Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libx...@packages.debian.org, car...@debian.org
Control: affects -1 + src:libxml2

Hi stable release managers,

[ Reason ]
libxml2 in bookworm and older is affected by CVE-2022-2309. The issue does not warrant a DSA, so I prepared an update to be included in the next point release.

[ Impact ]
CVE-2022-2309 remains open for bookworm.

[ Tests ]
None specifically.

[ Risks ]
The two commits are isolated.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The two commits from upstream do reset ctxt->nsNr to 0 in xmlCtxtReset (the original report) and as well in htmlCtxtReset to address the issue in libxml2.

[ Other info ]
None.

Thanks for considering accepting the update as well for bookworm. I'm aiming as well to do the same for bullseye-pu, but this has not been done yet.

Regards,
Salvatore

diff -Nru libxml2-2.9.14+dfsg/debian/changelog libxml2-2.9.14+dfsg/debian/changelog --- libxml2-2.9.14+dfsg/debian/changelog 2023-04-15 16:25:06.000000000 +0200 +++ libxml2-2.9.14+dfsg/debian/changelog 2023-07-10 21:58:07.000000000 +0200 @@ -1,3 +1,17 @@ +libxml2 (2.9.14+dfsg-1.3~deb12u1) bookworm; urgency=medium + + * Rebuild for bookworm + + -- Salvatore Bonaccorso <car...@debian.org> Mon, 10 Jul 2023 21:58:07 +0200 + +libxml2 (2.9.14+dfsg-1.3) unstable; urgency=medium + + * Non-maintainer upload. + * Reset nsNr in xmlCtxtReset (CVE-2022-2309) (Closes: #1039991) + * Also reset nsNr in htmlCtxtReset (CVE-2022-2309) (Closes: #1039991) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 08 Jul 2023 21:18:29 +0200 + libxml2 (2.9.14+dfsg-1.2) unstable; urgency=medium * Non-maintainer upload. diff -Nru libxml2-2.9.14+dfsg/debian/patches/Also-reset-nsNr-in-htmlCtxtReset.patch libxml2-2.9.14+dfsg/debian/patches/Also-reset-nsNr-in-htmlCtxtReset.patch --- libxml2-2.9.14+dfsg/debian/patches/Also-reset-nsNr-in-htmlCtxtReset.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxml2-2.9.14+dfsg/debian/patches/Also-reset-nsNr-in-htmlCtxtReset.patch 2023-07-10 21:58:07.000000000 +0200 
@@ -0,0 +1,27 @@ +From: Nick Wellnhofer <wellnho...@aevum.de> +Date: Thu, 28 Jul 2022 21:35:17 +0200 +Subject: Also reset nsNr in htmlCtxtReset +origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/a82ea25fc83f563c574ddb863d6c17d9c5abdbd2 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-2309 +Bug-Debian: https://bugs.debian.org/1039991 + +--- + HTMLparser.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 9079fa8aa52d..1520663ba2af 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -6743,6 +6743,8 @@ htmlCtxtReset(htmlParserCtxtPtr ctxt) + ctxt->nameNr = 0; + ctxt->name = NULL; + ++ ctxt->nsNr = 0; ++ + DICT_FREE(ctxt->version); + ctxt->version = NULL; + DICT_FREE(ctxt->encoding); +-- +2.40.1 + diff -Nru libxml2-2.9.14+dfsg/debian/patches/Reset-nsNr-in-xmlCtxtReset.patch libxml2-2.9.14+dfsg/debian/patches/Reset-nsNr-in-xmlCtxtReset.patch --- libxml2-2.9.14+dfsg/debian/patches/Reset-nsNr-in-xmlCtxtReset.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxml2-2.9.14+dfsg/debian/patches/Reset-nsNr-in-xmlCtxtReset.patch 2023-07-10 21:58:07.000000000 +0200 
@@ -0,0 +1,27 @@ +From: Nick Wellnhofer <wellnho...@aevum.de> +Date: Mon, 18 Jul 2022 20:59:45 +0200 +Subject: Reset nsNr in xmlCtxtReset +origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/5930fe01963136ab92125feec0c6204d9c9225dc +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-2309 +Bug-Debian: https://bugs.debian.org/1039991 + +--- + parser.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/parser.c b/parser.c +index d278638dd6d4..e660b0a7d499 100644 +--- a/parser.c ++++ b/parser.c +@@ -14820,6 +14820,8 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt) + ctxt->nameNr = 0; + ctxt->name = NULL; + ++ ctxt->nsNr = 0; ++ + DICT_FREE(ctxt->version); + ctxt->version = NULL; + DICT_FREE(ctxt->encoding); +-- +2.40.1 + diff -Nru libxml2-2.9.14+dfsg/debian/patches/series libxml2-2.9.14+dfsg/debian/patches/series --- libxml2-2.9.14+dfsg/debian/patches/series 2023-04-15 16:25:06.000000000 +0200 +++ libxml2-2.9.14+dfsg/debian/patches/series 2023-07-10 21:58:07.000000000 +0200 @@ -6,3 +6,5 @@ schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch +Reset-nsNr-in-xmlCtxtReset.patch +Also-reset-nsNr-in-htmlCtxtReset.patch
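
Review bot: The header of Also-reset-nsNr-in-htmlCtxtReset.patch gives Subject, origin and the two bug links but no description of the failure mode, so the `ctxt->nsNr = 0;` added after `ctxt->name = NULL;` in htmlCtxtReset is unexplained to anyone reading debian/patches on its own. A one- or two-line description after the Subject line, saying that a context reused after htmlCtxtReset otherwise keeps its previous nsNr and that this complements the xmlCtxtReset change, would make the patch self-documenting.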
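
Review bot: No test accompanies the `ctxt->nsNr = 0;` added to xmlCtxtReset in Reset-nsNr-in-xmlCtxtReset.patch: the diffstat lists parser.c as the only file changed, and the request itself says "None specifically" under Tests. Consider a regression check that parses a document with namespace declarations, calls xmlCtxtReset, and parses again on the same context, so that the reset path is actually exercised before the point release.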
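
Review bot: The two entries added at the end of debian/patches/series do not carry the CVE id in their file names, unlike the two CVE-2023-* entries in the context lines directly above them. Renaming them with a CVE-2022-2309- prefix would keep the series searchable by CVE; the order, with Reset-nsNr-in-xmlCtxtReset.patch first, is consistent with the upstream commit dates in the patch headers (18 July before 28 July 2022).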