Your message dated Sat, 21 Feb 2015 11:38:05 +0100 with message-id <[email protected]> and subject line Re: Bug#776748: (pre-approval) unblock: libxml2/2.9.1+dfsg1-5 (via t-p-u) has caused the Debian Bug report #776748, regarding (pre-approval) unblock: libxml2/2.9.1+dfsg1-5 (via t-p-u) to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 776748: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776748 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---
- To: [email protected]
- Subject: (pre-approval) unblock: libxml2/2.9.1+dfsg1-5 (via t-p-u)
- From: Aron Xu <[email protected]>
- Date: Sun, 1 Feb 2015 16:24:28 +0800
- Message-id: <[🔎] 20150201082428.GA10094@aron-pc>
Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock jessie-pu libxml2 in Jessie has CVE-2014-3600 pending to be addressed and this update includes the related regression fix as well. Also, I would like to apply some more upstream memory related patches from 2.9.2, mostly NULL checks, because there are quite a lot deeper issues hiding in libxml2's code base and those fixes shall be deemed beneficial to our support cycle. Regards, Aron Xudiff -Nru libxml2-2.9.1+dfsg1/debian/changelog libxml2-2.9.1+dfsg1/debian/changelog --- libxml2-2.9.1+dfsg1/debian/changelog 2014-07-09 06:49:45.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/changelog 2015-02-01 13:51:11.000000000 +0800 @@ -1,3 +1,12 @@ +libxml2 (2.9.1+dfsg1-5) testing; urgency=medium + + * Add pkg-config to B-D + * Use -O3 for normal builds + * Cherry-pick upstream memory related fixes + - Including CVE-2014-3660 (Closes: #765722, #768089) + + -- Aron Xu <[email protected]> Sun, 01 Feb 2015 13:48:36 +0800 + libxml2 (2.9.1+dfsg1-4) unstable; urgency=low [ Christian Svensson ] diff -Nru libxml2-2.9.1+dfsg1/debian/control libxml2-2.9.1+dfsg1/debian/control --- libxml2-2.9.1+dfsg1/debian/control 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/control 2015-02-01 13:42:06.000000000 +0800 @@ -4,7 +4,7 @@ Maintainer: Debian XML/SGML Group <[email protected]> Uploaders: Aron Xu <[email protected]>, YunQiang Su <[email protected]> Standards-Version: 3.9.5 -Build-Depends: debhelper (>= 9), dh-autoreconf, autotools-dev, +Build-Depends: debhelper (>= 9), dh-autoreconf, autotools-dev, pkg-config, libpython-all-dev, libpython-all-dbg, python-all-dev:any (>= 2.7.5-5~), python-all-dbg:any, zlib1g-dev | libz-dev, liblzma-dev diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0001-modify-xml2-config-and-pkgconfig-behaviour.patch libxml2-2.9.1+dfsg1/debian/patches/0001-modify-xml2-config-and-pkgconfig-behaviour.patch --- libxml2-2.9.1+dfsg1/debian/patches/0001-modify-xml2-config-and-pkgconfig-behaviour.patch 2014-07-09 05:31:33.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0001-modify-xml2-config-and-pkgconfig-behaviour.patch 2015-02-01 13:50:27.000000000 +0800 @@ -3,11 +3,11 @@ Subject: modify xml2-config and pkgconfig behaviour --- - configure.in | 2 +- - libxml-2.0-uninstalled.pc.in | 3 ++- - libxml-2.0.pc.in | 2 +- - xml2-config.1 | 4 ++++ - xml2-config.in | 22 ++++++++++------------ + configure.in | 2 +- + libxml-2.0-uninstalled.pc.in | 3 ++- + libxml-2.0.pc.in | 2 +- + xml2-config.1 | 4 ++++ + xml2-config.in | 22 ++++++++++------------ 5 files changed, 18 insertions(+), 15 deletions(-) diff --git a/configure.in b/configure.in diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0002-fix-python-multiarch-includes.patch libxml2-2.9.1+dfsg1/debian/patches/0002-fix-python-multiarch-includes.patch --- libxml2-2.9.1+dfsg1/debian/patches/0002-fix-python-multiarch-includes.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0002-fix-python-multiarch-includes.patch 2015-02-01 13:50:27.000000000 +0800 @@ -3,8 +3,8 @@ Subject: fix python multiarch includes --- - python/Makefile.am | 2 +- - python/Makefile.in | 2 +- + python/Makefile.am | 2 +- + python/Makefile.in | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/python/Makefile.am b/python/Makefile.am diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch libxml2-2.9.1+dfsg1/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch --- libxml2-2.9.1+dfsg1/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch 2015-02-01 13:50:27.000000000 +0800 @@ -8,7 +8,7 @@ xmlResetLastError() but the later reallocate the global data freed by previous call. Just swap the two calls. --- - parser.c | 2 +- + parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/parser.c b/parser.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch libxml2-2.9.1+dfsg1/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch --- libxml2-2.9.1+dfsg1/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch 2015-02-01 13:50:27.000000000 +0800 @@ -4,7 +4,7 @@ pointed out by cppcheck --- - python/libxml.c | 1 + + python/libxml.c | 1 + 1 file changed, 1 insertion(+) diff --git a/python/libxml.c b/python/libxml.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch libxml2-2.9.1+dfsg1/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch --- libxml2-2.9.1+dfsg1/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch 2015-02-01 13:50:27.000000000 +0800 @@ -5,7 +5,7 @@ Exposed by https://bugzilla.gnome.org/show_bug.cgi?id=699896 when doing analysis but a priori unrelated. --- - xmllint.c | 5 ++++- + xmllint.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/xmllint.c b/xmllint.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch libxml2-2.9.1+dfsg1/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch --- libxml2-2.9.1+dfsg1/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch 2015-02-01 13:50:27.000000000 +0800 @@ -3,7 +3,7 @@ Subject: properly quote the namespace uris written out during c14n --- - c14n.c | 9 +++++---- + c14n.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/c14n.c b/c14n.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch libxml2-2.9.1+dfsg1/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch --- libxml2-2.9.1+dfsg1/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch 2015-02-01 13:50:27.000000000 +0800 @@ -8,7 +8,7 @@ slightly when encountering CR/LF, which led to a bug when parsing document with non-ascii Names --- - parser.c | 6 +++++- + parser.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/parser.c b/parser.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0008-missing-else-in-xlink.c.patch libxml2-2.9.1+dfsg1/debian/patches/0008-missing-else-in-xlink.c.patch --- libxml2-2.9.1+dfsg1/debian/patches/0008-missing-else-in-xlink.c.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0008-missing-else-in-xlink.c.patch 2015-02-01 13:50:27.000000000 +0800 @@ -4,7 +4,7 @@ Obviously forgotten --- - xlink.c | 2 +- + xlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xlink.c b/xlink.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch libxml2-2.9.1+dfsg1/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch --- libxml2-2.9.1+dfsg1/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch 2015-02-01 13:50:27.000000000 +0800 @@ -4,7 +4,7 @@ As pointed privately by Bill Parker <[email protected]> --- - xmllint.c | 4 ++++ + xmllint.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/xmllint.c b/xmllint.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0010-Fix-handling-of-mmap-errors.patch libxml2-2.9.1+dfsg1/debian/patches/0010-Fix-handling-of-mmap-errors.patch --- libxml2-2.9.1+dfsg1/debian/patches/0010-Fix-handling-of-mmap-errors.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0010-Fix-handling-of-mmap-errors.patch 2015-02-01 13:50:27.000000000 +0800 @@ -6,7 +6,7 @@ as raised by Gaurav <[email protected]> --- - xmllint.c | 13 +++++++++++-- + xmllint.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/xmllint.c b/xmllint.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0011-Avoid-crash-if-allocation-fails.patch libxml2-2.9.1+dfsg1/debian/patches/0011-Avoid-crash-if-allocation-fails.patch --- libxml2-2.9.1+dfsg1/debian/patches/0011-Avoid-crash-if-allocation-fails.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0011-Avoid-crash-if-allocation-fails.patch 2015-02-01 13:50:27.000000000 +0800 @@ -5,7 +5,7 @@ https://bugzilla.gnome.org/show_bug.cgi?id=704527 xmlSchemaNewValue() may fail on OOM error --- - xmlschemastypes.c | 4 ++++ + xmlschemastypes.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/xmlschemastypes.c b/xmlschemastypes.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0012-Fix-a-possible-NULL-dereference.patch libxml2-2.9.1+dfsg1/debian/patches/0012-Fix-a-possible-NULL-dereference.patch --- libxml2-2.9.1+dfsg1/debian/patches/0012-Fix-a-possible-NULL-dereference.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0012-Fix-a-possible-NULL-dereference.patch 2015-02-01 13:50:27.000000000 +0800 @@ -6,7 +6,7 @@ In case of allocation error the pointer was dereferenced before the test for a failure --- - SAX2.c | 4 ++-- + SAX2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SAX2.c b/SAX2.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch libxml2-2.9.1+dfsg1/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch --- libxml2-2.9.1+dfsg1/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch 2015-02-01 13:50:27.000000000 +0800 @@ -7,7 +7,7 @@ if ctxt->node_seq.buffer is null then ctxt->node_seq.maximum ought to be zero but it's better to clarify the check in the code directly. --- - parserInternals.c | 3 ++- + parserInternals.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/parserInternals.c b/parserInternals.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch libxml2-2.9.1+dfsg1/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch --- libxml2-2.9.1+dfsg1/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch 2015-02-01 13:50:27.000000000 +0800 @@ -6,7 +6,7 @@ regression reported in bug #695699. This commit disables the optimization for expressions of the form '//foo[predicate]'. --- - xpath.c | 5 +++-- + xpath.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/xpath.c b/xpath.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch libxml2-2.9.1+dfsg1/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch --- libxml2-2.9.1+dfsg1/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch 2015-02-01 13:50:27.000000000 +0800 @@ -6,7 +6,7 @@ We need to check for NULL argument before calling atoi() --- - xmllint.c | 12 +++++++----- + xmllint.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/xmllint.c b/xmllint.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch libxml2-2.9.1+dfsg1/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch --- libxml2-2.9.1+dfsg1/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch 2015-02-01 13:50:27.000000000 +0800 @@ -6,7 +6,7 @@ Fix 3 cases where we might dereference NULL --- - xmlregexp.c | 8 +++++--- + xmlregexp.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/xmlregexp.c b/xmlregexp.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch libxml2-2.9.1+dfsg1/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch --- libxml2-2.9.1+dfsg1/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch 2015-02-01 13:50:27.000000000 +0800 @@ -7,7 +7,7 @@ Also reported by Gaurav, simple fix to check the pointer before dereference --- - tree.c | 3 ++- + tree.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tree.c b/tree.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch libxml2-2.9.1+dfsg1/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch --- libxml2-2.9.1+dfsg1/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch 2015-02-01 13:50:27.000000000 +0800 @@ -7,7 +7,7 @@ xmlValidateElementContent is a private function but should still check the ctxt argument before dereferencing --- - valid.c | 2 +- + valid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/valid.c b/valid.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch libxml2-2.9.1+dfsg1/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch --- libxml2-2.9.1+dfsg1/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch 2015-02-01 13:50:27.000000000 +0800 @@ -13,7 +13,7 @@ xz_avail which uses the state->strm stream info. This causes gz_next4 to signal a premature EOF if the data it is fetching crosses a 1024 byte boundary. --- - xzlib.c | 26 ++++++++++++++++++++++---- + xzlib.c | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/xzlib.c b/xzlib.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch libxml2-2.9.1+dfsg1/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch --- libxml2-2.9.1+dfsg1/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch 2015-02-01 13:50:27.000000000 +0800 @@ -11,7 +11,7 @@ hanldlers[i] as dangling. This may lead to crash issues at places where handlers is read. --- - encoding.c | 16 ++++++++++++++-- + encoding.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/encoding.c b/encoding.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch libxml2-2.9.1+dfsg1/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch --- libxml2-2.9.1+dfsg1/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch 2015-02-01 13:50:27.000000000 +0800 @@ -4,7 +4,7 @@ For https://bugzilla.gnome.org/show_bug.cgi?id=708681 --- - tree.c | 2 ++ + tree.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tree.c b/tree.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch libxml2-2.9.1+dfsg1/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch --- libxml2-2.9.1+dfsg1/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch 2015-02-01 13:50:27.000000000 +0800 @@ -6,8 +6,8 @@ some call had it other didn't, clean it up and add to all missing ones --- - HTMLparser.c | 6 ++++++ - parser.c | 10 ++++++++++ + HTMLparser.c | 6 ++++++ + parser.c | 10 ++++++++++ 2 files changed, 16 insertions(+) diff --git a/HTMLparser.c b/HTMLparser.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch libxml2-2.9.1+dfsg1/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch --- libxml2-2.9.1+dfsg1/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch 2015-02-01 13:50:27.000000000 +0800 @@ -14,7 +14,7 @@ * Bail out early when evaluation of XPath function arguments fails. * Make sure that there are 'nargs' arguments in the current call frame. --- - xpath.c | 9 +++++++-- + xpath.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/xpath.c b/xpath.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch libxml2-2.9.1+dfsg1/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch --- libxml2-2.9.1+dfsg1/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch 2015-02-01 13:50:27.000000000 +0800 @@ -3,7 +3,7 @@ Subject: Missing initialization for the catalog module --- - parser.c | 3 +++ + parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/parser.c b/parser.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch libxml2-2.9.1+dfsg1/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch --- libxml2-2.9.1+dfsg1/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch 2015-02-01 13:50:27.000000000 +0800 @@ -3,7 +3,7 @@ Subject: Fix an fd leak in an error case --- - catalog.c | 5 +++++ + catalog.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/catalog.c b/catalog.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch libxml2-2.9.1+dfsg1/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch --- libxml2-2.9.1+dfsg1/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch 2015-02-01 13:50:27.000000000 +0800 @@ -3,7 +3,7 @@ Subject: fixing a ptotential uninitialized access --- - valid.c | 2 +- + valid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/valid.c b/valid.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch libxml2-2.9.1+dfsg1/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch --- libxml2-2.9.1+dfsg1/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch 2015-02-01 13:50:27.000000000 +0800 @@ -3,7 +3,7 @@ Subject: Fix xmlTextWriterWriteElement when a null content is given --- - xmlwriter.c | 10 ++++++---- + xmlwriter.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/xmlwriter.c b/xmlwriter.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch libxml2-2.9.1+dfsg1/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch --- libxml2-2.9.1+dfsg1/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch 2015-02-01 13:50:27.000000000 +0800 @@ -4,7 +4,7 @@ For https://bugzilla.gnome.org/show_bug.cgi?id=708355 --- - xmlmodule.c | 2 +- + xmlmodule.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xmlmodule.c b/xmlmodule.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch libxml2-2.9.1+dfsg1/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch --- libxml2-2.9.1+dfsg1/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch 2015-02-01 13:50:27.000000000 +0800 @@ -5,7 +5,7 @@ Unless explicitely asked for when validating or replacing entities with their value. Problem pointed out by Daniel Berrange <[email protected]> --- - parser.c | 14 ++++++++++++++ + parser.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/parser.c b/parser.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch libxml2-2.9.1+dfsg1/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch --- libxml2-2.9.1+dfsg1/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch 2015-02-01 13:50:27.000000000 +0800 @@ -5,7 +5,7 @@ Fix a use before check on pointer For https://bugzilla.gnome.org/show_bug.cgi?id=729849 --- - xmlmemory.c | 6 ++++-- + xmlmemory.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/xmlmemory.c b/xmlmemory.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch libxml2-2.9.1+dfsg1/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch --- libxml2-2.9.1+dfsg1/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch 2015-02-01 13:50:27.000000000 +0800 @@ -1,10 +1,10 @@ -From: =?UTF-8?q?S=C3=A9rgio=20Batista?= <[email protected]> +From: =?utf-8?q?S=C3=A9rgio_Batista?= <[email protected]> Date: Mon, 9 Jun 2014 22:10:15 +0800 Subject: xmllint was not parsing the --c14n11 flag Cut and paste error, using the wrong variable --- - xmllint.c | 2 +- + xmllint.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xmllint.c b/xmllint.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch libxml2-2.9.1+dfsg1/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch --- libxml2-2.9.1+dfsg1/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch 2015-02-01 13:50:27.000000000 +0800 @@ -8,7 +8,7 @@ https://bugzilla.gnome.org/show_bug.cgi?id=730290 and other reports on list, off-list and on Red Hat bugzilla --- - parser.c | 13 +++++++++++-- + parser.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/parser.c b/parser.c diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0033-Adding-some-missing-NULL-checks.patch libxml2-2.9.1+dfsg1/debian/patches/0033-Adding-some-missing-NULL-checks.patch --- libxml2-2.9.1+dfsg1/debian/patches/0033-Adding-some-missing-NULL-checks.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0033-Adding-some-missing-NULL-checks.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,57 @@ +From: Gaurav <[email protected]> +Date: Fri, 13 Jun 2014 14:45:20 +0800 +Subject: Adding some missing NULL checks + +in SAX2 DOM building code and in the HTML parser +--- + HTMLparser.c | 4 ++-- + SAX2.c | 9 +++++++++ + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 44c1a3c..79b1adf 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -3671,13 +3671,13 @@ htmlParseStartTag(htmlParserCtxtPtr ctxt) { + int i; + int discardtag = 0; + +- if (ctxt->instate == XML_PARSER_EOF) +- return(-1); + if ((ctxt == NULL) || (ctxt->input == NULL)) { + htmlParseErr(ctxt, XML_ERR_INTERNAL_ERROR, + "htmlParseStartTag: context error\n", NULL, NULL); + return -1; + } ++ if (ctxt->instate == XML_PARSER_EOF) ++ return(-1); + if (CUR != '<') return -1; + NEXT; + +diff --git a/SAX2.c b/SAX2.c +index 33d167e..76b7158 100644 +--- a/SAX2.c ++++ b/SAX2.c +@@ -1177,6 +1177,12 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname, + val = xmlStringDecodeEntities(ctxt, value, XML_SUBSTITUTE_REF, + 0,0,0); + ctxt->depth--; ++ if (val == NULL) { ++ xmlSAX2ErrMemory(ctxt, "xmlSAX2StartElement"); ++ if (name != NULL) ++ xmlFree(name); ++ return; ++ } + } else { + val = (xmlChar *) value; + } +@@ -2570,6 +2576,9 @@ xmlSAX2Characters(void *ctx, const xmlChar *ch, int len) + (xmlDictOwns(ctxt->dict, lastChild->content))) { + lastChild->content = xmlStrdup(lastChild->content); + } ++ if (lastChild->content == NULL) { ++ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL"); ++ } + if (((size_t)ctxt->nodelen + (size_t)len > XML_MAX_TEXT_LENGTH) && + ((ctxt->options & XML_PARSE_HUGE) == 0)) { + xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: huge text node"); diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch libxml2-2.9.1+dfsg1/debian/patches/0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch --- libxml2-2.9.1+dfsg1/debian/patches/0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,27 @@ +From: Dennis Filder <[email protected]> +Date: Fri, 13 Jun 2014 14:56:14 +0800 +Subject: xmlSaveUri() incorrectly recomposes URIs with rootless paths + +For https://bugzilla.gnome.org/show_bug.cgi?id=731063 + +xmlSaveUri() of libxml2 (snapshot 2014-05-31 and earlier) returns +bogus values when called with URIs that have rootless paths +(e.g. "urx:b:b" becomes "urx://b%3Ab" where "urx:b%3Ab" would be +correct) +--- + uri.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/uri.c b/uri.c +index 4ab0ce2..d4dcd2f 100644 +--- a/uri.c ++++ b/uri.c +@@ -1194,8 +1194,6 @@ xmlSaveUri(xmlURIPtr uri) { + if (temp == NULL) goto mem_error; + ret = temp; + } +- ret[len++] = '/'; +- ret[len++] = '/'; + } + if (uri->path != NULL) { + p = uri->path; diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0035-Adding-a-check-in-case-of-allocation-error.patch libxml2-2.9.1+dfsg1/debian/patches/0035-Adding-a-check-in-case-of-allocation-error.patch --- libxml2-2.9.1+dfsg1/debian/patches/0035-Adding-a-check-in-case-of-allocation-error.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0035-Adding-a-check-in-case-of-allocation-error.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,28 @@ +From: Gaurav Gupta <[email protected]> +Date: Mon, 14 Jul 2014 16:01:10 +0800 +Subject: Adding a check in case of allocation error + +For https://bugzilla.gnome.org/show_bug.cgi?id=733043 + +There is missing Null condition in xmlRelaxNGValidateInterleave of +relaxng.c +Dereferencing it may cause a crash. +--- + relaxng.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/relaxng.c b/relaxng.c +index 370e314..3d8524d 100644 +--- a/relaxng.c ++++ b/relaxng.c +@@ -9409,6 +9409,10 @@ xmlRelaxNGValidateInterleave(xmlRelaxNGValidCtxtPtr ctxt, + oldstate = ctxt->state; + for (i = 0; i < nbgroups; i++) { + ctxt->state = xmlRelaxNGCopyValidState(ctxt, oldstate); ++ if (ctxt->state == NULL) { ++ ret = -1; ++ break; ++ } + group = partitions->groups[i]; + if (lasts[i] != NULL) { + last = lasts[i]->next; diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0036-Add-a-missing-argument-check.patch libxml2-2.9.1+dfsg1/debian/patches/0036-Add-a-missing-argument-check.patch --- libxml2-2.9.1+dfsg1/debian/patches/0036-Add-a-missing-argument-check.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0036-Add-a-missing-argument-check.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,24 @@ +From: Gaurav Gupta <[email protected]> +Date: Mon, 14 Jul 2014 16:08:28 +0800 +Subject: Add a missing argument check + +For https://bugzilla.gnome.org/show_bug.cgi?id=733042 + +the states argument of xmlRelaxNGAddStates() ought to be checked too +--- + relaxng.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/relaxng.c b/relaxng.c +index 3d8524d..89fcc4e 100644 +--- a/relaxng.c ++++ b/relaxng.c +@@ -1095,7 +1095,7 @@ xmlRelaxNGAddStates(xmlRelaxNGValidCtxtPtr ctxt, + { + int i; + +- if (state == NULL) { ++ if (state == NULL || states == NULL) { + return (-1); + } + if (states->nbState >= states->maxState) { diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch libxml2-2.9.1+dfsg1/debian/patches/0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch --- libxml2-2.9.1+dfsg1/debian/patches/0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,43 @@ +From: Gaurav Gupta <[email protected]> +Date: Mon, 14 Jul 2014 16:14:44 +0800 +Subject: Add a couple of misisng check in xmlRelaxNGCleanupTree + +For https://bugzilla.gnome.org/show_bug.cgi?id=733041 + +check cur->parent before dereferencing the pointer even if +a null parent there should not happen +Also fix a typo +--- + relaxng.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/relaxng.c b/relaxng.c +index 89fcc4e..33fc71a 100644 +--- a/relaxng.c ++++ b/relaxng.c +@@ -7346,13 +7346,13 @@ xmlRelaxNGCleanupTree(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr root) + if (ns != NULL) + xmlFree(ns); + /* +- * Since we are about to delete cur, if it's nsDef is non-NULL we ++ * Since we are about to delete cur, if its nsDef is non-NULL we + * need to preserve it (it contains the ns definitions for the + * children we just moved). We'll just stick it on to the end + * of cur->parent's list, since it's never going to be re-serialized + * (bug 143738). + */ +- if (cur->nsDef != NULL) { ++ if ((cur->nsDef != NULL) && (cur->parent != NULL)) { + xmlNsPtr parDef = (xmlNsPtr)&cur->parent->nsDef; + while (parDef->next != NULL) + parDef = parDef->next; +@@ -7370,7 +7370,8 @@ xmlRelaxNGCleanupTree(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr root) + else if ((cur->type == XML_TEXT_NODE) || + (cur->type == XML_CDATA_SECTION_NODE)) { + if (IS_BLANK_NODE(cur)) { +- if (cur->parent->type == XML_ELEMENT_NODE) { ++ if ((cur->parent != NULL) && ++ (cur->parent->type == XML_ELEMENT_NODE)) { + if ((!xmlStrEqual(cur->parent->name, BAD_CAST "value")) + && + (!xmlStrEqual diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0038-Fix-a-potential-NULL-dereference.patch libxml2-2.9.1+dfsg1/debian/patches/0038-Fix-a-potential-NULL-dereference.patch --- libxml2-2.9.1+dfsg1/debian/patches/0038-Fix-a-potential-NULL-dereference.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0038-Fix-a-potential-NULL-dereference.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,29 @@ +From: Daniel Veillard <[email protected]> +Date: Mon, 14 Jul 2014 16:39:50 +0800 +Subject: Fix a potential NULL dereference + +For https://bugzilla.gnome.org/show_bug.cgi?id=733040 + +xmlDictLookup() may return NULL in case of allocation error, +though very unlikely it need to be checked. +--- + parser.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/parser.c b/parser.c +index ea0ea65..b02333b 100644 +--- a/parser.c ++++ b/parser.c +@@ -9313,6 +9313,12 @@ reparse: + const xmlChar *URL = xmlDictLookup(ctxt->dict, attvalue, len); + xmlURIPtr uri; + ++ if (URL == NULL) { ++ xmlErrMemory(ctxt, "dictionary allocation failure"); ++ if ((attvalue != NULL) && (alloc != 0)) ++ xmlFree(attvalue); ++ return(NULL); ++ } + if (*URL != 0) { + uri = xmlParseURI((const char *) URL); + if (uri == NULL) { diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch libxml2-2.9.1+dfsg1/debian/patches/0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch --- libxml2-2.9.1+dfsg1/debian/patches/0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,21 @@ +From: Daniel Veillard <[email protected]> +Date: Mon, 14 Jul 2014 20:29:34 +0800 +Subject: Fix processing in SAX2 in case of an allocation failure + +Related to https://bugzilla.gnome.org/show_bug.cgi?id=731360 +--- + SAX2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/SAX2.c b/SAX2.c +index 76b7158..791992c 100644 +--- a/SAX2.c ++++ b/SAX2.c +@@ -2578,6 +2578,7 @@ xmlSAX2Characters(void *ctx, const xmlChar *ch, int len) + } + if (lastChild->content == NULL) { + xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL"); ++ return; + } + if (((size_t)ctxt->nodelen + (size_t)len > XML_MAX_TEXT_LENGTH) && + ((ctxt->options & XML_PARSE_HUGE) == 0)) { diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0040-Avoid-Possible-Null-Pointer-in-trio.c.patch libxml2-2.9.1+dfsg1/debian/patches/0040-Avoid-Possible-Null-Pointer-in-trio.c.patch --- libxml2-2.9.1+dfsg1/debian/patches/0040-Avoid-Possible-Null-Pointer-in-trio.c.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0040-Avoid-Possible-Null-Pointer-in-trio.c.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,47 @@ +From: Gaurav Gupta <[email protected]> +Date: Mon, 14 Jul 2014 21:22:07 +0800 +Subject: Avoid Possible Null Pointer in trio.c + +For https://bugzilla.gnome.org/show_bug.cgi?id=730005 +While using assert in libxml2 is really not a good idea, it's +still better to assert than crash +--- + trio.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/trio.c b/trio.c +index d885db9..1bf99e3 100644 +--- a/trio.c ++++ b/trio.c +@@ -6418,11 +6418,14 @@ TRIO_ARGS2((self, intPointer), + trio_class_t *self, + int *intPointer) + { +- FILE *file = (FILE *)self->location; ++ FILE *file; + + assert(VALID(self)); ++ assert(VALID(self->location)); + assert(VALID(file)); + ++ file = (FILE *)self->location; ++ + self->current = fgetc(file); + if (self->current == EOF) + { +@@ -6451,11 +6454,14 @@ TRIO_ARGS2((self, intPointer), + trio_class_t *self, + int *intPointer) + { +- int fd = *((int *)self->location); ++ int fd; + int size; + unsigned char input; + + assert(VALID(self)); ++ assert(VALID(self->location)); ++ ++ fd = *((int *)self->location); + + size = read(fd, &input, sizeof(char)); + if (size == -1) diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch libxml2-2.9.1+dfsg1/debian/patches/0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch --- libxml2-2.9.1+dfsg1/debian/patches/0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,32 @@ +From: David Kilzer <[email protected]> +Date: Mon, 14 Jul 2014 22:29:56 +0800 +Subject: Check for tmon in _xmlSchemaDateAdd() is incorrect + +For https://bugzilla.gnome.org/show_bug.cgi?id=732705 +In _xmlSchemaDateAdd(), the check for |tmon| should be the following +since MAX_DAYINMONTH() expects a month in the range [1,12]: + + if (tmon < 1) + tmon = 1; + +Regression introduced in +https://git.gnome.org/browse/libxml2/commit/?id=14b5643947845df089376106517c4f7ba061e4b0 +--- + xmlschemastypes.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xmlschemastypes.c b/xmlschemastypes.c +index ec403e8..7e1d54a 100644 +--- a/xmlschemastypes.c ++++ b/xmlschemastypes.c +@@ -3848,8 +3848,8 @@ _xmlSchemaDateAdd (xmlSchemaValPtr dt, xmlSchemaValPtr dur) + * Coverity detected an overrun in daysInMonth + * of size 12 at position 12 with index variable "((r)->mon - 1)" + */ +- if (tmon < 0) +- tmon = 0; ++ if (tmon < 1) ++ tmon = 1; + if (tmon > 12) + tmon = 12; + tempdays += MAX_DAYINMONTH(tyr, tmon); diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch libxml2-2.9.1+dfsg1/debian/patches/0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch --- libxml2-2.9.1+dfsg1/debian/patches/0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,29 @@ +From: Philip Withnall <[email protected]> +Date: Fri, 20 Jun 2014 21:03:42 +0100 +Subject: HTMLparser: Correctly initialise a stack allocated structure +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +If not initialised, the ‘node’ member remains undefined. + +Coverity issue: #60466 + +https://bugzilla.gnome.org/show_bug.cgi?id=731990 +--- + HTMLparser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 79b1adf..4c51cc5 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -4366,7 +4366,7 @@ static void + htmlParseElementInternal(htmlParserCtxtPtr ctxt) { + const xmlChar *name; + const htmlElemDesc * info; +- htmlParserNodeInfo node_info; ++ htmlParserNodeInfo node_info = { 0, }; + int failed; + + if ((ctxt == NULL) || (ctxt->input == NULL)) { diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch libxml2-2.9.1+dfsg1/debian/patches/0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch --- libxml2-2.9.1+dfsg1/debian/patches/0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,34 @@ +From: Philip Withnall <[email protected]> +Date: Fri, 20 Jun 2014 21:05:33 +0100 +Subject: xmlcatalog: Fix a memory leak on quit + +Coverity issue: #60442 + +https://bugzilla.gnome.org/show_bug.cgi?id=731990 +--- + xmlcatalog.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/xmlcatalog.c b/xmlcatalog.c +index 43f455a..b9ed6a4 100644 +--- a/xmlcatalog.c ++++ b/xmlcatalog.c +@@ -181,12 +181,13 @@ static void usershell(void) { + /* + * start interpreting the command + */ +- if (!strcmp(command, "exit")) +- break; +- if (!strcmp(command, "quit")) +- break; +- if (!strcmp(command, "bye")) ++ if (!strcmp(command, "exit") || ++ !strcmp(command, "quit") || ++ !strcmp(command, "bye")) { ++ free(cmdline); + break; ++ } ++ + if (!strcmp(command, "public")) { + if (nbargs != 1) { + printf("public requires 1 arguments\n"); diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0044-xmlschemastypes-Fix-potential-array-overflow.patch libxml2-2.9.1+dfsg1/debian/patches/0044-xmlschemastypes-Fix-potential-array-overflow.patch --- libxml2-2.9.1+dfsg1/debian/patches/0044-xmlschemastypes-Fix-potential-array-overflow.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0044-xmlschemastypes-Fix-potential-array-overflow.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,28 @@ +From: Philip Withnall <[email protected]> +Date: Fri, 20 Jun 2014 21:37:21 +0100 +Subject: xmlschemastypes: Fix potential array overflow + +The year and month need validating before being put into the +MAX_DAYINMONTH macro. + +Coverity issue: #60436 + +https://bugzilla.gnome.org/show_bug.cgi?id=731990 +--- + xmlschemastypes.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/xmlschemastypes.c b/xmlschemastypes.c +index 7e1d54a..6e8bb70 100644 +--- a/xmlschemastypes.c ++++ b/xmlschemastypes.c +@@ -3854,7 +3854,8 @@ _xmlSchemaDateAdd (xmlSchemaValPtr dt, xmlSchemaValPtr dur) + tmon = 12; + tempdays += MAX_DAYINMONTH(tyr, tmon); + carry = -1; +- } else if (tempdays > (long) MAX_DAYINMONTH(r->year, r->mon)) { ++ } else if (VALID_YEAR(r->year) && VALID_MONTH(r->mon) && ++ tempdays > (long) MAX_DAYINMONTH(r->year, r->mon)) { + tempdays = tempdays - MAX_DAYINMONTH(r->year, r->mon); + carry = 1; + } else diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0045-Add-couple-of-missing-Null-checks.patch libxml2-2.9.1+dfsg1/debian/patches/0045-Add-couple-of-missing-Null-checks.patch --- libxml2-2.9.1+dfsg1/debian/patches/0045-Add-couple-of-missing-Null-checks.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0045-Add-couple-of-missing-Null-checks.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,49 @@ +From: Daniel Veillard <[email protected]> +Date: Sat, 26 Jul 2014 21:04:54 +0800 +Subject: Add couple of missing Null checks + +For https://bugzilla.gnome.org/show_bug.cgi?id=733710 +Reported by Gaurav but with slightly different fixes +--- + relaxng.c | 7 ++++++- + tree.c | 4 ++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/relaxng.c b/relaxng.c +index 33fc71a..936f657 100644 +--- a/relaxng.c ++++ b/relaxng.c +@@ -6655,12 +6655,17 @@ xmlRelaxNGParseDocument(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node) + ctxt->define = NULL; + if (IS_RELAXNG(node, "grammar")) { + schema->topgrammar = xmlRelaxNGParseGrammar(ctxt, node->children); ++ if (schema->topgrammar == NULL) { ++ xmlRelaxNGFree(schema); ++ return (NULL); ++ } + } else { + xmlRelaxNGGrammarPtr tmp, ret; + + schema->topgrammar = ret = xmlRelaxNGNewGrammar(ctxt); + if (schema->topgrammar == NULL) { +- return (schema); ++ xmlRelaxNGFree(schema); ++ return (NULL); + } + /* + * Link the new grammar in the tree +diff --git a/tree.c b/tree.c +index 43c3c57..967c6a4 100644 +--- a/tree.c ++++ b/tree.c +@@ -4509,6 +4509,10 @@ xmlCopyDoc(xmlDocPtr doc, int recursive) { + #ifdef LIBXML_TREE_ENABLED + if (doc->intSubset != NULL) { + ret->intSubset = xmlCopyDtd(doc->intSubset); ++ if (ret->intSubset == NULL) { ++ xmlFreeDoc(ret); ++ return(NULL); ++ } + xmlSetTreeDoc((xmlNodePtr)ret->intSubset, ret); + ret->intSubset->parent = ret; + } diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0046-Couple-of-Missing-Null-checks.patch libxml2-2.9.1+dfsg1/debian/patches/0046-Couple-of-Missing-Null-checks.patch --- libxml2-2.9.1+dfsg1/debian/patches/0046-Couple-of-Missing-Null-checks.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0046-Couple-of-Missing-Null-checks.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,35 @@ +From: Gaurav Gupta <[email protected]> +Date: Thu, 7 Aug 2014 11:19:03 +0800 +Subject: Couple of Missing Null checks + +For https://bugzilla.gnome.org/show_bug.cgi?id=734328 + +Missing Null check could cause crash, if a pointer is dereferenced. + +Found problem at two places in valid.c +--- + valid.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/valid.c b/valid.c +index 114bb72..6255b5b 100644 +--- a/valid.c ++++ b/valid.c +@@ -1798,6 +1798,7 @@ xmlCopyEnumeration(xmlEnumerationPtr cur) { + + if (cur == NULL) return(NULL); + ret = xmlCreateEnumeration((xmlChar *) cur->name); ++ if (ret == NULL) return(NULL); + + if (cur->next != NULL) ret->next = xmlCopyEnumeration(cur->next); + else ret->next = NULL; +@@ -6998,6 +6999,9 @@ xmlValidGetValidElements(xmlNode *prev, xmlNode *next, const xmlChar **names, + * Creates a dummy node and insert it into the tree + */ + test_node = xmlNewDocNode (ref_node->doc, NULL, BAD_CAST "<!dummy?>", NULL); ++ if (test_node == NULL) ++ return(-1); ++ + test_node->parent = parent; + test_node->prev = prev; + test_node->next = next; diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0047-Fix-Enum-check-and-missing-break.patch libxml2-2.9.1+dfsg1/debian/patches/0047-Fix-Enum-check-and-missing-break.patch --- libxml2-2.9.1+dfsg1/debian/patches/0047-Fix-Enum-check-and-missing-break.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0047-Fix-Enum-check-and-missing-break.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,43 @@ +From: Gaurav Gupta <[email protected]> +Date: Mon, 6 Oct 2014 12:24:17 +0800 +Subject: Fix Enum check and missing break + +for https://bugzilla.gnome.org/show_bug.cgi?id=737403 + +In file xmlreader.c +1. An enum is checked to proper value instead of checking like a boolean. +2. Missing break statement added. +--- + xmlreader.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/xmlreader.c b/xmlreader.c +index 00083d0..9620f52 100644 +--- a/xmlreader.c ++++ b/xmlreader.c +@@ -1427,7 +1427,7 @@ get_next_node: + goto node_found; + } + #ifdef LIBXML_REGEXP_ENABLED +- if ((reader->validate) && (reader->node->type == XML_ELEMENT_NODE)) ++ if ((reader->validate != XML_TEXTREADER_NOT_VALIDATE) && (reader->node->type == XML_ELEMENT_NODE)) + xmlTextReaderValidatePop(reader); + #endif /* LIBXML_REGEXP_ENABLED */ + if ((reader->preserves > 0) && +@@ -1560,7 +1560,7 @@ node_found: + goto get_next_node; + } + #ifdef LIBXML_REGEXP_ENABLED +- if ((reader->validate) && (reader->node != NULL)) { ++ if ((reader->validate != XML_TEXTREADER_NOT_VALIDATE) && (reader->node != NULL)) { + xmlNodePtr node = reader->node; + + if ((node->type == XML_ELEMENT_NODE) && +@@ -1790,6 +1790,7 @@ xmlTextReaderReadString(xmlTextReaderPtr reader) + if (xmlTextReaderDoExpand(reader) != -1) { + return xmlTextReaderCollectSiblings(node->children); + } ++ break; + case XML_ATTRIBUTE_NODE: + TODO + break; diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch libxml2-2.9.1+dfsg1/debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch --- libxml2-2.9.1+dfsg1/debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,38 @@ +From: Daniel Veillard <[email protected]> +Date: Mon, 6 Oct 2014 18:51:04 +0800 +Subject: Possible overflow in HTMLParser.c + +For https://bugzilla.gnome.org/show_bug.cgi?id=720615 + +make sure that the encoding string passed is of reasonable size +--- + HTMLparser.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 4c51cc5..8d34fd1 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -6288,12 +6288,16 @@ htmlCreateFileParserCtxt(const char *filename, const char *encoding) + + /* set encoding */ + if (encoding) { +- content = xmlMallocAtomic (xmlStrlen(content_line) + strlen(encoding) + 1); +- if (content) { +- strcpy ((char *)content, (char *)content_line); +- strcat ((char *)content, (char *)encoding); +- htmlCheckEncoding (ctxt, content); +- xmlFree (content); ++ size_t l = strlen(encoding); ++ ++ if (l < 1000) { ++ content = xmlMallocAtomic (xmlStrlen(content_line) + l + 1); ++ if (content) { ++ strcpy ((char *)content, (char *)content_line); ++ strcat ((char *)content, (char *)encoding); ++ htmlCheckEncoding (ctxt, content); ++ xmlFree (content); ++ } + } + } + diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch libxml2-2.9.1+dfsg1/debian/patches/0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch --- libxml2-2.9.1+dfsg1/debian/patches/0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,25 @@ +From: Gaurav Gupta <[email protected]> +Date: Mon, 6 Oct 2014 19:28:29 +0800 +Subject: Leak of struct addrinfo in xmlNanoFTPConnect() + +For https://bugzilla.gnome.org/show_bug.cgi?id=732352 + +in case of error condition in IPv6 support, the early return here +doesn't call freeaddrinfo(result), thus leaking memory. +--- + nanoftp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/nanoftp.c b/nanoftp.c +index 077bfe2..010e0b1 100644 +--- a/nanoftp.c ++++ b/nanoftp.c +@@ -908,6 +908,8 @@ xmlNanoFTPConnect(void *ctx) { + return (-1); + } + if (tmp->ai_addrlen > sizeof(ctxt->ftpAddr)) { ++ if (result) ++ freeaddrinfo (result); + __xmlIOErr(XML_FROM_FTP, 0, "gethostbyname address mismatch"); + return (-1); + } diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0050-Pointer-dereferenced-before-null-check.patch libxml2-2.9.1+dfsg1/debian/patches/0050-Pointer-dereferenced-before-null-check.patch --- libxml2-2.9.1+dfsg1/debian/patches/0050-Pointer-dereferenced-before-null-check.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0050-Pointer-dereferenced-before-null-check.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,61 @@ +From: Daniel Veillard <[email protected]> +Date: Mon, 6 Oct 2014 20:07:19 +0800 +Subject: Pointer dereferenced before null check + +For https://bugzilla.gnome.org/show_bug.cgi?id=707027 + +A few pointer dereference before NULL check fixed. +Removed a useless test +--- + xmlreader.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/xmlreader.c b/xmlreader.c +index 9620f52..8834f50 100644 +--- a/xmlreader.c ++++ b/xmlreader.c +@@ -282,7 +282,10 @@ static void + xmlTextReaderFreeProp(xmlTextReaderPtr reader, xmlAttrPtr cur) { + xmlDictPtr dict; + +- dict = reader->ctxt->dict; ++ if ((reader != NULL) && (reader->ctxt != NULL)) ++ dict = reader->ctxt->dict; ++ else ++ dict = NULL; + if (cur == NULL) return; + + if ((__xmlRegisterCallbacks) && (xmlDeregisterNodeDefaultValue)) +@@ -319,7 +322,7 @@ xmlTextReaderFreeProp(xmlTextReaderPtr reader, xmlAttrPtr cur) { + static void + xmlTextReaderFreePropList(xmlTextReaderPtr reader, xmlAttrPtr cur) { + xmlAttrPtr next; +- if (cur == NULL) return; ++ + while (cur != NULL) { + next = cur->next; + xmlTextReaderFreeProp(reader, cur); +@@ -340,7 +343,10 @@ xmlTextReaderFreeNodeList(xmlTextReaderPtr reader, xmlNodePtr cur) { + xmlNodePtr next; + xmlDictPtr dict; + +- dict = reader->ctxt->dict; ++ if ((reader != NULL) && (reader->ctxt != NULL)) ++ dict = reader->ctxt->dict; ++ else ++ dict = NULL; + if (cur == NULL) return; + if (cur->type == XML_NAMESPACE_DECL) { + xmlFreeNsList((xmlNsPtr) cur); +@@ -417,7 +423,10 @@ static void + xmlTextReaderFreeNode(xmlTextReaderPtr reader, xmlNodePtr cur) { + xmlDictPtr dict; + +- dict = reader->ctxt->dict; ++ if ((reader != NULL) && (reader->ctxt != NULL)) ++ dict = reader->ctxt->dict; ++ else ++ dict = NULL; + if (cur->type == XML_DTD_NODE) { + xmlFreeDtd((xmlDtdPtr) cur); + return; diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0051-xpointer-fixing-Null-Pointers.patch libxml2-2.9.1+dfsg1/debian/patches/0051-xpointer-fixing-Null-Pointers.patch --- libxml2-2.9.1+dfsg1/debian/patches/0051-xpointer-fixing-Null-Pointers.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0051-xpointer-fixing-Null-Pointers.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,110 @@ +From: Gaurav Gupta <[email protected]> +Date: Tue, 7 Oct 2014 17:09:35 +0800 +Subject: xpointer : fixing Null Pointers + +For https://bugzilla.gnome.org/show_bug.cgi?id=738053 +At many places in xpointer.c +Null check is missing which is dereferenced at later places. +--- + xpointer.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/xpointer.c b/xpointer.c +index 46f11e8..1ae2e53 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -1375,6 +1375,8 @@ xmlXPtrEval(const xmlChar *str, xmlXPathContextPtr ctx) { + return(NULL); + + ctxt = xmlXPathNewParserContext(str, ctx); ++ if (ctxt == NULL) ++ return(NULL); + ctxt->xptr = 1; + xmlXPtrEvalXPointer(ctxt); + +@@ -1807,6 +1809,8 @@ xmlXPtrStartPointFunction(xmlXPathParserContextPtr ctxt, int nargs) { + */ + tmp = xmlXPtrNewLocationSetNodeSet(obj->nodesetval); + xmlXPathFreeObject(obj); ++ if (tmp == NULL) ++ XP_ERROR(XPATH_MEMORY_ERROR) + obj = tmp; + } + +@@ -1901,10 +1905,16 @@ xmlXPtrEndPointFunction(xmlXPathParserContextPtr ctxt, int nargs) { + */ + tmp = xmlXPtrNewLocationSetNodeSet(obj->nodesetval); + xmlXPathFreeObject(obj); ++ if (tmp == NULL) ++ XP_ERROR(XPATH_MEMORY_ERROR) + obj = tmp; + } + + newset = xmlXPtrLocationSetCreate(NULL); ++ if (newset == NULL) { ++ xmlXPathFreeObject(obj); ++ XP_ERROR(XPATH_MEMORY_ERROR); ++ } + oldset = (xmlLocationSetPtr) obj->user; + if (oldset != NULL) { + int i; +@@ -2049,6 +2059,8 @@ xmlXPtrRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) { + */ + tmp = xmlXPtrNewLocationSetNodeSet(set->nodesetval); + xmlXPathFreeObject(set); ++ if (tmp == NULL) ++ XP_ERROR(XPATH_MEMORY_ERROR) + set = tmp; + } + oldset = (xmlLocationSetPtr) set->user; +@@ -2057,6 +2069,10 @@ xmlXPtrRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) { + * The loop is to compute the covering range for each item and add it + */ + newset = xmlXPtrLocationSetCreate(NULL); ++ if (newset == NULL) { ++ xmlXPathFreeObject(set); ++ XP_ERROR(XPATH_MEMORY_ERROR); ++ } + for (i = 0;i < oldset->locNr;i++) { + xmlXPtrLocationSetAdd(newset, + xmlXPtrCoveringRange(ctxt, oldset->locTab[i])); +@@ -2195,6 +2211,8 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) { + */ + tmp = xmlXPtrNewLocationSetNodeSet(set->nodesetval); + xmlXPathFreeObject(set); ++ if (tmp == NULL) ++ XP_ERROR(XPATH_MEMORY_ERROR) + set = tmp; + } + oldset = (xmlLocationSetPtr) set->user; +@@ -2203,6 +2221,10 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) { + * The loop is to compute the covering range for each item and add it + */ + newset = xmlXPtrLocationSetCreate(NULL); ++ if (newset == NULL) { ++ xmlXPathFreeObject(set); ++ XP_ERROR(XPATH_MEMORY_ERROR); ++ } + for (i = 0;i < oldset->locNr;i++) { + xmlXPtrLocationSetAdd(newset, + xmlXPtrInsideRange(ctxt, oldset->locTab[i])); +@@ -2798,6 +2820,10 @@ xmlXPtrStringRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) { + + set = valuePop(ctxt); + newset = xmlXPtrLocationSetCreate(NULL); ++ if (newset == NULL) { ++ xmlXPathFreeObject(set); ++ XP_ERROR(XPATH_MEMORY_ERROR); ++ } + if (set->nodesetval == NULL) { + goto error; + } +@@ -2809,6 +2835,8 @@ xmlXPtrStringRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) { + */ + tmp = xmlXPtrNewLocationSetNodeSet(set->nodesetval); + xmlXPathFreeObject(set); ++ if (tmp == NULL) ++ XP_ERROR(XPATH_MEMORY_ERROR) + set = tmp; + } + oldset = (xmlLocationSetPtr) set->user; diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0052-xmlmemory-handle-realloc-properly.patch libxml2-2.9.1+dfsg1/debian/patches/0052-xmlmemory-handle-realloc-properly.patch --- libxml2-2.9.1+dfsg1/debian/patches/0052-xmlmemory-handle-realloc-properly.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0052-xmlmemory-handle-realloc-properly.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,39 @@ +From: Yegor Yefremov <[email protected]> +Date: Fri, 10 Oct 2014 12:23:09 +0200 +Subject: xmlmemory: handle realloc properly + +If realloc fails, free original pointer. + +Signed-off-by: Yegor Yefremov <[email protected]> +--- + xmlmemory.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/xmlmemory.c b/xmlmemory.c +index 37dcf3b..6110849 100644 +--- a/xmlmemory.c ++++ b/xmlmemory.c +@@ -313,7 +313,7 @@ xmlMemMalloc(size_t size) + void * + xmlReallocLoc(void *ptr,size_t size, const char * file, int line) + { +- MEMHDR *p; ++ MEMHDR *p, *tmp; + unsigned long number; + #ifdef DEBUG_MEMORY + size_t oldsize; +@@ -344,10 +344,12 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line) + #endif + xmlMutexUnlock(xmlMemMutex); + +- p = (MEMHDR *) realloc(p,RESERVE_SIZE+size); +- if (!p) { ++ tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size); ++ if (!tmp) { ++ free(p); + goto error; + } ++ p = tmp; + if (xmlMemTraceBlockAt == ptr) { + xmlGenericError(xmlGenericErrorContext, + "%p : Realloced(%lu -> %lu) Ok\n", diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch libxml2-2.9.1+dfsg1/debian/patches/0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch --- libxml2-2.9.1+dfsg1/debian/patches/0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,50 @@ +From: Bart De Schuymer <[email protected]> +Date: Thu, 16 Oct 2014 12:17:20 +0800 +Subject: fix memory leak xml header encoding field with XML_PARSE_IGNORE_ENC + +When the xml parser encounters an xml encoding in an xml header while +configured with option XML_PARSE_IGNORE_ENC, it fails to free memory +allocated for storing the encoding. +The patch below fixes this. +How to reproduce: +1. Change doc/examples/parse4.c to add xmlCtxtUseOptions(ctxt, +XML_PARSE_IGNORE_ENC); after the call to xmlCreatePushParserCtxt. +2. Rebuild +3. run the following command from the top libxml2 directory: +LD_LIBRARY_PATH=.libs/ valgrind --leak-check=full +./doc/examples/.libs/parse4 ./test.xml , where test.xml contains +following +input: +<?xml version="1.0" encoding="UTF-81" ?><hi/> +valgrind will report: +==1964== 10 bytes in 1 blocks are definitely lost in loss record 1 of 1 +==1964== at 0x4C272DB: malloc (in +/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) +==1964== by 0x4E88497: xmlParseEncName (parser.c:10224) +==1964== by 0x4E888FE: xmlParseEncodingDecl (parser.c:10295) +==1964== by 0x4E89630: xmlParseXMLDecl (parser.c:10534) +==1964== by 0x4E8B737: xmlParseTryOrFinish (parser.c:11293) +==1964== by 0x4E8E775: xmlParseChunk (parser.c:12283) + +Signed-off-by: Bart De Schuymer <bart at amplidata com> +--- + parser.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/parser.c b/parser.c +index b02333b..ab69d56 100644 +--- a/parser.c ++++ b/parser.c +@@ -10338,8 +10338,10 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) { + /* + * Non standard parsing, allowing the user to ignore encoding + */ +- if (ctxt->options & XML_PARSE_IGNORE_ENC) +- return(encoding); ++ if (ctxt->options & XML_PARSE_IGNORE_ENC) { ++ xmlFree((xmlChar *) encoding); ++ return(NULL); ++ } + + /* + * UTF-16 encoding stwich has already taken place at this stage, diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0054-Fix-for-CVE-2014-3660.patch libxml2-2.9.1+dfsg1/debian/patches/0054-Fix-for-CVE-2014-3660.patch --- libxml2-2.9.1+dfsg1/debian/patches/0054-Fix-for-CVE-2014-3660.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0054-Fix-for-CVE-2014-3660.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,141 @@ +From: Daniel Veillard <[email protected]> +Date: Thu, 16 Oct 2014 13:59:47 +0800 +Subject: Fix for CVE-2014-3660 + +Issues related to the billion laugh entity expansion which happened to +escape the initial set of fixes +--- + parser.c | 42 ++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 38 insertions(+), 4 deletions(-) + +diff --git a/parser.c b/parser.c +index ab69d56..b7f3c03 100644 +--- a/parser.c ++++ b/parser.c +@@ -130,6 +130,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + return (0); + if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) + return (1); ++ ++ /* ++ * This may look absurd but is needed to detect ++ * entities problems ++ */ ++ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) && ++ (ent->content != NULL) && (ent->checked == 0)) { ++ unsigned long oldnbent = ctxt->nbentities; ++ xmlChar *rep; ++ ++ ent->checked = 1; ++ ++ rep = xmlStringDecodeEntities(ctxt, ent->content, ++ XML_SUBSTITUTE_REF, 0, 0, 0); ++ ++ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; ++ if (rep != NULL) { ++ if (xmlStrchr(rep, '<')) ++ ent->checked |= 1; ++ xmlFree(rep); ++ rep = NULL; ++ } ++ } + if (replacement != 0) { + if (replacement < XML_MAX_TEXT_LENGTH) + return(0); +@@ -189,9 +212,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + return (0); + } else { + /* +- * strange we got no data for checking just return ++ * strange we got no data for checking + */ +- return (0); ++ if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) && ++ (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) || ++ (ctxt->nbentities <= 10000)) ++ return (0); + } + xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); + return (1); +@@ -2584,6 +2610,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) { + name, NULL); + ctxt->valid = 0; + } ++ xmlParserEntityCheck(ctxt, 0, NULL, 0); + } else if (ctxt->input->free != deallocblankswrapper) { + input = xmlNewBlanksWrapperInputStream(ctxt, entity); + if (xmlPushInput(ctxt, input) < 0) +@@ -2754,6 +2781,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) || + (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR)) + goto int_error; ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + if (ent != NULL) + ctxt->nbentities += ent->checked / 2; + if ((ent != NULL) && +@@ -2805,6 +2833,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + ent = xmlParseStringPEReference(ctxt, &str); + if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) + goto int_error; ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + if (ent != NULL) + ctxt->nbentities += ent->checked / 2; + if (ent != NULL) { +@@ -7307,6 +7336,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + (ret != XML_WAR_UNDECLARED_ENTITY)) { + xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY, + "Entity '%s' failed to parse\n", ent->name); ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + } else if (list != NULL) { + xmlFreeNodeList(list); + list = NULL; +@@ -7413,7 +7443,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + /* + * We are copying here, make sure there is no abuse + */ +- ctxt->sizeentcopy += ent->length; ++ ctxt->sizeentcopy += ent->length + 5; + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) + return; + +@@ -7461,7 +7491,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + /* + * We are copying here, make sure there is no abuse + */ +- ctxt->sizeentcopy += ent->length; ++ ctxt->sizeentcopy += ent->length + 5; + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) + return; + +@@ -7647,6 +7677,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) { + ctxt->sax->reference(ctxt->userData, name); + } + } ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + ctxt->valid = 0; + } + +@@ -7840,6 +7871,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) { + "Entity '%s' not defined\n", + name); + } ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + /* TODO ? check regressions ctxt->valid = 0; */ + } + +@@ -7999,6 +8031,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) + name, NULL); + ctxt->valid = 0; + } ++ xmlParserEntityCheck(ctxt, 0, NULL, 0); + } else { + /* + * Internal checking in case the entity quest barfed +@@ -8238,6 +8271,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const xmlChar **str) { + name, NULL); + ctxt->valid = 0; + } ++ xmlParserEntityCheck(ctxt, 0, NULL, 0); + } else { + /* + * Internal checking in case the entity quest barfed diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch libxml2-2.9.1+dfsg1/debian/patches/0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch --- libxml2-2.9.1+dfsg1/debian/patches/0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch 1970-01-01 08:00:00.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch 2015-02-01 13:50:27.000000000 +0800 @@ -0,0 +1,27 @@ +From: Daniel Veillard <[email protected]> +Date: Thu, 23 Oct 2014 11:35:36 +0800 +Subject: Fix missing entities after CVE-2014-3660 fix + +For https://bugzilla.gnome.org/show_bug.cgi?id=738805 + +The fix for CVE-2014-3660 introduced a regression in some case +where entity substitution is required and the entity is used +first in anotther entity referenced from an attribute value +--- + parser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index b7f3c03..c187327 100644 +--- a/parser.c ++++ b/parser.c +@@ -7230,7 +7230,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + * far more secure as the parser will only process data coming from + * the document entity by default. + */ +- if ((ent->checked == 0) && ++ if (((ent->checked == 0) || ++ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) && + ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) || + (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) { + unsigned long oldnbent = ctxt->nbentities; diff -Nru libxml2-2.9.1+dfsg1/debian/patches/series libxml2-2.9.1+dfsg1/debian/patches/series --- libxml2-2.9.1+dfsg1/debian/patches/series 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/patches/series 2015-02-01 13:50:27.000000000 +0800 @@ -30,3 +30,26 @@ 0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch 0031-xmllint-was-not-parsing-the-c14n11-flag.patch 0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch +0033-Adding-some-missing-NULL-checks.patch +0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch +0035-Adding-a-check-in-case-of-allocation-error.patch +0036-Add-a-missing-argument-check.patch +0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch +0038-Fix-a-potential-NULL-dereference.patch +0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch +0040-Avoid-Possible-Null-Pointer-in-trio.c.patch +0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch +0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch +0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch +0044-xmlschemastypes-Fix-potential-array-overflow.patch +0045-Add-couple-of-missing-Null-checks.patch +0046-Couple-of-Missing-Null-checks.patch +0047-Fix-Enum-check-and-missing-break.patch +0048-Possible-overflow-in-HTMLParser.c.patch +0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch +0050-Pointer-dereferenced-before-null-check.patch +0051-xpointer-fixing-Null-Pointers.patch +0052-xmlmemory-handle-realloc-properly.patch +0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch +0054-Fix-for-CVE-2014-3660.patch +0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch diff -Nru libxml2-2.9.1+dfsg1/debian/rules libxml2-2.9.1+dfsg1/debian/rules --- libxml2-2.9.1+dfsg1/debian/rules 2014-07-09 06:46:15.000000000 +0800 +++ libxml2-2.9.1+dfsg1/debian/rules 2015-02-01 13:42:06.000000000 +0800 @@ -11,7 +11,7 @@ DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) CC = $(DEB_HOST_GNU_TYPE)-gcc -CFLAGS = `dpkg-buildflags --get CFLAGS` -Wall +CFLAGS = `dpkg-buildflags --get CFLAGS` -Wall -O3 LDFLAGS = `dpkg-buildflags --get LDFLAGS` -Wl,--as-needed CPPFLAGS = `dpkg-buildflags --get CPPFLAGS`Attachment: signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: Aron Xu <[email protected]>, [email protected]
- Cc: Julien Cristau <[email protected]>, "Adam D. Barratt" <[email protected]>
- Subject: Re: Bug#776748: (pre-approval) unblock: libxml2/2.9.1+dfsg1-5 (via t-p-u)
- From: Ivo De Decker <[email protected]>
- Date: Sat, 21 Feb 2015 11:38:05 +0100
- Message-id: <[email protected]>
- In-reply-to: <[🔎] CAMr=8w79anD0tXm+gGdyEvJut6pzkcRRtjKZtA4PVX3ULMyEZQ@mail.gmail.com>
- References: <[🔎] [email protected]> <[🔎] CAMr=8w5JspY+O=+ov3Lo18AQe759zkJmK0mCguMOh0pDc-2sKA@mail.gmail.com> <[🔎] [email protected]> <[🔎] CAMr=8w7AZj_-0Mvm6xNL4aozuNE4O9-h-DCh99EYDzJ8_=UF0w@mail.gmail.com> <[🔎] [email protected]> <[🔎] CAMr=8w6aMVFD6E47GZhQz2e7Gw=_U+aV2qra6Z78pPF+kRWpxQ@mail.gmail.com> <[🔎] [email protected]> <[🔎] CAMr=8w6eYY+-Q7C-ONMk_P0EfEpWcKrxp2iZSQrttP2a2Wrwmw@mail.gmail.com> <[🔎] [email protected]> <[🔎] CAMr=8w79anD0tXm+gGdyEvJut6pzkcRRtjKZtA4PVX3ULMyEZQ@mail.gmail.com>
Hi, On Fri, Feb 20, 2015 at 01:55:27AM +0800, Aron Xu wrote: > > Go ahead, thanks. > > Uploaded. Unblocked. Cheers, Ivo
--- End Message ---