Debian Patches

Status for libxml2.9/2.12.7+dfsg+really2.9.14-2.2

Patch Description Author Forwarded Bugs Origin Last update
install-html.patch install *all* the HTML docs The relevant makefile target was never updated since 2004..
Should probably look for a nicer way to do this than the current list before forwarding.		 Mattia Rizzolo <mattia@debian.org> no 2021-07-28
xml2-config-fix.patch display dynamic linking information with --libs, not static Don't bother about keeping support for the static variant, it's not needed
in debian directly.		 Mattia Rizzolo <mattia@debian.org> no debian 2020-02-23
python3-unicode-errors.patch https://gitlab.gnome.org/GNOME/libxml2/issues/64 no https://src.fedoraproject.org/rpms/libxml2/blob/master/f/libxml2-2.9.8-python3-unicode-errors.patch
CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE
Also impose size limits when XML_PARSE_HUGE is set. Limit size of names
to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to
XML_MAX_HUGE_LENGTH (1 billion bytes).

Move some the length checks to the end of the respective loop to make
them strict.

xmlParseEntityValue didn't have a length limitation at all. But without
XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW.

Thanks to Maddie Stone working with Google Project Zero for the report!		 Nick Wellnhofer <wellnhofer@aevum.de> no debian https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0 2022-08-25
CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch [CVE-2022-40304] Fix dict corruption caused by entity reference cycles

When an entity reference cycle is detected, the entity content is
cleared by setting its first byte to zero. But the entity content might
be allocated from a dict. In this case, the dict entry becomes corrupted
leading to all kinds of logic errors, including memory errors like
double-frees.

Stop storing entity content, orig, ExternalID and SystemID in a dict.
These values are unlikely to occur multiple times in a document, so they
shouldn't have been stored in a dict in the first place.

Thanks to Ned Williamson and Nathan Wachholz working with Google Project
Zero for the report!		 Nick Wellnhofer <wellnhofer@aevum.de> no debian https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b 2022-08-31
schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
Found by OSS-Fuzz.		 Nick Wellnhofer <wellnhofer@aevum.de> no https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6 2022-09-13
CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
Fix a null pointer dereference when parsing (invalid) XML schemas.

Thanks to Robby Simpson for the report!

Fixes #491.		 Nick Wellnhofer <wellnhofer@aevum.de> no debian https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f 2023-04-07
CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
When hashing empty strings which aren't null-terminated,
xmlDictComputeFastKey could produce inconsistent results. This could
lead to various logic or memory errors, including double frees.

For consistency the seed is also taken into account, but this shouldn't
have an impact on security.

Found by OSS-Fuzz.

Fixes #510.		 Nick Wellnhofer <wellnhofer@aevum.de> no debian https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64 2023-04-07
Reset-nsNr-in-xmlCtxtReset.patch Reset nsNr in xmlCtxtReset Nick Wellnhofer <wellnhofer@aevum.de> no debian https://gitlab.gnome.org/GNOME/libxml2/-/commit/5930fe01963136ab92125feec0c6204d9c9225dc 2022-07-18
Also-reset-nsNr-in-htmlCtxtReset.patch Also reset nsNr in htmlCtxtReset Nick Wellnhofer <wellnhofer@aevum.de> no debian https://gitlab.gnome.org/GNOME/libxml2/-/commit/a82ea25fc83f563c574ddb863d6c17d9c5abdbd2 2022-07-28
python3.13.patch Migrate from PyEval_ to PyObject_
PyEval_ functions are deprecated.

Fixes #208.		 Nick Wellnhofer <wellnhofer@aevum.de> no debian 2022-08-29
CVE-2022-49043.patch [PATCH] malloc-fail: Fix use-after-free in xmlXIncludeAddNode
Found with libFuzzer, see #344.		 Nick Wellnhofer <wellnhofer@aevum.de> no 2022-11-02
CVE-2024-34459.patch [PATCH] [CVE-2024-34459] Fix buffer overread with `xmllint --htmlout`
Add a missing bounds check.		 Nick Wellnhofer <wellnhofer@aevum.de> no 2024-05-08
CVE-2024-56171.patch [PATCH] [CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd

xmlSchemaItemListAdd can reallocate the items array. Update local
variables after adding item in

- xmlSchemaIDCFillNodeTables
- xmlSchemaBubbleIDCNodeTables

Fixes #828.		 Nick Wellnhofer <wellnhofer@aevum.de> no 2024-12-10
CVE-2025-24928-pre1.patch [PATCH] valid: Check for NULL node->name in xmlSnprintfElements
Unfortunately, we can have NULL element names if xmlSetTreeDoc fails.		 Nick Wellnhofer <wellnhofer@aevum.de> no 2024-03-19
CVE-2025-24928.patch [PATCH] [CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements

Fixes #847.		 Nick Wellnhofer <wellnhofer@aevum.de> no 2025-02-11
CVE-2025-27113.patch [PATCH] pattern: Fix compilation of explicit child axis
The child axis is the default axis and should generate XML_OP_ELEM like
the case without an axis.		 Nick Wellnhofer <wellnhofer@aevum.de> no 2025-02-13
CVE-2023-39615_1.patch [PATCH] parser: Fix old SAX1 parser with custom callbacks
For some reason, xmlCtxtUseOptionsInternal set the start and end element
SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1
was specified. This means that custom SAX handlers could never work with
that flag because these functions would receive the wrong user data
argument and crash immediately.

Fixes #535.		 Nick Wellnhofer <wellnhofer@aevum.de> no 2023-05-06
CVE-2023-39615_2.patch [PATCH] SAX: Always initialize SAX1 element handlers
Follow-up to commit d0c3f01e. A parser context will be initialized to
SAX version 2, but this can be overridden with XML_PARSE_SAX1 later,
so we must initialize the SAX1 element handlers as well.

Change the check in xmlDetectSAX2 to only look for XML_SAX2_MAGIC, so
we don't switch to SAX1 if the SAX2 element handlers are NULL.		 Nick Wellnhofer <wellnhofer@aevum.de> no 2023-05-08
CVE-2023-45322.patch [PATCH] tree: Fix #583 again
Only set doc->intSubset after successful copy to avoid dangling pointers
in error case.		 Nick Wellnhofer <wellnhofer@aevum.de> no 2023-11-28
CVE-2024-25062.patch [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when backtracking

Fixes a use-after-free if XML Reader if used with DTD validation and
XInclude expansion.

Fixes #604.		 Nick Wellnhofer <wellnhofer@aevum.de> no 2023-10-14
CVE-2025-32414-bug-889-v2.10.4-and-below.patch =================================================================== no
CVE-2025-32415.patch [PATCH] [CVE-2025-32415] schemas: Fix heap buffer overflow in xmlSchemaIDCFillNodeTables

Don't use local variable which could contain a stale value.

Fixes #890.		 Nick Wellnhofer <wellnhofer@aevum.de> no 2025-04-06
CVE-2025-6021.patch [PATCH] tree: Fix integer overflow in xmlBuildQName
This issue affects memory safety and might receive a CVE ID later.

Fixes #926.		 Nick Wellnhofer <wellnhofer@aevum.de> no 2025-05-27
CVE-2025-49794_49796.patch [PATCH] schematron: Fix memory safety issues in xmlSchematronReportOutput

Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796)
in xmlSchematronReportOutput.

Fixes #931.
Fixes #933.		 Nick Wellnhofer <wellnhofer@aevum.de> no 2025-07-04
CVE-2025-6170.patch Fix potential buffer overflows of interactive shell Michael Mann <mmann78@netscape.net> yes debian upstream https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c107d3f5b5179c3dbc19df43df041cd55b 2025-06-20

All known versions for source package 'libxml2.9'

Links