[xml/sgml-pkgs] Bug#1075221: NMU: libxmltok: ftbfs with GCC-14
Bastian Germann
bage at debian.org
Tue Mar 18 22:45:57 GMT 2025
Control: tags -1 patch
I am uploading a NMU to fix this.
Please find the debdiff attached.
-------------- next part --------------
diff -Nru libxmltok-1.2/debian/changelog libxmltok-1.2/debian/changelog
--- libxmltok-1.2/debian/changelog 2024-03-01 08:20:23.000000000 +0100
+++ libxmltok-1.2/debian/changelog 2025-03-18 23:03:07.000000000 +0100
@@ -1,3 +1,16 @@
+libxmltok (1.2-4.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * debian/patches/include_unistd_header.patch: included <unistd.h> in
+ xmlwf/unixfilemap.c to address -Wimplicit-function-declaration.
+ Closes: #1075221
+ * debian/patches/CVE-2021-46143.patch: add an integer overflow check
+ for groupSize variable at doProlog() in xmlparse/xmlparse.c.
+ Closes: #1012179, CVE-2021-46143
+ * debian/copyright: Convert to machine-readable format.
+
+ -- Bastian Germann <bage at debian.org> Tue, 18 Mar 2025 23:03:07 +0100
+
libxmltok (1.2-4.1) unstable; urgency=medium
* Non-maintainer upload.
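Review bot: the entry lists three changes, but the same debdiff also deletes debian/README.Debian and strips the license block from debian/README.xmltok; add a bullet recording those (e.g. `* debian/README.Debian: Remove; its license text now lives in debian/copyright.`) so the NMU's scope is fully documented in the changelog.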
diff -Nru libxmltok-1.2/debian/copyright libxmltok-1.2/debian/copyright
--- libxmltok-1.2/debian/copyright 2017-08-10 14:01:46.000000000 +0200
+++ libxmltok-1.2/debian/copyright 2025-03-18 23:03:07.000000000 +0100
@@ -1,29 +1,55 @@
-This is the Debian package of expat 1.x, the C library for parsing XML.
-
-The source package was downloaded from <URL:ftp://ftp.jclark.com/pub/xml/>.
-
-The original packager is Adam Di Carlo <aph at debian.org>. The current
-maintainer is Ardo van Rangelrooij <ardo at debian.org>.
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Comment:
+ This is the Debian package of expat 1.x, the C library for parsing XML.
+ .
+ The original packager is Adam Di Carlo <aph at debian.org>.
+ The current maintainer is Ardo van Rangelrooij <ardo at debian.org>.
+Source:
+ ftp://ftp.jclark.com/pub/xml/
+Files: *
Copyright:
+ Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
+ Portions created by James Clark are Copyright (C) 1998
+ James Clark. All Rights Reserved.
+License: Expat
-Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be included
-in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
-IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
-CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
-TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
-SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+Files: debian/*
+Copyright:
+ Adam Di Carlo <aph at debian.org>
+ A. P. Harris <aph at debian.org>
+ Ardo van Rangelrooij <ardo at debian.org>
+License: MPL-1
+ The contents of this file are subject to the Mozilla Public License
+ Version 1.0 (the "License"); you may not use this file except in
+ compliance with the License. You may obtain a copy of the License at
+ http://www.mozilla.org/MPL/
+ .
+ Software distributed under the License is distributed on an "AS IS"
+ basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
+ License for the specific language governing rights and limitations
+ under the License.
+
+Files: debian/patches/*
+Copyright: (see individual files)
+License: Expat
+
+License: Expat
+ Permission is hereby granted, free of charge, to any person obtaining
+ a copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included
+ in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
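Review bot: the `Files: debian/patches/*` paragraph says `Copyright: (see individual files)`, but include_unistd_header.patch (added in this same debdiff) carries no Author or copyright line, so the reference does not resolve for that file; either give the patch a DEP-3 `Author:` header or name the copyright holder here. Separately, the copyright-format 1.0 short name for Mozilla Public License 1.0 is conventionally written `MPL-1.0`, so the `License: MPL-1` label in the `debian/*` paragraph should be spelled that way to match the version the license text itself names.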
diff -Nru libxmltok-1.2/debian/patches/CVE-2021-46143.patch libxmltok-1.2/debian/patches/CVE-2021-46143.patch
--- libxmltok-1.2/debian/patches/CVE-2021-46143.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxmltok-1.2/debian/patches/CVE-2021-46143.patch 2025-03-18 23:03:07.000000000 +0100
@@ -0,0 +1,30 @@
+Origin: https://github.com/libexpat/libexpat/commit/82c11af9d3dafc1b086a15efecd6ec07b6e13613
+From: Sebastian Pipping <sebastian at pipping.org>
+Date: Sat, 25 Dec 2021 20:52:08 +0100
+Subject: [PATCH 1/2] lib: Prevent integer overflow on m_groupSize in function
+ doProlog (CVE-2021-46143)
+
+---
+ xmlparse/xmlparse.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+Index: libxmltok-1.2/xmlparse/xmlparse.c
+===================================================================
+--- libxmltok-1.2.orig/xmlparse/xmlparse.c
++++ libxmltok-1.2/xmlparse/xmlparse.c
+@@ -2784,8 +2784,14 @@ doProlog(XML_Parser parser,
+ #endif /* XML_DTD */
+ case XML_ROLE_GROUP_OPEN:
+ if (prologState.level >= groupSize) {
+- if (groupSize)
++ if (groupSize) {
++ /* Detect and prevent integer overflow */
++ if (groupSize > (unsigned int)(-1) / 2u) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
+ groupConnector = realloc(groupConnector, groupSize *= 2);
++ }
+ else
+ groupConnector = malloc(groupSize = 32);
+ if (!groupConnector)
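Review bot: the new guard `if (groupSize > (unsigned int)(-1) / 2u)` only bounds the doubling correctly if `groupSize` is an `unsigned int` in this 1.2 tree; the hunk does not show the declaration, so please confirm its type before upload (upstream's `m_groupSize` is unsigned). The check leaves the pre-existing pattern `groupConnector = realloc(groupConnector, groupSize *= 2);` as is: when realloc fails the old pointer is overwritten with NULL and `groupSize` is already doubled, so the `if (!groupConnector)` path below cannot release the previous buffer; that is a separate leak-on-failure issue, not part of this CVE fix, but worth a follow-up note. The header reads `[PATCH 1/2]`; state in the patch description whether the companion upstream commit is needed here or intentionally omitted.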
diff -Nru libxmltok-1.2/debian/patches/debian-changes.patch libxmltok-1.2/debian/patches/debian-changes.patch
--- libxmltok-1.2/debian/patches/debian-changes.patch 2017-08-10 13:54:26.000000000 +0200
+++ libxmltok-1.2/debian/patches/debian-changes.patch 2025-03-18 23:03:07.000000000 +0100
@@ -120,29 +120,6 @@
+ $(MAKE) -Cxmlparse install
+endif
--- /dev/null
-+++ libxmltok-1.2/copying.txt
-@@ -0,0 +1,20 @@
-+Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
-+
-+Permission is hereby granted, free of charge, to any person obtaining
-+a copy of this software and associated documentation files (the
-+"Software"), to deal in the Software without restriction, including
-+without limitation the rights to use, copy, modify, merge, publish,
-+distribute, sublicense, and/or sell copies of the Software, and to
-+permit persons to whom the Software is furnished to do so, subject to
-+the following conditions:
-+
-+The above copyright notice and this permission notice shall be included
-+in all copies or substantial portions of the Software.
-+
-+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
-+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
-+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
-+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
-+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
---- /dev/null
+++ libxmltok-1.2/xmlparse/Makefile
@@ -0,0 +1,37 @@
+LIB := xmlparse
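Review bot: dropping the `copying.txt` creation from debian-changes.patch removes a file the source still refers to (the unixfilemap.c context line in include_unistd_header.patch reads `See the file copying.txt for copying per`); moving the license text to debian/copyright is fine for the binary packages, but either keep the file so the in-source reference stays valid or mention its removal in the changelog.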
diff -Nru libxmltok-1.2/debian/patches/include_unistd_header.patch libxmltok-1.2/debian/patches/include_unistd_header.patch
--- libxmltok-1.2/debian/patches/include_unistd_header.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxmltok-1.2/debian/patches/include_unistd_header.patch 2025-03-18 23:01:30.000000000 +0100
@@ -0,0 +1,17 @@
+Description: includes <unistd.h> in xmlwf/unixfilemap.c
+ This patch adds `include <unistd.h>` to xmlwf/unixfilemap.c
+ to address an -Wimplicit-function-declaration warning causing
+ a build failure starting with 24.10.
+
+---
+
+--- libxmltok-1.2.orig/xmlwf/unixfilemap.c
++++ libxmltok-1.2/xmlwf/unixfilemap.c
+@@ -10,6 +10,7 @@ See the file copying.txt for copying per
+ #include <errno.h>
+ #include <string.h>
+ #include <stdio.h>
++#include <unistd.h>
+
+ #ifndef MAP_FILE
+ #define MAP_FILE 0
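Review bot: the Description's `include <unistd.h>` drops the leading `#`, and "starting with 24.10" names an Ubuntu release while this NMU closes Debian bug #1075221, where the trigger is GCC 14 treating -Wimplicit-function-declaration as an error by default; reword it to say GCC 14 and add DEP-3 `Author:` and `Bug-Debian: https://bugs.debian.org/1075221` fields so the patch's origin is recorded. The one-line code change itself is the right fix, since `<unistd.h>` provides the POSIX prototype that was previously implicit.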
diff -Nru libxmltok-1.2/debian/patches/series libxmltok-1.2/debian/patches/series
--- libxmltok-1.2/debian/patches/series 2017-08-10 13:53:42.000000000 +0200
+++ libxmltok-1.2/debian/patches/series 2025-03-18 23:03:07.000000000 +0100
@@ -1 +1,3 @@
debian-changes.patch
+CVE-2021-46143.patch
+include_unistd_header.patch
diff -Nru libxmltok-1.2/debian/README.Debian libxmltok-1.2/debian/README.Debian
--- libxmltok-1.2/debian/README.Debian 2017-08-10 13:42:01.000000000 +0200
+++ libxmltok-1.2/debian/README.Debian 1970-01-01 01:00:00.000000000 +0100
@@ -1,22 +0,0 @@
-expat for Debian
-----------------
-
-The contents of this file are subject to the Mozilla Public License
-Version 1.0 (the "License"); you may not use this file except in
-compliance with the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS"
-basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
-License for the specific language governing rights and limitations
-under the License.
-
-The Original Code is expat.
-
-The Initial Developer of the Original Code is James Clark.
-Portions created by James Clark are Copyright (C) 1998
-James Clark. All Rights Reserved.
-
-Contributor(s):
- A. P. Harris <aph at debian.org>
- Ardo van Rangelrooij <ardo at debian.org>
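Review bot: the deleted file carried the MPL 1.0 Exhibit A notice (`The Original Code is expat.` / `The Initial Developer of the Original Code is James Clark.`), and the new debian/copyright keeps James Clark's copyright line but not that notice; MPL 1.0 expects the Exhibit A text to accompany the license, so carry those two lines into the `Comment:` or the `License: MPL-1` paragraph rather than dropping them with the file.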
diff -Nru libxmltok-1.2/debian/README.xmltok libxmltok-1.2/debian/README.xmltok
--- libxmltok-1.2/debian/README.xmltok 2017-08-10 13:42:01.000000000 +0200
+++ libxmltok-1.2/debian/README.xmltok 2025-03-18 23:03:07.000000000 +0100
@@ -10,23 +10,3 @@
me.
Ardo van Rangelrooij <ardo at debian.org>
-
-The contents of this file are subject to the Mozilla Public License
-Version 1.0 (the "License"); you may not use this file except in
-compliance with the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS"
-basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
-License for the specific language governing rights and limitations
-under the License.
-
-The Original Code is expat.
-
-The Initial Developer of the Original Code is James Clark.
-Portions created by James Clark are Copyright (C) 1998
-James Clark. All Rights Reserved.
-
-Contributor(s):
- A. P. Harris <aph at debian.org>
- Ardo van Rangelrooij <ardo at debian.org>