guix-commits
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

02/04: gnu: libxml2: Add fixes for CVE-2015-{1819, 7941, 7942, 8035} and


From: Mark H. Weaver
Subject: 02/04: gnu: libxml2: Add fixes for CVE-2015-{1819, 7941, 7942, 8035} and other bugs.
Date: Tue, 17 Nov 2015 19:32:36 +0000

mhw pushed a commit to branch security-updates
in repository guix.

commit 95b94bf7772a9536d76dbd1b4f91e481794951fb
Author: Mark H Weaver <address@hidden>
Date:   Sun Nov 15 14:16:57 2015 -0500

    gnu: libxml2: Add fixes for CVE-2015-{1819,7941,7942,8035} and other bugs.
    
    * gnu/packages/patches/libxml2-CVE-2015-1819.patch,
      gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch,
      gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch,
      gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch,
      gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch,
      gnu/packages/patches/libxml2-CVE-2015-8035.patch,
      gnu/packages/patches/libxml2-bug-737840.patch,
      gnu/packages/patches/libxml2-bug-738805.patch,
      gnu/packages/patches/libxml2-bug-746048.patch,
      gnu/packages/patches/libxml2-bug-747437.patch,
      gnu/packages/patches/libxml2-bug-751603.patch,
      gnu/packages/patches/libxml2-bug-751631.patch,
      gnu/packages/patches/libxml2-bug-754946.patch,
      gnu/packages/patches/libxml2-bug-754947.patch,
      gnu/packages/patches/libxml2-bug-755857.patch,
      gnu/packages/patches/libxml2-fix-catalog-corruption.patch,
      gnu/packages/patches/libxml2-id-attrs-in-xmlSetTreeDoc.patch,
      gnu/packages/patches/libxml2-node-sort-order-pt1.patch,
      gnu/packages/patches/libxml2-node-sort-order-pt2.patch: New files.
    * gnu-system.am (dist_patch_DATA): Add them.
    * gnu/packages/xml.scm (libxml2)[source]: Add patches.
---
 gnu-system.am                                      |   19 ++
 gnu/packages/patches/libxml2-CVE-2015-1819.patch   |  176 ++++++++++++++++++++
 .../patches/libxml2-CVE-2015-7941-pt1.patch        |   32 ++++
 .../patches/libxml2-CVE-2015-7941-pt2.patch        |   49 ++++++
 .../patches/libxml2-CVE-2015-7942-pt1.patch        |   32 ++++
 .../patches/libxml2-CVE-2015-7942-pt2.patch        |   28 +++
 gnu/packages/patches/libxml2-CVE-2015-8035.patch   |   31 ++++
 gnu/packages/patches/libxml2-bug-737840.patch      |   88 ++++++++++
 gnu/packages/patches/libxml2-bug-738805.patch      |   31 ++++
 gnu/packages/patches/libxml2-bug-746048.patch      |   65 +++++++
 gnu/packages/patches/libxml2-bug-747437.patch      |   46 +++++
 gnu/packages/patches/libxml2-bug-751603.patch      |   38 +++++
 gnu/packages/patches/libxml2-bug-751631.patch      |   35 ++++
 gnu/packages/patches/libxml2-bug-754946.patch      |  132 +++++++++++++++
 gnu/packages/patches/libxml2-bug-754947.patch      |  103 ++++++++++++
 gnu/packages/patches/libxml2-bug-755857.patch      |   43 +++++
 .../patches/libxml2-fix-catalog-corruption.patch   |   29 ++++
 .../libxml2-id-attrs-in-xmlSetTreeDoc.patch        |   36 ++++
 .../patches/libxml2-node-sort-order-pt1.patch      |   33 ++++
 .../patches/libxml2-node-sort-order-pt2.patch      |   37 ++++
 gnu/packages/xml.scm                               |   23 +++-
 21 files changed, 1105 insertions(+), 1 deletions(-)

diff --git a/gnu-system.am b/gnu-system.am
index c80f086..0366ece 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -568,6 +568,25 @@ dist_patch_DATA =                                          
\
   gnu/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch        \
   gnu/packages/patches/libwmf-CVE-2015-4695.patch              \
   gnu/packages/patches/libwmf-CVE-2015-4696.patch              \
+  gnu/packages/patches/libxml2-CVE-2015-1819.patch             \
+  gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch         \
+  gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch         \
+  gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch         \
+  gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch         \
+  gnu/packages/patches/libxml2-CVE-2015-8035.patch             \
+  gnu/packages/patches/libxml2-bug-737840.patch                        \
+  gnu/packages/patches/libxml2-bug-738805.patch                        \
+  gnu/packages/patches/libxml2-bug-746048.patch                        \
+  gnu/packages/patches/libxml2-bug-747437.patch                        \
+  gnu/packages/patches/libxml2-bug-751603.patch                        \
+  gnu/packages/patches/libxml2-bug-751631.patch                        \
+  gnu/packages/patches/libxml2-bug-754946.patch                        \
+  gnu/packages/patches/libxml2-bug-754947.patch                        \
+  gnu/packages/patches/libxml2-bug-755857.patch                        \
+  gnu/packages/patches/libxml2-fix-catalog-corruption.patch    \
+  gnu/packages/patches/libxml2-id-attrs-in-xmlSetTreeDoc.patch \
+  gnu/packages/patches/libxml2-node-sort-order-pt1.patch       \
+  gnu/packages/patches/libxml2-node-sort-order-pt2.patch       \
   gnu/packages/patches/lirc-localstatedir.patch                        \
   gnu/packages/patches/libpthread-glibc-preparation.patch      \
   gnu/packages/patches/lm-sensors-hwmon-attrs.patch            \
diff --git a/gnu/packages/patches/libxml2-CVE-2015-1819.patch 
b/gnu/packages/patches/libxml2-CVE-2015-1819.patch
new file mode 100644
index 0000000..58461c7
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2015-1819.patch
@@ -0,0 +1,176 @@
+From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <address@hidden>
+Date: Tue, 14 Apr 2015 17:41:48 +0800
+Subject: [PATCH] CVE-2015-1819 Enforce the reader to run in constant memory
+
+One of the operation on the reader could resolve entities
+leading to the classic expansion issue. Make sure the
+buffer used for xmlreader operation is bounded.
+Introduce a new allocation type for the buffers for this effect.
+---
+ buf.c                 | 43 ++++++++++++++++++++++++++++++++++++++++++-
+ include/libxml/tree.h |  3 ++-
+ xmlreader.c           | 20 +++++++++++++++++++-
+ 3 files changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/buf.c b/buf.c
+index 6efc7b6..07922ff 100644
+--- a/buf.c
++++ b/buf.c
+@@ -27,6 +27,7 @@
+ #include <libxml/tree.h>
+ #include <libxml/globals.h>
+ #include <libxml/tree.h>
++#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
+ #include "buf.h"
+ 
+ #define WITH_BUFFER_COMPAT
+@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
+     if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
+         (scheme == XML_BUFFER_ALLOC_EXACT) ||
+         (scheme == XML_BUFFER_ALLOC_HYBRID) ||
+-        (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
++        (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
++      (scheme == XML_BUFFER_ALLOC_BOUNDED)) {
+       buf->alloc = scheme;
+         if (buf->buffer)
+             buf->buffer->alloc = scheme;
+@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
+     size = buf->use + len + 100;
+ #endif
+ 
++    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++        /*
++       * Used to provide parsing limits
++       */
++        if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
++          (buf->size >= XML_MAX_TEXT_LENGTH)) {
++          xmlBufMemoryError(buf, "buffer error: text too long\n");
++          return(0);
++      }
++      if (size >= XML_MAX_TEXT_LENGTH)
++          size = XML_MAX_TEXT_LENGTH;
++    }
+     if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
+         size_t start_buf = buf->content - buf->contentIO;
+ 
+@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+     CHECK_COMPAT(buf)
+ 
+     if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
++    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++        /*
++       * Used to provide parsing limits
++       */
++        if (size >= XML_MAX_TEXT_LENGTH) {
++          xmlBufMemoryError(buf, "buffer error: text too long\n");
++          return(0);
++      }
++    }
+ 
+     /* Don't resize if we don't have to */
+     if (size < buf->size)
+@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
+ 
+     needSize = buf->use + len + 2;
+     if (needSize > buf->size){
++      if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++          /*
++           * Used to provide parsing limits
++           */
++          if (needSize >= XML_MAX_TEXT_LENGTH) {
++              xmlBufMemoryError(buf, "buffer error: text too long\n");
++              return(-1);
++          }
++      }
+         if (!xmlBufResize(buf, needSize)){
+           xmlBufMemoryError(buf, "growing buffer");
+             return XML_ERR_NO_MEMORY;
+@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) 
{
+     }
+     needSize = buf->use + len + 2;
+     if (needSize > buf->size){
++      if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++          /*
++           * Used to provide parsing limits
++           */
++          if (needSize >= XML_MAX_TEXT_LENGTH) {
++              xmlBufMemoryError(buf, "buffer error: text too long\n");
++              return(-1);
++          }
++      }
+         if (!xmlBufResize(buf, needSize)){
+           xmlBufMemoryError(buf, "growing buffer");
+             return XML_ERR_NO_MEMORY;
+diff --git a/include/libxml/tree.h b/include/libxml/tree.h
+index 2f90717..4a9b3bc 100644
+--- a/include/libxml/tree.h
++++ b/include/libxml/tree.h
+@@ -76,7 +76,8 @@ typedef enum {
+     XML_BUFFER_ALLOC_EXACT,   /* grow only to the minimal size */
+     XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
+     XML_BUFFER_ALLOC_IO,      /* special allocation scheme used for I/O */
+-    XML_BUFFER_ALLOC_HYBRID   /* exact up to a threshold, and doubleit 
thereafter */
++    XML_BUFFER_ALLOC_HYBRID,  /* exact up to a threshold, and doubleit 
thereafter */
++    XML_BUFFER_ALLOC_BOUNDED  /* limit the upper size of the buffer */
+ } xmlBufferAllocationScheme;
+ 
+ /**
+diff --git a/xmlreader.c b/xmlreader.c
+index f19e123..471e7e2 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const 
char *URI) {
+               "xmlNewTextReader : malloc failed\n");
+       return(NULL);
+     }
++    /* no operation on a reader should require a huge buffer */
++    xmlBufSetAllocationScheme(ret->buffer,
++                            XML_BUFFER_ALLOC_BOUNDED);
+     ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+     if (ret->sax == NULL) {
+       xmlBufFree(ret->buffer);
+@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+           return(((xmlNsPtr) node)->href);
+         case XML_ATTRIBUTE_NODE:{
+           xmlAttrPtr attr = (xmlAttrPtr) node;
++          const xmlChar *ret;
+ 
+           if ((attr->children != NULL) &&
+               (attr->children->type == XML_TEXT_NODE) &&
+@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+                                         "xmlTextReaderSetup : malloc 
failed\n");
+                         return (NULL);
+                     }
++                  xmlBufSetAllocationScheme(reader->buffer,
++                                            XML_BUFFER_ALLOC_BOUNDED);
+                 } else
+                     xmlBufEmpty(reader->buffer);
+               xmlBufGetNodeContent(reader->buffer, node);
+-              return(xmlBufContent(reader->buffer));
++              ret = xmlBufContent(reader->buffer);
++              if (ret == NULL) {
++                  /* error on the buffer best to reallocate */
++                  xmlBufFree(reader->buffer);
++                  reader->buffer = xmlBufCreateSize(100);
++                  xmlBufSetAllocationScheme(reader->buffer,
++                                            XML_BUFFER_ALLOC_BOUNDED);
++                  ret = BAD_CAST "";
++              }
++              return(ret);
+           }
+           break;
+       }
+@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
+                         "xmlTextReaderSetup : malloc failed\n");
+         return (-1);
+     }
++    /* no operation on a reader should require a huge buffer */
++    xmlBufSetAllocationScheme(reader->buffer,
++                            XML_BUFFER_ALLOC_BOUNDED);
+     if (reader->sax == NULL)
+       reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+     if (reader->sax == NULL) {
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch 
b/gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch
new file mode 100644
index 0000000..4ca4903
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch
@@ -0,0 +1,32 @@
+From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <address@hidden>
+Date: Mon, 23 Feb 2015 11:17:35 +0800
+Subject: [PATCH] Stop parsing on entities boundaries errors
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+There are times, like on unterminated entities that it's preferable to
+stop parsing, even if that means less error reporting. Entities are
+feeding the parser on further processing, and if they are ill defined
+then it's possible to get the parser to bug. Also do the same on
+Conditional Sections if the input is broken, as the structure of
+the document can't be guessed.
+---
+ parser.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/parser.c b/parser.c
+index a8d1b67..bbe97eb 100644
+--- a/parser.c
++++ b/parser.c
+@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+       if (RAW != '>') {
+           xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
+                   "xmlParseEntityDecl: entity %s not terminated\n", name);
++          xmlStopParser(ctxt);
+       } else {
+           if (input != ctxt->input) {
+               xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch 
b/gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch
new file mode 100644
index 0000000..30563a4
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch
@@ -0,0 +1,49 @@
+From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <address@hidden>
+Date: Mon, 23 Feb 2015 11:29:20 +0800
+Subject: [PATCH] Cleanup conditional section error handling
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+The error handling of Conditional Section also need to be
+straightened as the structure of the document can't be
+guessed on a failure there and it's better to stop parsing
+as further errors are likely to be irrelevant.
+---
+ parser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index bbe97eb..fe603ac 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+       SKIP_BLANKS;
+       if (RAW != '[') {
+           xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++          xmlStopParser(ctxt);
++          return;
+       } else {
+           if (ctxt->input->id != id) {
+               xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+       SKIP_BLANKS;
+       if (RAW != '[') {
+           xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++          xmlStopParser(ctxt);
++          return;
+       } else {
+           if (ctxt->input->id != id) {
+               xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 
+     } else {
+       xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
++      xmlStopParser(ctxt);
++      return;
+     }
+ 
+     if (RAW == 0)
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch 
b/gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch
new file mode 100644
index 0000000..bd9077d
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch
@@ -0,0 +1,32 @@
+From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <address@hidden>
+Date: Fri, 23 Oct 2015 19:02:28 +0800
+Subject: [PATCH] Another variation of overflow in Conditional sections
+
+Which happen after the previous fix to
+https://bugzilla.gnome.org/show_bug.cgi?id=756456
+
+But stopping the parser and exiting we didn't pop the intermediary entities
+and doing the SKIP there applies on an input which may be too small
+---
+ parser.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index a65e4cc..b9217ff 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+       "All markup of the conditional section is not in the same entity\n",
+                                NULL, NULL);
+       }
+-        SKIP(3);
++      if ((ctxt-> instate != XML_PARSER_EOF) &&
++          ((ctxt->input->cur + 3) < ctxt->input->end))
++          SKIP(3);
+     }
+ }
+ 
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch 
b/gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch
new file mode 100644
index 0000000..115d369
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch
@@ -0,0 +1,28 @@
+From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <address@hidden>
+Date: Tue, 27 Oct 2015 10:53:44 +0800
+Subject: [PATCH] Fix an error in previous Conditional section patch
+
+an off by one mistake in the change, led to error on correct
+document where the end of the included entity was exactly
+the end of the conditional section, leading to regtest failure
+---
+ parser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index b9217ff..d67b300 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+                                NULL, NULL);
+       }
+       if ((ctxt-> instate != XML_PARSER_EOF) &&
+-          ((ctxt->input->cur + 3) < ctxt->input->end))
++          ((ctxt->input->cur + 3) <= ctxt->input->end))
+           SKIP(3);
+     }
+ }
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxml2-CVE-2015-8035.patch 
b/gnu/packages/patches/libxml2-CVE-2015-8035.patch
new file mode 100644
index 0000000..d29c962
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2015-8035.patch
@@ -0,0 +1,31 @@
+From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <address@hidden>
+Date: Tue, 3 Nov 2015 15:31:25 +0800
+Subject: [PATCH] CVE-2015-8035 Fix XZ compression support loop
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=757466
+DoS when parsing specially crafted XML document if XZ support
+is compiled in (which wasn't the case for 2.9.2 and master since
+Nov 2013, fixed in next commit !)
+---
+ xzlib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index 0dcb9f4..1fab546 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
+             xz_error(state, LZMA_DATA_ERROR, "compressed data error");
+             return -1;
+         }
++        if (ret == LZMA_PROG_ERROR) {
++            xz_error(state, LZMA_PROG_ERROR, "compression error");
++            return -1;
++        }
+     } while (strm->avail_out && ret != LZMA_STREAM_END);
+ 
+     /* update available output and crc check value */
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxml2-bug-737840.patch 
b/gnu/packages/patches/libxml2-bug-737840.patch
new file mode 100644
index 0000000..2a2d62c
--- /dev/null
+++ b/gnu/packages/patches/libxml2-bug-737840.patch
@@ -0,0 +1,88 @@
+From ef709ce2f7b792d5fb69ed142796d743fb1eb388 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <address@hidden>
+Date: Thu, 10 Sep 2015 19:41:41 +0800
+Subject: [PATCH] Fix the spurious ID already defined error
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=737840
+the fix for 724903 introduced a regression on external entities carrying
+IDs, revert that patch in part and add a specific test to avoid readding it
+---
+ result/valid/737840.xml         | 10 ++++++++++
+ result/valid/737840.xml.err     |  0
+ result/valid/737840.xml.err.rdr |  0
+ test/valid/737840.xml           | 10 ++++++++++
+ test/valid/dtds/737840.ent      |  1 +
+ valid.c                         |  6 ++++--
+ 6 files changed, 25 insertions(+), 2 deletions(-)
+ create mode 100644 result/valid/737840.xml
+ create mode 100644 result/valid/737840.xml.err
+ create mode 100644 result/valid/737840.xml.err.rdr
+ create mode 100644 test/valid/737840.xml
+ create mode 100644 test/valid/dtds/737840.ent
+
+diff --git a/result/valid/737840.xml b/result/valid/737840.xml
+new file mode 100644
+index 0000000..433c6d6
+--- /dev/null
++++ b/result/valid/737840.xml
+@@ -0,0 +1,10 @@
++<?xml version="1.0"?>
++<!DOCTYPE root [
++<!ELEMENT root (elem)>
++<!ELEMENT elem (#PCDATA)>
++<!ATTLIST elem id ID #IMPLIED>
++<!ENTITY target SYSTEM "dtds/737840.ent">
++]>
++<root>
++  &target;
++</root>
+diff --git a/result/valid/737840.xml.err b/result/valid/737840.xml.err
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/valid/737840.xml.err.rdr b/result/valid/737840.xml.err.rdr
+new file mode 100644
+index 0000000..e69de29
+diff --git a/test/valid/737840.xml b/test/valid/737840.xml
+new file mode 100644
+index 0000000..2d27b73
+--- /dev/null
++++ b/test/valid/737840.xml
+@@ -0,0 +1,10 @@
++<!DOCTYPE root [
++<!ELEMENT root (elem)>
++<!ELEMENT elem (#PCDATA)>
++<!ATTLIST elem id ID #IMPLIED>
++<!ENTITY target SYSTEM "dtds/737840.ent">
++]>
++
++<root>
++  &target;
++</root>
+diff --git a/test/valid/dtds/737840.ent b/test/valid/dtds/737840.ent
+new file mode 100644
+index 0000000..e972132
+--- /dev/null
++++ b/test/valid/dtds/737840.ent
+@@ -0,0 +1 @@
++<elem id="id0"/>
+\ No newline at end of file
+diff --git a/valid.c b/valid.c
+index 409aa81..45a3f70 100644
+--- a/valid.c
++++ b/valid.c
+@@ -2634,8 +2634,10 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const 
xmlChar *value,
+       /*
+        * The id is already defined in this DTD.
+        */
+-      xmlErrValidNode(ctxt, attr->parent, XML_DTD_ID_REDEFINED,
+-                      "ID %s already defined\n", value, NULL, NULL);
++      if (ctxt != NULL) {
++          xmlErrValidNode(ctxt, attr->parent, XML_DTD_ID_REDEFINED,
++                          "ID %s already defined\n", value, NULL, NULL);
++      }
+ #endif /* LIBXML_VALID_ENABLED */
+       xmlFreeID(ret);
+       return(NULL);
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxml2-bug-738805.patch 
b/gnu/packages/patches/libxml2-bug-738805.patch
new file mode 100644
index 0000000..16163bb
--- /dev/null
+++ b/gnu/packages/patches/libxml2-bug-738805.patch
@@ -0,0 +1,31 @@
+From 72a46a519ce7326d9a00f0b6a7f2a8e958cd1675 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <address@hidden>
+Date: Thu, 23 Oct 2014 11:35:36 +0800
+Subject: [PATCH] Fix missing entities after CVE-2014-3660 fix
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=738805
+
+The fix for CVE-2014-3660 introduced a regression in some case
+where entity substitution is required and the entity is used
+first in anotther entity referenced from an attribute value
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 67c9dfd..a8d1b67 100644
+--- a/parser.c
++++ b/parser.c
+@@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+      * far more secure as the parser will only process data coming from
+      * the document entity by default.
+      */
+-    if ((ent->checked == 0) &&
++    if (((ent->checked == 0) ||
++         ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&
+         ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
+          (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
+       unsigned long oldnbent = ctxt->nbentities;
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxml2-bug-746048.patch 
b/gnu/packages/patches/libxml2-bug-746048.patch
new file mode 100644
index 0000000..450b8d3
--- /dev/null
+++ b/gnu/packages/patches/libxml2-bug-746048.patch
@@ -0,0 +1,65 @@
+From e724879d964d774df9b7969fc846605aa1bac54c Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <address@hidden>
+Date: Fri, 30 Oct 2015 21:14:55 +0800
+Subject: [PATCH] Fix parsing short unclosed comment uninitialized access
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=746048
+The HTML parser was too optimistic when processing comments and
+didn't check for the end of the stream on the first 2 characters
+---
+ HTMLparser.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 19c10c3..bdf7807 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -3264,12 +3264,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
+       ctxt->instate = state;
+       return;
+     }
++    len = 0;
++    buf[len] = 0;
+     q = CUR_CHAR(ql);
++    if (!IS_CHAR(q))
++        goto unfinished;
+     NEXTL(ql);
+     r = CUR_CHAR(rl);
++    if (!IS_CHAR(r))
++        goto unfinished;
+     NEXTL(rl);
+     cur = CUR_CHAR(l);
+-    len = 0;
+     while (IS_CHAR(cur) &&
+            ((cur != '>') ||
+           (r != '-') || (q != '-'))) {
+@@ -3300,18 +3305,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
+       }
+     }
+     buf[len] = 0;
+-    if (!IS_CHAR(cur)) {
+-      htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+-                   "Comment not terminated \n<!--%.50s\n", buf, NULL);
+-      xmlFree(buf);
+-    } else {
++    if (IS_CHAR(cur)) {
+         NEXT;
+       if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) &&
+           (!ctxt->disableSAX))
+           ctxt->sax->comment(ctxt->userData, buf);
+       xmlFree(buf);
++      ctxt->instate = state;
++      return;
+     }
+-    ctxt->instate = state;
++
++unfinished:
++    htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
++               "Comment not terminated \n<!--%.50s\n", buf, NULL);
++    xmlFree(buf);
+ }
+ 
+ /**
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxml2-bug-747437.patch 
b/gnu/packages/patches/libxml2-bug-747437.patch
new file mode 100644
index 0000000..ea2ef0f
--- /dev/null
+++ b/gnu/packages/patches/libxml2-bug-747437.patch
@@ -0,0 +1,46 @@
+From 8985cde70901c62d3f0f04da225e73b7344a52d7 Mon Sep 17 00:00:00 2001
+From: Martin von Gagern <address@hidden>
+Date: Mon, 13 Apr 2015 16:32:14 +0800
+Subject: [PATCH] xmlMemUsed is not thread-safe
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=747437
+just use the mutex to protect access to those variables
+---
+ xmlmemory.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/xmlmemory.c b/xmlmemory.c
+index a3dc737..f24fd6d 100644
+--- a/xmlmemory.c
++++ b/xmlmemory.c
+@@ -554,7 +554,12 @@ xmlMemoryStrdup(const char *str) {
+ 
+ int
+ xmlMemUsed(void) {
+-     return(debugMemSize);
++    int res;
++
++    xmlMutexLock(xmlMemMutex);
++    res = debugMemSize;
++    xmlMutexUnlock(xmlMemMutex);
++    return(res);
+ }
+ 
+ /**
+@@ -567,7 +572,12 @@ xmlMemUsed(void) {
+ 
+ int
+ xmlMemBlocks(void) {
+-     return(debugMemBlocks);
++    int res;
++
++    xmlMutexLock(xmlMemMutex);
++    res = debugMemBlocks;
++    xmlMutexUnlock(xmlMemMutex);
++    return(res);
+ }
+ 
+ #ifdef MEM_LIST
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxml2-bug-751603.patch 
b/gnu/packages/patches/libxml2-bug-751603.patch
new file mode 100644
index 0000000..f27767f
--- /dev/null
+++ b/gnu/packages/patches/libxml2-bug-751603.patch
@@ -0,0 +1,38 @@
+From 9aa37588ee78a06ca1379a9d9356eab16686099c Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <address@hidden>
+Date: Mon, 29 Jun 2015 09:08:25 +0800
+Subject: [PATCH] Do not process encoding values if the declaration if broken
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=751603
+
+If the string is not properly terminated do not try to convert
+to the given encoding.
+---
+ parser.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index fe603ac..a3a9568 100644
+--- a/parser.c
++++ b/parser.c
+@@ -10404,6 +10404,8 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
+           encoding = xmlParseEncName(ctxt);
+           if (RAW != '"') {
+               xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL);
++              xmlFree((xmlChar *) encoding);
++              return(NULL);
+           } else
+               NEXT;
+       } else if (RAW == '\''){
+@@ -10411,6 +10413,8 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
+           encoding = xmlParseEncName(ctxt);
+           if (RAW != '\'') {
+               xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL);
++              xmlFree((xmlChar *) encoding);
++              return(NULL);
+           } else
+               NEXT;
+       } else {
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxml2-bug-751631.patch 
b/gnu/packages/patches/libxml2-bug-751631.patch
new file mode 100644
index 0000000..33344e3
--- /dev/null
+++ b/gnu/packages/patches/libxml2-bug-751631.patch
@@ -0,0 +1,35 @@
+From 709a952110e98621c9b78c4f26462a9d8333102e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <address@hidden>
+Date: Mon, 29 Jun 2015 16:10:26 +0800
+Subject: [PATCH] Fail parsing early on if encoding conversion failed
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=751631
+
+If we fail conversing the current input stream while
+processing the encoding declaration of the XMLDecl
+then it's safer to just abort there and not try to
+report further errors.
+---
+ parser.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index a3a9568..0edd53b 100644
+--- a/parser.c
++++ b/parser.c
+@@ -10471,7 +10471,11 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
+ 
+             handler = xmlFindCharEncodingHandler((const char *) encoding);
+           if (handler != NULL) {
+-              xmlSwitchToEncoding(ctxt, handler);
++              if (xmlSwitchToEncoding(ctxt, handler) < 0) {
++                  /* failed to convert */
++                  ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING;
++                  return(NULL);
++              }
+           } else {
+               xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING,
+                       "Unsupported encoding %s\n", encoding);
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxml2-bug-754946.patch 
b/gnu/packages/patches/libxml2-bug-754946.patch
new file mode 100644
index 0000000..3b9223e
--- /dev/null
+++ b/gnu/packages/patches/libxml2-bug-754946.patch
@@ -0,0 +1,132 @@
+From 51f02b0a03ea1fa6c65b3f9fd88cf60fb5803783 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <address@hidden>
+Date: Tue, 15 Sep 2015 16:50:32 +0800
+Subject: [PATCH] Fix a bug on name parsing at the end of current input buffer
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=754946
+
+When hitting the end of the current input buffer while parsing
+a name we could end up loosing the beginning of the name, which
+led to various issues.
+---
+ parser.c                     | 29 ++++++++++++++++++++---------
+ result/errors/754946.xml     |  0
+ result/errors/754946.xml.err | 16 ++++++++++++++++
+ result/errors/754946.xml.str |  4 ++++
+ test/errors/754946.xml       |  1 +
+ 5 files changed, 41 insertions(+), 9 deletions(-)
+ create mode 100644 result/errors/754946.xml
+ create mode 100644 result/errors/754946.xml.err
+ create mode 100644 result/errors/754946.xml.str
+ create mode 100644 test/errors/754946.xml
+
+diff --git a/parser.c b/parser.c
+index 0edd53b..fd29a39 100644
+--- a/parser.c
++++ b/parser.c
+@@ -3491,7 +3491,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+       c = CUR_CHAR(l);
+       if (c == 0) {
+           count = 0;
++          /*
++           * when shrinking to extend the buffer we really need to preserve
++           * the part of the name we already parsed. Hence rolling back
++           * by current lenght.
++           */
++          ctxt->input->cur -= l;
+           GROW;
++          ctxt->input->cur += l;
+             if (ctxt->instate == XML_PARSER_EOF)
+                 return(NULL);
+           end = ctxt->input->cur;
+@@ -3523,7 +3530,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ 
+ static const xmlChar *
+ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+-    const xmlChar *in;
++    const xmlChar *in, *e;
+     const xmlChar *ret;
+     int count = 0;
+ 
+@@ -3535,16 +3542,19 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+      * Accelerator for simple ASCII names
+      */
+     in = ctxt->input->cur;
+-    if (((*in >= 0x61) && (*in <= 0x7A)) ||
+-      ((*in >= 0x41) && (*in <= 0x5A)) ||
+-      (*in == '_')) {
++    e = ctxt->input->end;
++    if ((((*in >= 0x61) && (*in <= 0x7A)) ||
++       ((*in >= 0x41) && (*in <= 0x5A)) ||
++       (*in == '_')) && (in < e)) {
+       in++;
+-      while (((*in >= 0x61) && (*in <= 0x7A)) ||
+-             ((*in >= 0x41) && (*in <= 0x5A)) ||
+-             ((*in >= 0x30) && (*in <= 0x39)) ||
+-             (*in == '_') || (*in == '-') ||
+-             (*in == '.'))
++      while ((((*in >= 0x61) && (*in <= 0x7A)) ||
++              ((*in >= 0x41) && (*in <= 0x5A)) ||
++              ((*in >= 0x30) && (*in <= 0x39)) ||
++              (*in == '_') || (*in == '-') ||
++              (*in == '.')) && (in < e))
+           in++;
++      if (in >= e)
++          goto complex;
+       if ((*in > 0) && (*in < 0x80)) {
+           count = in - ctxt->input->cur;
+             if ((count > XML_MAX_NAME_LENGTH) &&
+@@ -3562,6 +3572,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+           return(ret);
+       }
+     }
++complex:
+     return(xmlParseNCNameComplex(ctxt));
+ }
+ 
+diff --git a/result/errors/754946.xml b/result/errors/754946.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
+new file mode 100644
+index 0000000..423dff5
+--- /dev/null
++++ b/result/errors/754946.xml.err
+@@ -0,0 +1,16 @@
++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error 
detected in Markup declaration
++
++ %SYSTEM; 
++         ^
++Entity: line 1: 
++A<lbbbbbbbbbbbbbbbbbbb_
++^
++Entity: line 1: parser error : DOCTYPE improperly terminated
++ %SYSTEM; 
++         ^
++Entity: line 1: 
++A<lbbbbbbbbbbbbbbbbbbb_
++^
++./test/errors/754946.xml:1: parser error : Extra content at the end of the 
document
++<!DOCTYPEA[<!ENTITY %
++  ^
+diff --git a/result/errors/754946.xml.str b/result/errors/754946.xml.str
+new file mode 100644
+index 0000000..3b748cc
+--- /dev/null
++++ b/result/errors/754946.xml.str
+@@ -0,0 +1,4 @@
++./test/errors/754946.xml:1: parser error : Extra content at the end of the 
document
++<!DOCTYPEA[<!ENTITY %
++          ^
++./test/errors/754946.xml : failed to parse
+diff --git a/test/errors/754946.xml b/test/errors/754946.xml
+new file mode 100644
+index 0000000..6b5f9b0
+--- /dev/null
++++ b/test/errors/754946.xml
+@@ -0,0 +1 @@
++<!DOCTYPEA[<!ENTITY %

SYSTEM "A<lbbbbbbbbbbbbbbbbbbb_"
>%SYSTEM;<![
+\ No newline at end of file
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxml2-bug-754947.patch 
b/gnu/packages/patches/libxml2-bug-754947.patch
new file mode 100644
index 0000000..5edbc5f
--- /dev/null
+++ b/gnu/packages/patches/libxml2-bug-754947.patch
@@ -0,0 +1,103 @@
+From 4a5d80aded1da94cd55294e7207109712201b75b Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <address@hidden>
+Date: Fri, 18 Sep 2015 15:06:46 +0800
+Subject: [PATCH] Fix a bug in CData error handling in the push parser
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=754947
+
+The checking function was returning incorrect args in some cases
+Adds the test to teh reg suite and fix one of the existing test output
+---
+ parser.c                     | 6 +++---
+ result/errors/754947.xml     | 0
+ result/errors/754947.xml.err | 7 +++++++
+ result/errors/754947.xml.str | 5 +++++
+ result/errors/cdata.xml.str  | 4 ++--
+ test/errors/754947.xml       | 1 +
+ 6 files changed, 18 insertions(+), 5 deletions(-)
+ create mode 100644 result/errors/754947.xml
+ create mode 100644 result/errors/754947.xml.err
+ create mode 100644 result/errors/754947.xml.str
+ create mode 100644 test/errors/754947.xml
+
+diff --git a/parser.c b/parser.c
+index fd29a39..f1724a9 100644
+--- a/parser.c
++++ b/parser.c
+@@ -11192,7 +11192,7 @@ xmlCheckCdataPush(const xmlChar *utf, int len) {
+           else
+               return(-ix);
+       } else if ((c & 0xe0) == 0xc0) {/* 2-byte code, starts with 110 */
+-          if (ix + 2 > len) return(ix);
++          if (ix + 2 > len) return(-ix);
+           if ((utf[ix+1] & 0xc0 ) != 0x80)
+               return(-ix);
+           codepoint = (utf[ix] & 0x1f) << 6;
+@@ -11201,7 +11201,7 @@ xmlCheckCdataPush(const xmlChar *utf, int len) {
+               return(-ix);
+           ix += 2;
+       } else if ((c & 0xf0) == 0xe0) {/* 3-byte code, starts with 1110 */
+-          if (ix + 3 > len) return(ix);
++          if (ix + 3 > len) return(-ix);
+           if (((utf[ix+1] & 0xc0) != 0x80) ||
+               ((utf[ix+2] & 0xc0) != 0x80))
+                   return(-ix);
+@@ -11212,7 +11212,7 @@ xmlCheckCdataPush(const xmlChar *utf, int len) {
+               return(-ix);
+           ix += 3;
+       } else if ((c & 0xf8) == 0xf0) {/* 4-byte code, starts with 11110 */
+-          if (ix + 4 > len) return(ix);
++          if (ix + 4 > len) return(-ix);
+           if (((utf[ix+1] & 0xc0) != 0x80) ||
+               ((utf[ix+2] & 0xc0) != 0x80) ||
+               ((utf[ix+3] & 0xc0) != 0x80))
+diff --git a/result/errors/754947.xml b/result/errors/754947.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors/754947.xml.err b/result/errors/754947.xml.err
+new file mode 100644
+index 0000000..f45cb5a
+--- /dev/null
++++ b/result/errors/754947.xml.err
+@@ -0,0 +1,7 @@
++./test/errors/754947.xml:1: parser error : Input is not proper UTF-8, 
indicate encoding !
++Bytes: 0xEE 0x5D 0x5D 0x3E
++<d><![CDATA[0000000000000�]]>
++                         ^
++./test/errors/754947.xml:1: parser error : Premature end of data in tag d 
line 1
++<d><![CDATA[0000000000000�]]>
++                             ^
+diff --git a/result/errors/754947.xml.str b/result/errors/754947.xml.str
+new file mode 100644
+index 0000000..4d2f52e
+--- /dev/null
++++ b/result/errors/754947.xml.str
+@@ -0,0 +1,5 @@
++./test/errors/754947.xml:1: parser error : Input is not proper UTF-8, 
indicate encoding !
++Bytes: 0xEE 0x5D 0x5D 0x3E
++<d><![CDATA[0000000000000�]]>
++                         ^
++./test/errors/754947.xml : failed to parse
+diff --git a/result/errors/cdata.xml.str b/result/errors/cdata.xml.str
+index e043441..cf83d2b 100644
+--- a/result/errors/cdata.xml.str
++++ b/result/errors/cdata.xml.str
+@@ -1,5 +1,5 @@
+ ./test/errors/cdata.xml:2: parser error : Input is not proper UTF-8, indicate 
encoding !
+-Bytes: 0x5B 0x43 0xE1 0x72
++Bytes: 0xE1 0x72 0x5D 0x5D
+ <A><![CDATA[C�r]]></A>
+-           ^
++             ^
+ ./test/errors/cdata.xml : failed to parse
+diff --git a/test/errors/754947.xml b/test/errors/754947.xml
+new file mode 100644
+index 0000000..bd9997e
+--- /dev/null
++++ b/test/errors/754947.xml
+@@ -0,0 +1 @@
++<d><![CDATA[0000000000000�]]>
+\ No newline at end of file
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxml2-bug-755857.patch 
b/gnu/packages/patches/libxml2-bug-755857.patch
new file mode 100644
index 0000000..3f1efd3
--- /dev/null
+++ b/gnu/packages/patches/libxml2-bug-755857.patch
@@ -0,0 +1,43 @@
+From cf77e60515045bdd66f2c59c69a06e603b470eae Mon Sep 17 00:00:00 2001
+From: Gaurav Gupta <address@hidden>
+Date: Wed, 30 Sep 2015 14:46:29 +0200
+Subject: [PATCH] Add missing Null check in xmlParseExternalEntityPrivate
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=755857
+
+a case where we check for NULL but not everywhere
+---
+ parser.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index f1724a9..a65e4cc 100644
+--- a/parser.c
++++ b/parser.c
+@@ -13367,7 +13367,7 @@ xmlParseExternalEntityPrivate(xmlDocPtr doc, 
xmlParserCtxtPtr oldctxt,
+     /*
+      * Also record the size of the entity parsed
+      */
+-    if (ctxt->input != NULL) {
++    if (ctxt->input != NULL && oldctxt != NULL) {
+       oldctxt->sizeentities += ctxt->input->consumed;
+       oldctxt->sizeentities += (ctxt->input->cur - ctxt->input->base);
+     }
+@@ -13379,9 +13379,11 @@ xmlParseExternalEntityPrivate(xmlDocPtr doc, 
xmlParserCtxtPtr oldctxt,
+ 
+     if (sax != NULL)
+       ctxt->sax = oldsax;
+-    oldctxt->node_seq.maximum = ctxt->node_seq.maximum;
+-    oldctxt->node_seq.length = ctxt->node_seq.length;
+-    oldctxt->node_seq.buffer = ctxt->node_seq.buffer;
++    if (oldctxt != NULL) {
++        oldctxt->node_seq.maximum = ctxt->node_seq.maximum;
++        oldctxt->node_seq.length = ctxt->node_seq.length;
++        oldctxt->node_seq.buffer = ctxt->node_seq.buffer;
++    }
+     ctxt->node_seq.maximum = 0;
+     ctxt->node_seq.length = 0;
+     ctxt->node_seq.buffer = NULL;
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxml2-fix-catalog-corruption.patch 
b/gnu/packages/patches/libxml2-fix-catalog-corruption.patch
new file mode 100644
index 0000000..b75ee30
--- /dev/null
+++ b/gnu/packages/patches/libxml2-fix-catalog-corruption.patch
@@ -0,0 +1,29 @@
+From f65128f38289d77ff322d63aef2858cc0a819c34 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <address@hidden>
+Date: Fri, 17 Oct 2014 17:13:41 +0800
+Subject: [PATCH] Revert "Missing initialization for the catalog module"
+
+This reverts commit 054c716ea1bf001544127a4ab4f4346d1b9947e7.
+As this break xmlcatalog command
+https://bugzilla.redhat.com/show_bug.cgi?id=1153753
+---
+ parser.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 1d93967..67c9dfd 100644
+--- a/parser.c
++++ b/parser.c
+@@ -14830,9 +14830,6 @@ xmlInitParser(void) {
+ #ifdef LIBXML_XPATH_ENABLED
+       xmlXPathInit();
+ #endif
+-#ifdef LIBXML_CATALOG_ENABLED
+-        xmlInitializeCatalog();
+-#endif
+       xmlParserInitialized = 1;
+ #ifdef LIBXML_THREAD_ENABLED
+     }
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxml2-id-attrs-in-xmlSetTreeDoc.patch 
b/gnu/packages/patches/libxml2-id-attrs-in-xmlSetTreeDoc.patch
new file mode 100644
index 0000000..a87f79b
--- /dev/null
+++ b/gnu/packages/patches/libxml2-id-attrs-in-xmlSetTreeDoc.patch
@@ -0,0 +1,36 @@
+From f54d6a929af2a570396f0595a0e29064c908c12e Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <address@hidden>
+Date: Fri, 19 Dec 2014 00:08:35 +0100
+Subject: [PATCH] Account for ID attributes in xmlSetTreeDoc
+
+---
+ tree.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/tree.c b/tree.c
+index 6ec9223..c6323b4 100644
+--- a/tree.c
++++ b/tree.c
+@@ -2799,8 +2799,19 @@ xmlSetTreeDoc(xmlNodePtr tree, xmlDocPtr doc) {
+       if(tree->type == XML_ELEMENT_NODE) {
+           prop = tree->properties;
+           while (prop != NULL) {
++                if (prop->atype == XML_ATTRIBUTE_ID) {
++                    xmlRemoveID(tree->doc, prop);
++                }
++
+               prop->doc = doc;
+               xmlSetListDoc(prop->children, doc);
++
++                if (xmlIsID(doc, tree, prop)) {
++                    xmlChar *idVal = xmlNodeListGetString(doc, prop->children,
++                                                          1);
++                    xmlAddID(NULL, doc, idVal, prop);
++                }
++
+               prop = prop->next;
+           }
+       }
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxml2-node-sort-order-pt1.patch 
b/gnu/packages/patches/libxml2-node-sort-order-pt1.patch
new file mode 100644
index 0000000..181a072
--- /dev/null
+++ b/gnu/packages/patches/libxml2-node-sort-order-pt1.patch
@@ -0,0 +1,33 @@
+From ba58f23c60862f2158b457f4d30031761bf4dde1 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <address@hidden>
+Date: Sun, 8 Mar 2015 16:44:11 +0100
+Subject: [PATCH] Fix order of root nodes
+
+Make sure root nodes are sorted before other nodes.
+---
+ xpath.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index ffd2a48..e9f5bf9 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -361,13 +361,13 @@ turtle_comparison:
+     /*
+      * compute depth to root
+      */
+-    for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
++    for (depth2 = 0, cur = node2; cur != NULL; cur = cur->parent) {
+       if (cur == node1)
+           return(1);
+       depth2++;
+     }
+     root = cur;
+-    for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
++    for (depth1 = 0, cur = node1; cur != NULL; cur = cur->parent) {
+       if (cur == node2)
+           return(-1);
+       depth1++;
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/libxml2-node-sort-order-pt2.patch 
b/gnu/packages/patches/libxml2-node-sort-order-pt2.patch
new file mode 100644
index 0000000..d007713
--- /dev/null
+++ b/gnu/packages/patches/libxml2-node-sort-order-pt2.patch
@@ -0,0 +1,37 @@
+From 3eaedba1b64180668fdab7ad2eba549586017bf3 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <address@hidden>
+Date: Sat, 11 Jul 2015 14:27:34 +0200
+Subject: [PATCH] Fix previous change to node sort order
+
+Commit ba58f23 broke comparison of nodes from different documents.
+Thanks to Olli Pottonen for the report.
+---
+ xpath.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index e9f5bf9..935fcff 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -361,14 +361,14 @@ turtle_comparison:
+     /*
+      * compute depth to root
+      */
+-    for (depth2 = 0, cur = node2; cur != NULL; cur = cur->parent) {
+-      if (cur == node1)
++    for (depth2 = 0, cur = node2; cur->parent != NULL; cur = cur->parent) {
++      if (cur->parent == node1)
+           return(1);
+       depth2++;
+     }
+     root = cur;
+-    for (depth1 = 0, cur = node1; cur != NULL; cur = cur->parent) {
+-      if (cur == node2)
++    for (depth1 = 0, cur = node1; cur->parent != NULL; cur = cur->parent) {
++      if (cur->parent == node2)
+           return(-1);
+       depth1++;
+     }
+-- 
+2.6.3
+
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index d9c92d6..90ad521 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -70,7 +70,28 @@ things the parser might find in the XML document (like start 
tags).")
                                  version ".tar.gz"))
              (sha256
               (base32
-               "1g6mf03xcabmk5ing1lwqmasr803616gb2xhn7pll10x2l5w6y2i"))))
+               "1g6mf03xcabmk5ing1lwqmasr803616gb2xhn7pll10x2l5w6y2i"))
+             (patches
+              (map search-patch
+                   '("libxml2-fix-catalog-corruption.patch"
+                     "libxml2-bug-738805.patch"
+                     "libxml2-id-attrs-in-xmlSetTreeDoc.patch"
+                     "libxml2-CVE-2015-7941-pt1.patch"
+                     "libxml2-CVE-2015-7941-pt2.patch"
+                     "libxml2-node-sort-order-pt1.patch"
+                     "libxml2-bug-747437.patch"
+                     "libxml2-CVE-2015-1819.patch"
+                     "libxml2-bug-751603.patch"
+                     "libxml2-bug-751631.patch"
+                     "libxml2-node-sort-order-pt2.patch"
+                     "libxml2-bug-737840.patch"
+                     "libxml2-bug-754946.patch"
+                     "libxml2-bug-754947.patch"
+                     "libxml2-bug-755857.patch"
+                     "libxml2-CVE-2015-7942-pt1.patch"
+                     "libxml2-CVE-2015-7942-pt2.patch"
+                     "libxml2-bug-746048.patch"
+                     "libxml2-CVE-2015-8035.patch")))))
     (build-system gnu-build-system)
     (home-page "http://www.xmlsoft.org/";)
     (synopsis "C parser for XML")



reply via email to

[Prev in Thread] Current Thread [Next in Thread]