Your message dated Wed, 30 Jul 2025 21:02:56 +0000
with message-id <[email protected]>
and subject line unblock libxml2
has caused the Debian Bug report #1110152,
regarding unblock: libxml2/2.12.7+dfsg+really2.9.14-2.1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1110152: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110152
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected], Guilhem Moulin <[email protected]>
Control: affects -1 + src:libxml2
User: [email protected]
Usertags: unblock
Please unblock package libxml2
CVE-2025-6170 fix, already accepted into bookworm-pu in #1109947.
unblock libxml2/2.12.7+dfsg+really2.9.14-2.1
diffstat for libxml2-2.12.7+dfsg+really2.9.14 libxml2-2.12.7+dfsg+really2.9.14
changelog | 8 +++
patches/CVE-2025-6170.patch | 100 ++++++++++++++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 109 insertions(+)
diff -Nru libxml2-2.12.7+dfsg+really2.9.14/debian/changelog
libxml2-2.12.7+dfsg+really2.9.14/debian/changelog
--- libxml2-2.12.7+dfsg+really2.9.14/debian/changelog 2025-07-17
18:09:57.000000000 +0300
+++ libxml2-2.12.7+dfsg+really2.9.14/debian/changelog 2025-07-27
01:59:51.000000000 +0300
@@ -1,3 +1,11 @@
+libxml2 (2.12.7+dfsg+really2.9.14-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2025-6170: Potential buffer overflows in the interactive shell
+ (Closes: #1107938).
+
+ -- Guilhem Moulin <[email protected]> Sun, 27 Jul 2025 00:59:51 +0200
+
libxml2 (2.12.7+dfsg+really2.9.14-2) unstable; urgency=medium
* Security fixes:
diff -Nru libxml2-2.12.7+dfsg+really2.9.14/debian/patches/CVE-2025-6170.patch
libxml2-2.12.7+dfsg+really2.9.14/debian/patches/CVE-2025-6170.patch
--- libxml2-2.12.7+dfsg+really2.9.14/debian/patches/CVE-2025-6170.patch
1970-01-01 02:00:00.000000000 +0200
+++ libxml2-2.12.7+dfsg+really2.9.14/debian/patches/CVE-2025-6170.patch
2025-07-27 01:59:51.000000000 +0300
@@ -0,0 +1,100 @@
+From: Michael Mann <[email protected]>
+Date: Fri, 20 Jun 2025 23:05:00 -0400
+Subject: Fix potential buffer overflows of interactive shell
+
+Origin:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c107d3f5b5179c3dbc19df43df041cd55b
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/941
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-6170
+Bug-Debian: https://bugs.debian.org/1107938
+---
+ debugXML.c | 15 ++++++++++-----
+ result/scripts/long_command | 8 ++++++++
+ test/scripts/long_command.script | 6 ++++++
+ test/scripts/long_command.xml | 1 +
+ 4 files changed, 25 insertions(+), 5 deletions(-)
+ create mode 100644 result/scripts/long_command
+ create mode 100644 test/scripts/long_command.script
+ create mode 100644 test/scripts/long_command.xml
+
+diff --git a/debugXML.c b/debugXML.c
+index 7a2ca47..dfde58e 100644
+--- a/debugXML.c
++++ b/debugXML.c
+@@ -1050,6 +1050,10 @@ xmlCtxtDumpOneNode(xmlDebugCtxtPtr ctxt, xmlNodePtr
node)
+ xmlCtxtGenericNodeCheck(ctxt, node);
+ }
+
++#define MAX_PROMPT_SIZE 500
++#define MAX_ARG_SIZE 400
++#define MAX_COMMAND_SIZE 100
++
+ /**
+ * xmlCtxtDumpNode:
+ * @output: the FILE * for the output
+@@ -2802,10 +2806,10 @@ void
+ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+ FILE * output)
+ {
+- char prompt[500] = "/ > ";
++ char prompt[MAX_PROMPT_SIZE] = "/ > ";
+ char *cmdline = NULL, *cur;
+- char command[100];
+- char arg[400];
++ char command[MAX_COMMAND_SIZE];
++ char arg[MAX_ARG_SIZE];
+ int i;
+ xmlShellCtxtPtr ctxt;
+ xmlXPathObjectPtr list;
+@@ -2863,7 +2867,8 @@ xmlShell(xmlDocPtr doc, char *filename,
xmlShellReadlineFunc input,
+ cur++;
+ i = 0;
+ while ((*cur != ' ') && (*cur != '\t') &&
+- (*cur != '\n') && (*cur != '\r')) {
++ (*cur != '\n') && (*cur != '\r') &&
++ (i < (MAX_COMMAND_SIZE - 1))) {
+ if (*cur == 0)
+ break;
+ command[i++] = *cur++;
+@@ -2878,7 +2883,7 @@ xmlShell(xmlDocPtr doc, char *filename,
xmlShellReadlineFunc input,
+ while ((*cur == ' ') || (*cur == '\t'))
+ cur++;
+ i = 0;
+- while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
++ while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i <
(MAX_ARG_SIZE-1))) {
+ if (*cur == 0)
+ break;
+ arg[i++] = *cur++;
+diff --git a/result/scripts/long_command b/result/scripts/long_command
+new file mode 100644
+index 0000000..e6f0070
+--- /dev/null
++++ b/result/scripts/long_command
+@@ -0,0 +1,8 @@
++/ > b > b > Object is a Node Set :
++Set contains 1 nodes:
++1 ELEMENT a:c
++b > Unknown command
This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
++b > b > Unknown command ess_currents_of_time_and_existence
++b > <?xml version="1.0"?>
++<a xmlns:a="bar"><b
xmlns:a="foo">Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof</b></a>
++b >
+\ No newline at end of file
+diff --git a/test/scripts/long_command.script
b/test/scripts/long_command.script
+new file mode 100644
+index 0000000..00f6df0
+--- /dev/null
++++ b/test/scripts/long_command.script
+@@ -0,0 +1,6 @@
++cd a/b
++set <a:c/>
++xpath //*[namespace-uri()="foo"]
++This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash
foo
++set
Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
++save -
+diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
+new file mode 100644
+index 0000000..1ba4401
+--- /dev/null
++++ b/test/scripts/long_command.xml
+@@ -0,0 +1 @@
++<a xmlns:a="bar"><b xmlns:a="foo"/></a>
diff -Nru libxml2-2.12.7+dfsg+really2.9.14/debian/patches/series
libxml2-2.12.7+dfsg+really2.9.14/debian/patches/series
--- libxml2-2.12.7+dfsg+really2.9.14/debian/patches/series 2025-07-17
18:09:57.000000000 +0300
+++ libxml2-2.12.7+dfsg+really2.9.14/debian/patches/series 2025-07-27
01:59:51.000000000 +0300
@@ -23,3 +23,4 @@
CVE-2025-32415.patch
CVE-2025-6021.patch
CVE-2025-49794_49796.patch
+CVE-2025-6170.patch
--- End Message ---
--- Begin Message ---
Unblocked libxml2.
--- End Message ---
