8 changes: 8 additions & 0 deletions debian/changelog
@@ -1,3 +1,11 @@
libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u2deepin1) unstable; urgency=medium

* Fix CVE-2026-6653: Use After Free in xmlParseInternalSubset causing
denial of service via maliciously crafted XML input with improper
entity resolution handling.

-- lichenggang <lichenggang@deepin.org> Fri, 26 Jun 2026 18:23:25 +0800

libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u2) trixie; urgency=high

* Non-maintainer upload.
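Review bot: the new entry targets `unstable` while the entry it is built on (`2.1+deb13u2`) targets `trixie`; if this is a deepin rebuild of the trixie security update, the suite should match, otherwise say in the entry why it differs. The previous security upload used `urgency=high`; this entry is itself a CVE fix but is marked `urgency=medium`, so either raise it or be consistent on purpose.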
70 changes: 70 additions & 0 deletions debian/patches/CVE-2026-6653.patch
@@ -0,0 +1,70 @@
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 19 Dec 2022 18:39:45 +0100
Subject: Fix use-after-free in xmlParseInternalSubset

Restructure the loop in xmlParseInternalSubset to call
xmlParseMarkupDecl and xmlParsePEReference conditionally based on the
current character, instead of calling both unconditionally. This
prevents a use-after-free when entity resolution frees memory that
the markup declaration parser still references.

Also replace the old progress-detection error handling with
xmlHaltParser for safer error recovery.

Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/463bbeeca1805b5c4828f50d0fefc4eebaf620df
Bug: https://gitlab.gnome.org/GNOME/libxml2/-/work_items/1058
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-6653
---
parser.c | 35 +++++++++++++++++++----------------
1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/parser.c b/parser.c
index 1bc3713..a4ec1c5 100644
--- a/parser.c
+++ b/parser.c
@@ -8359,14 +8359,9 @@ xmlParseInternalSubset(xmlParserCtxtPtr ctxt) {
* PEReferences.
* Subsequence (markupdecl | PEReference | S)*
*/
+ SKIP_BLANKS;
while (((RAW != ']') || (ctxt->inputNr > baseInputNr)) &&
(ctxt->instate != XML_PARSER_EOF)) {
- const xmlChar *check = CUR_PTR;
- unsigned int cons = ctxt->input->consumed;
-
- SKIP_BLANKS;
- xmlParseMarkupDecl(ctxt);
- xmlParsePEReference(ctxt);

/*
* Conditional sections are allowed from external entities included
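Review bot: with the per-iteration `SKIP_BLANKS`, `xmlParseMarkupDecl` and `xmlParsePEReference` calls removed from the top of the loop, the `while` body now opens with an empty line before the `Conditional sections` comment; drop that blank line. Hoisting `SKIP_BLANKS` ahead of the loop is required, since the loop condition tests `RAW` before any iteration has run, so that part is correct.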
@@ -8375,16 +8370,20 @@ xmlParseInternalSubset(xmlParserCtxtPtr ctxt) {
if ((ctxt->inputNr > 1) && (ctxt->input->filename != NULL) &&
(RAW == '<') && (NXT(1) == '!') && (NXT(2) == '[')) {
xmlParseConditionalSections(ctxt);
- }
-
- if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) {
+ } else if ((RAW == '<') && ((NXT(1) == '!') || (NXT(1) == '?'))) {
+ xmlParseMarkupDecl(ctxt);
+ } else if (RAW == '%') {
+ xmlParsePEReference(ctxt);
+ } else {
xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
- "xmlParseInternalSubset: error detected in Markup declaration\n");
- if (ctxt->inputNr > baseInputNr)
- xmlPopInput(ctxt);
- else
- break;
- }
+ "xmlParseInternalSubset: error detected in"
+ " Markup declaration\n");
+ xmlHaltParser(ctxt);
+ return;
+ }
+ SKIP_BLANKS;
+ SHRINK;
+ GROW;
}
if (RAW == ']') {
NEXT;
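Review bot: removing the `(CUR_PTR == check) && (cons == ctxt->input->consumed)` guard means this loop only terminates if every branch consumes input. `xmlParsePEReference` consumes the `%` and `xmlParseConditionalSections` consumes `<![`, but the new `else if ((RAW == '<') && ((NXT(1) == '!') || (NXT(1) == '?')))` branch accepts any `<!` prefix, and the diffstat shows the backport touches only `xmlParseInternalSubset`: please confirm that `xmlParseMarkupDecl` in the 2.9.14 tree advances the input on every path, including an unrecognised keyword after `<!`, or keep a progress check in this backport, because otherwise the loop spins where the old code popped the input or broke out. The `xmlHaltParser(ctxt); return;` in the `else` branch also skips the `if (RAW == ']')` handling below, which is fine once the parser is halted, but it replaces the old behaviour of popping an included PE input and continuing; that deliberate tightening deserves a sentence in the DEP-3 header.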
1 change: 1 addition & 0 deletions debian/patches/series
@@ -26,3 +26,4 @@ CVE-2025-49794_49796.patch
CVE-2025-6170.patch
CVE-2025-7425.patch
CVE-2025-9714.patch
CVE-2026-6653.patch