[xml/sgml-pkgs] Bug#1110152: unblock: libxml2/2.12.7+dfsg+really2.9.14-2.1

Adrian Bunk bunk at debian.org
Wed Jul 30 21:53:16 BST 2025


Package: release.debian.org
Severity: normal
X-Debbugs-Cc: libxml2 at packages.debian.org, Guilhem Moulin <guilhem at debian.org>
Control: affects -1 + src:libxml2
User: release.debian.org at packages.debian.org
Usertags: unblock

Please unblock package libxml2

CVE-2025-6170 fix, already accepted into bookworm-pu in #1109947.

unblock libxml2/2.12.7+dfsg+really2.9.14-2.1
-------------- next part --------------
diffstat for libxml2-2.12.7+dfsg+really2.9.14 libxml2-2.12.7+dfsg+really2.9.14

 changelog                   |    8 +++
 patches/CVE-2025-6170.patch |  100 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |    1 
 3 files changed, 109 insertions(+)

diff -Nru libxml2-2.12.7+dfsg+really2.9.14/debian/changelog libxml2-2.12.7+dfsg+really2.9.14/debian/changelog
--- libxml2-2.12.7+dfsg+really2.9.14/debian/changelog	2025-07-17 18:09:57.000000000 +0300
+++ libxml2-2.12.7+dfsg+really2.9.14/debian/changelog	2025-07-27 01:59:51.000000000 +0300
@@ -1,3 +1,11 @@
+libxml2 (2.12.7+dfsg+really2.9.14-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2025-6170: Potential buffer overflows in the interactive shell
+    (Closes: #1107938).
+
+ -- Guilhem Moulin <guilhem at debian.org>  Sun, 27 Jul 2025 00:59:51 +0200
+
 libxml2 (2.12.7+dfsg+really2.9.14-2) unstable; urgency=medium
 
   * Security fixes:
diff -Nru libxml2-2.12.7+dfsg+really2.9.14/debian/patches/CVE-2025-6170.patch libxml2-2.12.7+dfsg+really2.9.14/debian/patches/CVE-2025-6170.patch
--- libxml2-2.12.7+dfsg+really2.9.14/debian/patches/CVE-2025-6170.patch	1970-01-01 02:00:00.000000000 +0200
+++ libxml2-2.12.7+dfsg+really2.9.14/debian/patches/CVE-2025-6170.patch	2025-07-27 01:59:51.000000000 +0300
@@ -0,0 +1,100 @@
+From: Michael Mann <mmann78 at netscape.net>
+Date: Fri, 20 Jun 2025 23:05:00 -0400
+Subject: Fix potential buffer overflows of interactive shell
+
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c107d3f5b5179c3dbc19df43df041cd55b
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/941
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-6170
+Bug-Debian: https://bugs.debian.org/1107938
+---
+ debugXML.c                       | 15 ++++++++++-----
+ result/scripts/long_command      |  8 ++++++++
+ test/scripts/long_command.script |  6 ++++++
+ test/scripts/long_command.xml    |  1 +
+ 4 files changed, 25 insertions(+), 5 deletions(-)
+ create mode 100644 result/scripts/long_command
+ create mode 100644 test/scripts/long_command.script
+ create mode 100644 test/scripts/long_command.xml
+
+diff --git a/debugXML.c b/debugXML.c
+index 7a2ca47..dfde58e 100644
+--- a/debugXML.c
++++ b/debugXML.c
+@@ -1050,6 +1050,10 @@ xmlCtxtDumpOneNode(xmlDebugCtxtPtr ctxt, xmlNodePtr node)
+     xmlCtxtGenericNodeCheck(ctxt, node);
+ }
+ 
++#define MAX_PROMPT_SIZE     500
++#define MAX_ARG_SIZE        400
++#define MAX_COMMAND_SIZE    100
++
+ /**
+  * xmlCtxtDumpNode:
+  * @output:  the FILE * for the output
+@@ -2802,10 +2806,10 @@ void
+ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+          FILE * output)
+ {
+-    char prompt[500] = "/ > ";
++    char prompt[MAX_PROMPT_SIZE] = "/ > ";
+     char *cmdline = NULL, *cur;
+-    char command[100];
+-    char arg[400];
++    char command[MAX_COMMAND_SIZE];
++    char arg[MAX_ARG_SIZE];
+     int i;
+     xmlShellCtxtPtr ctxt;
+     xmlXPathObjectPtr list;
+@@ -2863,7 +2867,8 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+             cur++;
+         i = 0;
+         while ((*cur != ' ') && (*cur != '\t') &&
+-               (*cur != '\n') && (*cur != '\r')) {
++               (*cur != '\n') && (*cur != '\r') &&
++               (i < (MAX_COMMAND_SIZE - 1))) {
+             if (*cur == 0)
+                 break;
+             command[i++] = *cur++;
+@@ -2878,7 +2883,7 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+         while ((*cur == ' ') || (*cur == '\t'))
+             cur++;
+         i = 0;
+-        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
++        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
+             if (*cur == 0)
+                 break;
+             arg[i++] = *cur++;
+diff --git a/result/scripts/long_command b/result/scripts/long_command
+new file mode 100644
+index 0000000..e6f0070
+--- /dev/null
++++ b/result/scripts/long_command
+@@ -0,0 +1,8 @@
++/ > b > b > Object is a Node Set :
++Set contains 1 nodes:
++1  ELEMENT a:c
++b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
++b > b > Unknown command ess_currents_of_time_and_existence
++b > <?xml version="1.0"?>
++<a xmlns:a="bar"><b xmlns:a="foo">Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof</b></a>
++b > 
+\ No newline at end of file
+diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script
+new file mode 100644
+index 0000000..00f6df0
+--- /dev/null
++++ b/test/scripts/long_command.script
+@@ -0,0 +1,6 @@
++cd a/b
++set <a:c/>
++xpath //*[namespace-uri()="foo"]
++This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
++set Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
++save -
+diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
+new file mode 100644
+index 0000000..1ba4401
+--- /dev/null
++++ b/test/scripts/long_command.xml
+@@ -0,0 +1 @@
++<a xmlns:a="bar"><b xmlns:a="foo"/></a>
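Review bot: The new bounds in xmlShell, `(i < (MAX_COMMAND_SIZE - 1))` on the command copy and `(i < (MAX_ARG_SIZE-1))` on the argument copy in the embedded debugXML.c patch, stop the out-of-bounds write but truncate silently, so the shell still dispatches a line it only partly read. The expected output added in result/scripts/long_command records this: the over-long command is reported cut at the buffer limit, the `set` content is stored cut short, and the tail of that same input line appears as a second `Unknown command`. For a shell whose arguments can be file names or node content, rejecting the line is safer than acting on a shortened value; a check such as `if ((*cur != 0) && (*cur != '\n') && (*cur != '\r'))` right after the argument loop would detect the cut, so the shell could report it and skip dispatch. The terminating writes, the dispatch and the release of `cmdline` all lie outside these hunks, so the skip path has to be checked against the full function. Separately, `sizeof(command) - 1` and `sizeof(arg) - 1` would tie each bound to its array instead of to macros defined far from the loops.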
diff -Nru libxml2-2.12.7+dfsg+really2.9.14/debian/patches/series libxml2-2.12.7+dfsg+really2.9.14/debian/patches/series
--- libxml2-2.12.7+dfsg+really2.9.14/debian/patches/series	2025-07-17 18:09:57.000000000 +0300
+++ libxml2-2.12.7+dfsg+really2.9.14/debian/patches/series	2025-07-27 01:59:51.000000000 +0300
@@ -23,3 +23,4 @@
 CVE-2025-32415.patch
 CVE-2025-6021.patch
 CVE-2025-49794_49796.patch
+CVE-2025-6170.patch

