diff -Nru libxml2-2.9.1+dfsg1/debian/changelog libxml2-2.9.1+dfsg1/debian/changelog
--- libxml2-2.9.1+dfsg1/debian/changelog 2015-11-13 13:58:39.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/changelog 2015-12-09 17:00:30.000000000 +0000
@@ -1,3 +1,41 @@ +libxml2 (2.9.1+dfsg1-3ubuntu4.6) trusty-security; urgency=medium + + * SECURITY UPDATE: denial of service via entity expansion issue + - debian/patches/CVE-2015-5312.patch: properly exit when entity + expansion is detected in parser.c. + - CVE-2015-5312 + * SECURITY UPDATE: heap buffer overflow in xmlDictComputeFastQKey + - debian/patches/CVE-2015-7497.patch: check offset in dict.c. + - CVE-2015-7497 + * SECURITY UPDATE: denial of service via encoding conversion failures + - debian/patches/CVE-2015-7498.patch: avoid processing entities after + encoding conversion failures in parser.c. + - CVE-2015-7498 + * SECURITY UPDATE: out of bounds read in xmlGROW + - debian/patches/CVE-2015-7499-1.patch: add xmlHaltParser() to stop the + parser in parser.c. + - debian/patches/CVE-2015-7499-2.patch: check input in parser.c. + - CVE-2015-7499 + * SECURITY UPDATE: out of bounds read in xmlParseMisc + - debian/patches/CVE-2015-7500.patch: check entity boundaries in + parser.c. + - CVE-2015-7500 + * SECURITY UPDATE: denial of service via extra processing of MarkupDecl + - debian/patches/CVE-2015-8241.patch: add extra EOF check in parser.c. + - CVE-2015-8241 + * SECURITY UPDATE: buffer overead with HTML parser in push mode + - debian/patches/CVE-2015-8242.patch: use pointer in the input in + HTMLparser.c. + - CVE-2015-8242 + * SECURITY UPDATE: denial of service via encoding failures + - debian/patches/CVE-2015-8317-1.patch: do not process encoding values + if the declaration is broken in parser.c. + - debian/patches/CVE-2015-8317-2.patch: fail parsing if the encoding + conversion failed in parser.c. 
+ - CVE-2015-8317 + + -- Marc Deslauriers Wed, 09 Dec 2015 12:00:30 -0500 + libxml2 (2.9.1+dfsg1-3ubuntu4.5) trusty-security; urgency=medium * SECURITY UPDATE: denial of service via XEE attack diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-5312.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-5312.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-5312.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-5312.patch 2015-12-09 16:58:09.000000000 +0000 @@ -0,0 +1,29 @@ +From 69030714cde66d525a8884bda01b9e8f0abf8e1e Mon Sep 17 00:00:00 2001 +From: David Drysdale +Date: Fri, 20 Nov 2015 11:13:45 +0800 +Subject: CVE-2015-5312 Another entity expansion issue + +For https://bugzilla.gnome.org/show_bug.cgi?id=756733 +It is one case where the code in place to detect entities expansions +failed to exit when the situation was detected, leading to DoS +Problem reported by Kostya Serebryany @ Google +Patch provided by David Drysdale @ Google +--- + parser.c | 4 ++++ + 1 file changed, 4 insertions(+) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 11:58:07.110986471 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 11:58:07.110986471 -0500 +@@ -2801,6 +2801,10 @@ + 0, 0, 0); + ctxt->depth--; + ++ if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) || ++ (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR)) ++ goto int_error; ++ + if (rep != NULL) { + current = rep; + while (*current != 0) { /* non input consuming loop */ diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7497.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7497.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7497.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7497.patch 2015-12-09 16:58:15.000000000 +0000 
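Review bot: The new `goto int_error` after `ctxt->depth--` hands `rep` (the value produced by the call whose tail `0, 0, 0);` opens the hunk) to whatever the `int_error` label does, and that label is outside the hunk; if it only releases the outer buffer, the expanded text leaks on this new path, so confirm the label frees `rep` before accepting the backport. Testing `ctxt->lastError.code` rather than `ctxt->instate` also means the bail-out relies on no later error having overwritten lastError between the recursive call and this point, which deserves a one-line comment such as `/* a loop or internal error inside the recursive expansion is recorded in lastError; leave before consuming rep */`. The enclosing function starts and ends outside the hunk.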
@@ -0,0 +1,32 @@ +From 6360a31a84efe69d155ed96306b9a931a40beab9 Mon Sep 17 00:00:00 2001 +From: David Drysdale +Date: Fri, 20 Nov 2015 10:47:12 +0800 +Subject: CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey + +For https://bugzilla.gnome.org/show_bug.cgi?id=756528 +It was possible to hit a negative offset in the name indexing +used to randomize the dictionary key generation +Reported and fix provided by David Drysdale @ Google +--- + dict.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/dict.c b/dict.c +index 5f71d55..8c8f931 100644 +--- a/dict.c ++++ b/dict.c +@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen, + value += 30 * (*prefix); + + if (len > 10) { +- value += name[len - (plen + 1 + 1)]; ++ int offset = len - (plen + 1 + 1); ++ if (offset < 0) ++ offset = len - (10 + 1); ++ value += name[offset]; + len = 10; + if (plen > 10) + plen = 10; +-- +cgit v0.11.2 + diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7498.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7498.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7498.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7498.patch 2015-12-09 16:58:25.000000000 +0000 
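Review bot: The fallback `offset = len - (10 + 1)` is only in bounds because of the enclosing `if (len > 10)`, and nothing in the hunk says so, leaving the reader to reconstruct why 11 is safe. Suggest a comment on the fallback: `/* plen is too large for the usual lookback; len > 10 here, so len - 11 is always a valid index into name */`. The fix still assumes `name` holds at least `len` bytes, which is the caller's contract for xmlDictComputeFastQKey and is not checked here. xmlDictComputeFastQKey starts and ends outside the hunk.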
@@ -0,0 +1,79 @@ +From afd27c21f6b36e22682b7da20d726bce2dcb2f43 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 9 Nov 2015 18:07:18 +0800 +Subject: Avoid processing entities after encoding conversion failures + +For https://bugzilla.gnome.org/show_bug.cgi?id=756527 +and was also raised by Chromium team in the past + +When we hit a convwersion failure when switching encoding +it is bestter to stop parsing there, this was treated as a +fatal error but the parser was continuing to process to extract +more errors, unfortunately that makes little sense as the data +is obviously corrupt and can potentially lead to unexpected behaviour. +--- + parser.c | 7 +++++-- + parserInternals.c | 11 ++++++++++- + 2 files changed, 15 insertions(+), 3 deletions(-) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 11:58:21.915129571 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 11:58:21.903129455 -0500 +@@ -10593,7 +10593,8 @@ + xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n"); + } + xmlParseEncodingDecl(ctxt); +- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { ++ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || ++ (ctxt->instate == XML_PARSER_EOF)) { + /* + * The XML REC instructs us to stop parsing right here + */ +@@ -10717,6 +10718,7 @@ + + if (CUR == 0) { + xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL); ++ return(-1); + } + + /* +@@ -10734,7 +10736,8 @@ + * Note that we will switch encoding on the fly. 
+ */ + xmlParseXMLDecl(ctxt); +- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { ++ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || ++ (ctxt->instate == XML_PARSER_EOF)) { + /* + * The XML REC instructs us to stop parsing right here + */ +Index: libxml2-2.9.1+dfsg1/parserInternals.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parserInternals.c 2015-12-09 11:58:21.915129571 -0500 ++++ libxml2-2.9.1+dfsg1/parserInternals.c 2015-12-09 11:58:21.907129494 -0500 +@@ -937,6 +937,7 @@ + { + xmlCharEncodingHandlerPtr handler; + int len = -1; ++ int ret; + + if (ctxt == NULL) return(-1); + switch (enc) { +@@ -1097,7 +1098,15 @@ + if (handler == NULL) + return(-1); + ctxt->charset = XML_CHAR_ENCODING_UTF8; +- return(xmlSwitchToEncodingInt(ctxt, handler, len)); ++ ret = xmlSwitchToEncodingInt(ctxt, handler, len); ++ if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) { ++ /* ++ * on encoding conversion errors, stop the parser ++ */ ++ xmlStopParser(ctxt); ++ ctxt->errNo = XML_I18N_CONV_FAILED; ++ } ++ return(ret); + } + + /** diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-1.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-1.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-1.patch 2015-12-09 16:58:34.000000000 +0000 
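Review bot: In the parserInternals.c hunk at `@@ -1097,7 +1098,15 @@`, a non-negative `ret` with `ctxt->errNo == XML_I18N_CONV_FAILED` halts the parser but is still returned as success, so a caller that checks only the return value of xmlSwitchEncoding carries on with a stopped context. The parser.c hunks in this patch cope by testing `ctxt->instate == XML_PARSER_EOF` after the encoding switch, and every other caller has to do the same; that contract belongs in a comment at the `return(ret)`, e.g. `/* ret >= 0 does not prove the switch succeeded: callers must also check ctxt->instate == XML_PARSER_EOF */`. The `errNo` test can also match a conversion failure recorded before this call, since errNo is not reset first — confirm that is intended. xmlSwitchEncoding starts outside the hunk.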
@@ -0,0 +1,78 @@ +From 28cd9cb747a94483f4aea7f0968d202c20bb4cfc Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 20 Nov 2015 14:55:30 +0800 +Subject: Add xmlHaltParser() to stop the parser + +The problem is doing it in a consistent and safe fashion +It's more complex than just setting ctxt->instate = XML_PARSER_EOF +Update the public function to reuse that new internal routine +--- + parser.c | 34 +++++++++++++++++++++++++++++----- + 1 file changed, 29 insertions(+), 5 deletions(-) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 11:58:32.055227430 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 11:58:32.051227393 -0500 +@@ -94,6 +94,8 @@ + xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, + const xmlChar *base, xmlParserCtxtPtr pctx); + ++static void xmlHaltParser(xmlParserCtxtPtr ctxt); ++ + /************************************************************************ + * * + * Arbitrary limits set in the parser. 
See XML_PARSE_HUGE * +@@ -12542,25 +12544,47 @@ + #endif /* LIBXML_PUSH_ENABLED */ + + /** +- * xmlStopParser: ++ * xmlHaltParser: + * @ctxt: an XML parser context + * +- * Blocks further parser processing ++ * Blocks further parser processing don't override error ++ * for internal use + */ +-void +-xmlStopParser(xmlParserCtxtPtr ctxt) { ++static void ++xmlHaltParser(xmlParserCtxtPtr ctxt) { + if (ctxt == NULL) + return; + ctxt->instate = XML_PARSER_EOF; +- ctxt->errNo = XML_ERR_USER_STOP; + ctxt->disableSAX = 1; + if (ctxt->input != NULL) { ++ /* ++ * in case there was a specific allocation deallocate before ++ * overriding base ++ */ ++ if (ctxt->input->free != NULL) { ++ ctxt->input->free((xmlChar *) ctxt->input->base); ++ ctxt->input->free = NULL; ++ } + ctxt->input->cur = BAD_CAST""; + ctxt->input->base = ctxt->input->cur; + } + } + + /** ++ * xmlStopParser: ++ * @ctxt: an XML parser context ++ * ++ * Blocks further parser processing ++ */ ++void ++xmlStopParser(xmlParserCtxtPtr ctxt) { ++ if (ctxt == NULL) ++ return; ++ xmlHaltParser(ctxt); ++ ctxt->errNo = XML_ERR_USER_STOP; ++} ++ ++/** + * xmlCreateIOParserCtxt: + * @sax: a SAX handler + * @user_data: The user data returned on SAX callbacks diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-2.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-2.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-2.patch 2015-12-09 16:58:39.000000000 +0000 
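Review bot: xmlHaltParser resets `ctxt->input->cur` and `ctxt->input->base` to the static empty string but leaves `ctxt->input->end` pointing into the buffer it may have just released through `ctxt->input->free`, so any later `cur`/`end` comparison or `end - cur` length computation on a halted context works on a dangling pointer. Add `ctxt->input->end = ctxt->input->cur;` directly after the `base` assignment so the three pointers describe the same empty buffer. This matters for the companion CVE-2015-7499-2 hunk, which compares `cur` against `end` inside xmlGROW after exactly this kind of halt. The whole of xmlHaltParser is within the hunk; the new xmlStopParser only delegates to it and then sets errNo.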
@@ -0,0 +1,33 @@ +From 35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 20 Nov 2015 15:04:09 +0800 +Subject: Detect incoherency on GROW + +the current pointer to the input has to be between the base and end +if not stop everything we have an internal state error. +--- + parser.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 11:58:37.995284698 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 11:58:37.995284698 -0500 +@@ -2072,9 +2072,16 @@ + ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) && + ((ctxt->options & XML_PARSE_HUGE) == 0)) { + xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup"); +- ctxt->instate = XML_PARSER_EOF; ++ xmlHaltParser(ctxt); ++ return; + } + xmlParserInputGrow(ctxt->input, INPUT_CHUNK); ++ if ((ctxt->input->cur > ctxt->input->end) || ++ (ctxt->input->cur < ctxt->input->base)) { ++ xmlHaltParser(ctxt); ++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound"); ++ return; ++ } + if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) && + (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) + xmlPopInput(ctxt); diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7500.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7500.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7500.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7500.patch 2015-12-09 16:58:48.000000000 +0000 
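Review bot: In the new `cur`/`end` bounds check, `xmlHaltParser(ctxt)` runs before `xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound")`, whereas the "Huge input lookup" branch just above reports first and halts second. If xmlFatalErr discards messages once `disableSAX` is set and `instate` is XML_PARSER_EOF (it is defined outside the hunk — confirm), the new internal error is never recorded and errNo stays unset, so the halt is indistinguishable from a clean end of input for the caller. Swapping the two lines, `xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound"); xmlHaltParser(ctxt);`, makes the two branches consistent. xmlGROW starts outside the hunk.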
@@ -0,0 +1,105 @@ +From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 20 Nov 2015 16:06:59 +0800 +Subject: CVE-2015-7500 Fix memory access error due to incorrect entities + boundaries + +For https://bugzilla.gnome.org/show_bug.cgi?id=756525 +handle properly the case where we popped out of the current entity +while processing a start tag +Reported by Kostya Serebryany @ Google + +This slightly modifies the output of 754946 in regression tests +--- + parser.c | 28 ++++++++++++++++++++++------ + result/errors/754946.xml.err | 7 +++++-- + 2 files changed, 27 insertions(+), 8 deletions(-) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 11:58:46.323364918 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 11:58:46.319364879 -0500 +@@ -9302,7 +9302,7 @@ + const xmlChar **atts = ctxt->atts; + int maxatts = ctxt->maxatts; + int nratts, nbatts, nbdef; +- int i, j, nbNs, attval, oldline, oldcol; ++ int i, j, nbNs, attval, oldline, oldcol, inputNr; + const xmlChar *base; + unsigned long cur; + int nsNr = ctxt->nsNr; +@@ -9321,6 +9321,7 @@ + SHRINK; + base = ctxt->input->base; + cur = ctxt->input->cur - ctxt->input->base; ++ inputNr = ctxt->inputNr; + oldline = ctxt->input->line; + oldcol = ctxt->input->col; + nbatts = 0; +@@ -9346,7 +9347,8 @@ + */ + SKIP_BLANKS; + GROW; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + + while (((RAW != '>') && + ((RAW != '/') || (NXT(1) != '>')) && +@@ -9357,7 +9359,7 @@ + + attname = xmlParseAttribute2(ctxt, prefix, localname, + &aprefix, &attvalue, &len, &alloc); +- if (ctxt->input->base != base) { ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) { + if ((attvalue != NULL) && (alloc != 0)) + xmlFree(attvalue); + attvalue = NULL; +@@ -9486,7 +9488,8 @@ + skip_ns: + if 
(alloc != 0) xmlFree(attvalue); + SKIP_BLANKS; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + continue; + } + +@@ -9523,7 +9526,8 @@ + GROW + if (ctxt->instate == XML_PARSER_EOF) + break; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) + break; + if (!IS_BLANK_CH(RAW)) { +@@ -9539,7 +9543,8 @@ + break; + } + GROW; +- if (ctxt->input->base != base) goto base_changed; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + } + + /* +@@ -9706,6 +9711,17 @@ + if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL)) + xmlFree((xmlChar *) atts[i]); + } ++ ++ /* ++ * We can't switch from one entity to another in the middle ++ * of a start tag ++ */ ++ if (inputNr != ctxt->inputNr) { ++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, ++ "Start tag doesn't start and stop in the same entity\n"); ++ return(NULL); ++ } ++ + ctxt->input->cur = ctxt->input->base + cur; + ctxt->input->line = oldline; + ctxt->input->col = oldcol; diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8241.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8241.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8241.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8241.patch 2015-12-09 17:00:02.000000000 +0000 
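Review bot: The `inputNr` snapshot is taken before the first `GROW` at `@@ -9346`, and xmlGROW itself can pop an exhausted input (the `xmlPopInput` call visible in the CVE-2015-7499-2 hunk), so a start tag whose `<` is the last byte of an entity reaches the new XML_ERR_ENTITY_BOUNDARY error before a single attribute has been read. That matches the stated rule that a start tag cannot span entities, but nothing documents that the early `goto base_changed` is now an error exit as well as a retry; a comment on `inputNr = ctxt->inputNr;` such as `/* input-stack depth at the '<'; leaving that entity anywhere before '>' is fatal (see base_changed) */` would make the intent clear. On the new error path `ctxt->input->cur`, `line` and `col` are presumably left unrestored because the input they referred to is gone, which the restore code right below it could state. xmlParseStartTag2 starts and ends outside the hunk.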
@@ -0,0 +1,32 @@ +From ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe Mon Sep 17 00:00:00 2001 +From: Hugh Davenport +Date: Tue, 3 Nov 2015 20:40:49 +0800 +Subject: Avoid extra processing of MarkupDecl when EOF + +For https://bugzilla.gnome.org/show_bug.cgi?id=756263 + +One place where ctxt->instate == XML_PARSER_EOF whic was set up +by entity detection issues doesn't get noticed, and even overrided +--- + parser.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 12:00:00.768078515 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 12:00:00.768078515 -0500 +@@ -6969,6 +6969,14 @@ + xmlParsePI(ctxt); + } + } ++ ++ /* ++ * detect requirement to exit there and act accordingly ++ * and avoid having instate overriden later on ++ */ ++ if (ctxt->instate == XML_PARSER_EOF) ++ return; ++ + /* + * This is only for internal subset. On external entities, + * the replacement is done before parsing stage diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8242.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8242.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8242.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8242.patch 2015-12-09 17:00:06.000000000 +0000 
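Review bot: The new `if (ctxt->instate == XML_PARSER_EOF) return;` sits after the comment/PI branch, so a context that was already halted on entry still dispatches into the declaration parsers above it before bailing out here; those branches are outside the hunk, but the same guard as the first statement of the function would close that window too. The added comment says `instate` would otherwise be "overriden later on" without naming what overrides it; stating which assignment after the hunk it protects against would help the next backport. The enclosing function starts and ends outside the hunk.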
@@ -0,0 +1,39 @@ +From 8fb4a770075628d6441fb17a1e435100e2f3b1a2 Mon Sep 17 00:00:00 2001 +From: Hugh Davenport +Date: Fri, 20 Nov 2015 17:16:06 +0800 +Subject: CVE-2015-8242 Buffer overead with HTML parser in push mode + +For https://bugzilla.gnome.org/show_bug.cgi?id=756372 +Error in the code pointing to the codepoint in the stack for the +current char value instead of the pointer in the input that the SAX +callback expects +Reported and fixed by Hugh Davenport +--- + HTMLparser.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +Index: libxml2-2.9.2+zdfsg1/HTMLparser.c +=================================================================== +--- libxml2-2.9.2+zdfsg1.orig/HTMLparser.c 2015-12-09 10:07:19.961212325 -0500 ++++ libxml2-2.9.2+zdfsg1/HTMLparser.c 2015-12-09 10:07:19.961212325 -0500 +@@ -5701,17 +5701,17 @@ + if (ctxt->keepBlanks) { + if (ctxt->sax->characters != NULL) + ctxt->sax->characters( +- ctxt->userData, &cur, 1); ++ ctxt->userData, &in->cur[0], 1); + } else { + if (ctxt->sax->ignorableWhitespace != NULL) + ctxt->sax->ignorableWhitespace( +- ctxt->userData, &cur, 1); ++ ctxt->userData, &in->cur[0], 1); + } + } else { + htmlCheckParagraph(ctxt); + if (ctxt->sax->characters != NULL) + ctxt->sax->characters( +- ctxt->userData, &cur, 1); ++ ctxt->userData, &in->cur[0], 1); + } + } + ctxt->token = 0; diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8317-1.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8317-1.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8317-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8317-1.patch 2015-12-09 17:00:17.000000000 +0000 
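Review bot: The replacement passes `&in->cur[0]` with a length of 1, which is right only where this branch handles a single input byte; if the surrounding condition (outside the hunk) can be reached with a multi-byte UTF-8 character at `in->cur`, the SAX callback now receives a truncated sequence, so confirm the branch is the one-byte case. Assuming it is, a comment would spare the next reader from re-deriving the fix: `/* hand the SAX layer the byte in the input buffer, not the int codepoint on the stack */`. The old `&cur` passed the address of an `int`, so what the callback read was endianness-dependent and, as the patch description says, not the input pointer the callback expects. The enclosing function starts and ends outside the hunk.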
@@ -0,0 +1,35 @@ +From 9aa37588ee78a06ca1379a9d9356eab16686099c Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 29 Jun 2015 09:08:25 +0800 +Subject: Do not process encoding values if the declaration if broken + +For https://bugzilla.gnome.org/show_bug.cgi?id=751603 + +If the string is not properly terminated do not try to convert +to the given encoding. +--- + parser.c | 4 ++++ + 1 file changed, 4 insertions(+) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 12:00:15.124215449 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 12:00:15.124215449 -0500 +@@ -10396,6 +10396,8 @@ + encoding = xmlParseEncName(ctxt); + if (RAW != '"') { + xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL); ++ xmlFree((xmlChar *) encoding); ++ return(NULL); + } else + NEXT; + } else if (RAW == '\''){ +@@ -10403,6 +10405,8 @@ + encoding = xmlParseEncName(ctxt); + if (RAW != '\'') { + xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL); ++ xmlFree((xmlChar *) encoding); ++ return(NULL); + } else + NEXT; + } else { diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8317-2.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8317-2.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8317-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8317-2.patch 2015-12-09 17:00:24.000000000 +0000 
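Review bot: Both new error exits call `xmlFree((xmlChar *) encoding)` unconditionally, and `encoding` comes from `xmlParseEncName`, which presumably can return NULL on a malformed name; whether that is safe depends on the allocator installed behind xmlFree, so the guarded form `if (encoding != NULL) xmlFree((xmlChar *) encoding);` is the safer backport. Returning NULL here also makes a broken declaration look like no declaration to the caller, acceptable only because XML_ERR_STRING_NOT_CLOSED has been recorded first — worth a comment on each `return(NULL)`. The enclosing function (presumably xmlParseEncodingDecl) starts and ends outside the hunk.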
@@ -0,0 +1,32 @@ +From 709a952110e98621c9b78c4f26462a9d8333102e Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 29 Jun 2015 16:10:26 +0800 +Subject: Fail parsing early on if encoding conversion failed + +For https://bugzilla.gnome.org/show_bug.cgi?id=751631 + +If we fail conversing the current input stream while +processing the encoding declaration of the XMLDecl +then it's safer to just abort there and not try to +report further errors. +--- + parser.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 12:00:21.000271438 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 12:00:20.996271400 -0500 +@@ -10461,7 +10461,11 @@ + + handler = xmlFindCharEncodingHandler((const char *) encoding); + if (handler != NULL) { +- xmlSwitchToEncoding(ctxt, handler); ++ if (xmlSwitchToEncoding(ctxt, handler) < 0) { ++ /* failed to convert */ ++ ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING; ++ return(NULL); ++ } + } else { + xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING, + "Unsupported encoding %s\n", encoding); diff -Nru libxml2-2.9.1+dfsg1/debian/patches/series libxml2-2.9.1+dfsg1/debian/patches/series --- libxml2-2.9.1+dfsg1/debian/patches/series 2015-11-13 13:58:04.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/series 2015-12-09 17:00:19.000000000 +0000 @@ -14,3 +14,13 @@ CVE-2015-7941.patch CVE-2015-7942.patch CVE-2015-8035.patch +CVE-2015-5312.patch +CVE-2015-7497.patch +CVE-2015-7498.patch +CVE-2015-7499-1.patch +CVE-2015-7499-2.patch +CVE-2015-7500.patch +CVE-2015-8241.patch +CVE-2015-8242.patch +CVE-2015-8317-1.patch +CVE-2015-8317-2.patch
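Review bot: The new failure branch returns NULL without releasing `encoding`, the name the function otherwise hands back to its caller, so the string leaks whenever xmlSwitchToEncoding fails; the sibling CVE-2015-8317-1 patch frees it with `xmlFree((xmlChar *) encoding);` on its error exits, and the same line belongs before this `return(NULL)` unless xmlSwitchToEncoding takes ownership of more than the handler (confirm). The branch also records the failure by assigning `ctxt->errNo` directly rather than through xmlFatalErr, so no error callback fires and no message is produced; if that is deliberate because the conversion layer already reported, a comment saying so stops a later maintainer from "fixing" it. The enclosing function starts and ends outside the hunk.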