diff --git a/debian/changelog b/debian/changelog
index c15a3c3..d51467b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u2deepin1) unstable; urgency=medium
+
+ * Fix CVE-2026-6653: Use After Free in xmlParseInternalSubset causing
+ denial of service via maliciously crafted XML input with improper
+ entity resolution handling.
+
+ -- lichenggang Fri, 26 Jun 2026 18:23:25 +0800
+
 libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u2) trixie; urgency=high
 
 * Non-maintainer upload.
diff --git a/debian/patches/CVE-2026-6653.patch b/debian/patches/CVE-2026-6653.patch
new file mode 100644
index 0000000..e2c0674
--- /dev/null
+++ b/debian/patches/CVE-2026-6653.patch
@@ -0,0 +1,70 @@
+From: Nick Wellnhofer
+Date: Mon, 19 Dec 2022 18:39:45 +0100
+Subject: Fix use-after-free in xmlParseInternalSubset
+
+Restructure the loop in xmlParseInternalSubset to call
+xmlParseMarkupDecl and xmlParsePEReference conditionally based on the
+current character, instead of calling both unconditionally. This
+prevents a use-after-free when entity resolution frees memory that
+the markup declaration parser still references.
+
+Also replace the old progress-detection error handling with
+xmlHaltParser for safer error recovery.
+
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/463bbeeca1805b5c4828f50d0fefc4eebaf620df
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/work_items/1058
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-6653
+---
+ parser.c | 35 +++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 1bc3713..a4ec1c5 100644
+--- a/parser.c
++++ b/parser.c
+@@ -8359,14 +8359,9 @@ xmlParseInternalSubset(xmlParserCtxtPtr ctxt) {
+ * PEReferences.
+ * Subsequence (markupdecl | PEReference | S)*
+ */
++ SKIP_BLANKS;
+ while (((RAW != ']') || (ctxt->inputNr > baseInputNr)) &&
+ (ctxt->instate != XML_PARSER_EOF)) {
+- const xmlChar *check = CUR_PTR;
+- unsigned int cons = ctxt->input->consumed;
+-
+- SKIP_BLANKS;
+- xmlParseMarkupDecl(ctxt);
+- xmlParsePEReference(ctxt);
+
+ /*
+ * Conditional sections are allowed from external entities included
+@@ -8375,16 +8370,20 @@ xmlParseInternalSubset(xmlParserCtxtPtr ctxt) {
+ if ((ctxt->inputNr > 1) && (ctxt->input->filename != NULL) &&
+ (RAW == '<') && (NXT(1) == '!') && (NXT(2) == '[')) {
+ xmlParseConditionalSections(ctxt);
+- }
+-
+- if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) {
++ } else if ((RAW == '<') && ((NXT(1) == '!') || (NXT(1) == '?'))) {
++ xmlParseMarkupDecl(ctxt);
++ } else if (RAW == '%') {
++ xmlParsePEReference(ctxt);
++ } else {
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
+- "xmlParseInternalSubset: error detected in Markup declaration\n");
+- if (ctxt->inputNr > baseInputNr)
+- xmlPopInput(ctxt);
+- else
+- break;
+- }
++ "xmlParseInternalSubset: error detected in"
++ " Markup declaration\n");
++ xmlHaltParser(ctxt);
++ return;
++ }
++ SKIP_BLANKS;
++ SHRINK;
++ GROW;
+ }
+ if (RAW == ']') {
+ NEXT;
diff --git a/debian/patches/series b/debian/patches/series
index 412446f..1ca65b6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,3 +26,4 @@ CVE-2025-49794_49796.patch
 CVE-2025-6170.patch
 CVE-2025-7425.patch
 CVE-2025-9714.patch
+CVE-2026-6653.patch
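Review bot: The rewritten loop in the second hunk of the embedded parser.c patch removes the `check`/`cons` no-progress guard, so the new `else if ((RAW == '<') && ((NXT(1) == '!') || (NXT(1) == '?')))` branch now depends on xmlParseMarkupDecl always consuming input, and that function is not part of this patch. In the 2.9.x series xmlParseMarkupDecl falls through without consuming anything on prefixes it does not recognise (`<!X`, `<!EX`), whereas the upstream tree this loop was lifted from, as far as I recall, pairs it with a `SKIP(2)` in those cases; if the 2.9.14 copy in this package still has the silent fall-through, a document such as `<!DOCTYPE a [<!X` would spin in this `while` forever, trading the use-after-free for a CPU-exhaustion denial of service. Please confirm against the tree's xmlParseMarkupDecl and, if it lacks the skip, backport that companion change or keep a progress check in the loop, e.g. `if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) { xmlHaltParser(ctxt); return; }` after the dispatch. Note also that the patch's trailer (`Date: 2022`, CVE-2026 id) is plausible but cannot be cross-checked from this page; the enclosing function xmlParseInternalSubset starts and ends outside both hunks.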