Package: libxml2 / 2.9.4+dfsg1-7+deb10u2

Metadata

Package:        libxml2
Version:        2.9.4+dfsg1-7+deb10u2
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description

0001 modify xml2 config and pkgconfig behaviour.patch

configure.ac | 2 1 + 1 - 0 !
libxml-2.0-uninstalled.pc.in | 3 2 + 1 - 0 !
xml2-config.1 | 4 4 + 0 - 0 !
xml2-config.in | 22 10 + 12 - 0 !
4 files changed, 17 insertions(+), 14 deletions(-)

Modify xml2-config and pkgconfig behaviour

0002 fix python multiarch includes.patch

python/Makefile.am | 2 1 + 1 - 0 !
python/Makefile.in | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

Fix python multiarch includes

0003 Fix NULL pointer deref in XPointer range to.patch

result/XPath/xptr/viderror | 4 4 + 0 - 0 !
test/XPath/xptr/viderror | 1 1 + 0 - 0 !
xpath.c | 7 6 + 1 - 0 !
3 files changed, 11 insertions(+), 1 deletion(-)

Fix NULL pointer deref in XPointer range-to

- Check for errors after evaluating first operand.
- Add sanity check for empty stack.

Found with afl-fuzz.

0004 Fix comparison with root node in xmlXPathCmpNodes.patch

xpath.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

[PATCH] Fix comparison with root node in xmlXPathCmpNodes

This change has already been made in xmlXPathCmpNodesExt but not in
xmlXPathCmpNodes.

0005 Fix XPointer paths beginning with range to.patch

xpath.c | 7 6 + 1 - 0 !
xpointer.c | 76 6 + 70 - 0 !
2 files changed, 12 insertions(+), 71 deletions(-)

[PATCH] Fix XPointer paths beginning with range-to

The old code would invoke the broken xmlXPtrRangeToFunction. range-to
isn't really a function but a special kind of location step. Remove
this function and always handle range-to in the XPath code.

The old xmlXPtrRangeToFunction could also be abused to trigger a
use-after-free error with the potential for remote code execution.

Found with afl-fuzz.

Fixes CVE-2016-5131.

0006 Disallow namespace nodes in XPointer ranges.patch

xpointer.c | 149 56 + 93 - 0 !
1 file changed, 56 insertions(+), 93 deletions(-)

[PATCH] Disallow namespace nodes in XPointer ranges

Namespace nodes must be copied to avoid use-after-free errors.
But they don't necessarily have a physical representation in a
document, so simply disallow them in XPointer ranges.

Found with afl-fuzz.

Fixes CVE-2016-4658.

0007 Fix more NULL pointer derefs in xpointer.c.patch

xpointer.c | 12 7 + 5 - 0 !
1 file changed, 7 insertions(+), 5 deletions(-)

[PATCH] Fix more NULL pointer derefs in xpointer.c

Found with afl-fuzz.

0008 Fix attribute decoding during XML schema validation.patch

xmlschemas.c | 30 25 + 5 - 0 !
1 file changed, 25 insertions(+), 5 deletions(-)

[PATCH] Fix attribute decoding during XML schema validation

For https://bugzilla.gnome.org/show_bug.cgi?id=766834

vctxt->parserCtxt is always NULL in xmlSchemaSAXHandleStartElementNs,
so this function can't call xmlStringLenDecodeEntities to decode the
entities.

0009 Increase buffer space for port in HTTP redirect supp.patch

nanohttp.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

Increase buffer space for port in HTTP redirect support

0010 Prevent unwanted external entity reference.patch

parser.c | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

Prevent unwanted external entity reference

0011 Fix handling of parameter entity references.patch

Makefile.am | 18 18 + 0 - 0 !
parser.c | 18 10 + 8 - 0 !
result/errors10/781205.xml.err | 21 21 + 0 - 0 !
result/errors10/781361.xml.err | 13 13 + 0 - 0 !
result/valid/766956.xml.err | 9 9 + 0 - 0 !
result/valid/766956.xml.err.rdr | 10 10 + 0 - 0 !
runtest.c | 3 3 + 0 - 0 !
test/errors10/781205.xml | 3 3 + 0 - 0 !
test/errors10/781361.xml | 3 3 + 0 - 0 !
test/valid/766956.xml | 2 2 + 0 - 0 !
test/valid/dtds/766956.dtd | 2 2 + 0 - 0 !
11 files changed, 94 insertions(+), 8 deletions(-)

Fix handling of parameter-entity references

0012 Fix buffer size checks in xmlSnprintfElementContent.patch

result/valid/781333.xml | 5 5 + 0 - 0 !
result/valid/781333.xml.err | 3 3 + 0 - 0 !
result/valid/781333.xml.err.rdr | 6 6 + 0 - 0 !
test/valid/781333.xml | 4 4 + 0 - 0 !
valid.c | 20 11 + 9 - 0 !
5 files changed, 29 insertions(+), 9 deletions(-)

Fix buffer size checks in xmlSnprintfElementContent

0013 Fix type confusion in xmlValidateOneNamespace.patch

valid.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

Fix type confusion in xmlValidateOneNamespace

0014 Fix NULL pointer deref in xmlDumpElementContent.patch

valid.c | 24 14 + 10 - 0 !
1 file changed, 14 insertions(+), 10 deletions(-)

Fix NULL pointer deref in xmlDumpElementContent

0015 Check for integer overflow in memory debug code.patch

xmlmemory.c | 21 21 + 0 - 0 !
1 file changed, 21 insertions(+)

Check for integer overflow in memory debug code

0016 Fix copy paste errors in error messages.patch

xmlmemory.c | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

Fix copy-paste errors in error messages

0017 python remove single use of _PyVerify_fd.patch

python/types.c | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

python: remove single use of _PyVerify_fd

0018 Fix XPath stack frame logic.patch

xpath.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

Fix XPath stack frame logic

0019 CVE 2017 8872.patch

parser.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

Out-of-bounds read in htmlParseTryOrFinish

0020 CVE 2017 18258.patch

xzlib.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

[PATCH] Set memory limit for LZMA decompression

Otherwise malicious LZMA compressed files could consume large amounts
of memory when decompressed.

According to the xz man page, files compressed with `xz -9` currently
require 65 MB to decompress, so set the limit to 100 MB.

Should fix bug 786696.

0021 CVE 2018 14404.patch

xpath.c | 10 4 + 6 - 0 !
1 file changed, 4 insertions(+), 6 deletions(-)

[PATCH] Fix nullptr deref with XPath logic ops

If the XPath stack is corrupted, for example by a misbehaving extension
function, the "and" and "or" XPath operators could dereference NULL
pointers. Check that the XPath stack isn't empty and optimize the
logic operators slightly.

Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5

Also see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
https://bugzilla.redhat.com/show_bug.cgi?id=1595985

This is CVE-2018-14404.

Thanks to Guy Inbar for the report.

0022 CVE 2018 14567.patch

xzlib.c | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

[PATCH] Fix infinite loop in LZMA decompression

Check the liblzma error code more thoroughly to avoid infinite loops.

Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914

This is CVE-2018-9251 and CVE-2018-14567.

Thanks to Dongliang Mu and Simon Wörner for the reports.

0023 CVE 2019 19956.patch

parser.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

[PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover

When doc is NULL, the namespace created in xmlTreeEnsureXMLDecl
is bound to newDoc->oldNs; in this case, setting newDoc->oldNs to
NULL and freeing newDoc will cause a memory leak.

Found with libFuzzer.

Closes #82.

0024 CVE 2019 20388.patch

xmlschemas.c | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

[PATCH] Fix memory leak in xmlSchemaValidateStream

When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun
allocates a new schema for ctxt->schema and sets vctxt->xsiAssemble
to 1. Then xmlSchemaVStart->xmlSchemaPreRun initializes
vctxt->xsiAssemble to 0 again, which causes the allocated schema
to never be freed.

Found with libFuzzer.

Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>

0025 CVE 2020 7595.patch

parser.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

[PATCH] Fix infinite loop in xmlStringLenDecodeEntities

When ctxt->instate == XML_PARSER_EOF, xmlParseStringEntityRef
returns NULL, which causes an infinite loop in xmlStringLenDecodeEntities.

Found with libFuzzer.

Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>

Fix out of bounds read with xmllint htmlout.patch

xmllint.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

Fix out-of-bounds read with 'xmllint --htmlout'

Fix use after free with xmllint html push.patch

xmllint.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

Fix use-after-free with `xmllint --html --push`

Validate UTF8 in xmlEncodeEntities.patch

entities.c | 16 15 + 1 - 0 !
1 file changed, 15 insertions(+), 1 deletion(-)

Validate UTF8 in xmlEncodeEntities

Fix user after free with xmllint xinclude dropdtd.patch

xinclude.c | 5 2 + 3 - 0 !
1 file changed, 2 insertions(+), 3 deletions(-)

Fix use-after-free with `xmllint --xinclude --dropdtd`

Propagate error in xmlParseElementChildrenContentDec.patch

parser.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

Propagate error in xmlParseElementChildrenContentDeclPriv

Patch for security issue CVE 2021 3541.patch

parser.c | 26 26 + 0 - 0 !
1 file changed, 26 insertions(+)

Patch for security issue CVE-2021-3541