From 159da198c20711069a63b1582f5734c1fb1b3939 Mon Sep 17 00:00:00 2001
From: lichenggang
Date: Fri, 26 Jun 2026 18:31:22 +0800
Subject: [PATCH] fix: CVE-2026-6653
Fix use-after-free in xmlParseInternalSubset causing denial of service via maliciously crafted XML input with improper entity resolution handling.
Restructure the loop in xmlParseInternalSubset to call xmlParseMarkupDecl and xmlParsePEReference conditionally based on the current character, instead of calling both unconditionally.
Changes:
- Add debian/patches/CVE-2026-6653.patch
- Update debian/patches/series
- Update debian/changelog
Bug: https://security-tracker.debian.org/tracker/CVE-2026-6653
Signed-off-by: lichenggang
---
 debian/changelog | 8 ++++
 debian/patches/CVE-2026-6653.patch | 70 ++++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 79 insertions(+)
 create mode 100644 debian/patches/CVE-2026-6653.patch
diff --git a/debian/changelog b/debian/changelog
index c15a3c3..d51467b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u2deepin1) unstable; urgency=medium
+
+ * Fix CVE-2026-6653: Use After Free in xmlParseInternalSubset causing
+ denial of service via maliciously crafted XML input with improper
+ entity resolution handling.
+
+ -- lichenggang Fri, 26 Jun 2026 18:23:25 +0800
+
 libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u2) trixie; urgency=high
 
 * Non-maintainer upload.
diff --git a/debian/patches/CVE-2026-6653.patch b/debian/patches/CVE-2026-6653.patch
new file mode 100644
index 0000000..e2c0674
--- /dev/null
+++ b/debian/patches/CVE-2026-6653.patch
@@ -0,0 +1,70 @@
+From: Nick Wellnhofer
+Date: Mon, 19 Dec 2022 18:39:45 +0100
+Subject: Fix use-after-free in xmlParseInternalSubset
+
+Restructure the loop in xmlParseInternalSubset to call
+xmlParseMarkupDecl and xmlParsePEReference conditionally based on the
+current character, instead of calling both unconditionally. This
+prevents a use-after-free when entity resolution frees memory that
+the markup declaration parser still references.
+
+Also replace the old progress-detection error handling with
+xmlHaltParser for safer error recovery.
+
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/463bbeeca1805b5c4828f50d0fefc4eebaf620df
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/work_items/1058
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-6653
+---
+ parser.c | 35 +++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 1bc3713..a4ec1c5 100644
+--- a/parser.c
++++ b/parser.c
+@@ -8359,14 +8359,9 @@ xmlParseInternalSubset(xmlParserCtxtPtr ctxt) {
+ * PEReferences.
+ * Subsequence (markupdecl | PEReference | S)*
+ */
++ SKIP_BLANKS;
+ while (((RAW != ']') || (ctxt->inputNr > baseInputNr)) &&
+ (ctxt->instate != XML_PARSER_EOF)) {
+- const xmlChar *check = CUR_PTR;
+- unsigned int cons = ctxt->input->consumed;
+-
+- SKIP_BLANKS;
+- xmlParseMarkupDecl(ctxt);
+- xmlParsePEReference(ctxt);
+
+ /*
+ * Conditional sections are allowed from external entities included
+@@ -8375,16 +8370,20 @@ xmlParseInternalSubset(xmlParserCtxtPtr ctxt) {
+ if ((ctxt->inputNr > 1) && (ctxt->input->filename != NULL) &&
+ (RAW == '<') && (NXT(1) == '!') && (NXT(2) == '[')) {
+ xmlParseConditionalSections(ctxt);
+- }
+-
+- if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) {
++ } else if ((RAW == '<') && ((NXT(1) == '!') || (NXT(1) == '?'))) {
++ xmlParseMarkupDecl(ctxt);
++ } else if (RAW == '%') {
++ xmlParsePEReference(ctxt);
++ } else {
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
+- "xmlParseInternalSubset: error detected in Markup declaration\n");
+- if (ctxt->inputNr > baseInputNr)
+- xmlPopInput(ctxt);
+- else
+- break;
+- }
++ "xmlParseInternalSubset: error detected in"
++ " Markup declaration\n");
++ xmlHaltParser(ctxt);
++ return;
++ }
++ SKIP_BLANKS;
++ SHRINK;
++ GROW;
+ }
+ if (RAW == ']') {
+ NEXT;
diff --git a/debian/patches/series b/debian/patches/series
index 412446f..1ca65b6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,3 +26,4 @@ CVE-2025-49794_49796.patch
 CVE-2025-6170.patch
 CVE-2025-7425.patch
 CVE-2025-9714.patch
+CVE-2026-6653.patch
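Review bot: Dropping the `check`/`cons` progress detection in the second parser.c hunk (`if ((CUR_PTR == check) && (cons == ctxt->input->consumed))`) makes termination of the `while` loop depend on every branch consuming input, and this backport leaves xmlParseMarkupDecl untouched: if the 2.9.14 version of that function returns without advancing on `<!` followed by an unrecognized declaration keyword, the new `else if ((RAW == '<') && ((NXT(1) == '!') || (NXT(1) == '?')))` branch would be re-entered forever, trading the fixed use-after-free for a hang on the same kind of crafted input. The upstream tree this was taken from appears to rely on xmlParseMarkupDecl skipping the unknown `<!` prefix (I believe via `SKIP(2)` in its default case), so please confirm the backported parser.c does the same or carry that hunk in this patch as well. It is also worth recording in the DEP-3 header that error recovery is stricter now: the removed path popped the nested input and continued when `ctxt->inputNr > baseInputNr`, whereas the new `else` branch calls `xmlHaltParser(ctxt)` and returns on any unexpected character, so malformed-but-previously-tolerated internal subsets now fail hard. xmlParseInternalSubset continues outside both hunks.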