Control: tags 855001 + patch Control: tags 855001 + pending Control: tags 878684 + patch Control: tags 878684 + pending Control: tags 880000 + pending
Dear maintainer, I've prepared an NMU for libxml2 (versioned as 2.9.4+dfsg1-5.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru libxml2-2.9.4+dfsg1/debian/changelog libxml2-2.9.4+dfsg1/debian/changelog --- libxml2-2.9.4+dfsg1/debian/changelog 2017-10-15 02:18:26.000000000 +0200 +++ libxml2-2.9.4+dfsg1/debian/changelog 2017-11-18 16:39:04.000000000 +0100 @@ -1,3 +1,15 @@ +libxml2 (2.9.4+dfsg1-5.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix NULL pointer deref in xmlDumpElementContent (CVE-2017-5969) + (Closes: #855001) + * Check for integer overflow in memory debug code (CVE-2017-5130) + (Closes: #880000) + * Fix copy-paste errors in error messages + * python: remove single use of _PyVerify_fd (Closes: #878684) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 18 Nov 2017 16:39:04 +0100 + libxml2 (2.9.4+dfsg1-5) unstable; urgency=medium * Team upload. diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0014-Fix-NULL-pointer-deref-in-xmlDumpElementContent.patch libxml2-2.9.4+dfsg1/debian/patches/0014-Fix-NULL-pointer-deref-in-xmlDumpElementContent.patch --- libxml2-2.9.4+dfsg1/debian/patches/0014-Fix-NULL-pointer-deref-in-xmlDumpElementContent.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxml2-2.9.4+dfsg1/debian/patches/0014-Fix-NULL-pointer-deref-in-xmlDumpElementContent.patch 2017-11-18 16:39:04.000000000 +0100 
@@ -0,0 +1,65 @@
+From: Daniel Veillard <veill...@redhat.com>
+Date: Wed, 7 Jun 2017 16:47:36 +0200
+Subject: Fix NULL pointer deref in xmlDumpElementContent
+Origin: https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882
+Bug-Debian: https://bugs.debian.org/855001
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5969
+
+Can only be triggered in recovery mode.
+
+Fixes bug 758422 (CVE-2017-5969).
+---
+ valid.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/valid.c b/valid.c
+index 9b2df56a..8075d3a0 100644
+--- a/valid.c
++++ b/valid.c
+@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
+ xmlBufferWriteCHAR(buf, content->name);
+ break;
+ case XML_ELEMENT_CONTENT_SEQ:
+- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
++ if ((content->c1 != NULL) &&
++ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
++ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
+ xmlDumpElementContent(buf, content->c1, 1);
+ else
+ xmlDumpElementContent(buf, content->c1, 0);
+ xmlBufferWriteChar(buf, " , ");
+- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
+- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
+- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
++ if ((content->c2 != NULL) &&
++ ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
++ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
++ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
+ xmlDumpElementContent(buf, content->c2, 1);
+ else
+ xmlDumpElementContent(buf, content->c2, 0);
+ break;
+ case XML_ELEMENT_CONTENT_OR:
+- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
++ if ((content->c1 != NULL) &&
++ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
++ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
+ xmlDumpElementContent(buf, content->c1, 
1);
+ else
+ xmlDumpElementContent(buf, content->c1, 0);
+ xmlBufferWriteChar(buf, " | ");
+- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
+- ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
+- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
++ if ((content->c2 != NULL) &&
++ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
++ ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
++ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
+ xmlDumpElementContent(buf, content->c2, 1);
+ else
+ xmlDumpElementContent(buf, content->c2, 0);
+--
+2.15.0
+
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0015-Check-for-integer-overflow-in-memory-debug-code.patch libxml2-2.9.4+dfsg1/debian/patches/0015-Check-for-integer-overflow-in-memory-debug-code.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0015-Check-for-integer-overflow-in-memory-debug-code.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0015-Check-for-integer-overflow-in-memory-debug-code.patch 2017-11-18 16:39:04.000000000 +0100
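Review bot: The new `content->c1 != NULL` / `content->c2 != NULL` guards cover only the `->type` and `->ocur` reads; on each of the four else branches the code still calls `xmlDumpElementContent(buf, content->c1, 0)` (or `c2`) with the possibly NULL child, so the fix is complete only if the callee rejects a NULL `content` on entry, which is outside this hunk. If that entry check exists, a comment above the first guard, `/* c1/c2 may be NULL in recovery mode; the recursive call must tolerate NULL */`, would record why the else branch is safe; if it does not, each else branch needs its own `if (content->c1 != NULL)` guard. The enclosing switch and the body of xmlDumpElementContent start and end outside the hunk.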
@@ -0,0 +1,63 @@
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Tue, 6 Jun 2017 13:21:14 +0200
+Subject: Check for integer overflow in memory debug code
+Origin: https://git.gnome.org/browse/libxml2/commit/?id=897dffbae322b46b83f99a607d527058a72c51ed
+Bug-Debian: https://bugs.debian.org/880000
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5130
+
+Fixes bug 783026.
+
+Thanks to Pranjal Jumde for the report.
+---
+ xmlmemory.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/xmlmemory.c b/xmlmemory.c
+index f08c8c3d..c53141fb 100644
+--- a/xmlmemory.c
++++ b/xmlmemory.c
+@@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line)
+
+ TEST_POINT
+
++ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
++ xmlGenericError(xmlGenericErrorContext,
++ "xmlMallocLoc : Unsigned overflow\n");
++ xmlMemoryDump();
++ return(NULL);
++ }
++
+ p = (MEMHDR *) malloc(RESERVE_SIZE+size);
+
+ if (!p) {
+@@ -352,6 +359,13 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
+ #endif
+ xmlMutexUnlock(xmlMemMutex);
+
++ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
++ xmlGenericError(xmlGenericErrorContext,
++ "xmlMallocLoc : Unsigned overflow\n");
++ xmlMemoryDump();
++ return(NULL);
++ }
++
+ tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
+ if (!tmp) {
+ free(p);
+@@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char *str, const char *file, int line)
+ if (!xmlMemInitialized) xmlInitMemory();
+ TEST_POINT
+
++ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
++ xmlGenericError(xmlGenericErrorContext,
++ "xmlMallocLoc : Unsigned overflow\n");
++ xmlMemoryDump();
++ return(NULL);
++ }
++
+ p = (MEMHDR *) malloc(RESERVE_SIZE+size);
+ if (!p) {
+ goto error;
+--
+2.15.0
+
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0016-Fix-copy-paste-errors-in-error-messages.patch libxml2-2.9.4+dfsg1/debian/patches/0016-Fix-copy-paste-errors-in-error-messages.patch
--- 
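Review bot: In the xmlReallocLoc hunk the new size check sits after `xmlMutexUnlock(xmlMemMutex);`, i.e. after the locked section that presumably updates the debug accounting for the old block, and it returns NULL without touching `p`, while the realloc-failure path two lines below does `free(p)`; the two error returns therefore leave the original block in different states (inferred, since the code before `#endif` is not visible). Placing the check at the top of xmlReallocLoc, before the old block is unlinked, would keep the caller's pointer valid and accounted on the error return, matching xmlMallocLoc and xmlMemStrdupLoc where the check precedes any side effect. The body of xmlReallocLoc starts and ends outside the hunk.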
libxml2-2.9.4+dfsg1/debian/patches/0016-Fix-copy-paste-errors-in-error-messages.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0016-Fix-copy-paste-errors-in-error-messages.patch 2017-11-18 16:39:04.000000000 +0100
@@ -0,0 +1,46 @@
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Sun, 11 Jun 2017 17:12:21 +0200
+Subject: Fix copy-paste errors in error messages
+Origin: https://git.gnome.org/browse/libxml2/commit/?id=ed48d65b4d6c5cec7be035ad5eebeba873b4b955
+Bug-Debian: https://bugs.debian.org/880000
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5130
+
+Thanks to David Kilzer for the review.
+---
+ xmlmemory.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/xmlmemory.c b/xmlmemory.c
+index c53141fb..58de2eda 100644
+--- a/xmlmemory.c
++++ b/xmlmemory.c
+@@ -250,7 +250,7 @@ xmlMallocAtomicLoc(size_t size, const char * file, int line)
+
+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+ xmlGenericError(xmlGenericErrorContext,
+- "xmlMallocAtomicLoc : Unsigned overflow prevented\n");
++ "xmlMallocAtomicLoc : Unsigned overflow\n");
+ xmlMemoryDump();
+ return(NULL);
+ }
+@@ -361,7 +361,7 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
+
+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+ xmlGenericError(xmlGenericErrorContext,
+- "xmlMallocLoc : Unsigned overflow\n");
++ "xmlReallocLoc : Unsigned overflow\n");
+ xmlMemoryDump();
+ return(NULL);
+ }
+@@ -515,7 +515,7 @@ xmlMemStrdupLoc(const char *str, const char *file, int line)
+
+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+ xmlGenericError(xmlGenericErrorContext,
+- "xmlMallocLoc : Unsigned overflow\n");
++ "xmlMemStrdupLoc : Unsigned overflow\n");
+ xmlMemoryDump();
+ return(NULL);
+ }
+--
+2.15.0
+
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0017-python-remove-single-use-of-_PyVerify_fd.patch libxml2-2.9.4+dfsg1/debian/patches/0017-python-remove-single-use-of-_PyVerify_fd.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0017-python-remove-single-use-of-_PyVerify_fd.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0017-python-remove-single-use-of-_PyVerify_fd.patch 2017-11-18 16:39:04.000000000 +0100
@@ -0,0 +1,32 @@
+From: Patrick Welche <pr...@cam.ac.uk>
+Date: Mon, 6 Nov 2017 16:20:25 +0000
+Subject: python: remove single use of _PyVerify_fd
+Origin: https://bugzilla.gnome.org/attachment.cgi?id=363064
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=776815
+Bug-Debian: https://bugs.debian.org/878684
+
+_PyVerify_fd disappeared from python with:
+
+ https://hg.python.org/cpython/rev/e88e2049b793
+
+https://bugzilla.gnome.org/show_bug.cgi?id=776815
+---
+ python/types.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/python/types.c b/python/types.c
+index f237677..124af56 100644
+--- a/python/types.c
++++ b/python/types.c
+@@ -31,8 +31,6 @@ libxml_PyFileGet(PyObject *f) {
+ const char *mode;
+
+ fd = PyObject_AsFileDescriptor(f);
+- if (!_PyVerify_fd(fd))
+- return(NULL);
+ /*
+ * Get the flags on the fd to understand how it was opened
+ */
+--
+2.15.0
+
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/series libxml2-2.9.4+dfsg1/debian/patches/series
--- libxml2-2.9.4+dfsg1/debian/patches/series 2017-08-20 13:49:49.000000000 +0200
+++ libxml2-2.9.4+dfsg1/debian/patches/series 2017-11-18 16:39:04.000000000 +0100
@@ -11,3 +11,7 @@
 0011-Fix-handling-of-parameter-entity-references.patch
 0012-Fix-buffer-size-checks-in-xmlSnprintfElementContent.patch
 0013-Fix-type-confusion-in-xmlValidateOneNamespace.patch
+0014-Fix-NULL-pointer-deref-in-xmlDumpElementContent.patch
+0015-Check-for-integer-overflow-in-memory-debug-code.patch
+0016-Fix-copy-paste-errors-in-error-messages.patch
+0017-python-remove-single-use-of-_PyVerify_fd.patch
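Review bot: Deleting `if (!_PyVerify_fd(fd)) return(NULL);` removes the only check between `fd = PyObject_AsFileDescriptor(f);` and the code that reads the descriptor's flags; PyObject_AsFileDescriptor returns -1 with an exception set when `f` yields no usable descriptor, so that value now flows on unchecked. The private helper can be replaced by the public contract instead of dropped outright: `if (fd < 0) return(NULL);` in place of the two deleted lines keeps the error path without depending on `_PyVerify_fd`. libxml_PyFileGet continues past the hunk, so how the flags lookup reacts to -1 cannot be confirmed here.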