tags 652352 + patch
tags 652352 + pending
thanks

Dear maintainer,
I've prepared an NMU for libxml2 (versioned as 2.7.8.dfsg-5.1) and uploaded it to DELAYED/02, fixing the two outstanding security issues (CVE-2011-0216 in encoding.c and CVE-2011-3905 in parser.c). Please feel free to tell me if I should delay it longer.

Cheers,
Luk
diff -u libxml2-2.7.8.dfsg/debian/changelog libxml2-2.7.8.dfsg/debian/changelog
--- libxml2-2.7.8.dfsg/debian/changelog
+++ libxml2-2.7.8.dfsg/debian/changelog
@@ -1,3 +1,13 @@
+libxml2 (2.7.8.dfsg-5.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * encoding.c: Fix off by one error. CVE-2011-0216.
+  * parser.c: Make sure parser returns when getting a Stop order.
+    CVE-2011-3905.
+  * Both closes: #652352.
+
+ -- Luk Claes <l...@debian.org>  Fri, 30 Dec 2011 18:31:13 +0100
+
 libxml2 (2.7.8.dfsg-5) unstable; urgency=low
 
   * xpath.c, xpointer.c, include/libxml/xpath.h: Hardening of XPath evaluation.
only in patch2:
unchanged:
--- libxml2-2.7.8.dfsg.orig/parser.c
+++ libxml2-2.7.8.dfsg/parser.c
@@ -4949,7 +4949,8 @@
 		(ctxt->sax->processingInstruction != NULL))
 		ctxt->sax->processingInstruction(ctxt->userData,
 		                                 target, NULL);
-	    ctxt->instate = state;
+	    if (ctxt->instate != XML_PARSER_EOF)
+		ctxt->instate = state;
 	    return;
 	}
 	buf = (xmlChar *) xmlMallocAtomic(size * sizeof(xmlChar));
@@ -5029,7 +5030,8 @@
 	} else {
 	    xmlFatalErr(ctxt, XML_ERR_PI_NOT_STARTED, NULL);
 	}
-	ctxt->instate = state;
+	if (ctxt->instate != XML_PARSER_EOF)
+	    ctxt->instate = state;
     }
 }
 
@@ -9588,6 +9590,8 @@
     else
 	name = xmlParseStartTag(ctxt);
 #endif /* LIBXML_SAX1_ENABLED */
+    if (ctxt->instate == XML_PARSER_EOF)
+	return;
     if (name == NULL) {
 	spacePop(ctxt);
         return;
@@ -10967,6 +10971,8 @@
 		else
 		    name = xmlParseStartTag(ctxt);
 #endif /* LIBXML_SAX1_ENABLED */
+		if (ctxt->instate == XML_PARSER_EOF)
+		    goto done;
 		if (name == NULL) {
 		    spacePop(ctxt);
 		    ctxt->instate = XML_PARSER_EOF;
@@ -11153,7 +11159,9 @@
 		else
 		    xmlParseEndTag1(ctxt, 0);
 #endif /* LIBXML_SAX1_ENABLED */
-		if (ctxt->nameNr == 0) {
+		if (ctxt->instate == XML_PARSER_EOF) {
+		    /* Nothing */
+		} else if (ctxt->nameNr == 0) {
 		    ctxt->instate = XML_PARSER_EPILOG;
 		} else {
 		    ctxt->instate = XML_PARSER_CONTENT;
only in patch2:
unchanged:
--- libxml2-2.7.8.dfsg.orig/encoding.c
+++ libxml2-2.7.8.dfsg/encoding.c
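Review bot: The new guard `if (ctxt->instate != XML_PARSER_EOF)` in the xmlParsePI hunk at -4949 carries no explanation of why the saved `state` must not be restored here, and a later reader is likely to "simplify" it back to the unconditional assignment that caused CVE-2011-3905. The `processingInstruction` SAX callback invoked two lines above can presumably stop the parser (the changelog's "Stop order", which I take to be xmlStopParser() setting XML_PARSER_EOF), and the restore must not clobber that. I would annotate the guard: `/* a SAX callback may have issued a stop order; never overwrite XML_PARSER_EOF with the saved state */`. xmlParsePI starts before this hunk and its body between the two restore sites is outside the diff, so the second hunk at -5029 should be checked against the same comment.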
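Review bot: The added early `return` on XML_PARSER_EOF in the hunk at -9588 leaves whatever xmlParseElement pushed before xmlParseStartTag unpopped: the adjacent `name == NULL` path calls `spacePop(ctxt)` before returning, while the new path does not. On a hard stop this is probably harmless, but a context that is reused without a reset would keep an unbalanced space stack. If the push happens unconditionally above this hunk (which I cannot see from here), I would mirror the existing path, `if (ctxt->instate == XML_PARSER_EOF) { spacePop(ctxt); return; }`, or add a comment saying why the pop is deliberately skipped. xmlParseElement starts before this hunk.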
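Review bot: The empty branch `if (ctxt->instate == XML_PARSER_EOF) { /* Nothing */ }` in the end-tag hunk at -11153 says what it does but not why, and it handles the same condition differently from the start-tag hunk at -10967, which jumps to `done`. If the lines after this hunk (outside the diff) simply leave the switch, falling through with XML_PARSER_EOF intact is equivalent, but a reader cannot tell that from here. I would either replace the placeholder with the reason, `/* stop order received: keep XML_PARSER_EOF instead of moving to EPILOG/CONTENT */`, or, if each branch holds only the assignment shown, fold the three branches into `if (ctxt->instate != XML_PARSER_EOF) ctxt->instate = (ctxt->nameNr == 0) ? XML_PARSER_EPILOG : XML_PARSER_CONTENT;` so there is no empty branch to puzzle over.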
@@ -1928,7 +1928,7 @@
     if (in == NULL) return(-1);
 
     /* calculate space available */
-    written = out->size - out->use;
+    written = out->size - out->use - 1; /* count '\0' */
     toconv = in->use;
     /*
      * echo '<?xml version="1.0" encoding="UCS4"?>' | wc -c => 38
@@ -2059,7 +2059,7 @@
     toconv = in->use;
     if (toconv == 0)
         return (0);
-    written = out->size - out->use;
+    written = out->size - out->use - 1; /* count '\0' */
     if (toconv * 2 >= written) {
         xmlBufferGrow(out, out->size + toconv * 2);
         written = out->size - out->use - 1;
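Review bot: The comment `/* count '\0' */` on the changed line in the hunk at -1928 does not say whose terminator is being reserved, which is exactly the detail the original author missed (CVE-2011-0216), so it deserves a sentence rather than three words: `/* reserve the trailing '\0' the output xmlBuffer keeps at out->content[out->use] */` (I am assuming that is the terminator meant; confirm against xmlBuffer's invariant). The same expression now drops below zero when `out->use == out->size`; what that yields depends on the declared types of `written`, `out->size` and `out->use`, none of which are in this hunk, so I would make the empty case explicit: `written = (out->use < out->size) ? out->size - out->use - 1 : 0;`. The enclosing function continues past this hunk and the grow test that consumes `written` is not shown here.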
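Review bot: In the hunk at -2059 the check `if (toconv * 2 >= written)` right below the changed line only rescues the full-buffer case if `written` is signed: with `out->use == out->size` the new `out->size - out->use - 1` wraps if the fields are unsigned, a signed `written` receives -1 and the grow runs, but an unsigned `written` would receive a huge value, skip `xmlBufferGrow` and hand the converter a bogus capacity. The declaration of `written` is outside this hunk, so rather than rely on it I would pin the intent with `written = (out->use < out->size) ? out->size - out->use - 1 : 0;` and keep the `/* count '\0' */` comment. The grow branch two lines down already recomputes `written` with the same `- 1`, so the fix also makes the two paths consistent, which is worth a word in the changelog entry.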