From fccd80a7d35b9eefabcc384d5c9fe89d9545dd22 Mon Sep 17 00:00:00 2001 
From: Aron Xu
Date: Tue, 22 Sep 2015 16:23:21 +0800
Subject: Upstream post release cherry-picks
---
...-missing-entities-after-CVE-2014-3660-fix.patch | 27 ----
...ing-initialization-for-the-catalog-module.patch | 25 +++
...-missing-entities-after-CVE-2014-3660-fix.patch | 27 ++++
...ccount-for-ID-attributes-in-xmlSetTreeDoc.patch | 32 ++++
...top-parsing-on-entities-boundaries-errors.patch | 28 ++++
...leanup-conditional-section-error-handling.patch | 45 ++++++
debian/patches/0008-Fix-order-of-root-nodes.patch | 29 ++++
.../0009-xmlMemUsed-is-not-thread-safe.patch | 42 +++++
...19-Enforce-the-reader-to-run-in-constant-.patch | 172 +++++++++++++++++++++
...ess-encoding-values-if-the-declaration-if.patch | 34 ++++
...ng-early-on-if-encoding-conversion-failed.patch | 31 ++++
...x-a-self-assignment-issue-raised-by-clang.patch | 40 +++++
...14-Fix-previous-change-to-node-sort-order.patch | 33 ++++
...Fix-the-spurious-ID-already-defined-error.patch | 84 ++++++++++
debian/patches/series | 14 +-
15 files changed, 635 insertions(+), 28 deletions(-)
delete mode 100644 debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch
create mode 100644 debian/patches/0003-Revert-Missing-initialization-for-the-catalog-module.patch
create mode 100644 debian/patches/0004-Fix-missing-entities-after-CVE-2014-3660-fix.patch
create mode 100644 debian/patches/0005-Account-for-ID-attributes-in-xmlSetTreeDoc.patch
create mode 100644 debian/patches/0006-Stop-parsing-on-entities-boundaries-errors.patch
create mode 100644 debian/patches/0007-Cleanup-conditional-section-error-handling.patch
create mode 100644 debian/patches/0008-Fix-order-of-root-nodes.patch
create mode 100644 debian/patches/0009-xmlMemUsed-is-not-thread-safe.patch
create mode 100644 debian/patches/0010-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch
create mode 100644 debian/patches/0011-Do-not-process-encoding-values-if-the-declaration-if.patch
create mode 100644 
debian/patches/0012-Fail-parsing-early-on-if-encoding-conversion-failed.patch
create mode 100644 debian/patches/0013-Fix-a-self-assignment-issue-raised-by-clang.patch
create mode 100644 debian/patches/0014-Fix-previous-change-to-node-sort-order.patch
create mode 100644 debian/patches/0015-Fix-the-spurious-ID-already-defined-error.patch
(limited to 'debian')
diff --git a/debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch b/debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch
deleted file mode 100644
index 2afe1f0..0000000
--- a/debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Daniel Veillard
-Date: Thu, 23 Oct 2014 11:35:36 +0800
-Subject: Fix missing entities after CVE-2014-3660 fix
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=738805
-
-The fix for CVE-2014-3660 introduced a regression in some case
-where entity substitution is required and the entity is used
-first in anotther entity referenced from an attribute value
----
- parser.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/parser.c b/parser.c
-index 1d93967..313ff28 100644
---- a/parser.c
-+++ b/parser.c
-@@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
- * far more secure as the parser will only process data coming from
- * the document entity by default.
- */
-- if ((ent->checked == 0) &&
-+ if (((ent->checked == 0) ||
-+ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&
- ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
- (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
- unsigned long oldnbent = ctxt->nbentities;
diff --git a/debian/patches/0003-Revert-Missing-initialization-for-the-catalog-module.patch b/debian/patches/0003-Revert-Missing-initialization-for-the-catalog-module.patch
new file mode 100644
index 0000000..d04a773
--- /dev/null
+++ b/debian/patches/0003-Revert-Missing-initialization-for-the-catalog-module.patch
@@ -0,0 +1,25 @@
+From: Daniel Veillard
+Date: Fri, 17 Oct 2014 17:13:41 +0800
+Subject: Revert "Missing initialization for the catalog module"
+
+This reverts commit 054c716ea1bf001544127a4ab4f4346d1b9947e7.
+As this break xmlcatalog command
+https://bugzilla.redhat.com/show_bug.cgi?id=1153753
+---
+ parser.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 1d93967..67c9dfd 100644
+--- a/parser.c
++++ b/parser.c
+@@ -14830,9 +14830,6 @@ xmlInitParser(void) {
+ #ifdef LIBXML_XPATH_ENABLED
+ xmlXPathInit();
+ #endif
+-#ifdef LIBXML_CATALOG_ENABLED
+- xmlInitializeCatalog();
+-#endif
+ xmlParserInitialized = 1;
+ #ifdef LIBXML_THREAD_ENABLED
+ }
diff --git a/debian/patches/0004-Fix-missing-entities-after-CVE-2014-3660-fix.patch b/debian/patches/0004-Fix-missing-entities-after-CVE-2014-3660-fix.patch
new file mode 100644
index 0000000..01e131d
--- /dev/null
+++ b/debian/patches/0004-Fix-missing-entities-after-CVE-2014-3660-fix.patch
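Review bot: The revert leaves xmlInitParser() with no catalog initialization at all, and the patch header justifies it only by the xmlcatalog breakage (RH bug 1153753), not by saying what now initializes the catalog module or why the reverted commit was wrong — so a later rebase could easily drop this patch and silently reintroduce whichever of the two problems is worse. The reverted commit's own title was "Missing initialization for the catalog module", so the header should record whether that issue is reopened or is handled by lazy initialization inside the catalog code, which I cannot see from here. One line in the Debian header such as `Note: confirm the catalog module still self-initializes before dropping this revert` would make the trade-off explicit. xmlInitParser's body starts and ends outside the hunk.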
@@ -0,0 +1,27 @@
+From: Daniel Veillard
+Date: Thu, 23 Oct 2014 11:35:36 +0800
+Subject: Fix missing entities after CVE-2014-3660 fix
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=738805
+
+The fix for CVE-2014-3660 introduced a regression in some case
+where entity substitution is required and the entity is used
+first in anotther entity referenced from an attribute value
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 67c9dfd..a8d1b67 100644
+--- a/parser.c
++++ b/parser.c
+@@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ * far more secure as the parser will only process data coming from
+ * the document entity by default.
+ */
+- if ((ent->checked == 0) &&
++ if (((ent->checked == 0) ||
++ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&
+ ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
+ (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
+ unsigned long oldnbent = ctxt->nbentities;
diff --git a/debian/patches/0005-Account-for-ID-attributes-in-xmlSetTreeDoc.patch b/debian/patches/0005-Account-for-ID-attributes-in-xmlSetTreeDoc.patch
new file mode 100644
index 0000000..18d7720
--- /dev/null
+++ b/debian/patches/0005-Account-for-ID-attributes-in-xmlSetTreeDoc.patch
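Review bot: The new `(ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT)` clause re-enters entity processing for an entity that was already checked but produced no children, and nothing in the hunk records why that cannot re-open the expansion problem the CVE-2014-3660 fix closed. From the visible lines the only remaining guard is the `ctxt->nbentities` accounting that begins with `unsigned long oldnbent = ctxt->nbentities;`, so the patch relies on that counter being compared after the re-parse, which happens outside this hunk. I would add a comment above the condition, e.g. `/* re-check entities seen but not expanded (no children) under NOENT; the nbentities accounting below still bounds the amplification */`, so the next change to this condition does not weaken the invariant by accident. xmlParseReference's body starts and ends outside the hunk.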
@@ -0,0 +1,32 @@
+From: Nick Wellnhofer
+Date: Fri, 19 Dec 2014 00:08:35 +0100
+Subject: Account for ID attributes in xmlSetTreeDoc
+
+---
+ tree.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/tree.c b/tree.c
+index 307782c..ff9a890 100644
+--- a/tree.c
++++ b/tree.c
+@@ -2799,8 +2799,19 @@ xmlSetTreeDoc(xmlNodePtr tree, xmlDocPtr doc) {
+ if(tree->type == XML_ELEMENT_NODE) {
+ prop = tree->properties;
+ while (prop != NULL) {
++ if (prop->atype == XML_ATTRIBUTE_ID) {
++ xmlRemoveID(tree->doc, prop);
++ }
++
+ prop->doc = doc;
+ xmlSetListDoc(prop->children, doc);
++
++ if (xmlIsID(doc, tree, prop)) {
++ xmlChar *idVal = xmlNodeListGetString(doc, prop->children,
++ 1);
++ xmlAddID(NULL, doc, idVal, prop);
++ }
++
+ prop = prop->next;
+ }
+ }
diff --git a/debian/patches/0006-Stop-parsing-on-entities-boundaries-errors.patch b/debian/patches/0006-Stop-parsing-on-entities-boundaries-errors.patch
new file mode 100644
index 0000000..00cca9d
--- /dev/null
+++ b/debian/patches/0006-Stop-parsing-on-entities-boundaries-errors.patch
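Review bot: `idVal` comes from `xmlNodeListGetString()`, which returns a freshly allocated string the caller must free, and it is never released after `xmlAddID(NULL, doc, idVal, prop)`; as far as I recall xmlAddID keeps its own copy of the value, so every ID attribute re-homed by xmlSetTreeDoc leaks its value. Add `xmlFree(idVal);` directly after the `xmlAddID(...)` call. The return value of xmlAddID is also discarded, so a duplicate ID in the destination document is dropped without the caller noticing (the first definition wins); if that is intentional, a short comment saying so would help. xmlSetTreeDoc's body starts and ends outside the hunk.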
@@ -0,0 +1,28 @@
+From: Daniel Veillard
+Date: Mon, 23 Feb 2015 11:17:35 +0800
+Subject: Stop parsing on entities boundaries errors
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+There are times, like on unterminated entities that it's preferable to
+stop parsing, even if that means less error reporting. Entities are
+feeding the parser on further processing, and if they are ill defined
+then it's possible to get the parser to bug. Also do the same on
+Conditional Sections if the input is broken, as the structure of
+the document can't be guessed.
+---
+ parser.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/parser.c b/parser.c
+index a8d1b67..bbe97eb 100644
+--- a/parser.c
++++ b/parser.c
+@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+ if (RAW != '>') {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
+ "xmlParseEntityDecl: entity %s not terminated\n", name);
++ xmlStopParser(ctxt);
+ } else {
+ if (input != ctxt->input) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
diff --git a/debian/patches/0007-Cleanup-conditional-section-error-handling.patch b/debian/patches/0007-Cleanup-conditional-section-error-handling.patch
new file mode 100644
index 0000000..0c8492c
--- /dev/null
+++ b/debian/patches/0007-Cleanup-conditional-section-error-handling.patch
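Review bot: The subject promises a stop on entity boundary errors, but the only `xmlStopParser(ctxt);` added sits in the `RAW != '>'` (not terminated) branch; the `XML_ERR_ENTITY_BOUNDARY` report in the `else` branch immediately below still falls through and keeps parsing. If the subject states the real intent, the same `xmlStopParser(ctxt);` belongs right after that `xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, ...)` call — that branch continues outside the hunk, so I cannot see whether something later already halts. Note also that xmlStopParser, as far as I recall, overwrites `ctxt->errNo` with XML_ERR_USER_STOP, so callers inspecting errNo will no longer see XML_ERR_ENTITY_NOT_FINISHED after this change; worth a comment if that is accepted. xmlParseEntityDecl's body starts and ends outside the hunk.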
@@ -0,0 +1,45 @@
+From: Daniel Veillard
+Date: Mon, 23 Feb 2015 11:29:20 +0800
+Subject: Cleanup conditional section error handling
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+The error handling of Conditional Section also need to be
+straightened as the structure of the document can't be
+guessed on a failure there and it's better to stop parsing
+as further errors are likely to be irrelevant.
+---
+ parser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index bbe97eb..fe603ac 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ SKIP_BLANKS;
+ if (RAW != '[') {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++ xmlStopParser(ctxt);
++ return;
+ } else {
+ if (ctxt->input->id != id) {
+ xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ SKIP_BLANKS;
+ if (RAW != '[') {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++ xmlStopParser(ctxt);
++ return;
+ } else {
+ if (ctxt->input->id != id) {
+ xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+
+ } else {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
++ xmlStopParser(ctxt);
++ return;
+ }
+
+ if (RAW == 0)
diff --git a/debian/patches/0008-Fix-order-of-root-nodes.patch b/debian/patches/0008-Fix-order-of-root-nodes.patch
new file mode 100644
index 0000000..171c3da
--- /dev/null
+++ b/debian/patches/0008-Fix-order-of-root-nodes.patch
@@ -0,0 +1,29 @@
+From: Nick Wellnhofer
+Date: Sun, 8 Mar 2015 16:44:11 +0100
+Subject: Fix order of root nodes
+
+Make sure root nodes are sorted before other nodes.
+---
+ xpath.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index dc41ce6..95559b3 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -361,13 +361,13 @@ turtle_comparison:
+ /*
+ * compute depth to root
+ */
+- for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
++ for (depth2 = 0, cur = node2; cur != NULL; cur = cur->parent) {
+ if (cur == node1)
+ return(1);
+ depth2++;
+ }
+ root = cur;
+- for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
++ for (depth1 = 0, cur = node1; cur != NULL; cur = cur->parent) {
+ if (cur == node2)
+ return(-1);
+ depth1++;
diff --git a/debian/patches/0009-xmlMemUsed-is-not-thread-safe.patch b/debian/patches/0009-xmlMemUsed-is-not-thread-safe.patch
new file mode 100644
index 0000000..03a8f4f
--- /dev/null
+++ b/debian/patches/0009-xmlMemUsed-is-not-thread-safe.patch
@@ -0,0 +1,42 @@
+From: Martin von Gagern
+Date: Mon, 13 Apr 2015 16:32:14 +0800
+Subject: xmlMemUsed is not thread-safe
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=747437
+just use the mutex to protect access to those variables
+---
+ xmlmemory.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/xmlmemory.c b/xmlmemory.c
+index a3dc737..f24fd6d 100644
+--- a/xmlmemory.c
++++ b/xmlmemory.c
+@@ -554,7 +554,12 @@ xmlMemoryStrdup(const char *str) {
+
+ int
+ xmlMemUsed(void) {
+- return(debugMemSize);
++ int res;
++
++ xmlMutexLock(xmlMemMutex);
++ res = debugMemSize;
++ xmlMutexUnlock(xmlMemMutex);
++ return(res);
+ }
+
+ /**
+@@ -567,7 +572,12 @@ xmlMemUsed(void) {
+
+ int
+ xmlMemBlocks(void) {
+- return(debugMemBlocks);
++ int res;
++
++ xmlMutexLock(xmlMemMutex);
++ res = debugMemBlocks;
++ xmlMutexUnlock(xmlMemMutex);
++ return(res);
+ }
+
+ #ifdef MEM_LIST
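Review bot: With the loop condition changed to `cur != NULL`, the loop only exits once `cur` is NULL, so the unchanged `root = cur;` right after it now always assigns NULL and the root comparison that follows (outside the hunk) can no longer tell two documents apart — which is exactly what patch 0014 later in this series describes as "broke comparison of nodes from different documents". The two patches therefore only make sense applied together; 0008 must never be cherry-picked without 0014, and that coupling deserves a line in 0008's header or in debian/patches/series, e.g. `# 0008 is incomplete on its own: 0014 fixes root = cur becoming NULL`. The enclosing function (labelled `turtle_comparison:` in the hunk header) starts and ends outside the hunk.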
diff --git a/debian/patches/0010-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch b/debian/patches/0010-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch
new file mode 100644
index 0000000..14d3032
--- /dev/null
+++ b/debian/patches/0010-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch
@@ -0,0 +1,172 @@
+From: Daniel Veillard
+Date: Tue, 14 Apr 2015 17:41:48 +0800
+Subject: CVE-2015-1819 Enforce the reader to run in constant memory
+
+One of the operation on the reader could resolve entities
+leading to the classic expansion issue. Make sure the
+buffer used for xmlreader operation is bounded.
+Introduce a new allocation type for the buffers for this effect.
+---
+ buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
+ include/libxml/tree.h | 3 ++-
+ xmlreader.c | 20 +++++++++++++++++++-
+ 3 files changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/buf.c b/buf.c
+index 6efc7b6..07922ff 100644
+--- a/buf.c
++++ b/buf.c
+@@ -27,6 +27,7 @@
+ #include
+ #include
+ #include
++#include /* for XML_MAX_TEXT_LENGTH */
+ #include "buf.h"
+
+ #define WITH_BUFFER_COMPAT
+@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
+ if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
+ (scheme == XML_BUFFER_ALLOC_EXACT) ||
+ (scheme == XML_BUFFER_ALLOC_HYBRID) ||
+- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
++ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
++ (scheme == XML_BUFFER_ALLOC_BOUNDED)) {
+ buf->alloc = scheme;
+ if (buf->buffer)
+ buf->buffer->alloc = scheme;
+@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
+ size = buf->use + len + 100;
+ #endif
+
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
++ (buf->size >= XML_MAX_TEXT_LENGTH)) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(0);
++ }
++ if (size >= XML_MAX_TEXT_LENGTH)
++ size = XML_MAX_TEXT_LENGTH;
++ }
+ if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
+ size_t start_buf = buf->content - buf->contentIO;
+
+@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ CHECK_COMPAT(buf)
+
+ if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing
limits
++ */
++ if (size >= XML_MAX_TEXT_LENGTH) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(0);
++ }
++ }
+
+ /* Don't resize if we don't have to */
+ if (size < buf->size)
+@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
+
+ needSize = buf->use + len + 2;
+ if (needSize > buf->size){
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if (needSize >= XML_MAX_TEXT_LENGTH) {
++ x
mlBufMemoryError(buf, "buffer error: text too long\n");
++ return(-1);
++ }
++ }
+ if (!xmlBufResize(buf, needSize)){
+ xmlBufMemoryError(buf, "growing buffer");
+ return XML_ERR_NO_MEMORY;
+@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
+ }
+ needSize = buf->use + len + 2;
+ if (needSize > buf->size){
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if (needSize >= XML_MAX_TEXT_LENGTH) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(-1);
++ }
++ }
+ if (!xmlBufResize(buf, needSize)){
+ xmlBufMemoryError(buf, "growing buffer");
+ return XML_ERR_NO_MEMORY;
+diff --git a/include/libxml/tree.h b/include/libxml/tree.h
+index 2f90717..4a9b3bc 100644
+--- a/include/libxml/tree.h
++++ b/include/libxml/tree.h
+@@ -76,7 +76,8 @@ typedef enum {
+ XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */
+ XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
+ XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */
+- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */
++ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */
++ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */
+ } xmlBufferAllocationScheme;
+
+ /**
+diff --git a/xmlreader.c b/xmlreader.c
+index f19e123..471e7e2 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
"xmlNewTextReader : malloc failed\n");
+ return(NULL);
+ }
++ /* no operation on a reader should require a huge buffer */
++ xmlBufSetAllocationScheme(ret->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
+ ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+ if (ret->sax == NULL) {
+ xmlBufFree(ret->buffer);
+@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+ return(((xmlNsPtr) node)->href);
+ case XML_ATTRIBUTE_NODE:{
+ xmlAttrPtr attr = (xmlAttrPtr) node;
++ const xmlChar *ret;
+
+ if ((attr->children != NULL) &&
+ (attr->children->type == XML_TEXT_NODE) &&
+@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+ "xmlTextReaderSetup : malloc failed\n");
+ return (NULL);
+ }
++ xmlBufSetAllocationScheme(reader->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
+ } else
+ xmlBufEmpty(reader->buffer);
+ xmlBufGetNodeContent(reader->buffer, node);
+- return(xmlBufContent(reader->buffer));
++ ret = xmlBufContent(reader->buffer);
++ if (ret == NULL) {
++ /* error on the buffer best to reallocate */
++ xmlBufFree(reader->buffer);
++ reader->buffer = xmlBufCreateSize(100);
++ xmlBufSetAllocationScheme(reader->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
++ ret = BAD_CAST "";
++ }
++ return(ret);
+ }
+ break;
+ }
+@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
+ "xmlTextReaderSetup : malloc failed\n");
+ return (-1);
+ }
++ /* no operation on a reader should require a huge buffer */
++ xmlBufSetAllocationScheme(reader->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
+ if (reader->sax == NULL)
+ reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+ if (reader->sax == NULL) {
diff --git a/debian/patches/0011-Do-not-process-encoding-values-if-the-declaration-if.patch b/debian/patches/0011-Do-not-process-encoding-values-if-the-declaration-if.patch
new file mode 100644
index 0000000..386ab1e
--- /dev/null
+++ b/debian/patches/0011-Do-not-process-encoding-values-if-the-declaration-if.patch
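Review bot: In the `ret == NULL` recovery path of xmlTextReaderConstValue the result of `reader->buffer = xmlBufCreateSize(100);` is never checked before `xmlBufSetAllocationScheme(reader->buffer, ...)` and before the buffer is reused on the next call, whereas the allocation a few lines above in the same function is checked and reports `"xmlTextReaderSetup : malloc failed\n"` before returning NULL. A second concern is that an over-limit value becomes `BAD_CAST ""`: the caller receives an empty attribute instead of an error, so code that validates attribute values through the reader can be handed a silently emptied value; returning NULL there (which the function already uses for the allocation failure) would be the safer contract, though I cannot see from the hunk whether callers tolerate it. At minimum the allocation failure should be explicit, as below, using the same error reporter the check above uses. xmlTextReaderConstValue's body starts and ends outside the hunk.
```c
ret = xmlBufContent(reader->buffer);
if (ret == NULL) {
    /* error on the buffer best to reallocate */
    xmlBufFree(reader->buffer);
    reader->buffer = xmlBufCreateSize(100);
    if (reader->buffer == NULL) {
        xmlGenericError(xmlGenericErrorContext,
                        "xmlTextReaderConstValue : malloc failed\n");
        return (NULL);
    }
    xmlBufSetAllocationScheme(reader->buffer,
                              XML_BUFFER_ALLOC_BOUNDED);
    ret = BAD_CAST "";
}
return(ret);
```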
@@ -0,0 +1,34 @@
+From: Daniel Veillard
+Date: Mon, 29 Jun 2015 09:08:25 +0800
+Subject: Do not process encoding values if the declaration if broken
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=751603
+
+If the string is not properly terminated do not try to convert
+to the given encoding.
+---
+ parser.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index fe603ac..a3a9568 100644
+--- a/parser.c
++++ b/parser.c
+@@ -10404,6 +10404,8 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
+ encoding = xmlParseEncName(ctxt);
+ if (RAW != '"') {
+ xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL);
++ xmlFree((xmlChar *) encoding);
++ return(NULL);
+ } else
+ NEXT;
+ } else if (RAW == '\''){
+@@ -10411,6 +10413,8 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
+ encoding = xmlParseEncName(ctxt);
+ if (RAW != '\'') {
+ xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL);
++ xmlFree((xmlChar *) encoding);
++ return(NULL);
+ } else
+ NEXT;
+ } else {
diff --git a/debian/patches/0012-Fail-parsing-early-on-if-encoding-conversion-failed.patch b/debian/patches/0012-Fail-parsing-early-on-if-encoding-conversion-failed.patch
new file mode 100644
index 0000000..d065088
--- /dev/null
+++ b/debian/patches/0012-Fail-parsing-early-on-if-encoding-conversion-failed.patch
@@ -0,0 +1,31 @@
+From: Daniel Veillard
+Date: Mon, 29 Jun 2015 16:10:26 +0800
+Subject: Fail parsing early on if encoding conversion failed
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=751631
+
+If we fail conversing the current input stream while
+processing the encoding declaration of the XMLDecl
+then it's safer to just abort there and not try to
+report further errors.
+---
+ parser.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index a3a9568..0edd53b 100644
+--- a/parser.c
++++ b/parser.c
+@@ -10471,7 +10471,11 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
+
+ handler = xmlFindCharEncodingHandler((const char *) encoding);
+ if (handler != NULL) {
+- xmlSwitchToEncoding(ctxt, handler);
++ if (xmlSwitchToEncoding(ctxt, handler) < 0) {
++ /* failed to convert */
++ ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING;
++ return(NULL);
++ }
+ } else {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING,
+ "Unsupported encoding %s\n", encoding);
diff --git a/debian/patches/0013-Fix-a-self-assignment-issue-raised-by-clang.patch b/debian/patches/0013-Fix-a-self-assignment-issue-raised-by-clang.patch
new file mode 100644
index 0000000..5cc28b2
--- /dev/null
+++ b/debian/patches/0013-Fix-a-self-assignment-issue-raised-by-clang.patch
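Review bot: The new failure branch assigns `ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING;` directly and returns, while the sibling `else` branch right below reports the same class of failure through `xmlFatalErrMsgStr(...)`; bypassing the error helper means no error callback fires from here and, unless xmlSwitchToEncoding already did so internally (not visible in the hunk), `ctxt->wellFormed` and `ctxt->disableSAX` are left untouched, so a document whose declared encoding could not be applied may still be reported as well-formed. For consistency with the surrounding code I would replace the bare assignment with `xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING, "Failed to switch to encoding %s\n", encoding);` ahead of the `return(NULL);`. xmlParseEncodingDecl's body starts and ends outside the hunk.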
@@ -0,0 +1,40 @@
+From: Scott Graham
+Date: Tue, 30 Jun 2015 10:47:16 +0800
+Subject: Fix a self assignment issue raised by clang
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=751679
+
+Also added a few newline cleanups
+---
+ xmlschemas.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 0657b66..d47512f 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -24186,6 +24186,7 @@ xmlSchemaValidateFacets(xmlSchemaAbstractCtxtPtr actxt,
+ else
+ goto pattern_and_enum;
+ }
++
+ /*
+ * Whitespace handling is only of importance for string-based
+ * types.
+@@ -24196,14 +24197,13 @@ xmlSchemaValidateFacets(xmlSchemaAbstractCtxtPtr actxt,
+ ws = xmlSchemaGetWhiteSpaceFacetValue(type);
+ } else
+ ws = XML_SCHEMA_WHITESPACE_COLLAPSE;
++
+ /*
+ * If the value was not computed (for string or
+ * anySimpleType based types), then use the provided
+ * type.
+ */
+- if (val == NULL)
+- valType = valType;
+- else
++ if (val != NULL)
+ valType = xmlSchemaGetValType(val);
+
+ ret = 0;
diff --git a/debian/patches/0014-Fix-previous-change-to-node-sort-order.patch b/debian/patches/0014-Fix-previous-change-to-node-sort-order.patch
new file mode 100644
index 0000000..4ff344b
--- /dev/null
+++ b/debian/patches/0014-Fix-previous-change-to-node-sort-order.patch
@@ -0,0 +1,33 @@
+From: Nick Wellnhofer
+Date: Sat, 11 Jul 2015 14:27:34 +0200
+Subject: Fix previous change to node sort order
+
+Commit ba58f23 broke comparison of nodes from different documents.
+Thanks to Olli Pottonen for the report.
+---
+ xpath.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 95559b3..e60f4e5 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -361,14 +361,14 @@ turtle_comparison:
+ /*
+ * compute depth to root
+ */
+- for (depth2 = 0, cur = node2; cur != NULL; cur = cur->parent) {
+- if (cur == node1)
++ for (depth2 = 0, cur = node2; cur->parent != NULL; cur = cur->parent) {
++ if (cur->parent == node1)
+ return(1);
+ depth2++;
+ }
+ root = cur;
+- for (depth1 = 0, cur = node1; cur != NULL; cur = cur->parent) {
+- if (cur == node2)
++ for (depth1 = 0, cur = node1; cur->parent != NULL; cur = cur->parent) {
++ if (cur->parent == node2)
+ return(-1);
+ depth1++;
+ }
diff --git a/debian/patches/0015-Fix-the-spurious-ID-already-defined-error.patch b/debian/patches/0015-Fix-the-spurious-ID-already-defined-error.patch
new file mode 100644
index 0000000..61b7dfa
--- /dev/null
+++ b/debian/patches/0015-Fix-the-spurious-ID-already-defined-error.patch
@@ -0,0 +1,84 @@ +From: Daniel Veillard +Date: Thu, 10 Sep 2015 19:41:41 +0800 +Subject: Fix the spurious ID already defined error + +For https://bugzilla.gnome.org/show_bug.cgi?id=737840 +the fix for 724903 introduced a regression on external entities carrying +IDs, revert that patch in part and add a specific test to avoid readding it +--- + result/valid/737840.xml | 10 ++++++++++ + result/valid/737840.xml.err | 0 + result/valid/737840.xml.err.rdr | 0 + test/valid/737840.xml | 10 ++++++++++ + test/valid/dtds/737840.ent | 1 + + valid.c | 6 ++++-- + 6 files changed, 25 insertions(+), 2 deletions(-) + create mode 100644 result/valid/737840.xml + create mode 100644 result/valid/737840.xml.err + create mode 100644 result/valid/737840.xml.err.rdr + create mode 100644 test/valid/737840.xml + create mode 100644 test/valid/dtds/737840.ent + +diff --git a/result/valid/737840.xml b/result/valid/737840.xml +new file mode 100644 +index 0000000..433c6d6 +--- /dev/null ++++ b/result/valid/737840.xml +@@ -0,0 +1,10 @@ ++ ++ ++ ++ ++ ++]> ++ ++ ⌖ ++ +diff --git a/result/valid/737840.xml.err b/result/valid/737840.xml.err +new file mode 100644 +index 0000000..e69de29 +diff --git a/result/valid/737840.xml.err.rdr b/result/valid/737840.xml.err.rdr +new file mode 100644 +index 0000000..e69de29 +diff --git a/test/valid/737840.xml b/test/valid/737840.xml +new file mode 100644 +index 0000000..2d27b73 +--- /dev/null ++++ b/test/valid/737840.xml +@@ -0,0 +1,10 @@ ++ ++ ++ ++ ++]> ++ ++ ++ ⌖ ++ +diff --git a/test/valid/dtds/737840.ent b/test/valid/dtds/737840.ent +new file mode 100644 +index 0000000..e972132 +--- /dev/null ++++ b/test/valid/dtds/737840.ent +@@ -0,0 +1 @@ ++ +\ No newline at end of file +diff --git a/valid.c b/valid.c +index 409aa81..45a3f70 100644 +--- a/valid.c ++++ b/valid.c +@@ -2634,8 +2634,10 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value, + /* + * The id is already defined in this DTD. 
+ */
+- xmlErrValidNode(ctxt, attr->parent, XML_DTD_ID_REDEFINED,
+- "ID %s already defined\n", value, NULL, NULL);
++ if (ctxt != NULL) {
++ xmlErrValidNode(ctxt, attr->parent, XML_DTD_ID_REDEFINED,
++ "ID %s already defined\n", value, NULL, NULL);
++ }
+ #endif /* LIBXML_VALID_ENABLED */
+ xmlFreeID(ret);
+ return(NULL);
diff --git a/debian/patches/series b/debian/patches/series
index 631a2bf..6d8ee86 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,15 @@
 0001-modify-xml2-config-and-pkgconfig-behaviour.patch
 0002-fix-python-multiarch-includes.patch
-0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch
+0003-Revert-Missing-initialization-for-the-catalog-module.patch
+0004-Fix-missing-entities-after-CVE-2014-3660-fix.patch
+0005-Account-for-ID-attributes-in-xmlSetTreeDoc.patch
+0006-Stop-parsing-on-entities-boundaries-errors.patch
+0007-Cleanup-conditional-section-error-handling.patch
+0008-Fix-order-of-root-nodes.patch
+0009-xmlMemUsed-is-not-thread-safe.patch
+0010-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch
+0011-Do-not-process-encoding-values-if-the-declaration-if.patch
+0012-Fail-parsing-early-on-if-encoding-conversion-failed.patch
+0013-Fix-a-self-assignment-issue-raised-by-clang.patch
+0014-Fix-previous-change-to-node-sort-order.patch
+0015-Fix-the-spurious-ID-already-defined-error.patch
-- cgit v1.2.3
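Review bot: Guarding the `XML_DTD_ID_REDEFINED` report with `if (ctxt != NULL)` means a duplicate ID is now discarded without any diagnostic for every `xmlAddID(NULL, ...)` caller — the hunk still runs `xmlFreeID(ret); return(NULL);` on that path — so the first definition wins and the caller only learns of the duplicate if it checks the NULL return. That matters for consumers that resolve references by ID (XML-DSig style `#id` references are the classic case), where an attacker-planted duplicate redirecting a lookup is exactly what the suppressed error used to surface; the 0005 patch earlier in this series is one such NULL-context caller and ignores the return. A comment at the guard such as `/* no validation context: duplicate IDs are dropped silently, callers must check the NULL return */` would make that contract explicit. xmlAddID's body starts and ends outside the hunk.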