On Sun, 27 Jul 2025 at 02:00:30 +0200, Guilhem Moulin wrote: > [x] attach debdiff against the package in stable (Oops, here it comes) -- Guilhem.
diffstat for libxml2-2.9.14+dfsg libxml2-2.9.14+dfsg
 changelog | 14 ++
 patches/CVE-2025-49794_CVE-2025-49796.patch | 187 ++++++++++++++++++++++++++++
 patches/CVE-2025-6021.patch | 49 +++++++
 patches/CVE-2025-6170.patch | 100 ++++++++++++++
 patches/series | 3
 salsa-ci.yml | 8 +
 6 files changed, 361 insertions(+)
diff -Nru libxml2-2.9.14+dfsg/debian/changelog libxml2-2.9.14+dfsg/debian/changelog
--- libxml2-2.9.14+dfsg/debian/changelog 2025-06-06 10:50:13.000000000 +0200
+++ libxml2-2.9.14+dfsg/debian/changelog 2025-07-27 01:15:48.000000000 +0200
@@ -1,3 +1,17 @@
+libxml2 (2.9.14+dfsg-1.3~deb12u3) bookworm; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2025-6021: Integer overflow issue in xmlBuildQName. (Closes:
+ #1107720).
+ * Fix CVE-2025-6170: Potential buffer overflows in the interactive shell
+ (Closes: #1107938).
+ * Fix CVE-2025-49794: Use-after-free issue in xmlSchematronReportOutput
+ (Closes: #1107755).
+ * Fix CVE-2025-49796: Type confusion issue in xmlSchematronReportOutput
+ (Closes: #1107752).
+
+ -- Guilhem Moulin <guilhem@debian.org> Sun, 27 Jul 2025 01:15:48 +0200
+
 libxml2 (2.9.14+dfsg-1.3~deb12u2) bookworm-security; urgency=high
 
 * Security fixes:
diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2025-49794_CVE-2025-49796.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2025-49794_CVE-2025-49796.patch
--- libxml2-2.9.14+dfsg/debian/patches/CVE-2025-49794_CVE-2025-49796.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/CVE-2025-49794_CVE-2025-49796.patch 2025-07-27 01:15:48.000000000 +0200
@@ -0,0 +1,187 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 4 Jul 2025 14:28:26 +0200
+Subject: schematron: Fix memory safety issues in xmlSchematronReportOutput
+
+Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796)
+in xmlSchematronReportOutput.
+
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5b5aec2acdf5707e57a6db0c8d1d0abca
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/931
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/933
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-49794
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-49796
+Bug-Debian: https://bugs.debian.org/1107752
+Bug-Debian: https://bugs.debian.org/1107755
+---
+ result/schematron/cve-2025-49794_0.err | 3 ++
+ result/schematron/cve-2025-49796_0.err | 3 ++
+ schematron.c | 54 ++++++++++++++++++----------------
+ test/schematron/cve-2025-49794.sct | 10 +++++++
+ test/schematron/cve-2025-49794_0.xml | 6 ++++
+ test/schematron/cve-2025-49796.sct | 9 ++++++
+ test/schematron/cve-2025-49796_0.xml | 3 ++
+ 7 files changed, 63 insertions(+), 25 deletions(-)
+ create mode 100644 result/schematron/cve-2025-49794_0.err
+ create mode 100644 result/schematron/cve-2025-49796_0.err
+ create mode 100644 test/schematron/cve-2025-49794.sct
+ create mode 100644 test/schematron/cve-2025-49794_0.xml
+ create mode 100644 test/schematron/cve-2025-49796.sct
+ create mode 100644 test/schematron/cve-2025-49796_0.xml
+
+diff --git a/result/schematron/cve-2025-49794_0.err b/result/schematron/cve-2025-49794_0.err
+new file mode 100644
+index 0000000..618ae11
+--- /dev/null
++++ b/result/schematron/cve-2025-49794_0.err
+@@ -0,0 +1,3 @@
++Pattern:
++/librar0/boo0 line 2:
++./test/schematron/cve-2025-49794_0.xml fails to validate
+diff --git a/result/schematron/cve-2025-49796_0.err b/result/schematron/cve-2025-49796_0.err
+new file mode 100644
+index 0000000..0d0146b
+--- /dev/null
++++ b/result/schematron/cve-2025-49796_0.err
+@@ -0,0 +1,3 @@
++Pattern:
++/librar0/boo0 line 2:
++./test/schematron/cve-2025-49796_0.xml fails to validate
+diff --git a/schematron.c b/schematron.c
+index ddbb069..5782636 100644
+--- a/schematron.c
++++ b/schematron.c
+@@ -1239,27 +1239,16 @@ exit:
+ * *
+ ************************************************************************/
+ 
+-static xmlNodePtr
++static xmlXPathObjectPtr
+ xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt,
+ xmlNodePtr cur, const xmlChar *xpath) {
+- xmlNodePtr node = NULL;
+- xmlXPathObjectPtr ret;
+-
+ if ((ctxt == NULL) || (cur == NULL) || (xpath == NULL))
+ return(NULL);
+ 
+ ctxt->xctxt->doc = cur->doc;
+ ctxt->xctxt->node = cur;
+- ret = xmlXPathEval(xpath, ctxt->xctxt);
+- if (ret == NULL)
+- return(NULL);
+-
+- if ((ret->type == XPATH_NODESET) &&
+- (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0))
+- node = ret->nodesetval->nodeTab[0];
+ 
+- xmlXPathFreeObject(ret);
+- return(node);
++ return(xmlXPathEval(xpath, ctxt->xctxt));
+ }
+ 
+ /**
+@@ -1304,25 +1293,40 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
+ (child->type == XML_CDATA_SECTION_NODE))
+ ret = xmlStrcat(ret, child->content);
+ else if (IS_SCHEMATRON(child, "name")) {
++ xmlXPathObject *obj = NULL;
+ xmlChar *path;
+ 
+ path = xmlGetNoNsProp(child, BAD_CAST "path");
+ 
+- node = cur;
++ node = cur;
+ if (path != NULL) {
+- node = xmlSchematronGetNode(ctxt, cur, path);
+- if (node == NULL)
+- node = cur;
+- xmlFree(path);
++ obj = xmlSchematronGetNode(ctxt, cur, path);
++ if ((obj != NULL) &&
++ (obj->type == XPATH_NODESET) &&
++ (obj->nodesetval != NULL) &&
++ (obj->nodesetval->nodeNr > 0))
++ node = obj->nodesetval->nodeTab[0];
++ xmlFree(path);
+ }
+ 
+- if ((node->ns == NULL) || (node->ns->prefix == NULL))
+- ret = xmlStrcat(ret, node->name);
+- else {
+- ret = xmlStrcat(ret, node->ns->prefix);
+- ret = xmlStrcat(ret, BAD_CAST ":");
+- ret = xmlStrcat(ret, node->name);
+- }
++ switch (node->type) {
++ case XML_ELEMENT_NODE:
++ case 
XML_ATTRIBUTE_NODE:
++ if ((node->ns == NULL) || (node->ns->prefix == NULL))
++ ret = xmlStrcat(ret, node->name);
++ else {
++ ret = xmlStrcat(ret, node->ns->prefix);
++ ret = xmlStrcat(ret, BAD_CAST ":");
++ ret = xmlStrcat(ret, node->name);
++ }
++ break;
++
++ /* TODO: handle other node types */
++ default:
++ break;
++ }
++
++ xmlXPathFreeObject(obj);
+ } else {
+ child = child->next;
+ continue;
+diff --git a/test/schematron/cve-2025-49794.sct b/test/schematron/cve-2025-49794.sct
+new file mode 100644
+index 0000000..7fc9ee3
+--- /dev/null
++++ b/test/schematron/cve-2025-49794.sct
+@@ -0,0 +1,10 @@
++<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
++ <sch:pattern id="">
++ <sch:rule context="boo0">
++ <sch:report test="not(0)">
++ <sch:name path="	e|namespace::*|e"/>
++ </sch:report>
++ <sch:report test="0"></sch:report>
++ </sch:rule>
++ </sch:pattern>
++</sch:schema>
+diff --git a/test/schematron/cve-2025-49794_0.xml b/test/schematron/cve-2025-49794_0.xml
+new file mode 100644
+index 0000000..debc64b
+--- /dev/null
++++ b/test/schematron/cve-2025-49794_0.xml
+@@ -0,0 +1,6 @@
++<librar0>
++ <boo0 t="">
++ <author></author>
++ </boo0>
++ <ins></ins>
++</librar0>
+diff --git a/test/schematron/cve-2025-49796.sct b/test/schematron/cve-2025-49796.sct
+new file mode 100644
+index 0000000..e9702d7
+--- /dev/null
++++ b/test/schematron/cve-2025-49796.sct
+@@ -0,0 +1,9 @@
++<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
++ <sch:pattern id="">
++ <sch:rule context="boo0">
++ <sch:report test="not(0)">
++ <sch:name path="/"/>
++ </sch:report>
++ </sch:rule>
++ </sch:pattern>
++</sch:schema>
+diff --git a/test/schematron/cve-2025-49796_0.xml b/test/schematron/cve-2025-49796_0.xml
+new file mode 100644
+index 0000000..be33c4e
+--- /dev/null
++++ b/test/schematron/cve-2025-49796_0.xml
+@@ -0,0 +1,3 @@
++<librar0>
++ <boo0/>
++</librar0>
diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2025-6021.patch 
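Review bot: `xmlSchematronGetNode` now returns the raw `xmlXPathObjectPtr` that the caller must free, yet it keeps a name that promises a node and has no comment stating the new ownership rule, so the next caller reached via the `GetNode` name will likely expect a borrowed `xmlNodePtr`. A header comment above the definition such as `/* Evaluate @xpath with @cur as the context node; returns the XPath object (any type, or NULL), owned by the caller and released with xmlXPathFreeObject(). */` would pin the contract the fix depends on. In `xmlSchematronFormatReport`, the new `default:` arm silently emits nothing for results that are not element or attribute nodes (the cve-2025-49794.sct test selects namespace nodes), so a `<sch:name>` can vanish from the report without any diagnostic; the `/* TODO */` should at least say that the name is intentionally dropped for those types. `xmlSchematronFormatReport` starts and ends outside the hunk.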
libxml2-2.9.14+dfsg/debian/patches/CVE-2025-6021.patch
--- libxml2-2.9.14+dfsg/debian/patches/CVE-2025-6021.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/CVE-2025-6021.patch 2025-07-27 01:15:48.000000000 +0200
@@ -0,0 +1,49 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 27 May 2025 12:53:17 +0200
+Subject: tree: Fix integer overflow in xmlBuildQName
+
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae33c23f87692aa179bacedb6743f3188a
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/926
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-6021
+Bug-Debian: https://bugs.debian.org/1107720
+---
+ tree.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 87899f9..60cc6f4 100644
+--- a/tree.c
++++ b/tree.c
+@@ -50,6 +50,10 @@
+ #include "buf.h"
+ #include "save.h"
+ 
++#ifndef SIZE_MAX
++ #define SIZE_MAX ((size_t)-1)
++#endif
++
+ int __xmlRegisterCallbacks = 0;
+ 
+ /************************************************************************
+@@ -222,16 +226,18 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
+ xmlChar *
+ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ xmlChar *memory, int len) {
+- int lenn, lenp;
++ size_t lenn, lenp;
+ xmlChar *ret;
+ 
+- if (ncname == NULL) return(NULL);
++ if ((ncname == NULL) || (len < 0)) return(NULL);
+ if (prefix == NULL) return((xmlChar *) ncname);
+ 
+ lenn = strlen((char *) ncname);
+ lenp = strlen((char *) prefix);
++ if (lenn >= SIZE_MAX - lenp - 1)
++ return(NULL);
+ 
+- if ((memory == NULL) || (len < lenn + lenp + 2)) {
++ if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+ ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
+ if (ret == NULL) {
+ xmlTreeErrMemory("building QName");
diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2025-6170.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2025-6170.patch
--- libxml2-2.9.14+dfsg/debian/patches/CVE-2025-6170.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/CVE-2025-6170.patch 2025-07-27 01:15:48.000000000 +0200
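Review bot: The new guard `if (lenn >= SIZE_MAX - lenp - 1) return(NULL);` has no comment tying it to the `lenn + lenp + 2` computed two lines below, so a reader has to re-derive why the bound is `SIZE_MAX - lenp - 1` and not `- 2`; a why-comment such as `/* ensure lenn + lenp + 2 (and the copy offsets below) cannot wrap in size_t */` would make the intent explicit. The added `len < 0` check also changes the contract: a negative `len` previously meant "caller buffer too small, allocate" and now yields NULL, which callers presumably treat as an allocation failure; that is fine for callers passing `sizeof buf`, but the public doc comment for `xmlBuildQName` (above the hunk) should state that `len` must be non-negative. The body of `xmlBuildQName` continues past the end of the hunk.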
@@ -0,0 +1,100 @@
+From: Michael Mann <mmann78@netscape.net>
+Date: Fri, 20 Jun 2025 23:05:00 -0400
+Subject: Fix potential buffer overflows of interactive shell
+
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c107d3f5b5179c3dbc19df43df041cd55b
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/941
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-6170
+Bug-Debian: https://bugs.debian.org/1107938
+---
+ debugXML.c | 15 ++++++++++-----
+ result/scripts/long_command | 8 ++++++++
+ test/scripts/long_command.script | 6 ++++++
+ test/scripts/long_command.xml | 1 +
+ 4 files changed, 25 insertions(+), 5 deletions(-)
+ create mode 100644 result/scripts/long_command
+ create mode 100644 test/scripts/long_command.script
+ create mode 100644 test/scripts/long_command.xml
+
+diff --git a/debugXML.c b/debugXML.c
+index 7a2ca47..dfde58e 100644
+--- a/debugXML.c
++++ b/debugXML.c
+@@ -1050,6 +1050,10 @@ xmlCtxtDumpOneNode(xmlDebugCtxtPtr ctxt, xmlNodePtr node)
+ xmlCtxtGenericNodeCheck(ctxt, node);
+ }
+ 
++#define MAX_PROMPT_SIZE 500
++#define MAX_ARG_SIZE 400
++#define MAX_COMMAND_SIZE 100
++
+ /**
+ * xmlCtxtDumpNode:
+ * @output: the FILE * for the output
+@@ -2802,10 +2806,10 @@ void
+ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+ FILE * output)
+ {
+- char prompt[500] = "/ > ";
++ char prompt[MAX_PROMPT_SIZE] = "/ > ";
+ char *cmdline = NULL, *cur;
+- char command[100];
+- char arg[400];
++ char command[MAX_COMMAND_SIZE];
++ char arg[MAX_ARG_SIZE];
+ int i;
+ xmlShellCtxtPtr ctxt;
+ xmlXPathObjectPtr list;
+@@ -2863,7 +2867,8 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+ cur++;
+ i = 0;
+ while ((*cur != ' ') && (*cur != '\t') &&
+- (*cur != '\n') && (*cur != '\r')) {
++ (*cur != '\n') && (*cur != '\r') &&
++ (i < (MAX_COMMAND_SIZE - 1))) {
+ if (*cur == 0)
+ break;
+ command[i++] = *cur++;
+@@ -2878,7 +2883,7 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+ while 
((*cur == ' ') || (*cur == '\t'))
+ cur++;
+ i = 0;
+- while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
++ while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
+ if (*cur == 0)
+ break;
+ arg[i++] = *cur++;
+diff --git a/result/scripts/long_command b/result/scripts/long_command
+new file mode 100644
+index 0000000..e6f0070
+--- /dev/null
++++ b/result/scripts/long_command
+@@ -0,0 +1,8 @@
++/ > b > b > Object is a Node Set :
++Set contains 1 nodes:
++1 ELEMENT a:c
++b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
++b > b > Unknown command ess_currents_of_time_and_existence
++b > <?xml version="1.0"?>
++<a xmlns:a="bar"><b xmlns:a="foo">Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof</b></a>
++b > 
+\ No newline at end of file
+diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script
+new file mode 100644
+index 0000000..00f6df0
+--- /dev/null
++++ b/test/scripts/long_command.script
+@@ -0,0 +1,6 @@
++cd a/b
++set <a:c/>
++xpath //*[namespace-uri()="foo"]
++This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
++set 
Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
++save -
+diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
+new file mode 100644
+index 0000000..1ba4401
+--- /dev/null
++++ b/test/scripts/long_command.xml
+@@ -0,0 +1 @@
++<a xmlns:a="bar"><b xmlns:a="foo"/></a>
diff -Nru libxml2-2.9.14+dfsg/debian/patches/series libxml2-2.9.14+dfsg/debian/patches/series
--- libxml2-2.9.14+dfsg/debian/patches/series 2025-06-06 10:49:57.000000000 +0200
+++ libxml2-2.9.14+dfsg/debian/patches/series 2025-07-27 01:15:48.000000000 +0200
@@ -20,3 +20,6 @@
 CVE-2024-25062.patch
 CVE-2025-32414-bug-889-v2.10.4-and-below.patch
 CVE-2025-32415.patch
+CVE-2025-6021.patch
+CVE-2025-6170.patch
+CVE-2025-49794_CVE-2025-49796.patch
diff -Nru libxml2-2.9.14+dfsg/debian/salsa-ci.yml libxml2-2.9.14+dfsg/debian/salsa-ci.yml
--- libxml2-2.9.14+dfsg/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/salsa-ci.yml 2025-07-27 01:15:48.000000000 +0200
@@ -0,0 +1,8 @@
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+ RELEASE: 'bookworm'
+ SALSA_CI_DISABLE_LINTIAN: 1
+ SALSA_CI_DISABLE_REPROTEST: 1
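Review bot: The new bound `(i < (MAX_COMMAND_SIZE - 1))` stops the copy but leaves `cur` on the unread remainder, which the following code parses as the command's argument, so an over-long token is silently split rather than reported; the expected output in result/scripts/long_command shows exactly this (`Unknown command This_is_..._comm` with the tail reparsed), and the `(i < (MAX_ARG_SIZE-1))` bound in the next hunk behaves the same way for `arg`. A short comment at each loop, e.g. `/* bounded copy: input past the limit is left in cur and read as the next token */`, or a one-line "command too long" notice when the bound is hit, would make the truncation visibly deliberate. The three `#define`s are also dropped after `xmlCtxtDumpOneNode`, roughly 1750 lines from their only user `xmlShell` (hunk offsets 1050 vs 2806); defining them next to `xmlShell` would keep them discoverable. `xmlShell` starts and ends outside the hunks shown.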