Your message dated Thu, 09 Apr 2015 21:32:16 +0000
with message-id <[email protected]>
and subject line Bug#774358: fixed in libxml2 2.8.0+dfsg1-7+wheezy4
has caused the Debian Bug report #774358,
regarding libxml2: CVE-2014-3660 patch makes installation-guide FTBFS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
774358: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774358
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxml2
Version: 2.8.0+dfsg1-7+wheezy2
Severity: serious
Justification: makes other package FTBFS

Hello,

The cve-2014-3660.patch patch makes installation-guide FTBFS:

Entity: line 2: parser error : Detected an entity reference loop
<ulink url="&downloadable-file;images/orion5x/network-console/buffalo/kuroboxpro
 ^
/tmp/manual/en/install-methods/download/arm.xml:40: parser error : Detected an entity reference loop
 ^

while there is actually no reference loop there.

It seems cve-2014-3660.patch is assuming that git commit cff2546 is
applied: notably it copies this code as it is:

+        ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;

but in libxml2 2.8.0, it was still

        ent->checked = ctxt->nbentities - oldnbent + 1;

and other parts of the code assume that too. The attached patch fixes
this confusion.

Samuel

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.18.0 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

-- 
Samuel
Hang on to the terminal, I'm removing the shell...
 -+- nojhan -+-
--- /tmp/libxml2-2.8.0+dfsg1/debian/patches/cve-2014-3660.patch.original 2015-01-01 14:48:26.337554556 +0100 +++ /tmp/libxml2-2.8.0+dfsg1/debian/patches/cve-2014-3660.patch 2015-01-01 14:48:53.000874666 +0100
@@ -6,11 +6,11 @@ parser.c | 42 ++++++++++++++++++++++++++++++++++++++---- 1 file changed, 38 insertions(+), 4 deletions(-) -diff --git a/parser.c b/parser.c -index 7ef712d..b435913 100644 ---- a/parser.c -+++ b/parser.c -@@ -127,6 +127,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, +Index: libxml2-2.8.0+dfsg1/parser.c +=================================================================== +--- libxml2-2.8.0+dfsg1.orig/parser.c 2015-01-01 13:20:23.913738969 +0000 ++++ libxml2-2.8.0+dfsg1/parser.c 2015-01-01 13:47:31.930940787 +0000 +@@ -127,6 +127,27 @@ return (0); if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) return (1); @@ -29,10 +29,8 @@ + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); + -+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; ++ ent->checked = ctxt->nbentities - oldnbent + 1; + if (rep != NULL) { -+ if (xmlStrchr(rep, '<')) -+ ent->checked |= 1; + xmlFree(rep); + rep = NULL; + }
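Review bot: The diffstat kept as context at the top of the first hunk (`parser.c | 42`, `38 insertions(+), 4 deletions(-)`) goes stale with this change, because the inner hunk header moves from `+127,29` to `+127,27` and two added lines are dropped further down. Refresh the diffstat or drop it from the patch header. The rewritten header also loses the git `index 7ef712d..b435913` line and the `xmlParserEntityCheck(` function context on the inner `@@` line; keeping a reference to the upstream origin in the patch header would make the backport easier to trace.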
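Review bot: In the second hunk, once the `xmlStrchr(rep, '<')` test is removed, `rep` is only returned by `xmlStringDecodeEntities()` and freed again, so the call survives purely for its effect on `ctxt->nbentities`. A one-line comment saying so would keep a later cleanup from deleting it. Dropping `* 2` and `ent->checked |= 1` also makes this backport diverge from the code it was copied from, so the patch description should state that 2.8.0 stores a plain count in `ent->checked`; the alternative is to carry the commit that introduces the doubled encoding (cff2546, as named in the report) so that every reader and writer of the field agrees.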
--- End Message ---
--- Begin Message ---
Source: libxml2
Source-Version: 2.8.0+dfsg1-7+wheezy4

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Sat, 04 Apr 2015 11:01:18 +0200
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-utils-dbg libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.8.0+dfsg1-7+wheezy4
Distribution: wheezy-security
Urgency: high
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 libxml2-utils-dbg - XML utilities (debug extension)
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 774358
Changes:
 libxml2 (2.8.0+dfsg1-7+wheezy4) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add missing required patches for CVE-2014-3660.
     The two upstream commits a3f1e3e5712257fd279917a9158278534e8f4b72 and
     cff2546f13503ac028e4c1f63c7b6d85f2f2d777 are required in addition to the
     commit be2a7edaf289c5da74a4f9ed3a0b6c733e775230 to fix CVE-2014-3660 due
     to changes in the use of ent->checked.
     Fixes "libxml2: CVE-2014-3660 patch makes installation-guide FTBFS".
     (Closes: #774358)
   * Refresh cve-2014-3660.patch patch
   * Refresh cve-2014-3660-bis.patch patch
--- End Message ---

