diffstat of debian/ for libxml2_2.9.4+dfsg1-4 libxml2_2.9.4+dfsg1-4ubuntu1.2 changelog | 23 +++++++++ control | 19 +++++++ patches/CVE-2017-15412.patch | 33 +++++++++++++ patches/CVE-2017-16932.patch | 105 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 2 rules | 9 ++- 6 files changed, 186 insertions(+), 5 deletions(-)
diff -Nru libxml2-2.9.4+dfsg1/debian/changelog libxml2-2.9.4+dfsg1/debian/changelog
--- libxml2-2.9.4+dfsg1/debian/changelog 2017-09-04 09:46:04.000000000 +0000
+++ libxml2-2.9.4+dfsg1/debian/changelog 2017-12-11 16:30:29.000000000 +0000
@@ -1,3 +1,26 @@
+libxml2 (2.9.4+dfsg1-4ubuntu1.2) artful-security; urgency=medium
+
+ * SECURITY UPDATE: use after-free in xmlXPathCompOpEvalPositionPredicate
+ - debian/patches/CVE-2017-15412.patch: fix XPath stack frame logic in
+ xpath.c.
+ - CVE-2017-15412
+
+ -- Leonidas S. Barbosa Mon, 11 Dec 2017 13:30:29 -0300
+
+libxml2 (2.9.4+dfsg1-4ubuntu1.1) artful-security; urgency=medium
+
+ * SECURITY UPDATE: infinite recursion in parameter entities
+ - CVE-2017-16932
+
+ -- Leonidas S. Barbosa Mon, 04 Dec 2017 15:22:50 -0300
+
+libxml2 (2.9.4+dfsg1-4ubuntu1) artful; urgency=medium
+
+ * Fix FTBFS: Fix debhelper -p and -N flags.
+ *
+
+ -- Matthias Klose Wed, 11 Oct 2017 11:06:37 +0200
+
 libxml2 (2.9.4+dfsg1-4) unstable; urgency=medium
 * Team upload.
diff -Nru libxml2-2.9.4+dfsg1/debian/control libxml2-2.9.4+dfsg1/debian/control
--- libxml2-2.9.4+dfsg1/debian/control 2017-09-04 09:43:44.000000000 +0000
+++ libxml2-2.9.4+dfsg1/debian/control 2017-12-04 18:22:50.000000000 +0000
@@ -1,7 +1,8 @@
 Source: libxml2
 Priority: optional
 Section: libs
-Maintainer: Debian XML/SGML Group
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian XML/SGML Group
 Uploaders: Aron Xu , YunQiang Su ,
@@ -205,3 +206,19 @@
 .
 This package contains the files needed to use the GNOME XML library in Python3 programs for use with the Python3 debug interpreter.
+
+Package: libxml2-udeb
+XC-Package-Type: udeb
+Architecture: any
+Section: debian-installer
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: GNOME XML library - minimal runtime
+ XML is a metalanguage to let you design your own markup language.
+ A regular markup language defines a way to describe information in
+ a certain class of documents (eg HTML). XML lets you define your
+ own customized markup languages for many classes of document. It
+ can do this because it's written in SGML, the international standard
+ metalanguage for markup languages.
+ .
+ This is a minimal package for use in debian-installer that yields a
+ library providing an extensive API to handle such XML data files.
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/CVE-2017-15412.patch libxml2-2.9.4+dfsg1/debian/patches/CVE-2017-15412.patch
--- libxml2-2.9.4+dfsg1/debian/patches/CVE-2017-15412.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.4+dfsg1/debian/patches/CVE-2017-15412.patch 2017-12-11 16:30:14.000000000 +0000
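Review bot: The libxml2-udeb stanza is appended at the end of debian/control, and the non-udeb branch of debian/rules in the same upload strips it with `sed -i /libxml2-udeb/,\$$d debian/control`, a range from the first line matching libxml2-udeb to end of file, so the build only stays correct while this stanza remains the last one and no earlier line in control mentions libxml2-udeb; nothing in the hunk documents that coupling. Suggest a comment line directly above `Package: libxml2-udeb`, e.g. `# Keep this stanza last: debian/rules removes it with a sed range to EOF when the udeb is not built.`, so a later reordering or a Breaks/Replaces entry naming libxml2-udeb elsewhere does not silently truncate control. That the hunk sits at end of file is inferred from the absence of trailing context lines.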
@@ -0,0 +1,33 @@
+From 0f3b843b3534784ef57a4f9b874238aa1fda5a73 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Thu, 1 Jun 2017 23:12:19 +0200
+Subject: Fix XPath stack frame logic
+
+Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in
+xmlXPathCompOpEvalPositionalPredicate to make sure that the context
+object on the stack is actually protected. Otherwise, memory corruption
+can occur when calling sloppily coded XPath extension functions.
+
+Fixes bug 783160.
+---
+ xpath.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: libxml2-2.9.4+dfsg1/xpath.c
+===================================================================
+--- libxml2-2.9.4+dfsg1.orig/xpath.c
++++ libxml2-2.9.4+dfsg1/xpath.c
+@@ -11915,11 +11915,11 @@ xmlXPathCompOpEvalPositionalPredicate(xm
+ }
+ }
+
+- frame = xmlXPathSetFrame(ctxt);
+ valuePush(ctxt, contextObj);
++ frame = xmlXPathSetFrame(ctxt);
+ res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
+- tmp = valuePop(ctxt);
+ xmlXPathPopFrame(ctxt, frame);
++ tmp = valuePop(ctxt);
+
+ if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+ while (tmp != contextObj) {
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/CVE-2017-16932.patch libxml2-2.9.4+dfsg1/debian/patches/CVE-2017-16932.patch
--- libxml2-2.9.4+dfsg1/debian/patches/CVE-2017-16932.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.4+dfsg1/debian/patches/CVE-2017-16932.patch 2017-12-04 18:22:43.000000000 +0000
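Review bot: The new patch file records no DEP-3 provenance: its header keeps the upstream From/Date/Subject lines and `Fixes bug 783160.`, but unlike CVE-2017-16932.patch it has no `Backport of:` marker, no `Origin:` line and no mention of CVE-2017-15412, which appears only in the file name and debian/changelog, while the `Index:` line suggests the hunk was refreshed rather than applied verbatim. Suggest prepending `Origin: upstream, 0f3b843b3534784ef57a4f9b874238aa1fda5a73` (or `backport, ...` if the hunk was adapted) and a one-line description naming CVE-2017-15412, so the next rebase can check the reordering of xmlXPathSetFrame/valuePush and xmlXPathPopFrame/valuePop against upstream. xmlXPathCompOpEvalPositionalPredicate starts and ends outside the inner hunk, so the cleanup loop that begins at `while (tmp != contextObj) {` could not be reviewed here.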
@@ -0,0 +1,105 @@
+Backport of:
+
+From 899a5d9f0ed13b8e32449a08a361e0de127dd961 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Tue, 25 Jul 2017 14:59:49 +0200
+Subject: [PATCH] Detect infinite recursion in parameter entities
+
+When expanding a parameter entity in a DTD, infinite recursion could
+lead to an infinite loop or memory exhaustion.
+
+Thanks to Wei Lei for the first of many reports.
+
+Fixes bug 759579.
+
+---
+ parser.c | 13 +++++++++++--
+ result/errors/759579.xml | 0
+ result/errors/759579.xml.err | 6 ++++++
+ result/errors/759579.xml.str | 7 +++++++
+ test/errors/759579.xml | 11 +++++++++++
+ 5 files changed, 35 insertions(+), 2 deletions(-)
+ create mode 100644 result/errors/759579.xml
+ create mode 100644 result/errors/759579.xml.err
+ create mode 100644 result/errors/759579.xml.str
+ create mode 100644 test/errors/759579.xml
+
+diff --git a/parser.c b/parser.c
+index 7f33bb9..036308a 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2238,6 +2238,13 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) {
+ xmlGenericError(xmlGenericErrorContext,
+ "Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur);
+ }
++ if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) ||
++ (ctxt->inputNr > 1024)) {
++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++ while (ctxt->inputNr > 1)
++ xmlFreeInputStream(inputPop(ctxt));
++ return(-1);
++ }
+ ret = inputPush(ctxt, input);
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(-1);
+@@ -8140,8 +8147,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ * c.f.
http://www.w3.org/TR/REC-xml#as-PE
+ */
+ input = xmlNewEntityInputStream(ctxt, entity);
+- if (xmlPushInput(ctxt, input) < 0)
+- return;
++ if (xmlPushInput(ctxt, input) < 0) {
++ xmlFreeInputStream(input);
++ return;
++ }
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ (CMP5(CUR_PTR, '<', '?', 'x', 'm', 'l')) &&
+ (IS_BLANK_CH(NXT(5)))) {
+diff --git a/result/errors/759579.xml b/result/errors/759579.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors/759579.xml.err b/result/errors/759579.xml.err
+new file mode 100644
+index 0000000..288026e
+--- /dev/null
++++ b/result/errors/759579.xml.err
+@@ -0,0 +1,6 @@
++Entity: line 2: parser error : Detected an entity reference loop
++ %z; %z; %z; %z; %z;
++ ^
++Entity: line 2:
++ %z; %z; %z; %z; %z;
++ ^
+diff --git a/result/errors/759579.xml.str b/result/errors/759579.xml.str
+new file mode 100644
+index 0000000..09408f5
+--- /dev/null
++++ b/result/errors/759579.xml.str
+@@ -0,0 +1,7 @@
++Entity: line 2: parser error : Detected an entity reference loop
++ %z; %z; %z; %z; %z;
++ ^
++Entity: line 2:
++ %z; %z; %z; %z; %z;
++ ^
++./test/errors/759579.xml : failed to parse
+diff --git a/test/errors/759579.xml b/test/errors/759579.xml
+new file mode 100644
+index 0000000..7fadd70
+--- /dev/null
++++ b/test/errors/759579.xml
+@@ -0,0 +1,11 @@
++
++ %z;
++]>
++
+--
+2.7.4
+
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/series libxml2-2.9.4+dfsg1/debian/patches/series
--- libxml2-2.9.4+dfsg1/debian/patches/series 2017-08-20 11:49:49.000000000 +0000
+++ libxml2-2.9.4+dfsg1/debian/patches/series 2017-12-11 16:30:06.000000000 +0000
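Review bot: The `xmlFreeInputStream(input)` added to xmlParsePEReference's error path frees the input on every negative return from xmlPushInput, yet only the new entity-loop branch in the first hunk bails out before `inputPush(ctxt, input)` takes the input; the pre-existing `if (ctxt->instate == XML_PARSER_EOF) return(-1);` that follows the push (context lines of the first hunk) reports failure after the input has presumably been stored in ctxt->inputTab, so the caller's free would leave a dangling stack entry, and if inputPush itself frees the input on allocation failure (not visible here, worth confirming) it becomes a double free. A narrower fix keeps ownership inside xmlPushInput: add `xmlFreeInputStream(input);` before the new branch's `return(-1);` and keep the caller's original `return;`, which would also cover any other xmlPushInput callers this backport leaves untouched. The 40 and 1024 depth limits are bare literals in a security check and deserve a named constant beside the parser's other limits. Both xmlPushInput and xmlParsePEReference start and end outside their hunks.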
@@ -11,3 +11,5 @@
 0011-Fix-handling-of-parameter-entity-references.patch
 0012-Fix-buffer-size-checks-in-xmlSnprintfElementContent.patch
 0013-Fix-type-confusion-in-xmlValidateOneNamespace.patch
+CVE-2017-16932.patch
+CVE-2017-15412.patch
diff -Nru libxml2-2.9.4+dfsg1/debian/rules libxml2-2.9.4+dfsg1/debian/rules
--- libxml2-2.9.4+dfsg1/debian/rules 2017-07-04 19:55:22.000000000 +0000
+++ libxml2-2.9.4+dfsg1/debian/rules 2017-10-11 09:06:37.000000000 +0000
@@ -32,7 +32,6 @@
 TARGETS += udeb
 else
 $(if $(shell grep -q libxml2-udeb debian/control && echo yes),$(shell sed -i /libxml2-udeb/,\$$d debian/control))
-export DH_OPTIONS = -Nlibxml2-udeb
 endif
 CONFIGURE_FLAGS := --disable-silent-rules --with-history --cache-file="$(CURDIR)/builddir/config.cache"
@@ -97,7 +96,7 @@
 doinstall-python%-dbg:
 $(MAKE) -C builddir/main/python$(*)-dbg DESTDIR=$(CURDIR)/debian/tmp-dbg install-pythonLTLIBRARIES
- prename -vf 's/(?