[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1110152: marked as done (unblock: libxml2/2.12.7+dfsg+really2.9.14-2.1)

Your message dated Wed, 30 Jul 2025 21:02:56 +0000
with message-id <E1uhDwu-003eKK-1D@respighi.debian.org>
and subject line unblock libxml2
has caused the Debian Bug report #1110152,
regarding unblock: libxml2/2.12.7+dfsg+really2.9.14-2.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1110152: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110152
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: libxml2@packages.debian.org, Guilhem Moulin <guilhem@debian.org>
Control: affects -1 + src:libxml2
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libxml2

CVE-2025-6170 fix, already accepted into bookworm-pu in #1109947.

unblock libxml2/2.12.7+dfsg+really2.9.14-2.1

diffstat for libxml2-2.12.7+dfsg+really2.9.14 libxml2-2.12.7+dfsg+really2.9.14

 changelog                   |    8 +++
 patches/CVE-2025-6170.patch |  100 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |    1 
 3 files changed, 109 insertions(+)

diff -Nru libxml2-2.12.7+dfsg+really2.9.14/debian/changelog libxml2-2.12.7+dfsg+really2.9.14/debian/changelog
--- libxml2-2.12.7+dfsg+really2.9.14/debian/changelog	2025-07-17 18:09:57.000000000 +0300
+++ libxml2-2.12.7+dfsg+really2.9.14/debian/changelog	2025-07-27 01:59:51.000000000 +0300
@@ -1,3 +1,11 @@
+libxml2 (2.12.7+dfsg+really2.9.14-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2025-6170: Potential buffer overflows in the interactive shell
+    (Closes: #1107938).
+
+ -- Guilhem Moulin <guilhem@debian.org>  Sun, 27 Jul 2025 00:59:51 +0200
+
 libxml2 (2.12.7+dfsg+really2.9.14-2) unstable; urgency=medium
 
   * Security fixes:
diff -Nru libxml2-2.12.7+dfsg+really2.9.14/debian/patches/CVE-2025-6170.patch libxml2-2.12.7+dfsg+really2.9.14/debian/patches/CVE-2025-6170.patch
--- libxml2-2.12.7+dfsg+really2.9.14/debian/patches/CVE-2025-6170.patch	1970-01-01 02:00:00.000000000 +0200
+++ libxml2-2.12.7+dfsg+really2.9.14/debian/patches/CVE-2025-6170.patch	2025-07-27 01:59:51.000000000 +0300
@@ -0,0 +1,100 @@
+From: Michael Mann <mmann78@netscape.net>
+Date: Fri, 20 Jun 2025 23:05:00 -0400
+Subject: Fix potential buffer overflows of interactive shell
+
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c107d3f5b5179c3dbc19df43df041cd55b
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/941
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-6170
+Bug-Debian: https://bugs.debian.org/1107938
+---
+ debugXML.c                       | 15 ++++++++++-----
+ result/scripts/long_command      |  8 ++++++++
+ test/scripts/long_command.script |  6 ++++++
+ test/scripts/long_command.xml    |  1 +
+ 4 files changed, 25 insertions(+), 5 deletions(-)
+ create mode 100644 result/scripts/long_command
+ create mode 100644 test/scripts/long_command.script
+ create mode 100644 test/scripts/long_command.xml
+
+diff --git a/debugXML.c b/debugXML.c
+index 7a2ca47..dfde58e 100644
+--- a/debugXML.c
++++ b/debugXML.c
+@@ -1050,6 +1050,10 @@ xmlCtxtDumpOneNode(xmlDebugCtxtPtr ctxt, xmlNodePtr node)
+     xmlCtxtGenericNodeCheck(ctxt, node);
+ }
+ 
++#define MAX_PROMPT_SIZE     500
++#define MAX_ARG_SIZE        400
++#define MAX_COMMAND_SIZE    100
++
+ /**
+  * xmlCtxtDumpNode:
+  * @output:  the FILE * for the output
+@@ -2802,10 +2806,10 @@ void
+ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+          FILE * output)
+ {
+-    char prompt[500] = "/ > ";
++    char prompt[MAX_PROMPT_SIZE] = "/ > ";
+     char *cmdline = NULL, *cur;
+-    char command[100];
+-    char arg[400];
++    char command[MAX_COMMAND_SIZE];
++    char arg[MAX_ARG_SIZE];
+     int i;
+     xmlShellCtxtPtr ctxt;
+     xmlXPathObjectPtr list;
+@@ -2863,7 +2867,8 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+             cur++;
+         i = 0;
+         while ((*cur != ' ') && (*cur != '\t') &&
+-               (*cur != '\n') && (*cur != '\r')) {
++               (*cur != '\n') && (*cur != '\r') &&
++               (i < (MAX_COMMAND_SIZE - 1))) {
+             if (*cur == 0)
+                 break;
+             command[i++] = *cur++;
+@@ -2878,7 +2883,7 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+         while ((*cur == ' ') || (*cur == '\t'))
+             cur++;
+         i = 0;
+-        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
++        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
+             if (*cur == 0)
+                 break;
+             arg[i++] = *cur++;
+diff --git a/result/scripts/long_command b/result/scripts/long_command
+new file mode 100644
+index 0000000..e6f0070
+--- /dev/null
++++ b/result/scripts/long_command
+@@ -0,0 +1,8 @@
++/ > b > b > Object is a Node Set :
++Set contains 1 nodes:
++1  ELEMENT a:c
++b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
++b > b > Unknown command ess_currents_of_time_and_existence
++b > <?xml version="1.0"?>
++<a xmlns:a="bar"><b xmlns:a="foo">Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof</b></a>
++b > 
+\ No newline at end of file
+diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script
+new file mode 100644
+index 0000000..00f6df0
+--- /dev/null
++++ b/test/scripts/long_command.script
+@@ -0,0 +1,6 @@
++cd a/b
++set <a:c/>
++xpath //*[namespace-uri()="foo"]
++This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
++set Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
++save -
+diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
+new file mode 100644
+index 0000000..1ba4401
+--- /dev/null
++++ b/test/scripts/long_command.xml
+@@ -0,0 +1 @@
++<a xmlns:a="bar"><b xmlns:a="foo"/></a>
diff -Nru libxml2-2.12.7+dfsg+really2.9.14/debian/patches/series libxml2-2.12.7+dfsg+really2.9.14/debian/patches/series
--- libxml2-2.12.7+dfsg+really2.9.14/debian/patches/series	2025-07-17 18:09:57.000000000 +0300
+++ libxml2-2.12.7+dfsg+really2.9.14/debian/patches/series	2025-07-27 01:59:51.000000000 +0300
@@ -23,3 +23,4 @@
 CVE-2025-32415.patch
 CVE-2025-6021.patch
 CVE-2025-49794_49796.patch
+CVE-2025-6170.patch

--- End Message ---
--- Begin Message --- 
Unblocked libxml2.

--- End Message ---
Reply to: