diff -Nru libxml2-2.9.1+dfsg1/debian/changelog libxml2-2.9.1+dfsg1/debian/changelog
--- libxml2-2.9.1+dfsg1/debian/changelog 2015-12-09 17:00:30.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/changelog 2016-01-14 18:13:10.000000000 +0000
@@ -1,3 +1,20 @@
+libxml2 (2.9.1+dfsg1-3ubuntu4.7) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: incomplete fix for out of bounds read in xmlGROW
+ (LP: #1525996)
+ - add extra commits to this previously-fixed CVE
+ - debian/patches/CVE-2015-7499-3.patch: reuse xmlHaltParser() where it
+ makes sense in parser.c.
+ - debian/patches/CVE-2015-7499-4.patch: do not print error context when
+ there is none in error.c.
+ - CVE-2015-7499
+ * SECURITY UPDATE: out of bounds memory access via unclosed html comment
+ - debian/patches/CVE-2015-8710.patch: fix parsing short unclosed
+ comment uninitialized access in HTMLparser.c.
+ - CVE-2015-8710
+
+ -- Marc Deslauriers Thu, 14 Jan 2016 13:13:10 -0500
+
 libxml2 (2.9.1+dfsg1-3ubuntu4.6) trusty-security; urgency=medium
 
 * SECURITY UPDATE: denial of service via entity expansion issue
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-3.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-3.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-3.patch 2016-01-14 18:12:57.000000000 +0000
@@ -0,0 +1,171 @@
+Backport of:
+
+From e3b1597421ad7cbeb5939fc3b54f43f141c82366 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Fri, 20 Nov 2015 14:59:30 +0800
+Subject: Reuse xmlHaltParser() where it makes sense
+
+Unify the various place where either xmlStopParser was called
+(which resets the error as a side effect) and places where we
+used ctxt->instate = XML_PARSER_EOF to stop further processing
+---
+ parser.c | 37 +++++++++++++++++--------------------
+ 1 file changed, 17 insertions(+), 20 deletions(-)
+
+Index: libxml2-2.9.1+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-01-14 13:12:55.384687959 -0500
++++ libxml2-2.9.1+dfsg1/parser.c 2016-01-14 13:12:55.380687921 -0500
+@@ -1773,7 +1773,7 @@
+ xmlFatalErrMsgInt(ctxt, XML_ERR_INTERNAL_ERROR,
+ "Excessive depth in document: %d use XML_PARSE_HUGE option\n",
+ xmlParserMaxDepth);
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ return(-1);
+ }
+ ctxt->nodeTab[ctxt->nodeNr] = value;
+@@ -5666,7 +5666,7 @@
+ if (RAW != '>') {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
+ "xmlParseEntityDecl: entity %s not terminated\n", name);
+- xmlStopParser(ctxt);
++ xmlHaltParser(ctxt);
+ } else {
+ if (input != ctxt->input) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6778,7 +6778,7 @@
+ SKIP_BLANKS;
+ if (RAW != '[') {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+- xmlStopParser(ctxt);
++ xmlHaltParser(ctxt);
+ return;
+ } else {
+ if (ctxt->input->id != id) {
+@@ -6840,7 +6840,7 @@
+ SKIP_BLANKS;
+ if (RAW != '[') {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+- xmlStopParser(ctxt);
++ xmlHaltParser(ctxt);
+ return;
+ } else {
+ if (ctxt->input->id != id) {
+@@ -6897,7 +6897,7 @@
+
+ } else {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
+- xmlStopParser(ctxt);
++ xmlHaltParser(ctxt);
+ return;
+ }
+
+@@ -7108,7 +7108,7 @@
+ /*
+ * The XML REC instructs us to stop parsing right here
+ */
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ return;
+ }
+ }
+@@ -8094,7 +8094,7 @@
+ * The XML REC instructs us to stop parsing
+ * right here
+ */
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ return;
+ }
+ }
+@@ -10009,7 +10009,7 @@
+ if ((cons == ctxt->input->consumed) && (test == CUR_PTR)) {
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "detected an error in element content\n");
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ break;
+ }
+ }
+@@ -10044,7 +10044,7 @@
+ xmlFatalErrMsgInt(ctxt, XML_ERR_INTERNAL_ERROR,
+ "Excessive depth in document: %d use XML_PARSE_HUGE option\n",
+ xmlParserMaxDepth);
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ return;
+ }
+
+@@ -11368,7 +11368,7 @@
+ ctxt->sax->setDocumentLocator(ctxt->userData,
+ &xmlDefaultSAXLocator);
+ xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ #ifdef DEBUG_PUSH
+ xmlGenericError(xmlGenericErrorContext,
+ "PP: entering EOF\n");
+@@ -11401,7 +11401,7 @@
+ * The XML REC instructs us to stop parsing right
+ * here
+ */
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ return(0);
+ }
+ ctxt->standalone = ctxt->input->standalone;
+@@ -11457,7 +11457,7 @@
+ cur = ctxt->input->cur[0];
+ if (cur != '<') {
+ xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))
+ ctxt->sax->endDocument(ctxt->userData);
+ goto done;
+@@ -11489,7 +11489,7 @@
+ goto done;
+ if (name == NULL) {
+ spacePop(ctxt);
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))
+ ctxt->sax->endDocument(ctxt->userData);
+ goto done;
+@@ -11656,7 +11656,7 @@
+ if ((cons == ctxt->input->consumed) && (test == CUR_PTR)) {
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "detected an error in element content\n");
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ break;
+ }
+ break;
+@@ -11977,7 +11977,7 @@
+ goto done;
+ } else {
+ xmlFatalErr(ctxt, XML_ERR_DOCUMENT_END, NULL);
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ #ifdef DEBUG_PUSH
+ xmlGenericError(xmlGenericErrorContext,
+ "PP: entering EOF\n");
+@@ -12341,7 +12341,7 @@
+ res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk);
+ if (res < 0) {
+ ctxt->errNo = XML_PARSER_EOF;
+- ctxt->disableSAX = 1;
++ xmlHaltParser(ctxt);
+ return (XML_PARSER_EOF);
+ }
+ xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
+@@ -12395,7 +12395,7 @@
+ ((ctxt->input->cur - ctxt->input->base) > XML_MAX_LOOKUP_LIMIT)) &&
+ ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ }
+ if ((ctxt->errNo != XML_ERR_OK) && (ctxt->disableSAX == 1))
+ return(ctxt->errNo);
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-4.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-4.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-4.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7499-4.patch 2016-01-14 18:13:00.000000000 +0000
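Review bot: The patch header says only `Backport of:` and carries no DEP-3 fields, so it does not record that every hunk relies on `xmlHaltParser()` already being defined in this 2.9.1 parser.c (the function is neither added nor declared by this patch) or which earlier CVE-2015-7499 patch in the series provides it. I would add `Origin: backport, <upstream commit URL for e3b1597421ad7cbeb5939fc3b54f43f141c82366>` and `Bug-Ubuntu: https://launchpad.net/bugs/1525996`, plus one line naming what was adapted from upstream. The `@@ -12341` hunk is also the one place where the change is more than a rename: on a failed `xmlParserInputBufferPush()` the old code only set `ctxt->disableSAX = 1`, and if xmlHaltParser() additionally empties the input (its body is not in this patch) the push-parser error path now behaves differently, which deserves a sentence in the header so the change reads as deliberate. The `@@ -12395` hunk has the same dependency: whether it now returns at the following `disableSAX == 1` check depends on what xmlHaltParser() sets.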
@@ -0,0 +1,28 @@
+From ce0b0d0d81fdbb5f722a890432b52d363e4de57b Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Fri, 20 Nov 2015 15:01:22 +0800
+Subject: Do not print error context when there is none
+
+Which now happens more frequently du to xmlHaltParser use
+---
+ error.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/error.c b/error.c
+index cbcf5c9..9c45040 100644
+--- a/error.c
++++ b/error.c
+@@ -177,7 +177,9 @@ xmlParserPrintFileContextInternal(xmlParserInputPtr input ,
+ xmlChar content[81]; /* space for 80 chars + line terminator */
+ xmlChar *ctnt;
+
+- if (input == NULL) return;
++ if ((input == NULL) || (input->cur == NULL) ||
++ (*input->cur == 0)) return;
++
+ cur = input->cur;
+ base = input->base;
+ /* skip backwards over any end-of-lines */
+--
+cgit v0.11.2
+
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8710.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8710.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8710.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8710.patch 2016-01-14 18:13:07.000000000 +0000
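Review bot: The widened guard in the `@@ -177` hunk returns silently when `input->cur` is NULL or points at a NUL byte, but nothing on the line says why an input with no context is now an expected state rather than a bug, so the next reader may be tempted to tighten it back into an assertion. I would carry the commit message's reasoning into the code: `/* no context to print: the input may have been emptied by xmlHaltParser() */`. The guard still leaves `input->base` unchecked before `base = input->base;` two lines later; if base can ever be NULL while cur is not (not decidable from this hunk), either add `(input->base == NULL)` to the condition or note why base is guaranteed whenever cur is. The rest of xmlParserPrintFileContextInternal lies outside the hunk.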
@@ -0,0 +1,62 @@
+From e724879d964d774df9b7969fc846605aa1bac54c Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Fri, 30 Oct 2015 21:14:55 +0800
+Subject: Fix parsing short unclosed comment uninitialized access
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=746048
+The HTML parser was too optimistic when processing comments and
+didn't check for the end of the stream on the first 2 characters
+---
+ HTMLparser.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+Index: libxml2-2.9.2+zdfsg1/HTMLparser.c
+===================================================================
+--- libxml2-2.9.2+zdfsg1.orig/HTMLparser.c 2016-01-14 08:59:21.702167883 -0500
++++ libxml2-2.9.2+zdfsg1/HTMLparser.c 2016-01-14 08:59:21.698167840 -0500
+@@ -3245,12 +3245,17 @@
+ ctxt->instate = state;
+ return;
+ }
++ len = 0;
++ buf[len] = 0;
+ q = CUR_CHAR(ql);
++ if (!IS_CHAR(q))
++ goto unfinished;
+ NEXTL(ql);
+ r = CUR_CHAR(rl);
++ if (!IS_CHAR(r))
++ goto unfinished;
+ NEXTL(rl);
+ cur = CUR_CHAR(l);
+- len = 0;
+ while (IS_CHAR(cur) &&
+ ((cur != '>') ||
+ (r != '-') || (q != '-'))) {
+@@ -3281,18 +3286,20 @@
+ }
+ }
+ buf[len] = 0;
+- if (!IS_CHAR(cur)) {
+- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+- "Comment not terminated \n