Debian Patches

Status for libxml2.9/2.12.7+dfsg+really2.9.14-2.4

Patch Description Author Forwarded Bugs Origin Last update
install-html.patch install *all* the HTML docs The relevant makefile target was never updated since 2004..
Should probably look for a nicer way to do this than the current list before forwarding.
Mattia Rizzolo <mattia@debian.org> no 2021-07-28
xml2-config-fix.patch display dynamic linking information with --libs, not static Don't bother about keeping support for the static variant, it's not needed
in debian directly.
Mattia Rizzolo <mattia@debian.org> no debian 2020-02-23
python3-unicode-errors.patch https://gitlab.gnome.org/GNOME/libxml2/issues/64 no https://src.fedoraproject.org/rpms/libxml2/blob/master/f/libxml2-2.9.8-python3-unicode-errors.patch
CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE
Also impose size limits when XML_PARSE_HUGE is set. Limit size of names
to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to
XML_MAX_HUGE_LENGTH (1 billion bytes).

Move some of the length checks to the end of the respective loop to make
them strict.

xmlParseEntityValue didn't have a length limitation at all. But without
XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW.

Thanks to Maddie Stone working with Google Project Zero for the report!
Nick Wellnhofer <wellnhofer@aevum.de> no debian https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0 2022-08-25
CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch [CVE-2022-40304] Fix dict corruption caused by entity reference cycles

When an entity reference cycle is detected, the entity content is
cleared by setting its first byte to zero. But the entity content might
be allocated from a dict. In this case, the dict entry becomes corrupted
leading to all kinds of logic errors, including memory errors like
double-frees.

Stop storing entity content, orig, ExternalID and SystemID in a dict.
These values are unlikely to occur multiple times in a document, so they
shouldn't have been stored in a dict in the first place.

Thanks to Ned Williamson and Nathan Wachholz working with Google Project
Zero for the report!
Nick Wellnhofer <wellnhofer@aevum.de> no debian https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b 2022-08-31
schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
Found by OSS-Fuzz.
Nick Wellnhofer <wellnhofer@aevum.de> no https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6 2022-09-13
CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
Fix a null pointer dereference when parsing (invalid) XML schemas.

Thanks to Robby Simpson for the report!

Fixes #491.
Nick Wellnhofer <wellnhofer@aevum.de> no debian https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f 2023-04-07
CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
When hashing empty strings which aren't null-terminated,
xmlDictComputeFastKey could produce inconsistent results. This could
lead to various logic or memory errors, including double frees.

For consistency the seed is also taken into account, but this shouldn't
have an impact on security.

Found by OSS-Fuzz.

Fixes #510.
Nick Wellnhofer <wellnhofer@aevum.de> no debian https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64 2023-04-07
Reset-nsNr-in-xmlCtxtReset.patch Reset nsNr in xmlCtxtReset Nick Wellnhofer <wellnhofer@aevum.de> no debian https://gitlab.gnome.org/GNOME/libxml2/-/commit/5930fe01963136ab92125feec0c6204d9c9225dc 2022-07-18
Also-reset-nsNr-in-htmlCtxtReset.patch Also reset nsNr in htmlCtxtReset Nick Wellnhofer <wellnhofer@aevum.de> no debian https://gitlab.gnome.org/GNOME/libxml2/-/commit/a82ea25fc83f563c574ddb863d6c17d9c5abdbd2 2022-07-28
python3.13.patch Migrate from PyEval_ to PyObject_
PyEval_ functions are deprecated.

Fixes #208.
Nick Wellnhofer <wellnhofer@aevum.de> no debian 2022-08-29
CVE-2022-49043.patch malloc-fail: Fix use-after-free in xmlXIncludeAddNode
Found with libFuzzer, see #344.
Nick Wellnhofer <wellnhofer@aevum.de> no 2022-11-02
CVE-2024-34459.patch [CVE-2024-34459] Fix buffer overread with `xmllint --htmlout`
Add a missing bounds check.
Nick Wellnhofer <wellnhofer@aevum.de> no 2024-05-08
CVE-2024-56171.patch [CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd

xmlSchemaItemListAdd can reallocate the items array. Update local
variables after adding item in

- xmlSchemaIDCFillNodeTables
- xmlSchemaBubbleIDCNodeTables

Fixes #828.
Nick Wellnhofer <wellnhofer@aevum.de> no 2024-12-10
CVE-2025-24928-pre1.patch valid: Check for NULL node->name in xmlSnprintfElements
Unfortunately, we can have NULL element names if xmlSetTreeDoc fails.
Nick Wellnhofer <wellnhofer@aevum.de> no 2024-03-19
CVE-2025-24928.patch [CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements

Fixes #847.
Nick Wellnhofer <wellnhofer@aevum.de> no 2025-02-11
CVE-2025-27113.patch pattern: Fix compilation of explicit child axis
The child axis is the default axis and should generate XML_OP_ELEM like
the case without an axis.
Nick Wellnhofer <wellnhofer@aevum.de> no 2025-02-13
CVE-2023-39615_1.patch parser: Fix old SAX1 parser with custom callbacks
For some reason, xmlCtxtUseOptionsInternal set the start and end element
SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1
was specified. This means that custom SAX handlers could never work with
that flag because these functions would receive the wrong user data
argument and crash immediately.

Fixes #535.
Nick Wellnhofer <wellnhofer@aevum.de> no 2023-05-06
CVE-2023-39615_2.patch SAX: Always initialize SAX1 element handlers
Follow-up to commit d0c3f01e. A parser context will be initialized to
SAX version 2, but this can be overridden with XML_PARSE_SAX1 later,
so we must initialize the SAX1 element handlers as well.

Change the check in xmlDetectSAX2 to only look for XML_SAX2_MAGIC, so
we don't switch to SAX1 if the SAX2 element handlers are NULL.
Nick Wellnhofer <wellnhofer@aevum.de> no 2023-05-08
CVE-2023-45322.patch tree: Fix #583 again
Only set doc->intSubset after successful copy to avoid dangling pointers
in error case.
Nick Wellnhofer <wellnhofer@aevum.de> no 2023-11-28
CVE-2024-25062.patch [CVE-2024-25062] xmlreader: Don't expand XIncludes when backtracking

Fixes a use-after-free in XML Reader if used with DTD validation and
XInclude expansion.

Fixes #604.
Nick Wellnhofer <wellnhofer@aevum.de> no 2023-10-14
CVE-2025-32414-bug-889-v2.10.4-and-below.patch no
CVE-2025-32415.patch [CVE-2025-32415] schemas: Fix heap buffer overflow in xmlSchemaIDCFillNodeTables

Don't use local variable which could contain a stale value.

Fixes #890.
Nick Wellnhofer <wellnhofer@aevum.de> no 2025-04-06
CVE-2025-6021.patch tree: Fix integer overflow in xmlBuildQName
This issue affects memory safety and might receive a CVE ID later.

Fixes #926.
Nick Wellnhofer <wellnhofer@aevum.de> no 2025-05-27
CVE-2025-49794_49796.patch schematron: Fix memory safety issues in xmlSchematronReportOutput

Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796)
in xmlSchematronReportOutput.

Fixes #931.
Fixes #933.
Nick Wellnhofer <wellnhofer@aevum.de> no 2025-07-04
CVE-2025-6170.patch Fix potential buffer overflows of interactive shell Michael Mann <mmann78@netscape.net> yes debian upstream https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c107d3f5b5179c3dbc19df43df041cd55b 2025-06-20
CVE-2025-7425.patch libxslt: heap-use-after-free in xmlFreeID caused by `atype` corruption

* include/libxml/tree.h:
(XML_ATTR_CLEAR_ATYPE): Add.
(XML_ATTR_GET_ATYPE): Add.
(XML_ATTR_SET_ATYPE): Add.
(XML_NODE_ADD_EXTRA): Add.
(XML_NODE_CLEAR_EXTRA): Add.
(XML_NODE_GET_EXTRA): Add.
(XML_NODE_SET_EXTRA): Add.
(XML_DOC_ADD_PROPERTIES): Add.
(XML_DOC_CLEAR_PROPERTIES): Add.
(XML_DOC_GET_PROPERTIES): Add.
(XML_DOC_SET_PROPERTIES): Add.
- Add macros for accessing fields with upper bits that may be set by
libxslt.

* HTMLparser.c:
(htmlNewDocNoDtD):
* SAX2.c:
(xmlSAX2StartDocument):
(xmlSAX2EndDocument):
* parser.c:
(xmlParseEntityDecl):
(xmlParseExternalSubset):
(xmlParseReference):
(xmlCtxtParseDtd):
* runxmlconf.c:
(xmlconfTestInvalid):
(xmlconfTestValid):
* tree.c:
(xmlNewDoc):
(xmlFreeProp):
(xmlNodeSetDoc):
(xmlSetNsProp):
(xmlDOMWrapAdoptBranch):
* valid.c:
(xmlFreeID):
(xmlAddIDInternal):
(xmlValidateAttributeValueInternal):
(xmlValidateOneAttribute):
(xmlValidateRef):
* xmlreader.c:
(xmlTextReaderStartElement):
(xmlTextReaderStartElementNs):
(xmlTextReaderValidateEntity):
(xmlTextReaderRead):
(xmlTextReaderNext):
(xmlTextReaderIsEmptyElement):
(xmlTextReaderPreserve):
* xmlschemas.c:
(xmlSchemaPValAttrNodeID):
* xmlschemastypes.c:
(xmlSchemaValAtomicType):
- Adopt macros by renaming the struct fields, recompiling and fixing
compiler failures, then changing the struct field names back.
David Kilzer <ddkilzer@apple.com> yes debian upstream https://gitlab.gnome.org/-/project/1762/uploads/302ecfda701895ebd0fa438a66d1a7a4/gnome-libxslt-bug-140-apple-fix.diff 2025-06-23
CVE-2025-9714.patch Make XPath depth check work with recursive invocations
EXSLT functions like dyn:map or dyn:evaluate invoke xmlXPathRunEval
recursively. Don't set depth to zero but keep and restore the original
value to avoid stack overflows when abusing these functions.
Nick Wellnhofer <wellnhofer@aevum.de> yes upstream https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21 2022-07-28
CVE-2026-1757.patch shell: free cmdline before continue
This patch frees the cmdline when it's not empty but it doesn't contain
any actual character.

If the cmdline is just whitespaces or \r and \n, the loop continues
without freeing the cmdline string, so it's a leak.
Daniel Garcia Moreno <daniel.garcia@suse.com> yes upstream https://gitlab.gnome.org/GNOME/libxml2/-/commit/5446460ad3229579c91506317fb80ab333d44414 2025-10-23
0030-Fix-memory-leak-of-prefix-in-xmlTextWriterStartEleme.patch Fix memory leak of prefix in xmlTextWriterStartElementNS() Niels Dossche <7771979+nielsdos@users.noreply.github.com> no https://gitlab.gnome.org/GNOME/libxml2/-/commit/7d138310f1d4f006d490e29c72168c8ede3a020a 2025-09-04
CVE-2025-8732.patch fix: Prevent infinite recursion in xmlCatalogListXMLResolve Nathan <nathan.shain@echohq.com> yes upstream https://gitlab.gnome.org/GNOME/libxml2/-/commit/3425dece47c8db600f8d7328ae2d7ddfaa0d7b2d 2025-09-10
CVE-2026-0990.patch catalog: prevent inf recursion in xmlCatalogXMLResolveURI Daniel Garcia Moreno <daniel.garcia@suse.com> yes debian upstream https://gitlab.gnome.org/GNOME/libxml2/-/commit/ac6f0fde1476c41f59ad0c68ada3394599ebf2ae 2025-12-17
CVE-2026-0992/01-4af23b523.patch catalog: Ignore repeated nextCatalog entries
This patch makes the catalog parsing ignore repeated entries of
nextCatalog with the same value.
Daniel Garcia Moreno <daniel.garcia@suse.com> yes debian upstream https://gitlab.gnome.org/GNOME/libxml2/-/commit/4af23b523de5b72f27faf3e8e8a99dde5f7b82a2 2025-12-19
CVE-2026-0992/02-096402c94.patch catalog: Do not check value for duplication nextCatalog
The value field stores the path as it appears in the catalog definition,
the URL is built using xmlBuildURI that changes the relative paths to
absolute.

This change fixes the issue of using relative path to the same catalog
in the same file.
Daniel Garcia Moreno <dani@danigm.net> yes debian upstream https://gitlab.gnome.org/GNOME/libxml2/-/commit/096402c942e9d9a049f283eb4e6da431289900e1 2026-01-18
0035-testcatalog-Add-new-tests-for-catalog.c.patch testcatalog: Add new tests for catalog.c
Adds a new test program to run specific tests related to catalog
parsing.

This initial version includes a couple of tests, the first one to check
the infinite recursion detection related to:
https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018.

The second one tests the nextCatalog element repeated parsing, related
to:
https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
https://gitlab.gnome.org/GNOME/libxml2/-/issues/1040
Daniel Garcia Moreno <daniel.garcia@suse.com> yes upstream https://gitlab.gnome.org/GNOME/libxml2/-/commit/f14c733327f163b49a632f03d05a58c119ed7e57 2025-12-19
CVE-2026-0989.patch Add RelaxNG include limit
This patch adds a default xmlRelaxNGIncludeLimit of 1.000, and that
limit can be modified at runtime with the env variable
RNG_INCLUDE_LIMIT.
Daniel Garcia Moreno <daniel.garcia@suse.com> yes debian upstream https://gitlab.gnome.org/GNOME/libxml2/-/commit/66c52b3ac6c32ab112ec2a3bf41e6c30948be113 2025-10-10
0037-use-duplicating-variant-in-relaxng-to-mitigate-UAF.patch use duplicating variant in relaxng to mitigate UAF Jayakrishna Menon <jkrshnmenon@gmail.com> no https://gitlab.gnome.org/GNOME/libxml2/-/commit/df2ba65f661addfba50bdb7f280d594781249dfc 2026-02-10
0038-fix-memory-leak-in-issue-1054.patch fix memory leak in issue 1054 Yun <emptyiscolor@gmail.com> yes upstream https://gitlab.gnome.org/GNOME/libxml2/-/commit/8d77ac83082288e6b11259266e0ce56095ecdd69 2026-02-11
0039-schematron-fix-additional-memory-leaks-on-error-path.patch schematron: fix additional memory leaks on error paths
In xmlSchematronParseRule, free report when xmlSchematronAddTest fails
in the assert and report blocks.

In xmlSchematronAddTest, free the compiled XPath expression when
xmlMalloc fails.
ylwango613 <1217816127@qq.com> no https://gitlab.gnome.org/GNOME/libxml2/-/commit/99bf8af1bb9654dd6746c73456ce17412fe442f3 2026-02-24
0040-catalog-fix-stack-overflow-from-self-referencing-SGM.patch catalog: fix stack overflow from self-referencing SGML CATALOG entries

An SGML catalog file with multiple CATALOG directives referencing itself
causes exponential recursion in xmlParseSGMLCatalog(), leading to stack
overflow. With K self-referencing entries and MAX_CATAL_DEPTH=50, total
recursive parses = K^50.

Add deduplication by registering expanded filenames in the catalog hash
table before calling xmlExpandCatalog(), consistent with the existing
super branch.
ylwango613 <1217816127@qq.com> yes upstream https://gitlab.gnome.org/GNOME/libxml2/-/commit/4982ee83f91ed598de793b280c8990646726c440 2026-02-24
