diff -Nru libxml2-2.9.1+dfsg1/debian/changelog libxml2-2.9.1+dfsg1/debian/changelog --- libxml2-2.9.1+dfsg1/debian/changelog 2016-01-14 18:13:10.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/changelog 2016-06-03 16:33:08.000000000 +0000 @@ -1,3 +1,72 @@ +libxml2 (2.9.1+dfsg1-3ubuntu4.8) trusty-security; urgency=medium + + * SECURITY UPDATE: heap-based buffer overread in xmlNextChar + - debian/patches/CVE-2016-1762.patch: return after error in parser.c. + - CVE-2016-1762 + * SECURITY UPDATE: heap-based buffer overread in htmlCurrentChar + - debian/patches/CVE-2016-1833-pre.patch: clear up NULL deref in + parserInternals.c. + - debian/patches/CVE-2016-1833-pre2.patch: handle 0-length entities in + parserInternals.c. + - debian/patches/CVE-2016-1833.patch: fix tests in parserInternals.c. + - CVE-2016-1833 + * SECURITY UPDATE: heap-buffer-overflow in xmlStrncat + - debian/patches/CVE-2016-1834.patch: check for negative lengths in + xmlstring.c. + - CVE-2016-1834 + * SECURITY UPDATE: heap use-after-free in xmlSAX2AttributeNs + - debian/patches/CVE-2016-1835.patch: add check to parser.c, add tests + to result/errors/759020.xml.err, result/errors/759020.xml.str, + test/errors/759020.xml. + - CVE-2016-1835 + * SECURITY UPDATE: heap use-after-free in xmlDictComputeFastKey + - debian/patches/CVE-2016-1836.patch: prevent stale pointer usage in + parser.c, added tests to result/errors/759398.xml.err, + result/errors/759398.xml.str, test/errors/759398.xml. + - CVE-2016-1836 + * SECURITY UPDATE: heap use-after-free in htmlParsePubidLiteral and + htmlParseSystemiteral + - debian/patches/CVE-2016-1837.patch: prevent stable pointer usage in + HTMLparser.c. + - CVE-2016-1837 + * SECURITY UPDATE: heap-based buffer overread in + xmlParserPrintFileContextInternal + - debian/patches/CVE-2016-1838.patch: add bounds check to parser.c, + add tests to result/errors/758588.xml.err, + result/errors/758588.xml.str, test/errors/758588.xml. + - CVE-2016-1838 + * SECURITY UPDATE: heap-based buffer overread in xmlDictAddString + - debian/patches/CVE-2016-1839.patch: add bounds check to HTMLparser.c. + - CVE-2015-8806 + - CVE-2016-1839 + - CVE-2016-2073 + * SECURITY UPDATE: heap-buffer-overflow in xmlFAParsePosCharGroup + - debian/patches/CVE-2016-1840.patch: properly handle error in + xmlregexp.c. + - CVE-2016-1840 + * SECURITY UPDATE: avoid building recursive entities + - debian/patches/CVE-2016-3627.patch: properly handle recursion in + parser.c, tree.c. + - CVE-2016-3627 + * SECURITY UPDATE: recursion depth counter issue + - debian/patches/CVE-2016-3705.patch: properly could recursion depth in + parser.c. + - CVE-2016-3705 + * SECURITY UPDATE: heap-based buffer-underreads due to xmlParseName + - debian/patches/CVE-2016-4447.patch: improve error handling in + parser.c. + - CVE-2016-4447 + * SECURITY UPDATE: inappropriate fetch of entities content + - debian/patches/CVE-2016-4449.patch: fix another external entity fetch + in parser.c. + - CVE-2016-4449 + * SECURITY UPDATE: out of bound access when serializing malformed strings + - debian/patches/CVE-2016-4483.patch: improve string handling in + xmlsave.c. + - CVE-2016-4483 + + -- Marc Deslauriers Fri, 03 Jun 2016 08:59:55 -0400 + libxml2 (2.9.1+dfsg1-3ubuntu4.7) trusty-security; urgency=medium * SECURITY UPDATE: incomplete fix for out of bounds read in xmlGROW diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1762.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1762.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1762.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1762.patch 2016-06-03 12:56:25.000000000 +0000 @@ -0,0 +1,30 @@ +From a7a94612aa3b16779e2c74e1fa353b5d9786c602 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 9 Feb 2016 12:55:29 +0100 +Subject: Heap-based buffer overread in xmlNextChar + +For https://bugzilla.gnome.org/show_bug.cgi?id=759671 + +when the end of the internal subset isn't properly detected +xmlParseInternalSubset should just return instead of trying +to process input further. +--- + parser.c | 1 + + result/errors/754946.xml.err | 10 +++++----- + result/errors/content1.xml.err | 2 +- + result/valid/t8.xml.err | 2 +- + result/valid/t8a.xml.err | 2 +- + 5 files changed, 9 insertions(+), 8 deletions(-) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:56:22.395000156 -0400 ++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:56:22.395000156 -0400 +@@ -8449,6 +8449,7 @@ + */ + if (RAW != '>') { + xmlFatalErr(ctxt, XML_ERR_DOCTYPE_NOT_FINISHED, NULL); ++ return; + } + NEXT; + } diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833.patch 2016-06-03 12:56:29.000000000 +0000 @@ -0,0 +1,247 @@ +From 0bcd05c5cd83dec3406c8f68b769b1d610c72f76 Mon Sep 17 00:00:00 2001 +From: Pranjal Jumde +Date: Tue, 1 Mar 2016 15:18:04 -0800 +Subject: Heap-based buffer overread in htmlCurrentChar + +For https://bugzilla.gnome.org/show_bug.cgi?id=758606 + +* parserInternals.c: +(xmlNextChar): Add an test to catch other issues on ctxt->input +corruption proactively. +For non-UTF-8 charsets, xmlNextChar() failed to check for the end +of the input buffer and would continuing reading. Fix this by +pulling out the check for the end of the input buffer into common +code, and return if we reach the end of the input buffer +prematurely. +* result/HTML/758606.html: Added. +* result/HTML/758606.html.err: Added. +* result/HTML/758606.html.sax: Added. +* result/HTML/758606_2.html: Added. +* result/HTML/758606_2.html.err: Added. +* result/HTML/758606_2.html.sax: Added. +* test/HTML/758606.html: Added test case. +* test/HTML/758606_2.html: Added test case. +--- + parserInternals.c | 172 ++++++++++++++++++++++-------------------- + result/HTML/758606.html | 2 + + result/HTML/758606.html.err | 16 ++++ + result/HTML/758606.html.sax | 10 +++ + result/HTML/758606_2.html | 2 + + result/HTML/758606_2.html.err | 16 ++++ + result/HTML/758606_2.html.sax | 17 +++++ + test/HTML/758606.html | 1 + + test/HTML/758606_2.html | 1 + + 9 files changed, 154 insertions(+), 83 deletions(-) + create mode 100644 result/HTML/758606.html + create mode 100644 result/HTML/758606.html.err + create mode 100644 result/HTML/758606.html.sax + create mode 100644 result/HTML/758606_2.html + create mode 100644 result/HTML/758606_2.html.err + create mode 100644 result/HTML/758606_2.html.sax + create mode 100644 test/HTML/758606.html + create mode 100644 test/HTML/758606_2.html + +diff --git a/parserInternals.c b/parserInternals.c +index 8c79678..bfc778a 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -55,6 +55,10 @@ + #include + #include + ++#define CUR(ctxt) ctxt->input->cur ++#define END(ctxt) ctxt->input->end ++#define VALID_CTXT(ctxt) (CUR(ctxt) <= END(ctxt)) ++ + #include "buf.h" + #include "enc.h" + +@@ -422,103 +426,105 @@ xmlNextChar(xmlParserCtxtPtr ctxt) + (ctxt->input == NULL)) + return; + +- if (ctxt->charset == XML_CHAR_ENCODING_UTF8) { +- if ((*ctxt->input->cur == 0) && +- (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0) && +- (ctxt->instate != XML_PARSER_COMMENT)) { +- /* +- * If we are at the end of the current entity and +- * the context allows it, we pop consumed entities +- * automatically. +- * the auto closing should be blocked in other cases +- */ ++ if (!(VALID_CTXT(ctxt))) { ++ xmlErrInternal(ctxt, "Parser input data memory error\n", NULL); ++ ctxt->errNo = XML_ERR_INTERNAL_ERROR; ++ xmlStopParser(ctxt); ++ return; ++ } ++ ++ if ((*ctxt->input->cur == 0) && ++ (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) { ++ if ((ctxt->instate != XML_PARSER_COMMENT)) + xmlPopInput(ctxt); +- } else { +- const unsigned char *cur; +- unsigned char c; ++ return; ++ } + +- /* +- * 2.11 End-of-Line Handling +- * the literal two-character sequence "#xD#xA" or a standalone +- * literal #xD, an XML processor must pass to the application +- * the single character #xA. +- */ +- if (*(ctxt->input->cur) == '\n') { +- ctxt->input->line++; ctxt->input->col = 1; +- } else +- ctxt->input->col++; ++ if (ctxt->charset == XML_CHAR_ENCODING_UTF8) { ++ const unsigned char *cur; ++ unsigned char c; + +- /* +- * We are supposed to handle UTF8, check it's valid +- * From rfc2044: encoding of the Unicode values on UTF-8: +- * +- * UCS-4 range (hex.) UTF-8 octet sequence (binary) +- * 0000 0000-0000 007F 0xxxxxxx +- * 0000 0080-0000 07FF 110xxxxx 10xxxxxx +- * 0000 0800-0000 FFFF 1110xxxx 10xxxxxx 10xxxxxx +- * +- * Check for the 0x110000 limit too +- */ +- cur = ctxt->input->cur; ++ /* ++ * 2.11 End-of-Line Handling ++ * the literal two-character sequence "#xD#xA" or a standalone ++ * literal #xD, an XML processor must pass to the application ++ * the single character #xA. ++ */ ++ if (*(ctxt->input->cur) == '\n') { ++ ctxt->input->line++; ctxt->input->col = 1; ++ } else ++ ctxt->input->col++; + +- c = *cur; +- if (c & 0x80) { +- if (c == 0xC0) +- goto encoding_error; +- if (cur[1] == 0) { ++ /* ++ * We are supposed to handle UTF8, check it's valid ++ * From rfc2044: encoding of the Unicode values on UTF-8: ++ * ++ * UCS-4 range (hex.) UTF-8 octet sequence (binary) ++ * 0000 0000-0000 007F 0xxxxxxx ++ * 0000 0080-0000 07FF 110xxxxx 10xxxxxx ++ * 0000 0800-0000 FFFF 1110xxxx 10xxxxxx 10xxxxxx ++ * ++ * Check for the 0x110000 limit too ++ */ ++ cur = ctxt->input->cur; ++ ++ c = *cur; ++ if (c & 0x80) { ++ if (c == 0xC0) ++ goto encoding_error; ++ if (cur[1] == 0) { ++ xmlParserInputGrow(ctxt->input, INPUT_CHUNK); ++ cur = ctxt->input->cur; ++ } ++ if ((cur[1] & 0xc0) != 0x80) ++ goto encoding_error; ++ if ((c & 0xe0) == 0xe0) { ++ unsigned int val; ++ ++ if (cur[2] == 0) { + xmlParserInputGrow(ctxt->input, INPUT_CHUNK); + cur = ctxt->input->cur; + } +- if ((cur[1] & 0xc0) != 0x80) ++ if ((cur[2] & 0xc0) != 0x80) + goto encoding_error; +- if ((c & 0xe0) == 0xe0) { +- unsigned int val; +- +- if (cur[2] == 0) { ++ if ((c & 0xf0) == 0xf0) { ++ if (cur[3] == 0) { + xmlParserInputGrow(ctxt->input, INPUT_CHUNK); + cur = ctxt->input->cur; + } +- if ((cur[2] & 0xc0) != 0x80) ++ if (((c & 0xf8) != 0xf0) || ++ ((cur[3] & 0xc0) != 0x80)) + goto encoding_error; +- if ((c & 0xf0) == 0xf0) { +- if (cur[3] == 0) { +- xmlParserInputGrow(ctxt->input, INPUT_CHUNK); +- cur = ctxt->input->cur; +- } +- if (((c & 0xf8) != 0xf0) || +- ((cur[3] & 0xc0) != 0x80)) +- goto encoding_error; +- /* 4-byte code */ +- ctxt->input->cur += 4; +- val = (cur[0] & 0x7) << 18; +- val |= (cur[1] & 0x3f) << 12; +- val |= (cur[2] & 0x3f) << 6; +- val |= cur[3] & 0x3f; +- } else { +- /* 3-byte code */ +- ctxt->input->cur += 3; +- val = (cur[0] & 0xf) << 12; +- val |= (cur[1] & 0x3f) << 6; +- val |= cur[2] & 0x3f; +- } +- if (((val > 0xd7ff) && (val < 0xe000)) || +- ((val > 0xfffd) && (val < 0x10000)) || +- (val >= 0x110000)) { +- xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR, +- "Char 0x%X out of allowed range\n", +- val); +- } +- } else +- /* 2-byte code */ +- ctxt->input->cur += 2; ++ /* 4-byte code */ ++ ctxt->input->cur += 4; ++ val = (cur[0] & 0x7) << 18; ++ val |= (cur[1] & 0x3f) << 12; ++ val |= (cur[2] & 0x3f) << 6; ++ val |= cur[3] & 0x3f; ++ } else { ++ /* 3-byte code */ ++ ctxt->input->cur += 3; ++ val = (cur[0] & 0xf) << 12; ++ val |= (cur[1] & 0x3f) << 6; ++ val |= cur[2] & 0x3f; ++ } ++ if (((val > 0xd7ff) && (val < 0xe000)) || ++ ((val > 0xfffd) && (val < 0x10000)) || ++ (val >= 0x110000)) { ++ xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR, ++ "Char 0x%X out of allowed range\n", ++ val); ++ } + } else +- /* 1-byte code */ +- ctxt->input->cur++; ++ /* 2-byte code */ ++ ctxt->input->cur += 2; ++ } else ++ /* 1-byte code */ ++ ctxt->input->cur++; + +- ctxt->nbChars++; +- if (*ctxt->input->cur == 0) +- xmlParserInputGrow(ctxt->input, INPUT_CHUNK); +- } ++ ctxt->nbChars++; ++ if (*ctxt->input->cur == 0) ++ xmlParserInputGrow(ctxt->input, INPUT_CHUNK); + } else { + /* + * Assume it's a fixed length encoding (1) with diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833-pre2.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833-pre2.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833-pre2.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833-pre2.patch 2016-06-03 16:32:11.000000000 +0000 @@ -0,0 +1,27 @@ +From fdfeecc1b73b0318466f0d61f0b8881ed9d92dd2 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 20 Nov 2015 15:07:38 +0800 +Subject: Bug on creating new stream from entity + +sometimes the entity could have a lenght of 0, i.e. it wasn't +parsed or used yet, and we ended up with an incoherent input state +--- + parserInternals.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/parserInternals.c b/parserInternals.c +index c8230c1..2b8646c 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -1459,6 +1459,8 @@ xmlNewEntityInputStream(xmlParserCtxtPtr ctxt, xmlEntityPtr entity) { + if (entity->URI != NULL) + input->filename = (char *) xmlStrdup((xmlChar *) entity->URI); + input->base = entity->content; ++ if (entity->length == 0) ++ entity->length = xmlStrlen(entity->content); + input->cur = entity->content; + input->length = entity->length; + input->end = &entity->content[input->length]; +-- +cgit v0.12 + diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833-pre.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833-pre.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833-pre.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833-pre.patch 2016-06-03 16:21:39.000000000 +0000 @@ -0,0 +1,27 @@ +From ff76eb28c75451bc56e3b93f44dac155ca29e7f5 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Sat, 3 Aug 2013 22:25:13 +0800 +Subject: Clear up a potential NULL dereference + +https://bugzilla.gnome.org/show_bug.cgi?id=705399 + +if ctxt->node_seq.buffer is null then ctxt->node_seq.maximum ought +to be zero but it's better to clarify the check in the code directly. +--- + parserInternals.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: libxml2-2.9.1+dfsg1/parserInternals.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parserInternals.c 2016-06-03 12:21:37.899991664 -0400 ++++ libxml2-2.9.1+dfsg1/parserInternals.c 2016-06-03 12:21:37.899991664 -0400 +@@ -1999,7 +1999,8 @@ + + /* Otherwise, we need to add new node to buffer */ + else { +- if (ctxt->node_seq.length + 1 > ctxt->node_seq.maximum) { ++ if ((ctxt->node_seq.length + 1 > ctxt->node_seq.maximum) || ++ (ctxt->node_seq.buffer == NULL)) { + xmlParserNodeInfo *tmp_buffer; + unsigned int byte_size; + diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1834.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1834.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1834.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1834.patch 2016-06-03 12:56:33.000000000 +0000 @@ -0,0 +1,50 @@ +From 8fbbf5513d609c1770b391b99e33314cd0742704 Mon Sep 17 00:00:00 2001 +From: Pranjal Jumde +Date: Tue, 8 Mar 2016 17:29:00 -0800 +Subject: Bug 763071: heap-buffer-overflow in xmlStrncat + + +* xmlstring.c: +(xmlStrncat): Return NULL if xmlStrlen returns a negative length. +(xmlStrncatNew): Ditto. +--- + xmlstring.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/xmlstring.c b/xmlstring.c +index b89c9e9..00287d4 100644 +--- a/xmlstring.c ++++ b/xmlstring.c +@@ -457,6 +457,8 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) { + return(xmlStrndup(add, len)); + + size = xmlStrlen(cur); ++ if (size < 0) ++ return(NULL); + ret = (xmlChar *) xmlRealloc(cur, (size + len + 1) * sizeof(xmlChar)); + if (ret == NULL) { + xmlErrMemory(NULL, NULL); +@@ -484,14 +486,19 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) { + int size; + xmlChar *ret; + +- if (len < 0) ++ if (len < 0) { + len = xmlStrlen(str2); ++ if (len < 0) ++ return(NULL); ++ } + if ((str2 == NULL) || (len == 0)) + return(xmlStrdup(str1)); + if (str1 == NULL) + return(xmlStrndup(str2, len)); + + size = xmlStrlen(str1); ++ if (size < 0) ++ return(NULL); + ret = (xmlChar *) xmlMalloc((size + len + 1) * sizeof(xmlChar)); + if (ret == NULL) { + xmlErrMemory(NULL, NULL); +-- +cgit v0.12 + diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1835.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1835.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1835.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1835.patch 2016-06-03 12:58:00.000000000 +0000 @@ -0,0 +1,135 @@ +Backport of: + +From 38eae571111db3b43ffdeb05487c9f60551906fb Mon Sep 17 00:00:00 2001 +From: Pranjal Jumde +Date: Mon, 7 Mar 2016 14:04:08 -0800 +Subject: Heap use-after-free in xmlSAX2AttributeNs + +For https://bugzilla.gnome.org/show_bug.cgi?id=759020 + +* parser.c: +(xmlParseStartTag2): Attribute strings are only valid if the +base does not change, so add another check where the base may +change. Make sure to set 'attvalue' to NULL after freeing it. +* result/errors/759020.xml: Added. +* result/errors/759020.xml.err: Added. +* result/errors/759020.xml.str: Added. +* test/errors/759020.xml: Added test case. +--- + parser.c | 12 ++++++++++-- + result/errors/759020.xml | 0 + result/errors/759020.xml.err | 6 ++++++ + result/errors/759020.xml.str | 7 +++++++ + test/errors/759020.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 69 insertions(+), 2 deletions(-) + create mode 100644 result/errors/759020.xml + create mode 100644 result/errors/759020.xml.err + create mode 100644 result/errors/759020.xml.str + create mode 100644 test/errors/759020.xml + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:56:43.215265543 -0400 ++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:57:36.535944954 -0400 +@@ -9422,8 +9422,13 @@ + else + if (nsPush(ctxt, NULL, URL) > 0) nbNs++; + skip_default_ns: +- if (alloc != 0) xmlFree(attvalue); ++ if ((attvalue != NULL) && (alloc != 0)) { ++ xmlFree(attvalue); ++ attvalue = NULL; ++ } + SKIP_BLANKS; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + continue; + } + if (aprefix == ctxt->str_xmlns) { +@@ -9495,7 +9500,10 @@ + else + if (nsPush(ctxt, attname, URL) > 0) nbNs++; + skip_ns: +- if (alloc != 0) xmlFree(attvalue); ++ if ((attvalue != NULL) && (alloc != 0)) { ++ xmlFree(attvalue); ++ attvalue = NULL; ++ } + SKIP_BLANKS; + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) + goto base_changed; +Index: libxml2-2.9.1+dfsg1/result/errors/759020.xml.err +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.1+dfsg1/result/errors/759020.xml.err 2016-06-03 08:56:43.211265492 -0400 +@@ -0,0 +1,6 @@ ++./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute ++0000000000000000000000000000000000000000000000000000000000000000000000000000000' ++ ^ ++./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2 ++ ++ ^ +Index: libxml2-2.9.1+dfsg1/result/errors/759020.xml.str +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.1+dfsg1/result/errors/759020.xml.str 2016-06-03 08:56:43.211265492 -0400 +@@ -0,0 +1,7 @@ ++./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute ++0000000000000000000000000000000000000000000000000000000000000000000000000000000' ++ ^ ++./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 ++ ++ ^ ++./test/errors/759020.xml : failed to parse +Index: libxml2-2.9.1+dfsg1/test/errors/759020.xml +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.1+dfsg1/test/errors/759020.xml 2016-06-03 08:56:43.211265492 -0400 +@@ -0,0 +1,46 @@ ++ ++ +Date: Thu, 3 Mar 2016 11:50:34 -0800 +Subject: Bug 759398: Heap use-after-free in xmlDictComputeFastKey + + +* parser.c: +(xmlParseNCNameComplex): Store start position instead of a +pointer to the name since the underlying buffer may change, +resulting in a stale pointer being used. +* result/errors/759398.xml: Added. +* result/errors/759398.xml.err: Added. +* result/errors/759398.xml.str: Added. +* test/errors/759398.xml: Added test case. +--- + parser.c | 9 +- + result/errors/759398.xml | 0 + result/errors/759398.xml.err | 9 ++ + result/errors/759398.xml.str | 5 + + test/errors/759398.xml | 326 +++++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 344 insertions(+), 5 deletions(-) + create mode 100644 result/errors/759398.xml + create mode 100644 result/errors/759398.xml.err + create mode 100644 result/errors/759398.xml.str + create mode 100755 test/errors/759398.xml + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:58:10.916382845 -0400 ++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:58:10.916382845 -0400 +@@ -2008,6 +2008,7 @@ + #define CUR (*ctxt->input->cur) + #define NXT(val) ctxt->input->cur[(val)] + #define CUR_PTR ctxt->input->cur ++#define BASE_PTR ctxt->input->base + + #define CMP4( s, c1, c2, c3, c4 ) \ + ( ((unsigned char *) s)[ 0 ] == c1 && ((unsigned char *) s)[ 1 ] == c2 && \ +@@ -3463,7 +3464,7 @@ + int len = 0, l; + int c; + int count = 0; +- const xmlChar *end; /* needed because CUR_CHAR() can move cur on \r\n */ ++ size_t startPosition = 0; + + #ifdef DEBUG + nbParseNCNameComplex++; +@@ -3473,7 +3474,7 @@ + * Handler for more complex cases + */ + GROW; +- end = ctxt->input->cur; ++ startPosition = CUR_PTR - BASE_PTR; + c = CUR_CHAR(l); + if ((c == ' ') || (c == '>') || (c == '/') || /* accelerators */ + (!xmlIsNameStartChar(ctxt, c) || (c == ':'))) { +@@ -3495,14 +3496,12 @@ + } + len += l; + NEXTL(l); +- end = ctxt->input->cur; + c = CUR_CHAR(l); + if (c == 0) { + count = 0; + GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); +- end = ctxt->input->cur; + c = CUR_CHAR(l); + } + } +@@ -3511,7 +3510,7 @@ + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +- return(xmlDictLookup(ctxt->dict, end - len, len)); ++ return(xmlDictLookup(ctxt->dict, (BASE_PTR + startPosition), len)); + } + + /** +Index: libxml2-2.9.1+dfsg1/result/errors/759398.xml.err +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.1+dfsg1/result/errors/759398.xml.err 2016-06-03 08:58:10.916382845 -0400 +@@ -0,0 +1,9 @@ ++./test/errors/759398.xml:210: parser error : StartTag: invalid element name ++need to worry about parsers whi ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++"> ++ ++'"> ++ ++ ++ ++ ++ ++ ++ ++ ++ ++amp, ++lt, ++gt, ++apos, ++quot"> ++ ++ ++ ++ ++ ++]> ++ ++ ++ ++ ++ ++
++Extensible Markup Language (XML) 1.0 ++ ++REC-xml-&iso6.doc.date; ++W3C Recommendation ++&draft.day;&draft.month;&draft.year; ++ ++ ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date; ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.xml ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.html ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.pdf ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.ps ++ ++ ++ ++httwww.w3.org/TR/REC-xml ++ ++ ++ ++http://www.w3.org/TR/PR-xml-971208 ++ ++ ++ ++Tim Bray ++Textuality and Netscape ++tbray@textuality.com ++Jean Paoli ++Microsoft ++jeanpa@microsoft.com ++C. M. Sperberg-McQueen ++University of Illinois at Chicago ++cmsmcq@uic.edu ++ ++ ++

The Extensible Markup Language (XML) is a subset of ++SGML that is completely described in this document. Its goal is to ++enable generic SGML to be served, received, and processed on the Web ++in the way that is now possible with HTML. XML has been designed for ++ease of implementation and for interoperability with both SGML and ++HTML.

++ ++ ++

This document has been reviewed by W3C Members and ++other interested parties and has been endorsed by the ++Director as a W3C Recommendation. It is a stable ++document and may be used as reference material or cited ++as a normative reference from another document. W3C's ++role in making the Recommendation is to draw attention ++to the spPcification and to promote its widespread ++deployment. This enhances the functionality and ++interoperability of the Web.

++

++This document specifies a syntax created by subsetting an existing, ++widely used international text processing standard (Standard ++Generalized Markup Language, ISO 8879:1986(E) as amended and ++corrected) for use on the World Wide Web. It is a product of the W3C ++XML Activity, details of which can be found at http://www.w3.org/XML. A list of ++current W3C Recommendations and other technical documents can be found ++at http://www.w3.org/TR. ++

++

This specification uses the term URI, which is defined by , a work in progress expected to update and . ++

++

The list of known errors in this specification is ++available at ++http://www.w3.org/XML/xml-19980210-errata.

++

Please report errors in this document to ++xml-editor@w3.org. ++

++ ++ ++ ++ ++

Chicago, Vancouver, Mountain View, et al.: ++World-Wide Web Consortium, XML Working Group, 1996, 1997.

++ ++ ++

Created in electronic form.

++ ++ ++English ++Extended Backus-Naur Form (formal grammar) ++ ++ ++ ++1997-12-03 : CMSMcQ : yet further changes ++1997-12-02 : TB : further changes (see TB to XML WG, ++2 December 1997) ++1997-12-02 : CMSMcQ : deal with as many corrections and ++comments from the proofreaders as possible: ++entify hard-coded document date in pubdate element, ++change expansion of entity WebSGML, ++update status description as per Dan Connolly (am not sure ++about refernece to Berners-Lee et al.), ++add 'The' to abstract as per WG decision, ++move Relationship to Existing Standards to back matter and ++combine with References, ++re-order back matter so normative appendices come first, ++re-tag back matter so informative appendices are tagged informdiv1, ++remove XXX XXX from list of 'normative' specs in prose, ++move some references from Other References to Normative References, ++add RFC 1738, 1808, and 2141 to Other References (they are not ++normative since we do not require the processor to enforce any ++rules based on them), ++add reference to 'Fielding draft' (Berners-Lee et al.), ++move notation section to end of body, ++drop URIchar non-terminal and use SkipLit instead, ++lose stray reference to defunct nonterminal 'markupdecls', ++move reference to Aho et al. into appendix (Tim's right), ++add prose note saying that hash marks and fragment identifiers are ++NOT part of the URI formally speaking, and are NOT legal in ++system identifiers (processor 'may' signal an error). ++Work through: ++Tim Bray reacting to James Clark, ++Tim Bray on his own, ++Eve Maler, ++ ++NOT DONE YET: ++change binary / text to unparsed / parsed. ++handle James's suggestion about < in attriubte values ++uppercase hex characters, ++namechar list, ++ ++1997-12-01 : JB : add some column-width parameters ++1997-12-01 : CMSMcQ : begin round of changes to incorporate ++recent WG decisions and other corrections: ++binding sources of character encoding info (27 Aug / 3 Sept), ++correct wording of Faust quotation (restore dropped line), ++drop SDD from EncodingDecl, ++change text at version number 1.0, ++drop misleading (wrong!) sentence about ignorables and extenders, ++modify definxamples with Byte Order Mark. ++Add content model as a term and clarify that it applies to both ++mixed and element content. ++ ++1997-06-30 : CMSMcQ : change date, some cosmetic changes, ++changes to productions for choice, seq, Mixed, NotationType, ++Enumeration. Follow James Clark's suggestion and prohibit ++conditional sections in internal subset. TO DO: simplify ++production for ignored sections as a result, since we don't ++need to worry about parsers whi ++1997-06-29 : TB : various edits ++1997-06-29 : CMSMcQ : further changes: ++Suppress old FINAL EDIT comments and some dead material. ++Revise occurrences of % in grammar to exploit Henry Thompson's pun, ++especially markupdecl and attdef. ++Remove RMD requirement relating to element content (?). ++ ++1997-06-28 : CMSMcQ : Various changes for 1 July draft: ++Add text for draconian error handling (introduce ++the term Fatal Error). ++RE deleta est (changing wording from ++original announcement to restrict the requirement to validating ++parsers). ++Tag definition of validawwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww it meant 'may or may not'. ++1997-03-21 : TB : massive changes on plane flight from Chicago ++to Vancouver ++1997-03-21 : CMSMcQ : correct as many reported errors as possible. ++ ++1997-03-20 : CMSMcQ : correct typos listed in CMSMcQ hand copy of spec. ++1997 James Clark: ++Define the set of characters from which [^abc] subtracts. ++Charref should use just [0-9] not Digit. ++Location info needs cleaner treatment: remove? (ERB ++question). ++One example of a PI has wrong pic. ++Clarify discussion of encoding names. ++Encoding failure should lead to unspecified results; don't ++prescribe error recovery. ++Don't require exposure of entity boundaries. ++Ignore white space in element content. ++Reserve entity names of the form u-NNNN. ++Clarify relative URLs. ++And some of my own: ++Correct productions for content model: model cannot ++consist of a name, so "elements ::= cp" is no good. ++ ++1996-11-11 : CMSMcQ : revise for style. ++Add new rhs to entity declaration, for parameter entities. ++1996-11-10 : CMSMcQ : revise for style. ++Fix / complete section on names, characters. ++Add sections on parameter entities, conditional sections. ++Still to do: Add compatibility note on deterministic content models. ++Finish stylistic revision. ++1996-10-31 : TB : Add Entity Handling section ++1996-10-30 : TB : Clean up term & termdef. Slip in ++ERB decision re EMPTY. ++1996-10-28 : TB : Change DTD. Implement some of Michael's ++suggestions. Change comments back to //. Introduce language for ++XML namespace reservation. Add section on white-space handling. ++Lots more cleanup. ++1996-10-24 : CMSMcQ : quick tweaks, implement some ERB ++decisions. Characters are not integers. Comments are /* */ not //. ++Add bibliographic refs to 10646, HyTime, Unicode. ++Rename old Cdata as MsData since it's only seen ++in marked sections. Call them attribute-value pairs not ++name-value pairs, except once. Internal subset is optional, needs ++'?'. Implied attributes should be signaled to the app, not ++have values supplied by processor. ++1996-10-16 : TB : track down & excise all DSD references; ++introduce some EBNF for entity declarations. ++1996-10-?? nsistency check, fix up scraps so ++they all parse, get formatter working, correct a few productions. ++1996-10-10/11 : CMSMcQ : various maintenance, stylistic, and ++organizational changes: ++Replace a few literals with xmlpio and ++pi""entities, to make them consistent and ensure we can change pic ++reliably when the ERB votes. ++Drop paragraph on recognizers from notation section. ++Add match, exact match to terminology. ++Move old 2.2 XML Processors and Apps into intro. ++Mention comments, PIs, and marked sections in discussion of ++delimiter escaping. ++Streamline discussion of doctype decl syntax. ++Drop old section of 'PI syntax' for doctype decl, and add ++section on partial-DTD summary PIs to end of Logical Structures ++section. ++Revise DSD syntax section to use Tim's subset-in-a-PI ++mechanism. ++1996-10-10 : TB : eliminate name recognizers (and more?) ++1996-10-09 : CMSMcQ : revise for style, consistency through 2.3 ++(Characters) ++1996-10-09 : CMSMcQ : re-unite everything for convenience, ++at least temporarily, and revise quickly ++1996-10-08 : TB : first major homogenization pass ++1996-10-08 : TB : turn "current" attribute on div type into ++CDATA ++1996-10-02 : TB : remould into skeleton + entities ++1996-09-30 : CMSMcQ : add a few more sections prior to exchange ++ with Tim. ++1996-09-20 : CMSMcQ : finish transcribing notes. ++1996-09-19 : CMSMcQ : begin transcribing notes for draft. ++1996-09-13 : CMSMcQ : made outline from notes of 09-06, ++do some housekeeping ++ ++ ++
++ is used to read XML documents ++and provide access to their content and structure. It is @ssumed that an XML processor is ++doing its work on behalf of another module, called the ++application. This specification describes the ++required beh\vior of an XML processor in terms of how it must read XML ++data and the information it must provide to the application.

++ ++ ++Origin and Goals ++

XML was developed by an XML Working Group (orisable over the ++Internet.

++

XML shall support a wide variey of applications.

 ++

XML shall be compatible with SGML.

 ++

It shall be easy to write programs which process XML ++documents.

 ++

The number of optional features in XML is to be kept to the ++absolute minimum, ideally zero.

 ++

XML documents shou +\ No newline at end of file diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1837.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1837.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1837.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1837.patch 2016-06-03 12:58:17.000000000 +0000 @@ -0,0 +1,137 @@ +From 11ed4a7a90d5ce156a18980a4ad4e53e77384852 Mon Sep 17 00:00:00 2001 +From: Pranjal Jumde +Date: Wed, 2 Mar 2016 15:52:24 -0800 +Subject: Heap use-after-free in htmlParsePubidLiteral and + htmlParseSystemiteral + +For https://bugzilla.gnome.org/show_bug.cgi?id=760263 + +* HTMLparser.c: Add BASE_PTR convenience macro. +(htmlParseSystemLiteral): Store length and start position instead +of a pointer while iterating through the public identifier since +the underlying buffer may change, resulting in a stale pointer +being used. +(htmlParsePubidLiteral): Ditto. +--- + HTMLparser.c | 58 +++++++++++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 43 insertions(+), 15 deletions(-) + +Index: libxml2-2.9.3+dfsg1/HTMLparser.c +=================================================================== +--- libxml2-2.9.3+dfsg1.orig/HTMLparser.c 2016-06-03 08:00:33.892487010 -0400 ++++ libxml2-2.9.3+dfsg1/HTMLparser.c 2016-06-03 08:00:33.888486962 -0400 +@@ -303,6 +303,7 @@ + #define UPP(val) (toupper(ctxt->input->cur[(val)])) + + #define CUR_PTR ctxt->input->cur ++#define BASE_PTR ctxt->input->base + + #define SHRINK if ((ctxt->input->cur - ctxt->input->base > 2 * INPUT_CHUNK) && \ + (ctxt->input->end - ctxt->input->cur < 2 * INPUT_CHUNK)) \ +@@ -2765,31 +2766,43 @@ + + static xmlChar * + htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) { +- const xmlChar *q; ++ size_t len = 0, startPosition = 0; + xmlChar *ret = NULL; + + if (CUR == '"') { + NEXT; +- q = CUR_PTR; +- while ((IS_CHAR_CH(CUR)) && (CUR != '"')) ++ ++ if (CUR_PTR < BASE_PTR) ++ return(ret); ++ startPosition = CUR_PTR - BASE_PTR; ++ ++ while ((IS_CHAR_CH(CUR)) && (CUR != '"')) { + NEXT; ++ len++; ++ } + if (!IS_CHAR_CH(CUR)) { + htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, + "Unfinished SystemLiteral\n", NULL, NULL); + } else { +- ret = xmlStrndup(q, CUR_PTR - q); ++ ret = xmlStrndup((BASE_PTR+startPosition), len); + NEXT; + } + } else if (CUR == '\'') { + NEXT; +- q = CUR_PTR; +- while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) ++ ++ if (CUR_PTR < BASE_PTR) ++ return(ret); ++ startPosition = CUR_PTR - BASE_PTR; ++ ++ while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) { + NEXT; ++ len++; ++ } + if (!IS_CHAR_CH(CUR)) { + htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, + "Unfinished SystemLiteral\n", NULL, NULL); + } else { +- ret = xmlStrndup(q, CUR_PTR - q); ++ ret = xmlStrndup((BASE_PTR+startPosition), len); + NEXT; + } + } else { +@@ -2813,32 +2826,47 @@ + + static xmlChar * + htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) { +- const xmlChar *q; ++ size_t len = 0, startPosition = 0; + xmlChar *ret = NULL; + /* + * Name ::= (Letter | '_') (NameChar)* + */ + if (CUR == '"') { + NEXT; +- q = CUR_PTR; +- while (IS_PUBIDCHAR_CH(CUR)) NEXT; ++ ++ if (CUR_PTR < BASE_PTR) ++ return(ret); ++ startPosition = CUR_PTR - BASE_PTR; ++ ++ while (IS_PUBIDCHAR_CH(CUR)) { ++ len++; ++ NEXT; ++ } ++ + if (CUR != '"') { + htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, + "Unfinished PubidLiteral\n", NULL, NULL); + } else { +- ret = xmlStrndup(q, CUR_PTR - q); ++ ret = xmlStrndup((BASE_PTR + startPosition), len); + NEXT; + } + } else if (CUR == '\'') { + NEXT; +- q = CUR_PTR; +- while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')) +- NEXT; ++ ++ if (CUR_PTR < BASE_PTR) ++ return(ret); ++ startPosition = CUR_PTR - BASE_PTR; ++ ++ while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')){ ++ len++; ++ NEXT; ++ } ++ + if (CUR != '\'') { + htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, + "Unfinished PubidLiteral\n", NULL, NULL); + } else { +- ret = xmlStrndup(q, CUR_PTR - q); ++ ret = xmlStrndup((BASE_PTR + startPosition), len); + NEXT; + } + } else { diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1838.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1838.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1838.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1838.patch 2016-06-03 12:58:26.000000000 +0000 @@ -0,0 +1,90 @@ +From db07dd613e461df93dde7902c6505629bf0734e9 Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Fri, 12 Feb 2016 09:58:29 -0800 +Subject: Bug 758588: Heap-based buffer overread in + xmlParserPrintFileContextInternal + + +* parser.c: +(xmlParseEndTag2): Add bounds checks before dereferencing +ctxt->input->cur past the end of the buffer, or incrementing the +pointer past the end of the buffer. + +* result/errors/758588.xml: Add test result. +* result/errors/758588.xml.err: Ditto. +* result/errors/758588.xml.str: Ditto. +* test/errors/758588.xml: Add regression test. +--- + parser.c | 8 ++++++-- + result/errors/758588.xml | 0 + result/errors/758588.xml.err | 9 +++++++++ + result/errors/758588.xml.str | 10 ++++++++++ + test/errors/758588.xml | 1 + + 5 files changed, 26 insertions(+), 2 deletions(-) + create mode 100644 result/errors/758588.xml + create mode 100644 result/errors/758588.xml.err + create mode 100644 result/errors/758588.xml.str + create mode 100644 test/errors/758588.xml + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:58:22.736533361 -0400 ++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:58:22.732533310 -0400 +@@ -9766,6 +9766,7 @@ + xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix, + const xmlChar *URI, int line, int nsNr, int tlen) { + const xmlChar *name; ++ size_t curLength; + + GROW; + if ((RAW != '<') || (NXT(1) != '/')) { +@@ -9774,8 +9775,11 @@ + } + SKIP(2); + +- if ((tlen > 0) && (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) { +- if (ctxt->input->cur[tlen] == '>') { ++ curLength = ctxt->input->end - ctxt->input->cur; ++ if ((tlen > 0) && (curLength >= (size_t)tlen) && ++ (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) { ++ if ((curLength >= (size_t)(tlen + 1)) && ++ (ctxt->input->cur[tlen] == '>')) { + ctxt->input->cur += tlen + 1; + goto done; + } +Index: libxml2-2.9.1+dfsg1/result/errors/758588.xml.err +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.1+dfsg1/result/errors/758588.xml.err 2016-06-03 08:58:22.732533310 -0400 +@@ -0,0 +1,9 @@ ++./test/errors/758588.xml:1: namespace error : Namespace prefix a-340282366920938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867261d on a is not defined ++63472597946867209384634725979468672093846347259794686720938463472597946867261d:a ++ ^ ++./test/errors/758588.xml:1: parser error : expected '>' ++2597946867209384634725979468672093846347259794686720938463472597946867261d:a>' ++2597946867209384634725979468672093846347259794686720938463472597946867261d:a> +Date: Tue, 1 Mar 2016 11:34:04 -0800 +Subject: Bug 758605: Heap-based buffer overread in xmlDictAddString + + +Reviewed by David Kilzer. + +* HTMLparser.c: +(htmlParseName): Add bounds check. +(htmlParseNameComplex): Ditto. +* result/HTML/758605.html: Added. +* result/HTML/758605.html.err: Added. +* result/HTML/758605.html.sax: Added. +* runtest.c: +(pushParseTest): The input for the new test case was so small +(4 bytes) that htmlParseChunk() was never called after +htmlCreatePushParserCtxt(), thereby creating a false positive +test failure. Fixed by using a do-while loop so we always call +htmlParseChunk() at least once. +* test/HTML/758605.html: Added. +--- + HTMLparser.c | 8 ++++++++ + result/HTML/758605.html | 3 +++ + result/HTML/758605.html.err | 3 +++ + result/HTML/758605.html.sax | 13 +++++++++++++ + runtest.c | 4 ++-- + test/HTML/758605.html | 1 + + 6 files changed, 30 insertions(+), 2 deletions(-) + create mode 100644 result/HTML/758605.html + create mode 100644 result/HTML/758605.html.err + create mode 100644 result/HTML/758605.html.sax + create mode 100644 test/HTML/758605.html + +Index: libxml2-2.9.3+dfsg1/HTMLparser.c +=================================================================== +--- libxml2-2.9.3+dfsg1.orig/HTMLparser.c 2016-06-03 08:00:49.064670606 -0400 ++++ libxml2-2.9.3+dfsg1/HTMLparser.c 2016-06-03 08:00:49.060670558 -0400 +@@ -2472,6 +2472,10 @@ + (*in == '_') || (*in == '-') || + (*in == ':') || (*in == '.')) + in++; ++ ++ if (in == ctxt->input->end) ++ return(NULL); ++ + if ((*in > 0) && (*in < 0x80)) { + count = in - ctxt->input->cur; + ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count); +@@ -2515,6 +2519,10 @@ + NEXTL(l); + c = CUR_CHAR(l); + } ++ ++ if (ctxt->input->base > ctxt->input->cur - len) ++ return(NULL); ++ + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); + } + diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1840.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1840.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1840.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1840.patch 2016-06-03 12:59:12.000000000 +0000 @@ -0,0 +1,32 @@ +From cbb271655cadeb8dbb258a64701d9a3a0c4835b4 Mon Sep 17 00:00:00 2001 +From: Pranjal Jumde +Date: Mon, 7 Mar 2016 06:34:26 -0800 +Subject: Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup + + +* xmlregexp.c: +(xmlFAParseCharRange): Only advance to the next character if +there is no error. Advancing to the next character in case of +an error while parsing regexp leads to an out of bounds access. +--- + xmlregexp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: libxml2-2.9.1+dfsg1/xmlregexp.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/xmlregexp.c 2016-06-03 08:59:10.053135718 -0400 ++++ libxml2-2.9.1+dfsg1/xmlregexp.c 2016-06-03 08:59:10.053135718 -0400 +@@ -5050,11 +5050,12 @@ + ERROR("Expecting the end of a char range"); + return; + } +- NEXTL(len); ++ + /* TODO check that the values are acceptable character ranges for XML */ + if (end < start) { + ERROR("End of range is before start of range"); + } else { ++ NEXTL(len); + xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg, + XML_REGEXP_CHARVAL, start, end, NULL); + } diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3627.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3627.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3627.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3627.patch 2016-06-03 12:59:52.000000000 +0000 @@ -0,0 +1,56 @@ +From bdd66182ef53fe1f7209ab6535fda56366bd7ac9 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 23 May 2016 12:27:58 +0800 +Subject: Avoid building recursive entities + +For https://bugzilla.gnome.org/show_bug.cgi?id=762100 + +When we detect a recusive entity we should really not +build the associated data, moreover if someone bypass +libxml2 fatal errors and still tries to serialize a broken +entity make sure we don't risk to get ito a recursion + +* parser.c: xmlParserEntityCheck() don't build if entity loop + were found and remove the associated text content +* tree.c: xmlStringGetNodeList() avoid a potential recursion +--- + parser.c | 6 +++++- + tree.c | 1 + + 2 files changed, 6 insertions(+), 1 deletion(-) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:59:49.753640913 -0400 ++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:59:49.749640863 -0400 +@@ -138,7 +138,8 @@ + * entities problems + */ + if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) && +- (ent->content != NULL) && (ent->checked == 0)) { ++ (ent->content != NULL) && (ent->checked == 0) && ++ (ctxt->errNo != XML_ERR_ENTITY_LOOP)) { + unsigned long oldnbent = ctxt->nbentities; + xmlChar *rep; + +@@ -148,6 +149,9 @@ + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); + --ctxt->depth; ++ if (ctxt->errNo == XML_ERR_ENTITY_LOOP) { ++ ent->content[0] = 0; ++ } + + ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; + if (rep != NULL) { +Index: libxml2-2.9.1+dfsg1/tree.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/tree.c 2016-06-03 08:59:49.753640913 -0400 ++++ libxml2-2.9.1+dfsg1/tree.c 2016-06-03 08:59:49.749640863 -0400 +@@ -1588,6 +1588,7 @@ + else if ((ent != NULL) && (ent->children == NULL)) { + xmlNodePtr temp; + ++ ent->children = (xmlNodePtr) -1; + ent->children = xmlStringGetNodeList(doc, + (const xmlChar*)node->content); + ent->owner = 1; diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3705.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3705.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3705.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3705.patch 2016-06-03 12:59:21.000000000 +0000 @@ -0,0 +1,65 @@ +From 8f30bdff69edac9075f4663ce3b56b0c52d48ce6 Mon Sep 17 00:00:00 2001 +From: Peter Simons +Date: Fri, 15 Apr 2016 11:56:55 +0200 +Subject: Add missing increments of recursion depth counter to XML parser. + +For https://bugzilla.gnome.org/show_bug.cgi?id=765207 +CVE-2016-3705 +The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call +xmlStringDecodeEntities() in a recursive context without incrementing the +'depth' counter in the parser context. Because of that omission, the parser +failed to detect attribute recursions in certain documents before running out +of stack space. +--- + parser.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:59:18.205239470 -0400 ++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:59:18.205239470 -0400 +@@ -144,8 +144,10 @@ + + ent->checked = 1; + ++ ++ctxt->depth; + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); ++ --ctxt->depth; + + ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; + if (rep != NULL) { +@@ -3947,8 +3949,10 @@ + * an entity declaration, it is bypassed and left as is. + * so XML_SUBSTITUTE_REF is not set here. + */ ++ ++ctxt->depth; + ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF, + 0, 0, 0); ++ --ctxt->depth; + if (orig != NULL) + *orig = buf; + else +@@ -4073,9 +4077,11 @@ + } else if ((ent != NULL) && + (ctxt->replaceEntities != 0)) { + if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) { ++ ++ctxt->depth; + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, + 0, 0, 0); ++ --ctxt->depth; + if (rep != NULL) { + current = rep; + while (*current != 0) { /* non input consuming */ +@@ -4111,8 +4117,10 @@ + (ent->content != NULL) && (ent->checked == 0)) { + unsigned long oldnbent = ctxt->nbentities; + ++ ++ctxt->depth; + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); ++ --ctxt->depth; + + ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; + if (rep != NULL) { diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4447.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4447.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4447.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4447.patch 2016-06-03 12:59:30.000000000 +0000 @@ -0,0 +1,64 @@ +From 00906759053986b8079985644172085f74331f83 Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Tue, 26 Jan 2016 16:57:03 -0800 +Subject: Heap-based buffer-underreads due to xmlParseName + +For https://bugzilla.gnome.org/show_bug.cgi?id=759573 + +* parser.c: +(xmlParseElementDecl): Return early on invalid input to fix +non-minimized test case (759573-2.xml). Otherwise the parser +gets into a bad state in SKIP(3) at the end of the function. +(xmlParseConditionalSections): Halt parsing when hitting invalid +input that would otherwise caused xmlParserHandlePEReference() +to recurse unexpectedly. This fixes the minimized test case +(759573.xml). + +* result/errors/759573-2.xml: Add. +* result/errors/759573-2.xml.err: Add. +* result/errors/759573-2.xml.str: Add. +* result/errors/759573.xml: Add. +* result/errors/759573.xml.err: Add. +* result/errors/759573.xml.str: Add. +* test/errors/759573-2.xml: Add. +* test/errors/759573.xml: Add. +--- + parser.c | 2 ++ + result/errors/759573-2.xml | 0 + result/errors/759573-2.xml.err | 58 ++++++++++++++++++++++++++++++++++++++++++ + result/errors/759573-2.xml.str | 4 +++ + result/errors/759573.xml | 0 + result/errors/759573.xml.err | 31 ++++++++++++++++++++++ + result/errors/759573.xml.str | 4 +++ + test/errors/759573-2.xml | 9 +++++++ + test/errors/759573.xml | 1 + + 9 files changed, 109 insertions(+) + create mode 100644 result/errors/759573-2.xml + create mode 100644 result/errors/759573-2.xml.err + create mode 100644 result/errors/759573-2.xml.str + create mode 100644 result/errors/759573.xml + create mode 100644 result/errors/759573.xml.err + create mode 100644 result/errors/759573.xml.str + create mode 100644 test/errors/759573-2.xml + create mode 100644 test/errors/759573.xml + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:59:27.601359045 -0400 ++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:59:27.601359045 -0400 +@@ -6675,6 +6675,7 @@ + if (!IS_BLANK_CH(CUR)) { + xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, + "Space required after 'ELEMENT'\n"); ++ return(-1); + } + SKIP_BLANKS; + name = xmlParseName(ctxt); +@@ -6826,6 +6827,7 @@ + + if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) { + xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL); ++ xmlHaltParser(ctxt); + break; + } + } diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4449.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4449.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4449.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4449.patch 2016-06-03 12:59:37.000000000 +0000 @@ -0,0 +1,41 @@ +From b1d34de46a11323fccffa9fadeb33be670d602f5 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 14 Mar 2016 17:19:44 +0800 +Subject: Fix inappropriate fetch of entities content + +For https://bugzilla.gnome.org/show_bug.cgi?id=761430 + +libfuzzer regression testing exposed another case where the parser would +fetch content of an external entity while not in validating mode. +Plug that hole +--- + parser.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:59:34.933452346 -0400 ++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:59:34.933452346 -0400 +@@ -2854,7 +2854,21 @@ + ctxt->nbentities += ent->checked / 2; + if (ent != NULL) { + if (ent->content == NULL) { +- xmlLoadEntityContent(ctxt, ent); ++ /* ++ * Note: external parsed entities will not be loaded, ++ * it is not required for a non-validating parser to ++ * complete external PEreferences coming from the ++ * internal subset ++ */ ++ if (((ctxt->options & XML_PARSE_NOENT) != 0) || ++ ((ctxt->options & XML_PARSE_DTDVALID) != 0) || ++ (ctxt->validate != 0)) { ++ xmlLoadEntityContent(ctxt, ent); ++ } else { ++ xmlWarningMsg(ctxt, XML_ERR_ENTITY_PROCESSING, ++ "not validating will not read content for PE entity %s\n", ++ ent->name, NULL); ++ } + } + ctxt->depth++; + rep = xmlStringDecodeEntities(ctxt, ent->content, what, diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4483.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4483.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4483.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4483.patch 2016-06-03 12:59:41.000000000 +0000 @@ -0,0 +1,49 @@ +From c97750d11bb8b6f3303e7131fe526a61ac65bcfd Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 23 May 2016 13:39:13 +0800 +Subject: Avoid an out of bound access when serializing malformed strings + +For https://bugzilla.gnome.org/show_bug.cgi?id=766414 + +* xmlsave.c: xmlBufAttrSerializeTxtContent() if an attribute value + is not UTF-8 be more careful when serializing it as we may do an + out of bound access as a result. +--- + xmlsave.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xmlsave.c b/xmlsave.c +index 774404b..4a8e3f3 100644 +--- a/xmlsave.c ++++ b/xmlsave.c +@@ -2097,8 +2097,8 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc, + xmlBufAdd(buf, BAD_CAST "&", 5); + cur++; + base = cur; +- } else if ((*cur >= 0x80) && ((doc == NULL) || +- (doc->encoding == NULL))) { ++ } else if ((*cur >= 0x80) && (cur[1] != 0) && ++ ((doc == NULL) || (doc->encoding == NULL))) { + /* + * We assume we have UTF-8 content. + */ +@@ -2121,14 +2121,14 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc, + val <<= 6; + val |= (cur[1]) & 0x3F; + l = 2; +- } else if (*cur < 0xF0) { ++ } else if ((*cur < 0xF0) && (cur [2] != 0)) { + val = (cur[0]) & 0x0F; + val <<= 6; + val |= (cur[1]) & 0x3F; + val <<= 6; + val |= (cur[2]) & 0x3F; + l = 3; +- } else if (*cur < 0xF8) { ++ } else if ((*cur < 0xF8) && (cur [2] != 0) && (cur[3] != 0)) { + val = (cur[0]) & 0x07; + val <<= 6; + val |= (cur[1]) & 0x3F; +-- +cgit v0.12 + diff -Nru libxml2-2.9.1+dfsg1/debian/patches/series libxml2-2.9.1+dfsg1/debian/patches/series --- libxml2-2.9.1+dfsg1/debian/patches/series 2016-01-14 18:13:07.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/series 2016-06-03 16:32:11.000000000 +0000 @@ -27,3 +27,19 @@ CVE-2015-7499-3.patch CVE-2015-7499-4.patch CVE-2015-8710.patch +CVE-2016-1762.patch +CVE-2016-1833-pre.patch +CVE-2016-1833-pre2.patch +CVE-2016-1833.patch +CVE-2016-1834.patch +CVE-2016-1835.patch +CVE-2016-1836.patch +CVE-2016-1837.patch +CVE-2016-1838.patch +CVE-2016-1839.patch +CVE-2016-1840.patch +CVE-2016-3705.patch +CVE-2016-4447.patch +CVE-2016-4449.patch +CVE-2016-4483.patch +CVE-2016-3627.patch