Package: release.debian.org Severity: normal X-Debbugs-Cc: [email protected], Guilhem Moulin <[email protected]> Control: affects -1 + src:libxml2 User: [email protected] Usertags: unblock
Please unblock package libxml2. The upload carries the CVE-2025-6170 fix, already accepted into bookworm-pu in #1109947.

unblock libxml2/2.12.7+dfsg+really2.9.14-2.1
diffstat for libxml2-2.12.7+dfsg+really2.9.14 libxml2-2.12.7+dfsg+really2.9.14 changelog | 8 +++ patches/CVE-2025-6170.patch | 100 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 109 insertions(+)
diff -Nru libxml2-2.12.7+dfsg+really2.9.14/debian/changelog libxml2-2.12.7+dfsg+really2.9.14/debian/changelog
--- libxml2-2.12.7+dfsg+really2.9.14/debian/changelog 2025-07-17 18:09:57.000000000 +0300
+++ libxml2-2.12.7+dfsg+really2.9.14/debian/changelog 2025-07-27 01:59:51.000000000 +0300
@@ -1,3 +1,11 @@
+libxml2 (2.12.7+dfsg+really2.9.14-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2025-6170: Potential buffer overflows in the interactive shell
+ (Closes: #1107938).
+
+ -- Guilhem Moulin <[email protected]> Sun, 27 Jul 2025 00:59:51 +0200
+
 libxml2 (2.12.7+dfsg+really2.9.14-2) unstable; urgency=medium

 * Security fixes:
diff -Nru libxml2-2.12.7+dfsg+really2.9.14/debian/patches/CVE-2025-6170.patch libxml2-2.12.7+dfsg+really2.9.14/debian/patches/CVE-2025-6170.patch
--- libxml2-2.12.7+dfsg+really2.9.14/debian/patches/CVE-2025-6170.patch 1970-01-01 02:00:00.000000000 +0200
+++ libxml2-2.12.7+dfsg+really2.9.14/debian/patches/CVE-2025-6170.patch 2025-07-27 01:59:51.000000000 +0300
@@ -0,0 +1,100 @@
+From: Michael Mann <[email protected]>
+Date: Fri, 20 Jun 2025 23:05:00 -0400
+Subject: Fix potential buffer overflows of interactive shell
+
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c107d3f5b5179c3dbc19df43df041cd55b
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/941
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-6170
+Bug-Debian: https://bugs.debian.org/1107938
+---
+ debugXML.c | 15 ++++++++++-----
+ result/scripts/long_command | 8 ++++++++
+ test/scripts/long_command.script | 6 ++++++
+ test/scripts/long_command.xml | 1 +
+ 4 files changed, 25 insertions(+), 5 deletions(-)
+ create mode 100644 result/scripts/long_command
+ create mode 100644 test/scripts/long_command.script
+ create mode 100644 test/scripts/long_command.xml
+
+diff --git a/debugXML.c b/debugXML.c
+index 7a2ca47..dfde58e 100644
+--- a/debugXML.c
++++ b/debugXML.c
+@@ -1050,6 +1050,10 @@ xmlCtxtDumpOneNode(xmlDebugCtxtPtr ctxt, xmlNodePtr node)
+ xmlCtxtGenericNodeCheck(ctxt, node);
+ }
+
++#define MAX_PROMPT_SIZE 500
++#define MAX_ARG_SIZE 400
++#define MAX_COMMAND_SIZE 100
++
+ /**
+ * xmlCtxtDumpNode:
+ * @output: the FILE * for the output
+@@ -2802,10 +2806,10 @@ void
+ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+ FILE * output)
+ {
+- char prompt[500] = "/ > ";
++ char prompt[MAX_PROMPT_SIZE] = "/ > ";
+ char *cmdline = NULL, *cur;
+- char command[100];
+- char arg[400];
++ char command[MAX_COMMAND_SIZE];
++ char arg[MAX_ARG_SIZE];
+ int i;
+ xmlShellCtxtPtr ctxt;
+ xmlXPathObjectPtr list;
+@@ -2863,7 +2867,8 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+ cur++;
+ i = 0;
+ while ((*cur != ' ') && (*cur != '\t') &&
+- (*cur != '\n') && (*cur != '\r')) {
++ (*cur != '\n') && (*cur != '\r') &&
++ (i < (MAX_COMMAND_SIZE - 1))) {
+ if (*cur == 0)
+ break;
+ command[i++] = *cur++;
+@@ -2878,7 +2883,7 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+ while ((*cur == ' ') || (*cur == '\t'))
+ cur++;
+ i = 0;
+- while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
++ while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
+ if (*cur == 0)
+ break;
+ arg[i++] = *cur++;
+diff --git a/result/scripts/long_command b/result/scripts/long_command
+new file mode 100644
+index 0000000..e6f0070
+--- /dev/null
++++ b/result/scripts/long_command
+@@ -0,0 +1,8 @@
++/ > b > b > Object is a Node Set :
++Set contains 1 nodes:
++1 ELEMENT a:c
++b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
++b > b > Unknown command ess_currents_of_time_and_existence
++b > <?xml version="1.0"?>
++<a xmlns:a="bar"><b xmlns:a="foo">Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof</b></a>
++b >
+\ No newline at end of file
+diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script
+new file mode 100644
+index 0000000..00f6df0
+--- /dev/null
++++ b/test/scripts/long_command.script
+@@ -0,0 +1,6 @@
++cd a/b
++set <a:c/>
++xpath //*[namespace-uri()="foo"]
++This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
++set Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
++save -
+diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
+new file mode 100644
+index 0000000..1ba4401
+--- /dev/null
++++ b/test/scripts/long_command.xml
+@@ -0,0 +1 @@
++<a xmlns:a="bar"><b xmlns:a="foo"/></a>
diff -Nru libxml2-2.12.7+dfsg+really2.9.14/debian/patches/series libxml2-2.12.7+dfsg+really2.9.14/debian/patches/series
--- libxml2-2.12.7+dfsg+really2.9.14/debian/patches/series 2025-07-17 18:09:57.000000000 +0300
+++ libxml2-2.12.7+dfsg+really2.9.14/debian/patches/series 2025-07-27 01:59:51.000000000 +0300
@@ -23,3 +23,4 @@
 CVE-2025-32415.patch
 CVE-2025-6021.patch
 CVE-2025-49794_49796.patch
+CVE-2025-6170.patch
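Review bot: Both bounded copy loops in xmlShell (the debugXML.c hunks at `-2863` and `-2878`) stop silently once `i` reaches the limit, so an over-long command or argument is truncated and then acted on rather than rejected. The expected output added in result/scripts/long_command pins this: `set` stores text cut off at `every_prof`, and the tail of that input line is reported as `Unknown command ess_currents_of_time_and_existence`, so leftover input is evidently parsed as a command of its own. For commands such as `save` or `xpath`, operating on a cut-off argument is the riskier outcome; after each loop I would test whether `*cur` stopped on a terminator and, if it did not, print an error and skip the line instead of dispatching. Smaller points: `if (*cur == 0) break;` in the argument loop duplicates the `(*cur != 0)` test in its condition, and `i < (int)sizeof(arg) - 1` would tie the bound to the array rather than to a macro that can drift. xmlShell's loop body and command dispatch lie outside these hunks, so the placement of the check has to be confirmed against the full function.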

