Bug#1109947: bookworm-pu: package libxml2/2.9.14+dfsg-1.3~deb12u3

2025-07-28 Thread Guilhem Moulin
Control: tag -1 - moreinfo

> [ Other info ]
>
> The fix for CVE-2025-6170 is not fixed in sid yet, tagging #-1 as
> moreinfo in the meantime.  debdiff sent to maintainer, will NMU if no
> one objects to it.  The other CVEs are fixed in sid already.

NMU'ed a fix for CVE-2025-6170 with the maintainer's blessing, so hereby
removing the moreinfo tag.

-- 
Guilhem.




Bug#1109947: bookworm-pu: package libxml2/2.9.14+dfsg-1.3~deb12u3

2025-07-26 Thread Guilhem Moulin
On Sun, 27 Jul 2025 at 02:00:30 +0200, Guilhem Moulin wrote:
> [x] attach debdiff against the package in stable

(Oops, here it comes)

-- 
Guilhem.
diffstat for libxml2-2.9.14+dfsg libxml2-2.9.14+dfsg

 changelog   |   14 ++
 patches/CVE-2025-49794_CVE-2025-49796.patch |  187 
 patches/CVE-2025-6021.patch |   49 +++
 patches/CVE-2025-6170.patch |  100 ++
 patches/series  |3 
 salsa-ci.yml|8 +
 6 files changed, 361 insertions(+)

diff -Nru libxml2-2.9.14+dfsg/debian/changelog 
libxml2-2.9.14+dfsg/debian/changelog
--- libxml2-2.9.14+dfsg/debian/changelog2025-06-06 10:50:13.0 
+0200
+++ libxml2-2.9.14+dfsg/debian/changelog2025-07-27 01:15:48.0 
+0200
@@ -1,3 +1,17 @@
+libxml2 (2.9.14+dfsg-1.3~deb12u3) bookworm; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2025-6021: Integer overflow issue in xmlBuildQName. (Closes:
+#1107720).
+  * Fix CVE-2025-6170: Potential buffer overflows in the interactive shell
+(Closes: #1107938).
+  * Fix CVE-2025-49794: Use-after-free issue in xmlSchematronReportOutput
+(Closes: #1107755).
+  * Fix CVE-2025-49796: Type confusion issue in xmlSchematronReportOutput
+(Closes: #1107752).
+
+ -- Guilhem Moulin   Sun, 27 Jul 2025 01:15:48 +0200
+
 libxml2 (2.9.14+dfsg-1.3~deb12u2) bookworm-security; urgency=high
 
   * Security fixes:
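
Review bot: the new changelog entry lists only the four CVE fixes, while the diffstat above also counts 8 added lines in salsa-ci.yml; add a bullet for the salsa-ci.yml change so the entry matches the checklist item that all changes are documented in d/changelog. As a smaller style point, the CVE-2025-6021 bullet puts a full stop both before "(Closes:" and after the closing parenthesis, unlike the other three bullets.
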
diff -Nru 
libxml2-2.9.14+dfsg/debian/patches/CVE-2025-49794_CVE-2025-49796.patch 
libxml2-2.9.14+dfsg/debian/patches/CVE-2025-49794_CVE-2025-49796.patch
--- libxml2-2.9.14+dfsg/debian/patches/CVE-2025-49794_CVE-2025-49796.patch  
1970-01-01 01:00:00.0 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/CVE-2025-49794_CVE-2025-49796.patch  
2025-07-27 01:15:48.0 +0200
@@ -0,0 +1,187 @@
+From: Nick Wellnhofer 
+Date: Fri, 4 Jul 2025 14:28:26 +0200
+Subject: schematron: Fix memory safety issues in xmlSchematronReportOutput
+
+Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796)
+in xmlSchematronReportOutput.
+
+Origin: 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5b5aec2acdf5707e57a6db0c8d1d0abca
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/931
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/933
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-49794
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-49796
+Bug-Debian: https://bugs.debian.org/1107752
+Bug-Debian: https://bugs.debian.org/1107755
+---
+ result/schematron/cve-2025-49794_0.err |  3 ++
+ result/schematron/cve-2025-49796_0.err |  3 ++
+ schematron.c   | 54 ++
+ test/schematron/cve-2025-49794.sct | 10 +++
+ test/schematron/cve-2025-49794_0.xml   |  6 
+ test/schematron/cve-2025-49796.sct |  9 ++
+ test/schematron/cve-2025-49796_0.xml   |  3 ++
+ 7 files changed, 63 insertions(+), 25 deletions(-)
+ create mode 100644 result/schematron/cve-2025-49794_0.err
+ create mode 100644 result/schematron/cve-2025-49796_0.err
+ create mode 100644 test/schematron/cve-2025-49794.sct
+ create mode 100644 test/schematron/cve-2025-49794_0.xml
+ create mode 100644 test/schematron/cve-2025-49796.sct
+ create mode 100644 test/schematron/cve-2025-49796_0.xml
+
+diff --git a/result/schematron/cve-2025-49794_0.err 
b/result/schematron/cve-2025-49794_0.err
+new file mode 100644
+index 000..618ae11
+--- /dev/null
 b/result/schematron/cve-2025-49794_0.err
+@@ -0,0 +1,3 @@
++Pattern: 
++/librar0/boo0 line 2:  
++./test/schematron/cve-2025-49794_0.xml fails to validate
+diff --git a/result/schematron/cve-2025-49796_0.err 
b/result/schematron/cve-2025-49796_0.err
+new file mode 100644
+index 000..0d0146b
+--- /dev/null
 b/result/schematron/cve-2025-49796_0.err
+@@ -0,0 +1,3 @@
++Pattern: 
++/librar0/boo0 line 2:  
++./test/schematron/cve-2025-49796_0.xml fails to validate
+diff --git a/schematron.c b/schematron.c
+index ddbb069..5782636 100644
+--- a/schematron.c
 b/schematron.c
+@@ -1239,27 +1239,16 @@ exit:
+  **
+  /
+ 
+-static xmlNodePtr
++static xmlXPathObjectPtr
+ xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt,
+  xmlNodePtr cur, const xmlChar *xpath) {
+-xmlNodePtr node = NULL;
+-xmlXPathObjectPtr ret;
+-
+ if ((ctxt == NULL) || (cur == NULL) || (xpath == NULL))
+ return(NULL);
+ 
+ ctxt->xctxt->doc = cur->doc;
+ ctxt->xctxt->node = cur;
+-ret = xmlXPathEval(xpath, ctxt->xctxt);
+-if (ret == NULL)
+-return(NULL);
+-
+-if ((ret->type == XPATH_NODESET) &&
+-(ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0))
+-  node = ret->nodesetval->nodeTab[0];
+ 
+-xmlXPathFreeObject(ret
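
Review bot: in the schematron.c hunk, xmlSchematronGetNode keeps its name while its return type becomes xmlXPathObjectPtr, so the caller now owns an XPath object instead of borrowing a node pointer, and nothing in the visible lines documents that. Suggest a comment at the declaration stating that the result must be released with xmlXPathFreeObject, or a rename that reflects the new return type. The excerpt is cut off at the removed xmlXPathFreeObject(ret line, so the new return statement and the caller-side free in xmlSchematronReportOutput cannot be checked from here.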

Bug#1109947: bookworm-pu: package libxml2/2.9.14+dfsg-1.3~deb12u3

2025-07-26 Thread Guilhem Moulin
Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:libxml2
User: [email protected]
Usertags: pu

[ Reason ]

Fix security issues CVE-2025-6021, CVE-2025-6170,
CVE-2025-49794 and CVE-2025-49796.

[ Impact ]

Users will remain vulnerable to the aforementioned issues.  Upgrading
users might regress as the issues are fixed in Bullseye LTS.

[ Tests ]

Manual bound checks, manual run of the upstream test suite and
schematron tests.

[ Risks ]

Low risk: all patches come from upstream and the versions backported to
upstream's 2.13 branch trivially apply to 2.9.14+dfsg-1.3~deb12u2.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [ ] the issue is verified as fixed in unstable

[ Changes ]

  * Fix CVE-2025-6021: Integer overflow issue in xmlBuildQName.
  * Fix CVE-2025-6170: Potential buffer overflows in the interactive shell.
  * Fix CVE-2025-49794: Use-after-free issue in xmlSchematronReportOutput.
  * Fix CVE-2025-49796: Type confusion issue in xmlSchematronReportOutput.

[ Other info ]

The fix for CVE-2025-6170 is not fixed in sid yet, tagging #-1 as
moreinfo in the meantime.  debdiff sent to maintainer, will NMU if no
one objects to it.  The other CVEs are fixed in sid already.

-- 
Guilhem.

