ curLength = ctxt->input->end - ctxt->input->cur; ++ if ((tlen > 0) && (curLength >= (size_t)tlen) && ++ (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) { ++ if ((curLength >= (size_t)(tlen + 1)) && ++ (ctxt->input->cur[tlen] == '>')) { + ctxt->input->cur += tlen + 1; + goto done; + } +Index: 
libxml2-2.9.1+dfsg1/result/errors/758588.xml.err +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.1+dfsg1/result/errors/758588.xml.err 2016-06-03 08:58:22.732533310 -0400 +@@ -0,0 +1,9 @@ ++./test/errors/758588.xml:1: namespace error : Namespace prefix a-3402823669209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846
34725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846
34725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846
34725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846
34725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846
347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867261d on a is not defined ++63472597946867209384634725979468672093846347259794686720938463472597946867261d:a ++ ^ ++./test/errors/758588.xml:1: parser error : expected '>' ++2597946867209384634725979468672093846347259794686720938463472597946867261d:a>' ++2597946867209384634725979468672093846347259794686720938463472597946867261d:a> +Date: Tue, 1 Mar 2016 11:34:04 -0800 +Subject: Bug 758605: Heap-based buffer overread in xmlDictAddString + + +Reviewed by David Kilzer. + +* HTMLparser.c: +(htmlParseName): Add bounds check. +(htmlParseNameComplex): Ditto. +* result/HTML/758605.html: Added. +* result/HTML/758605.html.err: Added. +* result/HTML/758605.html.sax: Added. +* runtest.c: +(pushParseTest): The input for the new test case was so small +(4 bytes) that htmlParseChunk() was never called after +htmlCreatePushParserCtxt(), thereby creating a false positive +test failure. Fixed by using a do-while loop so we always call +htmlParseChunk() at least once. +* test/HTML/758605.html: Added. 
+--- + HTMLparser.c | 8 ++++++++ + result/HTML/758605.html | 3 +++ + result/HTML/758605.html.err | 3 +++ + result/HTML/758605.html.sax | 13 +++++++++++++ + runtest.c | 4 ++-- + test/HTML/758605.html | 1 + + 6 files changed, 30 insertions(+), 2 deletions(-) + create mode 100644 result/HTML/758605.html + create mode 100644 result/HTML/758605.html.err + create mode 100644 result/HTML/758605.html.sax + create mode 100644 test/HTML/758605.html + +Index: libxml2-2.9.3+dfsg1/HTMLparser.c +=================================================================== +--- libxml2-2.9.3+dfsg1.orig/HTMLparser.c 2016-06-03 08:00:49.064670606 -0400 ++++ libxml2-2.9.3+dfsg1/HTMLparser.c 2016-06-03 08:00:49.060670558 -0400 +@@ -2472,6 +2472,10 @@ + (*in == '_') || (*in == '-') || + (*in == ':') || (*in == '.')) + in++; ++ ++ if (in == ctxt->input->end) ++ return(NULL); ++ + if ((*in > 0) && (*in < 0x80)) { + count = in - ctxt->input->cur; + ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count); +@@ -2515,6 +2519,10 @@ + NEXTL(l); + c = CUR_CHAR(l); + } ++ ++ if (ctxt->input->base > ctxt->input->cur - len) ++ return(NULL); ++ + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); + } + diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1840.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1840.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1840.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1840.patch 2016-06-03 12:59:12.000000000 +0000 
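Review bot: The new guard in htmlParseNameComplex, `if (ctxt->input->base > ctxt->input->cur - len)`, forms the pointer `cur - len` before checking that it stays inside the buffer, which is exactly the out-of-range case it is meant to reject; pointer arithmetic that leaves the object is undefined in C, and a compiler is entitled to fold such a comparison away. Comparing distances instead avoids that: `if ((ctxt->input->cur - ctxt->input->base) < len) return(NULL);`. The enclosing functions start and end outside the visible hunk lines, and the file headers of the CVE-2016-1839 patch appear to have been lost in extraction, so the placement of these lines is inferred from the surrounding text.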
@@ -0,0 +1,32 @@
+From cbb271655cadeb8dbb258a64701d9a3a0c4835b4 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde
+Date: Mon, 7 Mar 2016 06:34:26 -0800
+Subject: Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
+
+
+* xmlregexp.c:
+(xmlFAParseCharRange): Only advance to the next character if
+there is no error. Advancing to the next character in case of
+an error while parsing regexp leads to an out of bounds access.
+---
+ xmlregexp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.1+dfsg1/xmlregexp.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/xmlregexp.c 2016-06-03 08:59:10.053135718 -0400
++++ libxml2-2.9.1+dfsg1/xmlregexp.c 2016-06-03 08:59:10.053135718 -0400
+@@ -5050,11 +5050,12 @@
+ ERROR("Expecting the end of a char range");
+ return;
+ }
+- NEXTL(len);
++
+ /* TODO check that the values are acceptable character ranges for XML */
+ if (end < start) {
+ ERROR("End of range is before start of range");
+ } else {
++ NEXTL(len);
+ xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
+ XML_REGEXP_CHARVAL, start, end, NULL);
+ }
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3627.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3627.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3627.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3627.patch 2016-06-03 12:59:52.000000000 +0000
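Review bot: The reason `NEXTL(len)` may only run in the success branch is recorded in the commit message but not in the code, so a later tidy-up could hoist it back above the `if`; a one-line comment on the moved line would pin it: `/* consume the range end only once it is accepted; advancing on error walked past the end of the pattern (bug 757711) */`. The `end < start` branch also now differs from the `ERROR("Expecting the end of a char range"); return;` path just above in that it reports and falls through, so whether the caller is expected to stop on the context's error state is worth stating there as well. The rest of xmlFAParseCharRange lies outside the hunk.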
@@ -0,0 +1,56 @@
+From bdd66182ef53fe1f7209ab6535fda56366bd7ac9 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Mon, 23 May 2016 12:27:58 +0800
+Subject: Avoid building recursive entities
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=762100
+
+When we detect a recusive entity we should really not
+build the associated data, moreover if someone bypass
+libxml2 fatal errors and still tries to serialize a broken
+entity make sure we don't risk to get ito a recursion
+
+* parser.c: xmlParserEntityCheck() don't build if entity loop
+ were found and remove the associated text content
+* tree.c: xmlStringGetNodeList() avoid a potential recursion
+---
+ parser.c | 6 +++++-
+ tree.c | 1 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.1+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:59:49.753640913 -0400
++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:59:49.749640863 -0400
+@@ -138,7 +138,8 @@
+ * entities problems
+ */
+ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
+- (ent->content != NULL) && (ent->checked == 0)) {
++ (ent->content != NULL) && (ent->checked == 0) &&
++ (ctxt->errNo != XML_ERR_ENTITY_LOOP)) {
+ unsigned long oldnbent = ctxt->nbentities;
+ xmlChar *rep;
+ 
+@@ -148,6 +149,9 @@
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
+ --ctxt->depth;
++ if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
++ ent->content[0] = 0;
++ }
+ 
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
+Index: libxml2-2.9.1+dfsg1/tree.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/tree.c 2016-06-03 08:59:49.753640913 -0400
++++ libxml2-2.9.1+dfsg1/tree.c 2016-06-03 08:59:49.749640863 -0400
+@@ -1588,6 +1588,7 @@
+ else if ((ent != NULL) && (ent->children == NULL)) {
+ xmlNodePtr temp;
+ 
++ ent->children = (xmlNodePtr) -1;
+ ent->children = xmlStringGetNodeList(doc,
+ (const xmlChar*)node->content);
+ ent->owner = 1;
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3705.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3705.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3705.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3705.patch 2016-06-03 12:59:21.000000000 +0000
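Review bot: The sentinel `ent->children = (xmlNodePtr) -1;` in tree.c is an undocumented magic pointer: its only job is to make the `ent->children == NULL` test in the nested xmlStringGetNodeList call fail, but any code that treats a non-NULL `ent->children` as a real node while that call is running would dereference it, so the contract belongs in a comment such as `/* mark the entity as being built so a self-referencing entity is not expanded again by the nested xmlStringGetNodeList call; overwritten just below */`. On the parser.c side, `ent->content[0] = 0;` truncates the text but leaves the entity's stored content length describing the old string, so a reader that uses the length rather than the NUL terminator would still see the looped data; worth confirming against the xmlEntity readers. Both enclosing functions extend outside the hunks.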
@@ -0,0 +1,65 @@
+From 8f30bdff69edac9075f4663ce3b56b0c52d48ce6 Mon Sep 17 00:00:00 2001
+From: Peter Simons
+Date: Fri, 15 Apr 2016 11:56:55 +0200
+Subject: Add missing increments of recursion depth counter to XML parser.
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=765207
+CVE-2016-3705
+The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
+xmlStringDecodeEntities() in a recursive context without incrementing the
+'depth' counter in the parser context. Because of that omission, the parser
+failed to detect attribute recursions in certain documents before running out
+of stack space.
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: libxml2-2.9.1+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:59:18.205239470 -0400
++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:59:18.205239470 -0400
+@@ -144,8 +144,10 @@
+ 
+ ent->checked = 1;
+ 
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
++ --ctxt->depth;
+ 
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
+@@ -3947,8 +3949,10 @@
+ * an entity declaration, it is bypassed and left as is.
+ * so XML_SUBSTITUTE_REF is not set here.
+ */
++ ++ctxt->depth;
+ ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
+ 0, 0, 0);
++ --ctxt->depth;
+ if (orig != NULL)
+ *orig = buf;
+ else
+@@ -4073,9 +4077,11 @@
+ } else if ((ent != NULL) &&
+ (ctxt->replaceEntities != 0)) {
+ if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF,
+ 0, 0, 0);
++ --ctxt->depth;
+ if (rep != NULL) {
+ current = rep;
+ while (*current != 0) { /* non input consuming */
+@@ -4111,8 +4117,10 @@
+ (ent->content != NULL) && (ent->checked == 0)) {
+ unsigned long oldnbent = ctxt->nbentities;
+ 
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
++ --ctxt->depth;
+ 
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4447.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4447.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4447.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4447.patch 2016-06-03 12:59:30.000000000 +0000
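Review bot: Each of the four added `++ctxt->depth;` / `--ctxt->depth;` pairs is uncommented, and nothing in the hunks shows where the counter is bounded, so a reader cannot tell from the code that the limit is enforced inside xmlStringDecodeEntities(). A comment at the first pair such as `/* nested xmlStringDecodeEntities(): count it toward the entity-recursion depth limit so attribute/entity-value loops are caught before the stack is exhausted */` would carry the commit message's rationale into parser.c. The pairs stay balanced only because each brackets a single call with no early return in between; a later `goto` or `return` inserted there would leak a depth increment, which is worth noting in the same comment. The `@@ -144,8 +144,10 @@` hunk becomes context for the recursive-entity patch above (the one adding `ent->content[0] = 0;`), so this patch must precede it in the series. All four enclosing functions start and end outside the hunks.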
@@ -0,0 +1,64 @@
+From 00906759053986b8079985644172085f74331f83 Mon Sep 17 00:00:00 2001
+From: David Kilzer
+Date: Tue, 26 Jan 2016 16:57:03 -0800
+Subject: Heap-based buffer-underreads due to xmlParseName
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759573
+
+* parser.c:
+(xmlParseElementDecl): Return early on invalid input to fix
+non-minimized test case (759573-2.xml). Otherwise the parser
+gets into a bad state in SKIP(3) at the end of the function.
+(xmlParseConditionalSections): Halt parsing when hitting invalid
+input that would otherwise caused xmlParserHandlePEReference()
+to recurse unexpectedly. This fixes the minimized test case
+(759573.xml).
+
+* result/errors/759573-2.xml: Add.
+* result/errors/759573-2.xml.err: Add.
+* result/errors/759573-2.xml.str: Add.
+* result/errors/759573.xml: Add.
+* result/errors/759573.xml.err: Add.
+* result/errors/759573.xml.str: Add.
+* test/errors/759573-2.xml: Add.
+* test/errors/759573.xml: Add.
+---
+ parser.c | 2 ++
+ result/errors/759573-2.xml | 0
+ result/errors/759573-2.xml.err | 58 ++++++++++++++++++++++++++++++++++++++++++
+ result/errors/759573-2.xml.str | 4 +++
+ result/errors/759573.xml | 0
+ result/errors/759573.xml.err | 31 ++++++++++++++++++++++
+ result/errors/759573.xml.str | 4 +++
+ test/errors/759573-2.xml | 9 +++++++
+ test/errors/759573.xml | 1 +
+ 9 files changed, 109 insertions(+)
+ create mode 100644 result/errors/759573-2.xml
+ create mode 100644 result/errors/759573-2.xml.err
+ create mode 100644 result/errors/759573-2.xml.str
+ create mode 100644 result/errors/759573.xml
+ create mode 100644 result/errors/759573.xml.err
+ create mode 100644 result/errors/759573.xml.str
+ create mode 100644 test/errors/759573-2.xml
+ create mode 100644 test/errors/759573.xml
+
+Index: libxml2-2.9.1+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:59:27.601359045 -0400
++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:59:27.601359045 -0400
+@@ -6675,6 +6675,7 @@
+ if (!IS_BLANK_CH(CUR)) {
+ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+ "Space required after 'ELEMENT'\n");
++ return(-1);
+ }
+ SKIP_BLANKS;
+ name = xmlParseName(ctxt);
+@@ -6826,6 +6827,7 @@
+ 
+ if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) {
+ xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL);
++ xmlHaltParser(ctxt);
+ break;
+ }
+ }
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4448-1.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4448-1.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4448-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4448-1.patch 2017-03-15 11:53:23.000000000 +0000
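Review bot: The second hunk calls `xmlHaltParser(ctxt);`, which is neither declared in the hunk nor, as far as I recall, present in an unpatched 2.9.1 parser.c; unless an earlier patch in this series already introduces that helper, the build will fail with an implicit declaration, so the series order should be checked before upload. In the first hunk the added `return(-1);` leaves xmlParseElementDecl before `name` is parsed, so there is nothing to free, but the reason the error became fatal lives only in the commit message; a comment such as `/* stop here: carrying on leaves the input mid-declaration and the trailing SKIP(3) misbehaves */` would keep it with the code. Both enclosing functions start and end outside the hunks.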
@@ -0,0 +1,1064 @@ +Backport of: + +From 4472c3a5a5b516aaf59b89be602fbce52756c3e9 Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Fri, 13 May 2016 15:13:17 +0800 +Subject: Fix some format string warnings with possible format string + vulnerability + +For https://bugzilla.gnome.org/show_bug.cgi?id=761029 + +Decorate every method in libxml2 with the appropriate +LIBXML_ATTR_FORMAT(fmt,args) macro and add some cleanups +following the reports. +--- + HTMLparser.c | 4 +-- + SAX2.c | 12 ++++---- + catalog.c | 2 +- + configure.ac | 4 +-- + debugXML.c | 4 +-- + encoding.c | 2 +- + entities.c | 2 +- + error.c | 2 +- + include/libxml/parserInternals.h | 2 +- + include/libxml/xmlerror.h | 2 +- + include/libxml/xmlstring.h | 8 ++--- + libxml.h | 2 +- + parser.c | 37 +++++++++++----------- + parserInternals.c | 4 +-- + relaxng.c | 4 +-- + schematron.c | 2 +- + testModule.c | 2 +- + valid.c | 8 ++--- + xinclude.c | 4 +-- + xmlIO.c | 14 ++++----- + xmllint.c | 20 ++++++------ + xmlreader.c | 16 +++++++--- + xmlschemas.c | 66 ++++++++++++++++++++-------------------- + xmlstring.c | 4 +-- + xmlwriter.c | 4 +-- + xpath.c | 2 +- + xpointer.c | 2 +- + 27 files changed, 121 insertions(+), 114 deletions(-) + +Index: libxml2-2.9.1+dfsg1/HTMLparser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/HTMLparser.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/HTMLparser.c 2017-03-15 07:51:31.193944133 -0400 +@@ -105,7 +105,7 @@ + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + htmlParseErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, const xmlChar *str2) + { +@@ -132,7 +132,7 @@ + * + * Handle a fatal parser error, i.e. 
violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + htmlParseErrInt(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, int val) + { +Index: libxml2-2.9.1+dfsg1/SAX2.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/SAX2.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/SAX2.c 2017-03-15 07:51:31.193944133 -0400 +@@ -55,7 +55,7 @@ + * @ctxt: an XML validation parser context + * @msg: a string to accompany the error message + */ +-static void ++static void LIBXML_ATTR_FORMAT(2,0) + xmlSAX2ErrMemory(xmlParserCtxtPtr ctxt, const char *msg) { + xmlStructuredErrorFunc schannel = NULL; + const char *str1 = "out of memory\n"; +@@ -93,7 +93,7 @@ + * + * Handle a validation error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlErrValid(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const char *str1, const char *str2) + { +@@ -133,7 +133,7 @@ + * + * Handle a fatal parser error, i.e. 
violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, const xmlChar *str2) + { +@@ -164,7 +164,7 @@ + * + * Handle a parser warning + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlWarnMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1) + { +@@ -189,7 +189,7 @@ + * + * Handle a namespace error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlNsErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, const xmlChar *str2) + { +@@ -213,7 +213,7 @@ + * + * Handle a namespace warning + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlNsWarnMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, const xmlChar *str2) + { +Index: libxml2-2.9.1+dfsg1/catalog.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/catalog.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/catalog.c 2017-03-15 07:51:31.193944133 -0400 +@@ -238,7 +238,7 @@ + * + * Handle a catalog error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlCatalogErr(xmlCatalogEntryPtr catal, xmlNodePtr node, int error, + const char *msg, const xmlChar *str1, const xmlChar *str2, + const xmlChar *str3) +Index: libxml2-2.9.1+dfsg1/debugXML.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/debugXML.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/debugXML.c 2017-03-15 07:51:31.197944177 -0400 +@@ -164,7 +164,7 @@ + NULL, NULL, NULL, 0, 0, + "%s", msg); + } +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlDebugErr2(xmlDebugCtxtPtr ctxt, int error, const char *msg, int extra) + { + ctxt->errors++; +@@ -174,7 +174,7 @@ + NULL, NULL, NULL, 0, 0, + msg, extra); + } +-static void ++static void 
LIBXML_ATTR_FORMAT(3,0) + xmlDebugErr3(xmlDebugCtxtPtr ctxt, int error, const char *msg, const char *extra) + { + ctxt->errors++; +Index: libxml2-2.9.1+dfsg1/encoding.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/encoding.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/encoding.c 2017-03-15 07:51:31.197944177 -0400 +@@ -93,7 +93,7 @@ + * + * n encoding error + */ +-static void ++static void LIBXML_ATTR_FORMAT(2,0) + xmlEncodingErr(xmlParserErrors error, const char *msg, const char *val) + { + __xmlRaiseError(NULL, NULL, NULL, NULL, NULL, +Index: libxml2-2.9.1+dfsg1/entities.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/entities.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/entities.c 2017-03-15 07:51:31.197944177 -0400 +@@ -83,7 +83,7 @@ + * + * Handle an out of memory condition + */ +-static void ++static void LIBXML_ATTR_FORMAT(2,0) + xmlEntitiesErr(xmlParserErrors code, const char *msg) + { + __xmlSimpleError(XML_FROM_TREE, code, NULL, msg, NULL); +Index: libxml2-2.9.1+dfsg1/error.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/error.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/error.c 2017-03-15 07:51:31.197944177 -0400 +@@ -18,7 +18,7 @@ + + void XMLCDECL xmlGenericErrorDefaultFunc (void *ctx ATTRIBUTE_UNUSED, + const char *msg, +- ...); ++ ...) 
LIBXML_ATTR_FORMAT(2,3); + + #define XML_GET_VAR_STR(msg, str) { \ + int size, prev_size = -1; \ +Index: libxml2-2.9.1+dfsg1/include/libxml/parserInternals.h +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/include/libxml/parserInternals.h 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/include/libxml/parserInternals.h 2017-03-15 07:51:31.197944177 -0400 +@@ -351,7 +351,7 @@ + xmlParserErrors xmlerr, + const char *msg, + const xmlChar * str1, +- const xmlChar * str2); ++ const xmlChar * str2) LIBXML_ATTR_FORMAT(3,0); + #endif + + /** +Index: libxml2-2.9.1+dfsg1/include/libxml/xmlerror.h +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/include/libxml/xmlerror.h 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/include/libxml/xmlerror.h 2017-03-15 07:51:31.197944177 -0400 +@@ -937,7 +937,7 @@ + int code, + xmlNodePtr node, + const char *msg, +- const char *extra); ++ const char *extra) LIBXML_ATTR_FORMAT(4,0); + #endif + #ifdef __cplusplus + } +Index: libxml2-2.9.1+dfsg1/include/libxml/xmlstring.h +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/include/libxml/xmlstring.h 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/include/libxml/xmlstring.h 2017-03-15 07:51:31.197944177 -0400 +@@ -97,13 +97,13 @@ + XMLPUBFUN int XMLCALL + xmlStrPrintf (xmlChar *buf, + int len, +- const xmlChar *msg, +- ...); ++ const char *msg, ++ ...) 
LIBXML_ATTR_FORMAT(3,4); + XMLPUBFUN int XMLCALL + xmlStrVPrintf (xmlChar *buf, + int len, +- const xmlChar *msg, +- va_list ap); ++ const char *msg, ++ va_list ap) LIBXML_ATTR_FORMAT(3,0); + + XMLPUBFUN int XMLCALL + xmlGetUTF8Char (const unsigned char *utf, +Index: libxml2-2.9.1+dfsg1/libxml.h +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/libxml.h 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/libxml.h 2017-03-15 07:51:31.197944177 -0400 +@@ -68,7 +68,7 @@ + * internal error reporting routines, shared but not partof the API. + */ + void __xmlIOErr(int domain, int code, const char *extra); +-void __xmlLoaderErr(void *ctx, const char *msg, const char *filename); ++void __xmlLoaderErr(void *ctx, const char *msg, const char *filename) LIBXML_ATTR_FORMAT(2,0); + #ifdef LIBXML_HTML_ENABLED + /* + * internal function of HTML parser needed for xmlParseInNodeContext +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/parser.c 2017-03-15 07:51:31.197944177 -0400 +@@ -350,7 +350,6 @@ + xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info) + { + const char *errmsg; +- char errstr[129] = ""; + + if ((ctxt != NULL) && (ctxt->disableSAX != 0) && + (ctxt->instate == XML_PARSER_EOF)) +@@ -537,15 +536,17 @@ + default: + errmsg = "Unregistered error message"; + } +- if (info == NULL) +- snprintf(errstr, 128, "%s\n", errmsg); +- else +- snprintf(errstr, 128, "%s: %%s\n", errmsg); + if (ctxt != NULL) + ctxt->errNo = error; +- __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error, +- XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, &errstr[0], +- info); ++ if (info == NULL) { ++ __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error, ++ XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, "%s\n", ++ errmsg); ++ } else { ++ 
__xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error, ++ XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, "%s: %s\n", ++ errmsg, info); ++ } + if (ctxt != NULL) { + ctxt->wellFormed = 0; + if (ctxt->recovery == 0) +@@ -561,7 +562,7 @@ + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg) + { +@@ -589,7 +590,7 @@ + * + * Handle a warning. + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlWarningMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, const xmlChar *str2) + { +@@ -627,7 +628,7 @@ + * + * Handle a validity error. + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlValidityError(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, const xmlChar *str2) + { +@@ -667,7 +668,7 @@ + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlFatalErrMsgInt(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, int val) + { +@@ -697,7 +698,7 @@ + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlFatalErrMsgStrIntStr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, int val, + const xmlChar *str2) +@@ -727,7 +728,7 @@ + * + * Handle a fatal parser error, i.e. 
violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlFatalErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar * val) + { +@@ -756,7 +757,7 @@ + * + * Handle a non fatal parser error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar * val) + { +@@ -781,7 +782,7 @@ + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlNsErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, + const xmlChar * info1, const xmlChar * info2, +@@ -810,7 +811,7 @@ + * + * Handle a namespace warning error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlNsWarn(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, + const xmlChar * info1, const xmlChar * info2, +@@ -5508,7 +5509,7 @@ + skipped = SKIP_BLANKS; + if (skipped == 0) { + xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, +- "Space required after '%'\n"); ++ "Space required after '%%'\n"); + } + isParameter = 1; + } +Index: libxml2-2.9.1+dfsg1/parserInternals.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parserInternals.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/parserInternals.c 2017-03-15 07:51:31.201944221 -0400 +@@ -169,7 +169,7 @@ + * + * Handle an internal error + */ +-static void ++static void LIBXML_ATTR_FORMAT(2,0) + xmlErrInternal(xmlParserCtxtPtr ctxt, const char *msg, const xmlChar * str) + { + if ((ctxt != NULL) && (ctxt->disableSAX != 0) && +@@ -197,7 +197,7 @@ + * + * n encoding error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlErrEncodingInt(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, int val) + { +Index: libxml2-2.9.1+dfsg1/relaxng.c +=================================================================== 
+--- libxml2-2.9.1+dfsg1.orig/relaxng.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/relaxng.c 2017-03-15 07:51:31.201944221 -0400 +@@ -507,7 +507,7 @@ + * + * Handle a Relax NG Parsing error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlRngPErr(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node, int error, + const char *msg, const xmlChar * str1, const xmlChar * str2) + { +@@ -541,7 +541,7 @@ + * + * Handle a Relax NG Validation error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlRngVErr(xmlRelaxNGValidCtxtPtr ctxt, xmlNodePtr node, int error, + const char *msg, const xmlChar * str1, const xmlChar * str2) + { +Index: libxml2-2.9.1+dfsg1/schematron.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/schematron.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/schematron.c 2017-03-15 07:51:31.201944221 -0400 +@@ -243,7 +243,7 @@ + * + * Handle a parser error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlSchematronPErr(xmlSchematronParserCtxtPtr ctxt, xmlNodePtr node, int error, + const char *msg, const xmlChar * str1, const xmlChar * str2) + { +Index: libxml2-2.9.1+dfsg1/testModule.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/testModule.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/testModule.c 2017-03-15 07:51:31.201944221 -0400 +@@ -47,7 +47,7 @@ + + /* build the module filename, and confirm the module exists */ + xmlStrPrintf(filename, sizeof(filename), +- (const xmlChar*) "%s/testdso%s", ++ "%s/testdso%s", + (const xmlChar*)MODULE_PATH, + (const xmlChar*)LIBXML_MODULE_EXTENSION); + +Index: libxml2-2.9.1+dfsg1/valid.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/valid.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/valid.c 2017-03-15 07:51:31.201944221 -0400 +@@ -93,7 +93,7 @@ + * + * Handle a validation 
error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlErrValid(xmlValidCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const char *extra) + { +@@ -137,7 +137,7 @@ + * + * Handle a validation error, provide contextual informations + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlErrValidNode(xmlValidCtxtPtr ctxt, + xmlNodePtr node, xmlParserErrors error, + const char *msg, const xmlChar * str1, +@@ -180,7 +180,7 @@ + * + * Handle a validation error, provide contextual informations + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlErrValidNodeNr(xmlValidCtxtPtr ctxt, + xmlNodePtr node, xmlParserErrors error, + const char *msg, const xmlChar * str1, +@@ -221,7 +221,7 @@ + * + * Handle a validation error, provide contextual information + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlErrValidWarning(xmlValidCtxtPtr ctxt, + xmlNodePtr node, xmlParserErrors error, + const char *msg, const xmlChar * str1, +Index: libxml2-2.9.1+dfsg1/xinclude.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/xinclude.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/xinclude.c 2017-03-15 07:51:31.201944221 -0400 +@@ -124,7 +124,7 @@ + * + * Handle an XInclude error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlXIncludeErr(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node, int error, + const char *msg, const xmlChar *extra) + { +@@ -146,7 +146,7 @@ + * + * Emit an XInclude warning. 
+ */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlXIncludeWarn(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node, int error, + const char *msg, const xmlChar *extra) + { +Index: libxml2-2.9.1+dfsg1/xmlIO.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/xmlIO.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/xmlIO.c 2017-03-15 07:51:31.205944265 -0400 +@@ -1590,7 +1590,7 @@ + xmlFreeZMemBuff( buff ); + buff = NULL; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlCreateZMemBuff: %s %d\n", ++ "xmlCreateZMemBuff: %s %d\n", + "Error initializing compression context. ZLIB error:", + z_err ); + xmlIOErr(XML_IO_WRITE, (const char *) msg); +@@ -1658,7 +1658,7 @@ + else { + xmlChar msg[500]; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlZMemBuffExtend: %s %lu bytes.\n", ++ "xmlZMemBuffExtend: %s %lu bytes.\n", + "Allocation failure extending output buffer to", + new_size ); + xmlIOErr(XML_IO_WRITE, (const char *) msg); +@@ -1704,7 +1704,7 @@ + if ( z_err != Z_OK ) { + xmlChar msg[500]; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlZMemBuffAppend: %s %d %s - %d", ++ "xmlZMemBuffAppend: %s %d %s - %d", + "Compression error while appending", + len, "bytes to buffer. ZLIB error", z_err ); + xmlIOErr(XML_IO_WRITE, (const char *) msg); +@@ -1777,7 +1777,7 @@ + else { + xmlChar msg[500]; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlZMemBuffGetContent: %s - %d\n", ++ "xmlZMemBuffGetContent: %s - %d\n", + "Error flushing zlib buffers. 
Error code", z_err ); + xmlIOErr(XML_IO_WRITE, (const char *) msg); + } +@@ -1982,7 +1982,7 @@ + if ( len < 0 ) { + xmlChar msg[500]; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlIOHTTPWrite: %s\n%s '%s'.\n", ++ "xmlIOHTTPWrite: %s\n%s '%s'.\n", + "Error appending to internal buffer.", + "Error sending document to URI", + ctxt->uri ); +@@ -2054,7 +2054,7 @@ + if ( http_content == NULL ) { + xmlChar msg[500]; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlIOHTTPCloseWrite: %s '%s' %s '%s'.\n", ++ "xmlIOHTTPCloseWrite: %s '%s' %s '%s'.\n", + "Error retrieving content.\nUnable to", + http_mthd, "data to URI", ctxt->uri ); + xmlIOErr(XML_IO_WRITE, (const char *) msg); +@@ -2126,7 +2126,7 @@ + else { + xmlChar msg[500]; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlIOHTTPCloseWrite: HTTP '%s' of %d %s\n'%s' %s %d\n", ++ "xmlIOHTTPCloseWrite: HTTP '%s' of %d %s\n'%s' %s %d\n", + http_mthd, content_lgth, + "bytes to URI", ctxt->uri, + "failed. HTTP return code:", http_rtn ); +Index: libxml2-2.9.1+dfsg1/xmllint.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/xmllint.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/xmllint.c 2017-03-15 07:51:31.205944265 -0400 +@@ -449,7 +449,7 @@ + * message about the timing performed; format is a printf + * type argument + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(1,2) + endTimer(const char *fmt, ...) + { + long msec; +@@ -485,7 +485,7 @@ + { + begin = clock(); + } +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(1,2) + endTimer(const char *fmt, ...) + { + long msec; +@@ -514,7 +514,7 @@ + * Do nothing + */ + } +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(1,2) + endTimer(char *format, ...) + { + /* +@@ -634,7 +634,7 @@ + * Display and format an error messages, gives file, line, position and + * extra parameters. 
+ */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + xmlHTMLError(void *ctx, const char *msg, ...) + { + xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; +@@ -671,7 +671,7 @@ + * Display and format a warning messages, gives file, line, position and + * extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + xmlHTMLWarning(void *ctx, const char *msg, ...) + { + xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; +@@ -709,7 +709,7 @@ + * Display and format an validity error messages, gives file, + * line, position and extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + xmlHTMLValidityError(void *ctx, const char *msg, ...) + { + xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; +@@ -746,7 +746,7 @@ + * Display and format a validity warning messages, gives file, line, + * position and extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + xmlHTMLValidityWarning(void *ctx, const char *msg, ...) + { + xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; +@@ -1410,7 +1410,7 @@ + * Display and format a warning messages, gives file, line, position and + * extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + warningDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...) + { + va_list args; +@@ -1433,7 +1433,7 @@ + * Display and format a error messages, gives file, line, position and + * extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + errorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...) + { + va_list args; +@@ -1456,7 +1456,7 @@ + * Display and format a fatalError messages, gives file, line, position and + * extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + fatalErrorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...) 
+ { + va_list args; +Index: libxml2-2.9.1+dfsg1/xmlreader.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/xmlreader.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/xmlreader.c 2017-03-15 07:51:31.205944265 -0400 +@@ -4036,13 +4036,19 @@ + } + + #ifdef LIBXML_SCHEMAS_ENABLED +-static char *xmlTextReaderBuildMessage(const char *msg, va_list ap); ++static char *xmlTextReaderBuildMessage(const char *msg, va_list ap) LIBXML_ATTR_FORMAT(1,0); + + static void XMLCDECL +-xmlTextReaderValidityError(void *ctxt, const char *msg, ...); ++xmlTextReaderValidityError(void *ctxt, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3); + + static void XMLCDECL +-xmlTextReaderValidityWarning(void *ctxt, const char *msg, ...); ++xmlTextReaderValidityWarning(void *ctxt, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3); ++ ++static void XMLCDECL ++xmlTextReaderValidityErrorRelay(void *ctx, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3); ++ ++static void XMLCDECL ++xmlTextReaderValidityWarningRelay(void *ctx, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3); + + static void XMLCDECL + xmlTextReaderValidityErrorRelay(void *ctx, const char *msg, ...) +@@ -4836,7 +4842,7 @@ + } + } + +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + xmlTextReaderError(void *ctxt, const char *msg, ...) + { + va_list ap; +@@ -4849,7 +4855,7 @@ + + } + +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + xmlTextReaderWarning(void *ctxt, const char *msg, ...) 
+ { + va_list ap; +Index: libxml2-2.9.1+dfsg1/xmlschemas.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/xmlschemas.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/xmlschemas.c 2017-03-15 07:51:31.209944309 -0400 +@@ -1085,7 +1085,7 @@ + static void + xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt, + const char *funcName, +- const char *message); ++ const char *message) LIBXML_ATTR_FORMAT(3,0); + static int + xmlSchemaCheckCOSSTDerivedOK(xmlSchemaAbstractCtxtPtr ctxt, + xmlSchemaTypePtr type, +@@ -1889,7 +1889,7 @@ + * + * Handle a parser error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlSchemaPErr(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error, + const char *msg, const xmlChar * str1, const xmlChar * str2) + { +@@ -1922,7 +1922,7 @@ + * + * Handle a parser error + */ +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaPErr2(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, + xmlNodePtr child, int error, + const char *msg, const xmlChar * str1, const xmlChar * str2) +@@ -1951,7 +1951,7 @@ + * + * Handle a parser error + */ +-static void ++static void LIBXML_ATTR_FORMAT(7,0) + xmlSchemaPErrExt(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error, + const xmlChar * strData1, const xmlChar * strData2, + const xmlChar * strData3, const char *msg, const xmlChar * str1, +@@ -2002,7 +2002,7 @@ + extra); + } + +-static void ++static void LIBXML_ATTR_FORMAT(2,0) + xmlSchemaPSimpleInternalErr(xmlNodePtr node, + const char *msg, const xmlChar *str) + { +@@ -2013,18 +2013,21 @@ + #define WXS_ERROR_TYPE_ERROR 1 + #define WXS_ERROR_TYPE_WARNING 2 + /** +- * xmlSchemaErr3: ++ * xmlSchemaErr4Line: + * @ctxt: the validation context +- * @node: the context node ++ * @errorLevel: the error level + * @error: the error code ++ * @node: the context node ++ * @line: the line number + * @msg: the error message + * @str1: extra data + * @str2: extra data + * @str3: extra data ++ * 
@str4: extra data + * + * Handle a validation error + */ +-static void ++static void LIBXML_ATTR_FORMAT(6,0) + xmlSchemaErr4Line(xmlSchemaAbstractCtxtPtr ctxt, + xmlErrorLevel errorLevel, + int error, xmlNodePtr node, int line, const char *msg, +@@ -2137,7 +2140,7 @@ + * + * Handle a validation error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlSchemaErr3(xmlSchemaAbstractCtxtPtr actxt, + int error, xmlNodePtr node, const char *msg, + const xmlChar *str1, const xmlChar *str2, const xmlChar *str3) +@@ -2146,7 +2149,7 @@ + msg, str1, str2, str3, NULL); + } + +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlSchemaErr4(xmlSchemaAbstractCtxtPtr actxt, + int error, xmlNodePtr node, const char *msg, + const xmlChar *str1, const xmlChar *str2, +@@ -2156,7 +2159,7 @@ + msg, str1, str2, str3, str4); + } + +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlSchemaErr(xmlSchemaAbstractCtxtPtr actxt, + int error, xmlNodePtr node, const char *msg, + const xmlChar *str1, const xmlChar *str2) +@@ -2179,7 +2182,7 @@ + /* + * Don't try to format other nodes than element and + * attribute nodes. +- * Play save and return an empty string. ++ * Play safe and return an empty string. 
+ */ + *msg = xmlStrdup(BAD_CAST ""); + return(*msg); +@@ -2260,7 +2263,7 @@ + return (*msg); + } + +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlSchemaInternalErr2(xmlSchemaAbstractCtxtPtr actxt, + const char *funcName, + const char *message, +@@ -2271,24 +2274,21 @@ + + if (actxt == NULL) + return; +- msg = xmlStrdup(BAD_CAST "Internal error: "); +- msg = xmlStrcat(msg, BAD_CAST funcName); +- msg = xmlStrcat(msg, BAD_CAST ", "); ++ msg = xmlStrdup(BAD_CAST "Internal error: %s, "); + msg = xmlStrcat(msg, BAD_CAST message); + msg = xmlStrcat(msg, BAD_CAST ".\n"); + + if (actxt->type == XML_SCHEMA_CTXT_VALIDATOR) +- xmlSchemaErr(actxt, XML_SCHEMAV_INTERNAL, NULL, +- (const char *) msg, str1, str2); +- ++ xmlSchemaErr3(actxt, XML_SCHEMAV_INTERNAL, NULL, ++ (const char *) msg, (const xmlChar *) funcName, str1, str2); + else if (actxt->type == XML_SCHEMA_CTXT_PARSER) +- xmlSchemaErr(actxt, XML_SCHEMAP_INTERNAL, NULL, +- (const char *) msg, str1, str2); ++ xmlSchemaErr3(actxt, XML_SCHEMAP_INTERNAL, NULL, ++ (const char *) msg, (const xmlChar *) funcName, str1, str2); + + FREE_AND_NULL(msg) + } + +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt, + const char *funcName, + const char *message) +@@ -2297,7 +2297,7 @@ + } + + #if 0 +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlSchemaPInternalErr(xmlSchemaParserCtxtPtr pctxt, + const char *funcName, + const char *message, +@@ -2309,7 +2309,7 @@ + } + #endif + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaCustomErr4(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2334,7 +2334,7 @@ + FREE_AND_NULL(msg) + } + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaCustomErr(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2349,7 +2349,7 @@ + + + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaCustomWarning(xmlSchemaAbstractCtxtPtr actxt, + 
xmlParserErrors error, + xmlNodePtr node, +@@ -2374,7 +2374,7 @@ + + + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaKeyrefErr(xmlSchemaValidCtxtPtr vctxt, + xmlParserErrors error, + xmlSchemaPSVIIDCNodePtr idcNode, +@@ -2523,7 +2523,7 @@ + FREE_AND_NULL(msg) + } + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaComplexTypeErr(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2623,7 +2623,7 @@ + xmlFree(msg); + } + +-static void ++static void LIBXML_ATTR_FORMAT(8,0) + xmlSchemaFacetErr(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2914,7 +2914,7 @@ + * + * Reports an error during parsing. + */ +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaPCustomErrExt(xmlSchemaParserCtxtPtr ctxt, + xmlParserErrors error, + xmlSchemaBasicItemPtr item, +@@ -2950,7 +2950,7 @@ + * + * Reports an error during parsing. + */ +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaPCustomErr(xmlSchemaParserCtxtPtr ctxt, + xmlParserErrors error, + xmlSchemaBasicItemPtr item, +@@ -2975,7 +2975,7 @@ + * + * Reports an attribute use error during parsing. + */ +-static void ++static void LIBXML_ATTR_FORMAT(6,0) + xmlSchemaPAttrUseErr4(xmlSchemaParserCtxtPtr ctxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -3097,7 +3097,7 @@ + * Reports a simple type validation error. + * TODO: Should this report the value of an element as well? + */ +-static void ++static void LIBXML_ATTR_FORMAT(8,0) + xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt, + xmlParserErrors error, + xmlSchemaBasicItemPtr ownerItem ATTRIBUTE_UNUSED, +Index: libxml2-2.9.1+dfsg1/xmlstring.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/xmlstring.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/xmlstring.c 2017-03-15 07:51:31.209944309 -0400 +@@ -545,7 +545,7 @@ + * Returns the number of characters written to @buf or -1 if an error occurs. 
+ */ + int XMLCDECL +-xmlStrPrintf(xmlChar *buf, int len, const xmlChar *msg, ...) { ++xmlStrPrintf(xmlChar *buf, int len, const char *msg, ...) { + va_list args; + int ret; + +@@ -573,7 +573,7 @@ + * Returns the number of characters written to @buf or -1 if an error occurs. + */ + int +-xmlStrVPrintf(xmlChar *buf, int len, const xmlChar *msg, va_list ap) { ++xmlStrVPrintf(xmlChar *buf, int len, const char *msg, va_list ap) { + int ret; + + if((buf == NULL) || (msg == NULL)) { +Index: libxml2-2.9.1+dfsg1/xmlwriter.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/xmlwriter.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/xmlwriter.c 2017-03-15 07:51:31.209944309 -0400 +@@ -109,7 +109,7 @@ + const xmlChar * str, int len); + static int xmlTextWriterCloseDocCallback(void *context); + +-static xmlChar *xmlTextWriterVSprintf(const char *format, va_list argptr); ++static xmlChar *xmlTextWriterVSprintf(const char *format, va_list argptr) LIBXML_ATTR_FORMAT(1,0); + static int xmlOutputBufferWriteBase64(xmlOutputBufferPtr out, int len, + const unsigned char *data); + static void xmlTextWriterStartDocumentCallback(void *ctx); +@@ -149,7 +149,7 @@ + * + * Handle a writer error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlWriterErrMsgInt(xmlTextWriterPtr ctxt, xmlParserErrors error, + const char *msg, int val) + { +Index: libxml2-2.9.1+dfsg1/xpath.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/xpath.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/xpath.c 2017-03-15 07:51:31.213944352 -0400 +@@ -348,7 +348,7 @@ + xmlChar buf[200]; + + xmlStrPrintf(buf, 200, +- BAD_CAST "Memory allocation failed : %s\n", ++ "Memory allocation failed : %s\n", + extra); + ctxt->lastError.message = (char *) xmlStrdup(buf); + } else { +Index: libxml2-2.9.1+dfsg1/xpointer.c +=================================================================== +--- 
libxml2-2.9.1+dfsg1.orig/xpointer.c 2017-03-15 07:51:31.217944396 -0400 ++++ libxml2-2.9.1+dfsg1/xpointer.c 2017-03-15 07:51:31.213944352 -0400 +@@ -85,7 +85,7 @@ + * + * Handle a redefinition of attribute error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlXPtrErr(xmlXPathParserContextPtr ctxt, int error, + const char * msg, const xmlChar *extra) + { +Index: libxml2-2.9.1+dfsg1/configure.in +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/configure.in 2017-03-15 07:51:09.000000000 -0400 ++++ libxml2-2.9.1+dfsg1/configure.in 2017-03-15 07:52:19.030466989 -0400 +@@ -705,7 +705,7 @@ + fi + + # warnings we'd like to see +- CFLAGS="${CFLAGS} -pedantic -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls" ++ CFLAGS="${CFLAGS} -pedantic -W -Wformat -Wno-format-extra-args -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls" + # warnings we'd like to supress + CFLAGS="${CFLAGS} -Wno-long-long" + case "${host}" in +@@ -920,7 +920,7 @@ + fi + fi + if test "${GCC}" = "yes" ; then +- CFLAGS="-g -O -pedantic -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wall" ++ CFLAGS="-g -O -pedantic -W -Wformat -Wno-format-extra-args -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wchar-subscripts -Wuninitialized 
-Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wall" + fi + STATIC_BINARIES="-static" + dnl -Wcast-qual -ansi diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4448-2.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4448-2.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4448-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4448-2.patch 2017-03-15 11:54:02.000000000 +0000 
@@ -0,0 +1,201 @@ +From 502f6a6d08b08c04b3ddfb1cd21b2f699c1b7f5b Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Mon, 23 May 2016 14:58:41 +0800 +Subject: More format string warnings with possible format string vulnerability + +For https://bugzilla.gnome.org/show_bug.cgi?id=761029 + +adds a new xmlEscapeFormatString() function to escape composed format +strings +--- + libxml.h | 3 +++ + relaxng.c | 3 ++- + xmlschemas.c | 39 ++++++++++++++++++++++++++------------- + xmlstring.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 86 insertions(+), 14 deletions(-) + +Index: libxml2-2.9.1+dfsg1/libxml.h +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/libxml.h 2017-03-15 07:53:59.463564729 -0400 ++++ libxml2-2.9.1+dfsg1/libxml.h 2017-03-15 07:53:59.455564642 -0400 +@@ -9,6 +9,8 @@ + #ifndef __XML_LIBXML_H__ + #define __XML_LIBXML_H__ + ++#include ++ + #ifndef NO_LARGEFILE_SOURCE + #ifndef _LARGEFILE_SOURCE + #define _LARGEFILE_SOURCE +@@ -93,6 +95,7 @@ + int __xmlRandom(void); + #endif + ++XMLPUBFUN xmlChar * XMLCALL xmlEscapeFormatString(xmlChar **msg); + int xmlNop(void); + + #ifdef IN_LIBXML +Index: libxml2-2.9.1+dfsg1/relaxng.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/relaxng.c 2017-03-15 07:53:59.463564729 -0400 ++++ libxml2-2.9.1+dfsg1/relaxng.c 2017-03-15 07:53:59.459564686 -0400 +@@ -2215,7 +2215,8 @@ + snprintf(msg, 1000, "Unknown error code %d\n", err); + } + msg[1000 - 1] = 0; +- return (xmlStrdup((xmlChar *) msg)); ++ xmlChar *result = xmlCharStrdup(msg); ++ return (xmlEscapeFormatString(&result)); + } + + /** +Index: libxml2-2.9.1+dfsg1/xmlschemas.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/xmlschemas.c 2017-03-15 07:53:59.463564729 -0400 ++++ libxml2-2.9.1+dfsg1/xmlschemas.c 2017-03-15 07:53:59.463564729 -0400 +@@ -1769,7 +1769,7 @@ + } + FREE_AND_NULL(str) + +- 
return (*buf); ++ return (xmlEscapeFormatString(buf)); + } + + /** +@@ -2247,6 +2247,13 @@ + TODO + return (NULL); + } ++ ++ /* ++ * xmlSchemaFormatItemForReport() also returns an escaped format ++ * string, so do this before calling it below (in the future). ++ */ ++ xmlEscapeFormatString(msg); ++ + /* + * VAL TODO: The output of the given schema component is currently + * disabled. +@@ -2474,11 +2481,13 @@ + msg = xmlStrcat(msg, BAD_CAST " '"); + if (type->builtInType != 0) { + msg = xmlStrcat(msg, BAD_CAST "xs:"); +- msg = xmlStrcat(msg, type->name); +- } else +- msg = xmlStrcat(msg, +- xmlSchemaFormatQName(&str, +- type->targetNamespace, type->name)); ++ str = xmlStrdup(type->name); ++ } else { ++ const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name); ++ if (!str) ++ str = xmlStrdup(qName); ++ } ++ msg = xmlStrcat(msg, xmlEscapeFormatString(&str)); + msg = xmlStrcat(msg, BAD_CAST "'"); + FREE_AND_NULL(str); + } +@@ -2615,7 +2624,7 @@ + str = xmlStrcat(str, BAD_CAST ", "); + } + str = xmlStrcat(str, BAD_CAST " ).\n"); +- msg = xmlStrcat(msg, BAD_CAST str); ++ msg = xmlStrcat(msg, xmlEscapeFormatString(&str)); + FREE_AND_NULL(str) + } else + msg = xmlStrcat(msg, BAD_CAST "\n"); +@@ -3139,11 +3148,13 @@ + msg = xmlStrcat(msg, BAD_CAST " '"); + if (type->builtInType != 0) { + msg = xmlStrcat(msg, BAD_CAST "xs:"); +- msg = xmlStrcat(msg, type->name); +- } else +- msg = xmlStrcat(msg, +- xmlSchemaFormatQName(&str, +- type->targetNamespace, type->name)); ++ str = xmlStrdup(type->name); ++ } else { ++ const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name); ++ if (!str) ++ str = xmlStrdup(qName); ++ } ++ msg = xmlStrcat(msg, xmlEscapeFormatString(&str)); + msg = xmlStrcat(msg, BAD_CAST "'."); + FREE_AND_NULL(str); + } +@@ -3156,7 +3167,9 @@ + } + if (expected) { + msg = xmlStrcat(msg, BAD_CAST " Expected is '"); +- msg = xmlStrcat(msg, BAD_CAST expected); ++ xmlChar *expectedEscaped = xmlCharStrdup(expected); 
++ msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped)); ++ FREE_AND_NULL(expectedEscaped); + msg = xmlStrcat(msg, BAD_CAST "'.\n"); + } else + msg = xmlStrcat(msg, BAD_CAST "\n"); +Index: libxml2-2.9.1+dfsg1/xmlstring.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/xmlstring.c 2017-03-15 07:53:59.463564729 -0400 ++++ libxml2-2.9.1+dfsg1/xmlstring.c 2017-03-15 07:53:59.463564729 -0400 +@@ -987,5 +987,60 @@ + return(xmlUTF8Strndup(utf, len)); + } + ++/** ++ * xmlEscapeFormatString: ++ * @msg: a pointer to the string in which to escape '%' characters. ++ * Must be a heap-allocated buffer created by libxml2 that may be ++ * returned, or that may be freed and replaced. ++ * ++ * Replaces the string pointed to by 'msg' with an escaped string. ++ * Returns the same string with all '%' characters escaped. ++ */ ++xmlChar * ++xmlEscapeFormatString(xmlChar **msg) ++{ ++ xmlChar *msgPtr = NULL; ++ xmlChar *result = NULL; ++ xmlChar *resultPtr = NULL; ++ size_t count = 0; ++ size_t msgLen = 0; ++ size_t resultLen = 0; ++ ++ if (!msg || !*msg) ++ return(NULL); ++ ++ for (msgPtr = *msg; *msgPtr != '\0'; ++msgPtr) { ++ ++msgLen; ++ if (*msgPtr == '%') ++ ++count; ++ } ++ ++ if (count == 0) ++ return(*msg); ++ ++ resultLen = msgLen + count + 1; ++ result = (xmlChar *) xmlMallocAtomic(resultLen * sizeof(xmlChar)); ++ if (result == NULL) { ++ /* Clear *msg to prevent format string vulnerabilities in ++ out-of-memory situations. 
*/ ++ xmlFree(*msg); ++ *msg = NULL; ++ xmlErrMemory(NULL, NULL); ++ return(NULL); ++ } ++ ++ for (msgPtr = *msg, resultPtr = result; *msgPtr != '\0'; ++msgPtr, ++resultPtr) { ++ *resultPtr = *msgPtr; ++ if (*msgPtr == '%') ++ *(++resultPtr) = '%'; ++ } ++ result[resultLen - 1] = '\0'; ++ ++ xmlFree(*msg); ++ *msg = result; ++ ++ return *msg; ++} ++ + #define bottom_xmlstring + #include "elfgcchack.h" diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4448-3.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4448-3.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4448-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4448-3.patch 2017-03-15 12:37:47.000000000 +0000 
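Review bot: The header comment of the new xmlEscapeFormatString in the xmlstring.c hunk does not state the two cases in which it returns NULL, which matters because the xmlschemas.c callers pass its result straight into xmlStrcat and the relaxng.c caller returns it unchecked. I would extend the comment with `Returns NULL if @msg is NULL or *@msg is NULL, and on allocation failure; in that last case *@msg has been freed and set to NULL so no unescaped buffer can reach a format argument.` The xmlschemas.c hunk at -2247 also discards the return value of `xmlEscapeFormatString(msg);`, so after an allocation failure `*msg` is NULL when the code that follows the hunk continues building the message; checking the result there, `if (xmlEscapeFormatString(msg) == NULL) return (NULL);`, would make that path explicit rather than relying on xmlStrcat tolerating NULL. The function that hunk sits in starts and ends outside the hunk.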
@@ -0,0 +1,48 @@
+From d77e5fc4bcdb7da748c9cca116a601ae4df60d21 Mon Sep 17 00:00:00 2001
+From: Chun-wei Fan
+Date: Tue, 31 May 2016 21:04:50 +0800
+Subject: relaxng.c, xmlschemas.c: Fix build on pre-C99 compilers
+
+Make sure that the variables are declared at the top of the block.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=767063
+---
+ relaxng.c | 3 ++-
+ xmlschemas.c | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+Index: libxml2-2.9.1+dfsg1/relaxng.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/relaxng.c 2017-03-15 08:37:45.928272143 -0400
++++ libxml2-2.9.1+dfsg1/relaxng.c 2017-03-15 08:37:45.916272013 -0400
+@@ -2088,6 +2088,7 @@
+ const xmlChar * arg2)
+ {
+ char msg[1000];
++ xmlChar *result;
+
+ if (arg1 == NULL)
+ arg1 = BAD_CAST "";
+@@ -2215,7 +2216,7 @@
+ snprintf(msg, 1000, "Unknown error code %d\n", err);
+ }
+ msg[1000 - 1] = 0;
+- xmlChar *result = xmlCharStrdup(msg);
++ result = xmlCharStrdup(msg);
+ return (xmlEscapeFormatString(&result));
+ }
+
+Index: libxml2-2.9.1+dfsg1/xmlschemas.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/xmlschemas.c 2017-03-15 08:37:45.928272143 -0400
++++ libxml2-2.9.1+dfsg1/xmlschemas.c 2017-03-15 08:37:45.924272100 -0400
+@@ -3166,8 +3166,8 @@
+ "valid.");
+ }
+ if (expected) {
+- msg = xmlStrcat(msg, BAD_CAST " Expected is '");
+ xmlChar *expectedEscaped = xmlCharStrdup(expected);
++ msg = xmlStrcat(msg, BAD_CAST " Expected is '");
+ msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped));
+ FREE_AND_NULL(expectedEscaped);
+ msg = xmlStrcat(msg, BAD_CAST "'.\n");
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4449.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4449.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4449.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4449.patch 2016-06-03 12:59:37.000000000 +0000
@@ -0,0 +1,41 @@
+From b1d34de46a11323fccffa9fadeb33be670d602f5 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Mon, 14 Mar 2016 17:19:44 +0800
+Subject: Fix inappropriate fetch of entities content
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=761430
+
+libfuzzer regression testing exposed another case where the parser would
+fetch content of an external entity while not in validating mode.
+Plug that hole
+---
+ parser.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.1+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:59:34.933452346 -0400
++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:59:34.933452346 -0400
+@@ -2854,7 +2854,21 @@
+ ctxt->nbentities += ent->checked / 2;
+ if (ent != NULL) {
+ if (ent->content == NULL) {
+- xmlLoadEntityContent(ctxt, ent);
++ /*
++ * Note: external parsed entities will not be loaded,
++ * it is not required for a non-validating parser to
++ * complete external PEreferences coming from the
++ * internal subset
++ */
++ if (((ctxt->options & XML_PARSE_NOENT) != 0) ||
++ ((ctxt->options & XML_PARSE_DTDVALID) != 0) ||
++ (ctxt->validate != 0)) {
++ xmlLoadEntityContent(ctxt, ent);
++ } else {
++ xmlWarningMsg(ctxt, XML_ERR_ENTITY_PROCESSING,
++ "not validating will not read content for PE entity %s\n",
++ ent->name, NULL);
++ }
+ }
+ ctxt->depth++;
+ rep = xmlStringDecodeEntities(ctxt, ent->content, what,
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4483.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4483.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4483.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4483.patch 2016-06-03 12:59:41.000000000 +0000
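Review bot: In the new else branch of the parser.c hunk `ent->content` is left NULL and control falls through to `ctxt->depth++;` and `rep = xmlStringDecodeEntities(ctxt, ent->content, what, …)` on the trailing context lines, so the fix relies on the decoder accepting a NULL string argument, which nothing in this hunk guarantees. That reliance is worth recording next to the warning, e.g. `/* ent->content stays NULL here; the xmlStringDecodeEntities() call below must accept that */`, so a later change to the decoder does not reintroduce a NULL dereference on this path. The enclosing function starts and ends outside the hunk.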
@@ -0,0 +1,49 @@
+From c97750d11bb8b6f3303e7131fe526a61ac65bcfd Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Mon, 23 May 2016 13:39:13 +0800
+Subject: Avoid an out of bound access when serializing malformed strings
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=766414
+
+* xmlsave.c: xmlBufAttrSerializeTxtContent() if an attribute value
+ is not UTF-8 be more careful when serializing it as we may do an
+ out of bound access as a result.
+---
+ xmlsave.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/xmlsave.c b/xmlsave.c
+index 774404b..4a8e3f3 100644
+--- a/xmlsave.c
++++ b/xmlsave.c
+@@ -2097,8 +2097,8 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc,
+ xmlBufAdd(buf, BAD_CAST "&", 5);
+ cur++;
+ base = cur;
+- } else if ((*cur >= 0x80) && ((doc == NULL) ||
+- (doc->encoding == NULL))) {
++ } else if ((*cur >= 0x80) && (cur[1] != 0) &&
++ ((doc == NULL) || (doc->encoding == NULL))) {
+ /*
+ * We assume we have UTF-8 content.
+ */
+@@ -2121,14 +2121,14 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc,
+ val <<= 6;
+ val |= (cur[1]) & 0x3F;
+ l = 2;
+- } else if (*cur < 0xF0) {
++ } else if ((*cur < 0xF0) && (cur [2] != 0)) {
+ val = (cur[0]) & 0x0F;
+ val <<= 6;
+ val |= (cur[1]) & 0x3F;
+ val <<= 6;
+ val |= (cur[2]) & 0x3F;
+ l = 3;
+- } else if (*cur < 0xF8) {
++ } else if ((*cur < 0xF8) && (cur [2] != 0) && (cur[3] != 0)) {
+ val = (cur[0]) & 0x07;
+ val <<= 6;
+ val |= (cur[1]) & 0x3F;
+--
+cgit v0.12
+
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4658.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4658.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4658.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4658.patch 2017-03-15 11:54:07.000000000 +0000
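Review bot: The added guards in the xmlsave.c hunk only test that `cur[1]`, `cur[2]` and `cur[3]` are non-NUL before the lead byte is decoded, so the 3- and 4-byte branches still accept any non-NUL byte as a continuation byte; a truncated sequence followed by ASCII is no longer an out-of-bounds read but is still decoded as a single character. Checking the continuation bytes against the UTF-8 range in the same conditions, `((cur[1] & 0xC0) == 0x80)` and likewise for `cur[2]` and `cur[3]`, would route such input to the non-UTF-8 path instead of silently mis-decoding it. The spelling `cur [2]` on the two new lines also differs from `cur[1]` and `cur[3]` on the same lines. The enclosing function starts and ends outside the hunk.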
@@ -0,0 +1,249 @@ +From c1d1f7121194036608bf555f08d3062a36fd344b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 28 Jun 2016 18:34:52 +0200 +Subject: Disallow namespace nodes in XPointer ranges + +Namespace nodes must be copied to avoid use-after-free errors. +But they don't necessarily have a physical representation in a +document, so simply disallow them in XPointer ranges. + +Found with afl-fuzz. + +Fixes CVE-2016-4658. +--- + xpointer.c | 149 +++++++++++++++++++++++-------------------------------------- + 1 file changed, 56 insertions(+), 93 deletions(-) + +diff --git a/xpointer.c b/xpointer.c +index a7b03fb..694d120 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -320,6 +320,45 @@ xmlXPtrRangesEqual(xmlXPathObjectPtr range1, xmlXPathObjectPtr range2) { + } + + /** ++ * xmlXPtrNewRangeInternal: ++ * @start: the starting node ++ * @startindex: the start index ++ * @end: the ending point ++ * @endindex: the ending index ++ * ++ * Internal function to create a new xmlXPathObjectPtr of type range ++ * ++ * Returns the newly created object. ++ */ ++static xmlXPathObjectPtr ++xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex, ++ xmlNodePtr end, int endindex) { ++ xmlXPathObjectPtr ret; ++ ++ /* ++ * Namespace nodes must be copied (see xmlXPathNodeSetDupNs). ++ * Disallow them for now. 
++ */ ++ if ((start != NULL) && (start->type == XML_NAMESPACE_DECL)) ++ return(NULL); ++ if ((end != NULL) && (end->type == XML_NAMESPACE_DECL)) ++ return(NULL); ++ ++ ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); ++ if (ret == NULL) { ++ xmlXPtrErrMemory("allocating range"); ++ return(NULL); ++ } ++ memset(ret, 0, sizeof(xmlXPathObject)); ++ ret->type = XPATH_RANGE; ++ ret->user = start; ++ ret->index = startindex; ++ ret->user2 = end; ++ ret->index2 = endindex; ++ return(ret); ++} ++ ++/** + * xmlXPtrNewRange: + * @start: the starting node + * @startindex: the start index +@@ -344,17 +383,7 @@ xmlXPtrNewRange(xmlNodePtr start, int startindex, + if (endindex < 0) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = startindex; +- ret->user2 = end; +- ret->index2 = endindex; ++ ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -381,17 +410,8 @@ xmlXPtrNewRangePoints(xmlXPathObjectPtr start, xmlXPathObjectPtr end) { + if (end->type != XPATH_POINT) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start->user; +- ret->index = start->index; +- ret->user2 = end->user; +- ret->index2 = end->index; ++ ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user, ++ end->index); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -416,17 +436,7 @@ xmlXPtrNewRangePointNode(xmlXPathObjectPtr start, xmlNodePtr end) { + if (start->type != XPATH_POINT) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == 
NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start->user; +- ret->index = start->index; +- ret->user2 = end; +- ret->index2 = -1; ++ ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -453,17 +463,7 @@ xmlXPtrNewRangeNodePoint(xmlNodePtr start, xmlXPathObjectPtr end) { + if (end->type != XPATH_POINT) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- ret->user2 = end->user; +- ret->index2 = end->index; ++ ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -486,17 +486,7 @@ xmlXPtrNewRangeNodes(xmlNodePtr start, xmlNodePtr end) { + if (end == NULL) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- ret->user2 = end; +- ret->index2 = -1; ++ ret = xmlXPtrNewRangeInternal(start, -1, end, -1); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -516,17 +506,7 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) { + if (start == NULL) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- ret->user2 = NULL; +- ret->index2 = -1; ++ ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1); + return(ret); + } + +@@ -541,6 
+521,8 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) { + */ + xmlXPathObjectPtr + xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { ++ xmlNodePtr endNode; ++ int endIndex; + xmlXPathObjectPtr ret; + + if (start == NULL) +@@ -549,7 +531,12 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { + return(NULL); + switch (end->type) { + case XPATH_POINT: ++ endNode = end->user; ++ endIndex = end->index; ++ break; + case XPATH_RANGE: ++ endNode = end->user2; ++ endIndex = end->index2; + break; + case XPATH_NODESET: + /* +@@ -557,39 +544,15 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { + */ + if (end->nodesetval->nodeNr <= 0) + return(NULL); ++ endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1]; ++ endIndex = -1; + break; + default: + /* TODO */ + return(NULL); + } + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- switch (end->type) { +- case XPATH_POINT: +- ret->user2 = end->user; +- ret->index2 = end->index; +- break; +- case XPATH_RANGE: +- ret->user2 = end->user2; +- ret->index2 = end->index2; +- break; +- case XPATH_NODESET: { +- ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1]; +- ret->index2 = -1; +- break; +- } +- default: +- STRANGE +- return(NULL); +- } ++ ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +-- +cgit v0.12 + diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-5131-1.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-5131-1.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-5131-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-5131-1.patch 2017-03-15 11:54:18.000000000 +0000 
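Review bot: xmlXPtrNewRangeInternal returns NULL for a namespace start or end node, and every caller in the xpointer.c hunks except xmlXPtrNewCollapsedRange then passes that NULL to `xmlXPtrRangeCheckOrder(ret);` before returning it, a path the removed inline code never took because it returned directly after a failed malloc. Unless xmlXPtrRangeCheckOrder is known to tolerate NULL, an `if (ret == NULL) return(NULL);` after each `ret = xmlXPtrNewRangeInternal(…)` call, or a NULL check at the top of the checker, keeps the new rejection from being dereferenced. The namespace rejection is also silent, unlike the allocation failure that reports through xmlXPtrErrMemory; one line in the new comment, `Callers receive NULL without an error being raised.`, would document that contract. xmlXPtrRangeCheckOrder itself is outside the hunks.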
@@ -0,0 +1,142 @@ +From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 28 Jun 2016 14:22:23 +0200 +Subject: Fix XPointer paths beginning with range-to + +The old code would invoke the broken xmlXPtrRangeToFunction. range-to +isn't really a function but a special kind of location step. Remove +this function and always handle range-to in the XPath code. + +The old xmlXPtrRangeToFunction could also be abused to trigger a +use-after-free error with the potential for remote code execution. + +Found with afl-fuzz. + +Fixes CVE-2016-5131. +--- + result/XPath/xptr/vidbase | 13 ++++++++ + test/XPath/xptr/vidbase | 1 + + xpath.c | 7 ++++- + xpointer.c | 76 ++++------------------------------------------- + 4 files changed, 26 insertions(+), 71 deletions(-) + +Index: libxml2-2.9.1+dfsg1/xpath.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/xpath.c 2017-03-15 07:54:15.755742804 -0400 ++++ libxml2-2.9.1+dfsg1/xpath.c 2017-03-15 07:54:15.751742760 -0400 +@@ -10686,13 +10686,18 @@ + lc = 1; + break; + } else if ((NXT(len) == '(')) { +- /* Note Type or Function */ ++ /* Node Type or Function */ + if (xmlXPathIsNodeType(name)) { + #ifdef DEBUG_STEP + xmlGenericError(xmlGenericErrorContext, + "PathExpr: Type search\n"); + #endif + lc = 1; ++#ifdef LIBXML_XPTR_ENABLED ++ } else if (ctxt->xptr && ++ xmlStrEqual(name, BAD_CAST "range-to")) { ++ lc = 1; ++#endif + } else { + #ifdef DEBUG_STEP + xmlGenericError(xmlGenericErrorContext, +Index: libxml2-2.9.1+dfsg1/xpointer.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/xpointer.c 2017-03-15 07:54:15.755742804 -0400 ++++ libxml2-2.9.1+dfsg1/xpointer.c 2017-03-15 07:54:15.751742760 -0400 +@@ -1295,8 +1295,6 @@ + ret->here = here; + ret->origin = origin; + +- xmlXPathRegisterFunc(ret, (xmlChar *)"range-to", +- xmlXPtrRangeToFunction); + xmlXPathRegisterFunc(ret, (xmlChar *)"range", + 
xmlXPtrRangeFunction); + xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside", +@@ -2184,76 +2182,14 @@ + * @nargs: the number of args + * + * Implement the range-to() XPointer function ++ * ++ * Obsolete. range-to is not a real function but a special type of location ++ * step which is handled in xpath.c. + */ + void +-xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) { +- xmlXPathObjectPtr range; +- const xmlChar *cur; +- xmlXPathObjectPtr res, obj; +- xmlXPathObjectPtr tmp; +- xmlLocationSetPtr newset = NULL; +- xmlNodeSetPtr oldset; +- int i; +- +- if (ctxt == NULL) return; +- CHECK_ARITY(1); +- /* +- * Save the expression pointer since we will have to evaluate +- * it multiple times. Initialize the new set. +- */ +- CHECK_TYPE(XPATH_NODESET); +- obj = valuePop(ctxt); +- oldset = obj->nodesetval; +- ctxt->context->node = NULL; +- +- cur = ctxt->cur; +- newset = xmlXPtrLocationSetCreate(NULL); +- +- for (i = 0; i < oldset->nodeNr; i++) { +- ctxt->cur = cur; +- +- /* +- * Run the evaluation with a node list made of a single item +- * in the nodeset. +- */ +- ctxt->context->node = oldset->nodeTab[i]; +- tmp = xmlXPathNewNodeSet(ctxt->context->node); +- valuePush(ctxt, tmp); +- +- xmlXPathEvalExpr(ctxt); +- CHECK_ERROR; +- +- /* +- * The result of the evaluation need to be tested to +- * decided whether the filter succeeded or not +- */ +- res = valuePop(ctxt); +- range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res); +- if (range != NULL) { +- xmlXPtrLocationSetAdd(newset, range); +- } +- +- /* +- * Cleanup +- */ +- if (res != NULL) +- xmlXPathFreeObject(res); +- if (ctxt->value == tmp) { +- res = valuePop(ctxt); +- xmlXPathFreeObject(res); +- } +- +- ctxt->context->node = NULL; +- } +- +- /* +- * The result is used as the new evaluation set. 
+- */
+- xmlXPathFreeObject(obj);
+- ctxt->context->node = NULL;
+- ctxt->context->contextSize = -1;
+- ctxt->context->proximityPosition = -1;
+- valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
++xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
++ int nargs ATTRIBUTE_UNUSED) {
++ XP_ERROR(XPATH_EXPR_ERROR);
+ }
+
+ /**
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-5131-2.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-5131-2.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-5131-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-5131-2.patch 2017-03-15 11:54:24.000000000 +0000
@@ -0,0 +1,31 @@
+From a005199330b86dada19d162cae15ef9bdcb6baa8 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Tue, 28 Jun 2016 14:19:58 +0200
+Subject: Fix comparison with root node in xmlXPathCmpNodes
+
+This change has already been made in xmlXPathCmpNodesExt but not in
+xmlXPathCmpNodes.
+---
+ xpath.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: libxml2-2.9.1+dfsg1/xpath.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/xpath.c 2017-03-15 07:54:22.159812800 -0400
++++ libxml2-2.9.1+dfsg1/xpath.c 2017-03-15 07:54:22.159812800 -0400
+@@ -3337,13 +3337,13 @@
+ * compute depth to root
+ */
+ for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
+- if (cur == node1)
++ if (cur->parent == node1)
+ return(1);
+ depth2++;
+ }
+ root = cur;
+ for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
+- if (cur == node2)
++ if (cur->parent == node2)
+ return(-1);
+ depth1++;
+ }
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-9318.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-9318.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-9318.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-9318.patch 2018-08-13 20:50:36.000000000 +0000
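Review bot: The diffstat of the backported CVE-2016-5131-1 patch lists `result/XPath/xptr/vidbase` and `test/XPath/xptr/vidbase`, but the body carries only the xpath.c and xpointer.c hunks, so the regression test upstream added for the range-to path is not applied and the stat no longer describes the patch. Either include the two test files or trim the diffstat to `xpath.c` and `xpointer.c` so readers of the series are not misled. Separately, xmlXPtrRangeToFunction is kept as a non-static function whose whole body is now `XP_ERROR(XPATH_EXPR_ERROR);`; the updated doc comment could add `Kept only for ABI compatibility; calling it raises XPATH_EXPR_ERROR.` so the stub is understood as compatibility rather than a working entry point.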
@@ -0,0 +1,51 @@
+From ad88b54f1a28a8565964a370b5d387927b633c0d Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Fri, 8 Dec 2017 09:42:31 +0100
+Subject: [PATCH] Improve handling of context input_id
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=772726
+This was used in xmlsec to detect issues with accessing external entities
+and prevent them, but was unreliable, based on a patch from Aleksey Sanin
+
+* parser.c: make sure input_id is incremented when creating sub-entities
+ for parsing or when parsing out of context
+diff --git a/parser.c b/parser.c
+index 536f2d8..773ba77 100644
+--- a/parser.c
++++ b/parser.c
+@@ -13567,6 +13567,7 @@ xmlParseBalancedChunkMemoryInternal(xmlParserCtxtPtr oldctxt,
+ ctxt->userData = ctxt;
+ if (ctxt->dict != NULL) xmlDictFree(ctxt->dict);
+ ctxt->dict = oldctxt->dict;
++ ctxt->input_id = oldctxt->input_id + 1;
+ ctxt->str_xml = xmlDictLookup(ctxt->dict, BAD_CAST "xml", 3);
+ ctxt->str_xmlns = xmlDictLookup(ctxt->dict, BAD_CAST "xmlns", 5);
+ ctxt->str_xml_ns = xmlDictLookup(ctxt->dict, XML_XML_NAMESPACE, 36);
+@@ -13819,6 +13820,7 @@ xmlParseInNodeContext(xmlNodePtr node, const char *data, int datalen,
+ xmlCtxtUseOptionsInternal(ctxt, options, NULL);
+ xmlDetectSAX2(ctxt);
+ ctxt->myDoc = doc;
++ ctxt->input_id = 2;
+
+ fake = xmlNewComment(NULL);
+ if (fake == NULL) {
+@@ -14031,6 +14033,7 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
+ newDoc->oldNs = doc->oldNs;
+ }
+ ctxt->instate = XML_PARSER_CONTENT;
++ ctxt->input_id = 2;
+ ctxt->depth = depth;
+
+ /*
+@@ -14191,6 +14194,11 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
+ if (pctx != NULL) {
+ ctxt->options = pctx->options;
+ ctxt->_private = pctx->_private;
++ /*
++ * this is a subparser of pctx, so the input_id should be
++ * incremented to distinguish from main entity
++ */
++ ctxt->input_id = pctx->input_id + 1;
+ }
+
+ uri = xmlBuildURI(URL, base);
diff -Nru
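Review bot: `ctxt->input_id = 2;` is assigned as a bare literal in both xmlParseInNodeContext and xmlParseBalancedChunkMemoryRecover with no comment, while the xmlCreateEntityParserCtxtInternal hunk does explain its `pctx->input_id + 1`. Presumably 1 is the id of the main document entity and 2 marks a parse that is not the main entity, but the patch never states that; a one-line comment on each assignment, e.g. `/* not the main entity (input_id 1): mark as an out-of-context parse */`, would record the convention a consumer such as xmlsec relies on. The commit message itself calls input_id-based detection unreliable, so this patch should be read as supporting that heuristic, not as restricting entity access by itself; the library-side restriction of external parameter entities is in CVE-2017-7375.patch and lp1321869.patch below.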
libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-0663.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-0663.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-0663.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-0663.patch 2017-09-15 23:18:29.000000000 +0000
@@ -0,0 +1,45 @@
+From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Tue, 6 Jun 2017 12:56:28 +0200
+Subject: [PATCH] Fix type confusion in xmlValidateOneNamespace
+
+Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
+namespace declarations make no practical sense anyway.
+
+Fixes bug 780228.
+
+Found with libFuzzer and ASan.
+
+CVE-2017-0663
+---
+ valid.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/valid.c b/valid.c
+index 8075d3a..c51ea29 100644
+--- a/valid.c
++++ b/valid.c
+@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ }
+ }
+
++ /*
++ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
++ * xmlAddID and xmlAddRef for namespace declarations, but it makes
++ * no practical sense to use ID types anyway.
++ */
++#if 0
+ /* Validity Constraint: ID uniqueness */
+ if (attrDecl->atype == XML_ATTRIBUTE_ID) {
+ if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+ ret = 0;
+ }
++#endif
+
+ /* Validity Constraint: Notation Attributes */
+ if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
+--
+2.7.4
+
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-15412.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-15412.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-15412.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-15412.patch 2017-12-11 16:31:30.000000000 +0000
@@ -0,0 +1,33 @@
+From 0f3b843b3534784ef57a4f9b874238aa1fda5a73 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Thu, 1 Jun 2017 23:12:19 +0200
+Subject: Fix XPath stack frame logic
+
+Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in
+xmlXPathCompOpEvalPositionalPredicate to make sure that the context
+object on the stack is actually protected. Otherwise, memory corruption
+can occur when calling sloppily coded XPath extension functions.
+
+Fixes bug 783160.
+---
+ xpath.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: libxml2-2.9.1+dfsg1/xpath.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/xpath.c
++++ libxml2-2.9.1+dfsg1/xpath.c
+@@ -11910,11 +11910,11 @@ xmlXPathCompOpEvalPositionalPredicate(xm
+ }
+ }
+
+- frame = xmlXPathSetFrame(ctxt);
+ valuePush(ctxt, contextObj);
++ frame = xmlXPathSetFrame(ctxt);
+ res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
+- tmp = valuePop(ctxt);
+ xmlXPathPopFrame(ctxt, frame);
++ tmp = valuePop(ctxt);
+
+ if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+ while (tmp != contextObj) {
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-16932.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-16932.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-16932.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-16932.patch 2017-12-04 18:16:54.000000000 +0000
@@ -0,0 +1,96 @@ +Backport of: + +From 899a5d9f0ed13b8e32449a08a361e0de127dd961 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 25 Jul 2017 14:59:49 +0200 +Subject: [PATCH] Detect infinite recursion in parameter entities + +When expanding a parameter entity in a DTD, infinite recursion could +lead to an infinite loop or memory exhaustion. + +Thanks to Wei Lei for the first of many reports. + +Fixes bug 759579. + +--- + parser.c | 13 +++++++++++-- + result/errors/759579.xml | 0 + result/errors/759579.xml.err | 6 ++++++ + result/errors/759579.xml.str | 7 +++++++ + test/errors/759579.xml | 11 +++++++++++ + 5 files changed, 35 insertions(+), 2 deletions(-) + create mode 100644 result/errors/759579.xml + create mode 100644 result/errors/759579.xml.err + create mode 100644 result/errors/759579.xml.str + create mode 100644 test/errors/759579.xml + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c ++++ libxml2-2.9.1+dfsg1/parser.c +@@ -2231,6 +2231,13 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlP + xmlGenericError(xmlGenericErrorContext, + "Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur); + } ++ if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) || ++ (ctxt->inputNr > 1024)) { ++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); ++ while (ctxt->inputNr > 1) ++ xmlFreeInputStream(inputPop(ctxt)); ++ return(-1); ++ } + ret = inputPush(ctxt, input); + if (ctxt->instate == XML_PARSER_EOF) + return(-1); +@@ -8121,8 +8128,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctx + * c.f. 
http://www.w3.org/TR/REC-xml#as-PE + */ + input = xmlNewEntityInputStream(ctxt, entity); +- if (xmlPushInput(ctxt, input) < 0) +- return; ++ if (xmlPushInput(ctxt, input) < 0) { ++ xmlFreeInputStream(input); ++ return; ++ } + if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && + (CMP5(CUR_PTR, '<', '?', 'x', 'm', 'l')) && + (IS_BLANK_CH(NXT(5)))) { +Index: libxml2-2.9.1+dfsg1/result/errors/759579.xml.err +=================================================================== +--- /dev/null ++++ libxml2-2.9.1+dfsg1/result/errors/759579.xml.err +@@ -0,0 +1,6 @@ ++Entity: line 2: parser error : Detected an entity reference loop ++ %z; %z; %z; %z; %z; ++ ^ ++Entity: line 2: ++ %z; %z; %z; %z; %z; ++ ^ +Index: libxml2-2.9.1+dfsg1/result/errors/759579.xml.str +=================================================================== +--- /dev/null ++++ libxml2-2.9.1+dfsg1/result/errors/759579.xml.str +@@ -0,0 +1,7 @@ ++Entity: line 2: parser error : Detected an entity reference loop ++ %z; %z; %z; %z; %z; ++ ^ ++Entity: line 2: ++ %z; %z; %z; %z; %z; ++ ^ ++./test/errors/759579.xml : failed to parse +Index: libxml2-2.9.1+dfsg1/test/errors/759579.xml +=================================================================== +--- /dev/null ++++ libxml2-2.9.1+dfsg1/test/errors/759579.xml +@@ -0,0 +1,11 @@ ++ ++ %z; ++]> ++ diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-18258.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-18258.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-18258.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-18258.patch 2018-08-14 12:42:14.000000000 +0000 
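Review bot: The nesting caps in the new xmlPushInput check are bare literals, `40` without XML_PARSE_HUGE and `1024` with it, and nothing in the patch says how they were chosen or how they relate to the parser's other limits. Naming them (for example `#define XML_PARSER_MAX_INPUT_NR 40` plus a comment that XML_PARSE_HUGE raises the cap to 1024 — constant name constructed here) would make the policy greppable and keep the two numbers from drifting if one is tuned later. On the error path the loop frees every pushed input except the bottom one and returns -1, and the companion change in xmlParsePEReference then frees the `input` that was never pushed; that is consistent, but any other xmlPushInput caller outside this hunk must follow the same ownership rule or it leaks the stream. The xmlPushInput body and the test-file hunks continue outside this view.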
@@ -0,0 +1,25 @@
+From e2a9122b8dde53d320750451e9907a7dcb2ca8bb Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Thu, 7 Sep 2017 18:36:01 +0200
+Subject: [PATCH] Set memory limit for LZMA decompression
+
+Otherwise malicious LZMA compressed files could consume large amounts
+of memory when decompressed.
+
+According to the xz man page, files compressed with `xz -9` currently
+require 65 MB to decompress, so set the limit to 100 MB.
+
+Should fix bug 786696.
+diff --git a/xzlib.c b/xzlib.c
+index 97af9c5..ed9f480 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -363,7 +363,7 @@ xz_head(xz_statep state)
+ state->strm = init;
+ state->strm.avail_in = 0;
+ state->strm.next_in = NULL;
+- if (lzma_auto_decoder(&state->strm, UINT64_MAX, 0) != LZMA_OK) {
++ if (lzma_auto_decoder(&state->strm, 100000000, 0) != LZMA_OK) {
+ xmlFree(state->out);
+ xmlFree(state->in);
+ state->size = 0;
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-7375.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-7375.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-7375.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-7375.patch 2017-09-15 23:18:51.000000000 +0000
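Review bot: The new memlimit `100000000` passed to lzma_auto_decoder is a magic number whose rationale exists only in the commit message (an `xz -9` stream needs about 65 MB). Put it behind a named constant with that reasoning beside it, e.g. `#define XZ_MEMLIMIT 100000000 /* 100 MB; xz -9 streams need ~65 MB, see xz(1) */` (name constructed here), so whoever tunes it later sees the trade-off rather than an unexplained literal. With a finite limit, liblzma can now report a memlimit exceeded code during decoding; that is handled in xz_decomp outside this hunk, and the catch-all added later in CVE-2018-14567.patch appears to cover it.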
@@ -0,0 +1,37 @@
+From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001
+From: Neel Mehta
+Date: Fri, 7 Apr 2017 17:43:02 +0200
+Subject: [PATCH] Prevent unwanted external entity reference
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=780691
+
+* parser.c: add a specific check to avoid PE reference
+
+CVE-2017-7375
+---
+ parser.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 609a270..c2c812d 100644
+--- a/parser.c
++++ b/parser.c
+@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ if (xmlPushInput(ctxt, input) < 0)
+ return;
+ } else {
++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
++ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
++ (ctxt->replaceEntities == 0) &&
++ (ctxt->validate == 0))
++ return;
++
+ /*
+ * TODO !!!
+ * handle the extra spaces added before and after
+--
+2.7.4
+
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-7376.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-7376.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-7376.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-7376.patch 2017-09-15 23:19:01.000000000 +0000
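Review bot: The seven-term guard added here — XML_EXTERNAL_PARAMETER_ENTITY with the NOENT/DTDVALID/DTDLOAD/DTDATTR options, replaceEntities and validate all clear — is byte-for-byte the condition that lp1321869.patch (later in this diff) builds up at the other parameter-entity site around parser.c:2605, so the policy "only load external parameter entities when DTD processing was requested" now lives in two hand-synchronised copies. A small static helper such as `static int xmlParserExternalPELoadingDisabled(xmlParserCtxtPtr ctxt, xmlEntityPtr entity)` (name constructed here) called from both places would keep them from drifting when the next XML_PARSE_* option is added. The same remark applies to the lp1321869.patch hunk; xmlParsePEReference continues outside this hunk.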
@@ -0,0 +1,33 @@
+From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Fri, 7 Apr 2017 17:13:28 +0200
+Subject: [PATCH] Increase buffer space for port in HTTP redirect support
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=780690
+
+nanohttp.c: the code wrongly assumed a short int port value.
+
+CVE-2017-7376
+---
+ nanohttp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nanohttp.c b/nanohttp.c
+index e109ad7..373425d 100644
+--- a/nanohttp.c
++++ b/nanohttp.c
+@@ -1423,9 +1423,9 @@ retry:
+ if (ctxt->port != 80) {
+ /* reserve space for ':xxxxx', incl. potential proxy */
+ if (proxy)
+- blen += 12;
++ blen += 17;
+ else
+- blen += 6;
++ blen += 11;
+ }
+ bp = (char*)xmlMallocAtomic(blen);
+ if ( bp == NULL ) {
+--
+2.7.4
+
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-9047-9048.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-9047-9048.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-9047-9048.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-9047-9048.patch 2017-09-15 23:19:13.000000000 +0000
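Review bot: The comment `/* reserve space for ':xxxxx', incl. potential proxy */` is now stale: the reservation grows from 6 to 11 bytes (12 to 17 with a proxy) precisely because ctxt->port is a full int and not limited to five digits, yet the comment still documents the five-digit assumption the commit message calls wrong. Update it together with the numbers, e.g. `/* reserve space for ':' plus a full int port (up to 10 digits), twice when a proxy is in use */`, so the next reader does not "correct" the constants back down. The buffer-length computation this feeds continues outside the hunk.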
@@ -0,0 +1,118 @@ +From 932cc9896ab41475d4aa429c27d9afd175959d74 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 3 Jun 2017 02:01:29 +0200 +Subject: [PATCH] Fix buffer size checks in xmlSnprintfElementContent +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +xmlSnprintfElementContent failed to correctly check the available +buffer space in two locations. + +Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048). + +Thanks to Marcel Böhme and Thuan Pham for the report. + +CVE-2017-9047, CVE-2017-9048 +--- + result/valid/781333.xml | 5 +++++ + result/valid/781333.xml.err | 3 +++ + result/valid/781333.xml.err.rdr | 6 ++++++ + test/valid/781333.xml | 4 ++++ + valid.c | 20 +++++++++++--------- + 5 files changed, 29 insertions(+), 9 deletions(-) + create mode 100644 result/valid/781333.xml + create mode 100644 result/valid/781333.xml.err + create mode 100644 result/valid/781333.xml.err.rdr + create mode 100644 test/valid/781333.xml + +diff --git a/result/valid/781333.xml b/result/valid/781333.xml +new file mode 100644 +index 0000000..45dc451 +--- /dev/null ++++ b/result/valid/781333.xml +@@ -0,0 +1,5 @@ ++ ++ ++]> ++ +diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err +new file mode 100644 +index 0000000..b401b49 +--- /dev/null ++++ b/result/valid/781333.xml.err +@@ -0,0 +1,3 @@ ++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got ++ ++ ^ +diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr +new file mode 100644 +index 0000000..5ff5699 +--- /dev/null ++++ b/result/valid/781333.xml.err.rdr +@@ -0,0 +1,6 @@ ++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got ++ ++ ^ ++./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child ++ ++^ +diff --git a/test/valid/781333.xml 
b/test/valid/781333.xml +new file mode 100644 +index 0000000..b29e5a6 +--- /dev/null ++++ b/test/valid/781333.xml +@@ -0,0 +1,4 @@ ++ ++]> ++ +diff --git a/valid.c b/valid.c +index 19f84b8..9b2df56 100644 +--- a/valid.c ++++ b/valid.c +@@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int + case XML_ELEMENT_CONTENT_PCDATA: + strcat(buf, "#PCDATA"); + break; +- case XML_ELEMENT_CONTENT_ELEMENT: ++ case XML_ELEMENT_CONTENT_ELEMENT: { ++ int qnameLen = xmlStrlen(content->name); ++ ++ if (content->prefix != NULL) ++ qnameLen += xmlStrlen(content->prefix) + 1; ++ if (size - len < qnameLen + 10) { ++ strcat(buf, " ..."); ++ return; ++ } + if (content->prefix != NULL) { +- if (size - len < xmlStrlen(content->prefix) + 10) { +- strcat(buf, " ..."); +- return; +- } + strcat(buf, (char *) content->prefix); + strcat(buf, ":"); + } +- if (size - len < xmlStrlen(content->name) + 10) { +- strcat(buf, " ..."); +- return; +- } + if (content->name != NULL) + strcat(buf, (char *) content->name); + break; ++ } + case XML_ELEMENT_CONTENT_SEQ: + if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || + (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) +@@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int + xmlSnprintfElementContent(buf, size, content->c2, 0); + break; + } ++ if (size - strlen(buf) <= 2) return; + if (englob) + strcat(buf, ")"); + switch (content->ocur) { +-- +2.7.4 + diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-9049-9050.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-9049-9050.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-9049-9050.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2017-9049-9050.patch 2017-09-15 23:19:28.000000000 +0000 
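Review bot: The new guard `if (size - strlen(buf) <= 2) return;` mixes the `int size` parameter with the size_t result of strlen, so the subtraction is evaluated unsigned: if strlen(buf) ever exceeds size — the overflow condition this function is being hardened against — the value wraps to a huge number and the check passes instead of returning. The other checks in this hunk compare through `len` and `qnameLen`, which appear to be ints; keeping to that form, `if (size - (int) strlen(buf) <= 2) return;`, makes the guard hold on the wrap case as well. The function still builds its output with strcat and hand-counted margins throughout, which is pre-existing and outside the scope of this backport; xmlSnprintfElementContent starts before and ends after the hunk.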
@@ -0,0 +1,302 @@ +From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 5 Jun 2017 15:37:17 +0200 +Subject: [PATCH] Fix handling of parameter-entity references +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There were two bugs where parameter-entity references could lead to an +unexpected change of the input buffer in xmlParseNameComplex and +xmlDictLookup being called with an invalid pointer. + +Percent sign in DTD Names +========================= + +The NEXTL macro used to call xmlParserHandlePEReference. When parsing +"complex" names inside the DTD, this could result in entity expansion +which created a new input buffer. The fix is to simply remove the call +to xmlParserHandlePEReference from the NEXTL macro. This is safe because +no users of the macro require expansion of parameter entities. + +- xmlParseNameComplex +- xmlParseNCNameComplex +- xmlParseNmtoken + +The percent sign is not allowed in names, which are grammatical tokens. + +- xmlParseEntityValue + +Parameter-entity references in entity values are expanded but this +happens in a separate step in this function. + +- xmlParseSystemLiteral + +Parameter-entity references are ignored in the system literal. + +- xmlParseAttValueComplex +- xmlParseCharDataComplex +- xmlParseCommentComplex +- xmlParsePI +- xmlParseCDSect + +Parameter-entity references are ignored outside the DTD. + +- xmlLoadEntityContent + +This function is only called from xmlStringLenDecodeEntities and +entities are replaced in a separate step immediately after the function +call. + +This bug could also be triggered with an internal subset and double +entity expansion. + +This fixes bug 766956 initially reported by Wei Lei and independently by +Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone +involved. 
+ +xmlParseNameComplex with XML_PARSE_OLD10 +======================================== + +When parsing Names inside an expanded parameter entity with the +XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the +GROW macro if the input buffer was exhausted. At the end of the +parameter entity's replacement text, this function would then call +xmlPopInput which invalidated the input buffer. + +There should be no need to invoke GROW in this situation because the +buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and, +at least for UTF-8, in xmlCurrentChar. This also matches the code path +executed when XML_PARSE_OLD10 is not set. + +This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050). +Thanks to Marcel Böhme and Thuan Pham for the report. + +Additional hardening +==================== + +A separate check was added in xmlParseNameComplex to validate the +buffer size. + +CVE-2017-9049, CVE-2017-9050 +--- + Makefile.am | 18 ++++++++++++++++++ + parser.c | 18 ++++++++++-------- + result/errors10/781205.xml | 0 + result/errors10/781205.xml.err | 21 +++++++++++++++++++++ + result/errors10/781361.xml | 0 + result/errors10/781361.xml.err | 13 +++++++++++++ + result/valid/766956.xml | 0 + Makefile.am | 18 ++++++++++++++++++ + parser.c | 18 ++++++++++-------- + result/errors10/781205.xml.err | 21 +++++++++++++++++++++ + result/errors10/781361.xml.err | 13 +++++++++++++ + result/valid/766956.xml.err | 9 +++++++++ + result/valid/766956.xml.err.rdr | 10 ++++++++++ + runtest.c | 3 +++ + test/errors10/781205.xml | 3 +++ + test/errors10/781361.xml | 3 +++ + test/valid/766956.xml | 2 ++ + test/valid/dtds/766956.dtd | 2 ++ + 11 files changed, 94 insertions(+), 8 deletions(-) + create mode 100644 result/errors10/781205.xml + create mode 100644 result/errors10/781205.xml.err + create mode 100644 result/errors10/781361.xml + create mode 100644 result/errors10/781361.xml.err + create mode 100644 result/valid/766956.xml + create mode 100644 
result/valid/766956.xml.err + create mode 100644 result/valid/766956.xml.err.rdr + create mode 100644 test/errors10/781205.xml + create mode 100644 test/errors10/781361.xml + create mode 100644 test/valid/766956.xml + create mode 100644 test/valid/dtds/766956.dtd + +Index: b/Makefile.am +=================================================================== +--- a/Makefile.am ++++ b/Makefile.am +@@ -422,6 +422,24 @@ Errtests : xmllint$(EXEEXT) + if [ -n "$$log" ] ; then echo $$name result ; echo $$log ; fi ; \ + rm result.$$name error.$$name ; \ + fi ; fi ; done) ++ @echo "## Error cases regression tests (old 1.0)" ++ -@(for i in $(srcdir)/test/errors10/*.xml ; do \ ++ name=`basename $$i`; \ ++ if [ ! -d $$i ] ; then \ ++ if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \ ++ echo New test file $$name ; \ ++ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \ ++ 2> $(srcdir)/result/errors10/$$name.err \ ++ > $(srcdir)/result/errors10/$$name ; \ ++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ ++ else \ ++ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \ ++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ ++ diff $(srcdir)/result/errors10/$$name result.$$name ; \ ++ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \ ++ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \ ++ rm result.$$name error.$$name ; \ ++ fi ; fi ; done) + @echo "## Error cases stream regression tests" + -@(for i in $(srcdir)/test/errors/*.xml ; do \ + name=`basename $$i`; \ +Index: b/parser.c +=================================================================== +--- a/parser.c ++++ b/parser.c +@@ -2115,7 +2115,6 @@ static void xmlGROW (xmlParserCtxtPtr ct + ctxt->input->line++; ctxt->input->col = 1; \ + } else ctxt->input->col++; \ + ctxt->input->cur += l; \ +- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \ + } while (0) + + #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l) +@@ -3406,13 
+3405,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctx + len += l; + NEXTL(l); + c = CUR_CHAR(l); +- if (c == 0) { +- count = 0; +- GROW; +- if (ctxt->instate == XML_PARSER_EOF) +- return(NULL); +- c = CUR_CHAR(l); +- } + } + } + if ((len > XML_MAX_NAME_LENGTH) && +@@ -3420,6 +3412,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctx + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); + return(NULL); + } ++ if (ctxt->input->cur - ctxt->input->base < len) { ++ /* ++ * There were a couple of bugs where PERefs lead to to a change ++ * of the buffer. Check the buffer size to avoid passing an invalid ++ * pointer to xmlDictLookup. ++ */ ++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, ++ "unexpected change of input buffer"); ++ return (NULL); ++ } + if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len)); + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); +Index: b/result/errors10/781205.xml.err +=================================================================== +--- /dev/null ++++ b/result/errors10/781205.xml.err +@@ -0,0 +1,21 @@ ++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration ++ ++ %a; ++ ^ ++Entity: line 1: ++<:0000 ++^ ++Entity: line 1: parser error : DOCTYPE improperly terminated ++ %a; ++ ^ ++Entity: line 1: ++<:0000 ++^ ++namespace error : Failed to parse QName ':0000' ++ %a; ++ ^ ++<:0000 ++ ^ ++./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1 ++ ++^ +Index: b/result/errors10/781361.xml.err +=================================================================== +--- /dev/null ++++ b/result/errors10/781361.xml.err +@@ -0,0 +1,13 @@ ++./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected ++ ++^ ++./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration ++ ++ ++^ 
++./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated ++ ++^ ++./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found ++ ++^ +Index: b/result/valid/766956.xml.err +=================================================================== +--- /dev/null ++++ b/result/valid/766956.xml.err +@@ -0,0 +1,9 @@ ++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' ++%ä%ent; ++ ^ ++Entity: line 1: parser error : Content error in the external subset ++ %ent; ++ ^ ++Entity: line 1: ++value ++^ +Index: b/result/valid/766956.xml.err.rdr +=================================================================== +--- /dev/null ++++ b/result/valid/766956.xml.err.rdr +@@ -0,0 +1,10 @@ ++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' ++%ä%ent; ++ ^ ++Entity: line 1: parser error : Content error in the external subset ++ %ent; ++ ^ ++Entity: line 1: ++value ++^ ++./test/valid/766956.xml : failed to parse +Index: b/runtest.c +=================================================================== +--- a/runtest.c ++++ b/runtest.c +@@ -4202,6 +4202,9 @@ testDesc testDescriptions[] = { + { "Error cases regression tests", + errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err", + 0 }, ++ { "Error cases regression tests (old 1.0)", ++ errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err", ++ XML_PARSE_OLD10 }, + #ifdef LIBXML_READER_ENABLED + { "Error cases stream regression tests", + streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str", +Index: b/test/errors10/781205.xml +=================================================================== +--- /dev/null ++++ b/test/errors10/781205.xml +@@ -0,0 +1,3 @@ ++ ++ %a; +Index: b/test/errors10/781361.xml +=================================================================== +--- /dev/null ++++ b/test/errors10/781361.xml +@@ -0,0 +1,3 @@ ++ ++ %elem; +Index: b/test/valid/766956.xml 
+=================================================================== +--- /dev/null ++++ b/test/valid/766956.xml +@@ -0,0 +1,2 @@ ++ ++ +Index: b/test/valid/dtds/766956.dtd +=================================================================== +--- /dev/null ++++ b/test/valid/dtds/766956.dtd +@@ -0,0 +1,2 @@ ++ ++%ä%ent; diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2018-14404.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2018-14404.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2018-14404.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2018-14404.patch 2018-08-14 12:42:27.000000000 +0000 
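Review bot: The new "Error cases regression tests (old 1.0)" recipe in Makefile.am is prefixed `-@`, so a mismatch found by the two `diff` calls is only echoed and never fails `make check`, and when a golden file is missing the loop writes the current xmllint output into `$(srcdir)/result/errors10/` and prints "New test file" instead of reporting a failure. That mirrors the existing errors loop just above it, so the style is consistent, but it means the 781205/781361 cases only gate through the runtest.c table entry added in the same patch. The embedded diffstat also lists Makefile.am, parser.c and the two errors10 .err files twice before "11 files changed", which looks like a copy-paste artefact in the backport header rather than a real change. In the parser.c hunk the added comment reads "lead to to a change"; worth fixing the doubled word while the file is being touched.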
@@ -0,0 +1,47 @@
+From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+diff --git a/xpath.c b/xpath.c
+index 4d3503b..ee9a85b 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13297,9 +13297,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval &= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval &= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_OR:
+@@ -13323,9 +13322,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval |= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval |= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_EQUAL:
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2018-14567.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2018-14567.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2018-14567.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2018-14567.patch 2018-08-14 12:42:33.000000000 +0000
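Review bot: With the rewrite, a NULL `ctxt->value` after xmlXPathBooleanFunction is skipped silently in both the XPATH_OP_AND and XPATH_OP_OR cases: arg2 is released and `total` is returned as if the operator had been evaluated, so a corrupted stack — the situation the commit describes — no longer crashes but also produces no diagnostic and leaves whatever is on the stack as the expression's result. Unless xmlXPathBooleanFunction already records a stack error for this case (not visible here), an `else` branch that releases arg2, reports through xmlXPathErr and returns 0, matching the `return(0)` error path a few lines above, would make the corruption observable to the caller instead of yielding a silently wrong boolean. xmlXPathCompOpEval continues on both sides of the hunks.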
@@ -0,0 +1,43 @@
+From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Mon, 30 Jul 2018 13:14:11 +0200
+Subject: [PATCH] Fix infinite loop in LZMA decompression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check the liblzma error code more thoroughly to avoid infinite loops.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
+Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
+
+This is CVE-2018-9251 and CVE-2018-14567.
+
+Thanks to Dongliang Mu and Simon Wörner for the reports.
+diff --git a/xzlib.c b/xzlib.c
+index ed9f480..8ad24c4 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -517,6 +517,10 @@ xz_decomp(xz_statep state)
+ "internal error: inflate stream corrupt");
+ return -1;
+ }
++ /*
++ * FIXME: Remapping a couple of error codes and falling through
++ * to the LZMA error handling looks fragile.
++ */
+ if (ret == Z_MEM_ERROR)
+ ret = LZMA_MEM_ERROR;
+ if (ret == Z_DATA_ERROR)
+@@ -542,6 +546,11 @@ xz_decomp(xz_statep state)
+ xz_error(state, LZMA_PROG_ERROR, "compression error");
+ return -1;
+ }
++ if ((state->how != GZIP) &&
++ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
++ xz_error(state, ret, "lzma error");
++ return -1;
++ }
+ } while (strm->avail_out && ret != LZMA_STREAM_END);
+
+ /* update available output and crc check value */
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/lp1321869.patch libxml2-2.9.1+dfsg1/debian/patches/lp1321869.patch
--- libxml2-2.9.1+dfsg1/debian/patches/lp1321869.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/lp1321869.patch 2014-06-13 12:33:19.000000000 +0000
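Review bot: The embedded commit message says "This is CVE-2018-9251 and CVE-2018-14567", but the patch file and its series entry are named for CVE-2018-14567 alone; the changelog entry for this upload (outside this chunk) should credit CVE-2018-9251 as well so the security tracker can close both ids against it. On the code, the added catch-all `(state->how != GZIP) && (ret != LZMA_OK) && (ret != LZMA_STREAM_END)` only terminates the LZMA path; a zlib return code in the GZIP path that is neither Z_MEM_ERROR nor Z_DATA_ERROR still falls through to the `while` condition, which is exactly what the patch's own FIXME calls fragile. If that branch is known to be fully handled earlier in the loop (not visible here), a sentence saying so next to the FIXME would close the question; otherwise the GZIP side deserves the same explicit exit. xz_decomp continues on both sides of the hunks.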
@@ -0,0 +1,56 @@ +From dd8367da17c2948981a51e52c8a6beb445edf825 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Wed, 11 Jun 2014 16:54:32 +0800 +Subject: Fix regressions introduced by CVE-2014-0191 patch + +A number of issues have been raised after the fix, and this patch +tries to correct all of them, though most were related to +postvalidation. +https://bugzilla.gnome.org/show_bug.cgi?id=730290 +and other reports on list, off-list and on Red Hat bugzilla + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2014-06-13 07:26:26.378947533 -0400 ++++ libxml2-2.9.1+dfsg1/parser.c 2014-06-13 07:26:26.370947533 -0400 +@@ -2595,8 +2595,8 @@ + xmlCharEncoding enc; + + /* +- * Note: external parsed entities will not be loaded, it is +- * not required for a non-validating parser, unless the ++ * Note: external parameter entities will not be loaded, it ++ * is not required for a non-validating parser, unless the + * option of validating, or substituting entities were + * given. 
Doing so is far more secure as the parser will + * only process data coming from the document entity by +@@ -2605,6 +2605,9 @@ + if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && + ((ctxt->options & XML_PARSE_NOENT) == 0) && + ((ctxt->options & XML_PARSE_DTDVALID) == 0) && ++ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) && ++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) && ++ (ctxt->replaceEntities == 0) && + (ctxt->validate == 0)) + return; + +@@ -12609,6 +12612,9 @@ + return(NULL); + } + ++ /* We are loading a DTD */ ++ ctxt->options |= XML_PARSE_DTDLOAD; ++ + /* + * Set-up the SAX context + */ +@@ -12736,6 +12742,9 @@ + return(NULL); + } + ++ /* We are loading a DTD */ ++ ctxt->options |= XML_PARSE_DTDLOAD; ++ + /* + * Set-up the SAX context + */ diff -Nru libxml2-2.9.1+dfsg1/debian/patches/series libxml2-2.9.1+dfsg1/debian/patches/series --- libxml2-2.9.1+dfsg1/debian/patches/series 2013-08-05 03:02:10.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/series 2018-08-14 12:42:33.000000000 +0000 
@@ -5,3 +5,58 @@
 0005-properly-quote-the-namespace-uris-written-out-during.patch
 0006-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch
 0007-Fix-XPath-optimization-with-predicates.patch
+0006-fix-python-multiarch-includes.patch
+xmllint_pretty.patch
+CVE-2014-0191.patch
+lp1321869.patch
+CVE-2014-3660.patch
+CVE-2015-1819.patch
+CVE-2015-7941.patch
+CVE-2015-7942.patch
+CVE-2015-8035.patch
+CVE-2015-5312.patch
+CVE-2015-7497.patch
+CVE-2015-7498.patch
+CVE-2015-7499-1.patch
+CVE-2015-7499-2.patch
+CVE-2015-7500.patch
+CVE-2015-8241.patch
+CVE-2015-8242.patch
+CVE-2015-8317-1.patch
+CVE-2015-8317-2.patch
+CVE-2015-7499-3.patch
+CVE-2015-7499-4.patch
+CVE-2015-8710.patch
+CVE-2016-1762.patch
+CVE-2016-1833-pre.patch
+CVE-2016-1833-pre2.patch
+CVE-2016-1833.patch
+CVE-2016-1834.patch
+CVE-2016-1835.patch
+CVE-2016-1836.patch
+CVE-2016-1837.patch
+CVE-2016-1838.patch
+CVE-2016-1839.patch
+CVE-2016-1840.patch
+CVE-2016-3705.patch
+CVE-2016-4447.patch
+CVE-2016-4449.patch
+CVE-2016-4483.patch
+CVE-2016-3627.patch
+CVE-2016-4448-1.patch
+CVE-2016-4448-2.patch
+CVE-2016-4448-3.patch
+CVE-2016-4658.patch
+CVE-2016-5131-1.patch
+CVE-2016-5131-2.patch
+CVE-2017-0663.patch
+CVE-2017-7375.patch
+CVE-2017-7376.patch
+CVE-2017-9047-9048.patch
+CVE-2017-9049-9050.patch
+CVE-2017-16932.patch
+CVE-2017-15412.patch
+CVE-2016-9318.patch
+CVE-2017-18258.patch
+CVE-2018-14404.patch
+CVE-2018-14567.patch
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/xmllint_pretty.patch libxml2-2.9.1+dfsg1/debian/patches/xmllint_pretty.patch
--- libxml2-2.9.1+dfsg1/debian/patches/xmllint_pretty.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/xmllint_pretty.patch 2013-08-22 20:33:19.000000000 +0000
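Review bot: `0006-fix-python-multiarch-includes.patch` reuses the `0006-` prefix already held by `0006-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch` and is listed after `0007-Fix-XPath-optimization-with-predicates.patch`, so the numeric prefix no longer says anything about application order. Either rename it (together with the file under debian/patches) to the next free number, e.g. `0008-fix-python-multiarch-includes.patch`, or drop the prefix as every other new entry does. The CVE entries are not in chronological order (`CVE-2016-3627.patch` and `CVE-2016-9318.patch` sit among later fixes); if that order is what makes the patches apply cleanly, a `#` comment line in the series saying so would stop the next maintainer from re-sorting them.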
@@ -0,0 +1,21 @@
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -3375,11 +3375,13 @@
+ (!strcmp(argv[i], "--pretty"))) {
+ i++;
+ #ifdef LIBXML_OUTPUT_ENABLED
+- format = atoi(argv[i]);
+- if (format == 1) {
+- noblanks++;
+- xmlKeepBlanksDefault(0);
+- }
++ if (argv[i] != NULL) {
++ format = atoi(argv[i]);
++ if (format == 1) {
++ noblanks++;
++ xmlKeepBlanksDefault(0);
++ }
++ }
+ #endif /* LIBXML_OUTPUT_ENABLED */
+ }
+ #ifdef LIBXML_READER_ENABLED
diff -Nru libxml2-2.9.1+dfsg1/debian/rules libxml2-2.9.1+dfsg1/debian/rules
--- libxml2-2.9.1+dfsg1/debian/rules 2013-07-14 15:58:19.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/rules 2013-12-08 09:30:59.000000000 +0000
@@ -7,8 +7,10 @@
 PYVER=$(shell pyversions -d)
 export DEB_BUILD_MAINT_OPTIONS=hardening=+all
+DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
+CC = $(DEB_HOST_GNU_TYPE)-gcc
 CFLAGS = `dpkg-buildflags --get CFLAGS` -Wall
 LDFLAGS = `dpkg-buildflags --get LDFLAGS` -Wl,--as-needed
 CPPFLAGS = `dpkg-buildflags --get CPPFLAGS`
@@ -29,13 +31,16 @@
 override_dh_auto_configure: $(TARGETS:%=doconfigure-%)
-doconfigure-%:
+debian/autoreconf.after:
+ dh_autoreconf
+
+doconfigure-%: debian/autoreconf.after
 dh_auto_configure --builddirectory=builddir/$* -- $(CONFIGURE_FLAGS)
 doconfigure-main: CONFIGURE_FLAGS += --without-python
 doconfigure-python%: CONFIGURE_FLAGS += --with-python=/usr/bin/$*
-#doconfigure-udeb: CONFIGURE_FLAGS += --without-history --with-minimum --with-tree --with-output
-doconfigure-udeb: CONFIGURE_FLAGS += --without-history --with-tree --with-output
+#doconfigure-udeb: CONFIGURE_FLAGS += --without-history --with-minimum --with-tree --with-output --without-python
+doconfigure-udeb: CONFIGURE_FLAGS += --without-history --with-tree --with-output --without-python
 override_dh_auto_build: $(TARGETS:%=dobuild-%)
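Review bot: The new patch file has no DEP-3 header, so the reason for the guard — `--pretty` given as the last argument makes `i++` land on the terminating NULL of argv, which `atoi(argv[i])` then dereferenced — can only be recovered by reading the hunk. A header of the form `Description: xmllint: do not dereference argv[i] when --pretty is the last argument`, followed by `Author:` and `Forwarded:` lines, would document it. Note also that the guard makes a missing value silently accepted rather than reported as a usage error; that is a reasonable choice but worth stating in the description so nobody later "fixes" it the other way.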
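Review bot: `CC = $(DEB_HOST_GNU_TYPE)-gcc` is a plain make variable that is neither `export`ed nor passed to the `dh_auto_configure`/`dh_auto_build` invocations visible in the later hunks, so unless it is referenced elsewhere in debian/rules it never reaches configure or the compiler and is a no-op; if it is meant to select the cross compiler, `export CC = $(DEB_HOST_GNU_TYPE)-gcc` matches the `export DEB_BUILD_MAINT_OPTIONS` line just above it. `DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)` is recursively expanded, so dpkg-architecture is re-run on every reference, including each `$(shell $(DEB_HOST_GNU_TYPE)-python-config ...)` in the dobuild rules; `include /usr/share/dpkg/architecture.mk` provides the same variables with a single evaluation and honours command-line overrides.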
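Review bot: The commented-out `#doconfigure-udeb:` line is dead code that this change keeps maintaining (it gains `--without-python` as well); either delete it or replace it with a comment stating why `--with-minimum` is not used for the udeb, so the live rule below it is the only place those flags are kept. The new `debian/autoreconf.after` stamp has no prerequisites of its own, so a stamp left over from an earlier build skips `dh_autoreconf` entirely; presumably the clean target runs `dh_autoreconf_clean`, which is not visible here, but it is worth confirming.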
@@ -45,8 +50,11 @@
 dh_auto_build --builddirectory=$(BUILD_DIR) -- $(BUILD_FLAGS)
 dobuild-python%: BUILD_DIR=builddir/main/$*
-dobuild-python%: BUILD_FLAGS = libxml2mod_la_LIBADD='$$(mylibs)'
-dobuild-python%-dbg: BUILD_FLAGS += PYTHON_INCLUDES=/usr/include/$(*:-dbg=_d) \
+dobuild-python%: BUILD_FLAGS = libxml2mod_la_LIBADD='$$(mylibs)' \
+ PYTHON_INCLUDES="$(shell $(DEB_HOST_GNU_TYPE)-python-config --includes)" \
+ PYTHON_LIBS="$(shell $(DEB_HOST_GNU_TYPE)-python-config --ldflags)"
+dobuild-python%-dbg: BUILD_FLAGS += PYTHON_INCLUDES="$(shell $(DEB_HOST_GNU_TYPE)-python-dbg-config --includes)" \
+ PYTHON_LIBS="$(shell $(DEB_HOST_GNU_TYPE)-python-dbg-config --ldflags)" \
 CFLAGS="$(CFLAGS) -Wall -g -O0" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS) \
 -L$(CURDIR)/debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)"
 build-arch: $(TARGETS:%=dobuild-%)
@@ -82,7 +90,7 @@
 doinstall-python%-dbg:
 $(MAKE) -C builddir/main/python$*-dbg DESTDIR=$(CURDIR)/debian/tmp-dbg install-pythonLTLIBRARIES
- prename 's/(?
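Review bot: The `PYTHON_INCLUDES`/`PYTHON_LIBS` values for `dobuild-python%` come from `$(DEB_HOST_GNU_TYPE)-python-config`, i.e. the default interpreter, while the stem `$*` (already used for `BUILD_DIR=builddir/main/$*`) names the interpreter actually being built for; if `TARGETS` ever lists more than one Python version, all of them are compiled against the default version's headers and linked with its ldflags. If per-version wrappers exist on the target release, `$(DEB_HOST_GNU_TYPE)-$*-config` (and the matching `-dbg` variant) would tie the flags to the stem; otherwise a comment stating that only the `pyversions -d` interpreter is supported would at least make the assumption visible. Each `$(shell ...)` here runs when `$(BUILD_FLAGS)` is expanded inside the recipe, so a failing python-config produces an empty value and a confusing compile error rather than an early failure.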