From: bug#28294 <28294@debbugs.gnu.org>
Subject: Status: [PATCH] gnu: libxml2: Fix CVE-2017-{0663, 7375, 7376, 9047, 9048, 9049, 9050}.
Date: Sun, 15 Jun 2025 01:05:24 +0000

retitle 28294 [PATCH] gnu: libxml2: Fix CVE-2017-{0663, 7375, 7376, 9047, 9048, 9049, 9050}.
reassign 28294 guix-patches
submitter 28294 Alex Vong
severity 28294 important
tag 28294 patch security
thanks
From: Alex Vong
To: guix-patches@gnu.org
Subject: [PATCH] gnu: libxml2: Fix CVE-2017-{0663, 7375, 7376, 9047, 9048, 9049, 9050}.
Date: Wed, 30 Aug 2017 21:31:58 +0800
Message-ID: <87inh5uqpd.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
Severity: important
Tags: patch security

Hi,

This patch fixes CVEs of libxml2. The changes to 'runtest.c' in
'libxml2-CVE-2017-9049+CVE-2017-9050.patch' are removed since they
introduce test failure. The changes only enable new tests so it should
be fine to remove them.

[Attachment: 0001-gnu-libxml2-Fix-CVE-2017-0663-7375-7376-9047-9048-90.patch]

From 69182d050016889ee11d0c2459dcae1212f7579e Mon Sep 17 00:00:00 2001
From: Alex Vong
Date: Wed, 30 Aug 2017 21:21:21 +0800
Subject: [PATCH] gnu: libxml2: Fix CVE-2017-{0663,7375,7376,9047,9048,9049,9050}.

* gnu/packages/patches/libxml2-CVE-2017-0663.patch,
gnu/packages/patches/libxml2-CVE-2017-7375.patch,
gnu/packages/patches/libxml2-CVE-2017-7376.patch,
gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch,
gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/xml.scm (libxml2)[source]: Use them.
---
 gnu/local.mk                                       |   5 +
 gnu/packages/patches/libxml2-CVE-2017-0663.patch   |  53 ++++
 gnu/packages/patches/libxml2-CVE-2017-7375.patch   |  45 +++
 gnu/packages/patches/libxml2-CVE-2017-7376.patch   |  41 +++
 .../libxml2-CVE-2017-9047+CVE-2017-9048.patch      | 130 +++++++++
 .../libxml2-CVE-2017-9049+CVE-2017-9050.patch      | 319 +++++++++++++++++++++
 gnu/packages/xml.scm                               |  10 +-
 7 files changed, 601 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/libxml2-CVE-2017-0663.patch
 create mode 100644 gnu/packages/patches/libxml2-CVE-2017-7375.patch
 create mode 100644 gnu/packages/patches/libxml2-CVE-2017-7376.patch
 create mode 100644 gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch
 create mode 100644 gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 10d4ab114..9baaa1687 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -804,6 +804,11 @@ dist_patch_DATA =3D \ %D%/packages/patches/libxcb-python-3.5-compat.patch \ %D%/packages/patches/libxml2-CVE-2016-4658.patch \ %D%/packages/patches/libxml2-CVE-2016-5131.patch \ + %D%/packages/patches/libxml2-CVE-2017-0663.patch \ + %D%/packages/patches/libxml2-CVE-2017-7375.patch \ + %D%/packages/patches/libxml2-CVE-2017-7376.patch \ + %D%/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch\ + %D%/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch\ %D%/packages/patches/libxslt-generated-ids.patch \ %D%/packages/patches/libxslt-CVE-2016-4738.patch \ %D%/packages/patches/libxt-guix-search-paths.patch \ diff --git a/gnu/packages/patches/libxml2-CVE-2017-0663.patch b/gnu/package= s/patches/libxml2-CVE-2017-0663.patch new file mode 100644 index 000000000..b0277a2d2 =2D-- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-0663.patch 
@@ -0,0 +1,53 @@ +Fix CVE-2017-0663: + +https://bugzilla.gnome.org/show_bug.cgi?id=3D780228 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-0663 +https://security-tracker.debian.org/tracker/CVE-2017-0663 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=3D92b9e8c8b3787068565a1820= ba575d042f9eec66 + +From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 6 Jun 2017 12:56:28 +0200 +Subject: [PATCH] Fix type confusion in xmlValidateOneNamespace + +Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on +namespace declarations make no practical sense anyway. + +Fixes bug 780228. + +Found with libFuzzer and ASan. +--- + valid.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/valid.c b/valid.c +index 8075d3a0..c51ea290 100644 +--- a/valid.c ++++ b/valid.c +@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns= , const xmlChar *value) { + } + } +=20 ++ /* ++ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions ++ * xmlAddID and xmlAddRef for namespace declarations, but it makes ++ * no practical sense to use ID types anyway. ++ */ ++#if 0 + /* Validity Constraint: ID uniqueness */ + if (attrDecl->atype =3D=3D XML_ATTRIBUTE_ID) { + if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) =3D=3D NULL) +@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns,= const xmlChar *value) { + if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) =3D=3D NULL) + ret =3D 0; + } ++#endif +=20 + /* Validity Constraint: Notation Attributes */ + if (attrDecl->atype =3D=3D XML_ATTRIBUTE_NOTATION) { +--=20 +2.14.1 + diff --git a/gnu/packages/patches/libxml2-CVE-2017-7375.patch b/gnu/package= s/patches/libxml2-CVE-2017-7375.patch new file mode 100644 index 000000000..32af1ff6b =2D-- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-7375.patch 
@@ -0,0 +1,45 @@ +Fix CVE-2017-7375: + +https://bugzilla.gnome.org/show_bug.cgi?id=3D780691 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7375 +https://security-tracker.debian.org/tracker/CVE-2017-7375 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=3D90ccb58242866b0ba3edbef8= fe44214a101c2b3e + +From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001 +From: Neel Mehta +Date: Fri, 7 Apr 2017 17:43:02 +0200 +Subject: [PATCH] Prevent unwanted external entity reference + +For https://bugzilla.gnome.org/show_bug.cgi?id=3D780691 + +* parser.c: add a specific check to avoid PE reference +--- + parser.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/parser.c b/parser.c +index 609a2703..c2c812de 100644 +--- a/parser.c ++++ b/parser.c +@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) + if (xmlPushInput(ctxt, input) < 0) + return; + } else { ++ if ((entity->etype =3D=3D XML_EXTERNAL_PARAMETER_ENTITY) && ++ ((ctxt->options & XML_PARSE_NOENT) =3D=3D 0) && ++ ((ctxt->options & XML_PARSE_DTDVALID) =3D=3D 0) && ++ ((ctxt->options & XML_PARSE_DTDLOAD) =3D=3D 0) && ++ ((ctxt->options & XML_PARSE_DTDATTR) =3D=3D 0) && ++ (ctxt->replaceEntities =3D=3D 0) && ++ (ctxt->validate =3D=3D 0)) ++ return; ++ + /* + * TODO !!! + * handle the extra spaces added before and after +--=20 +2.14.1 + diff --git a/gnu/packages/patches/libxml2-CVE-2017-7376.patch b/gnu/package= s/patches/libxml2-CVE-2017-7376.patch new file mode 100644 index 000000000..5b9e45bd8 =2D-- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-7376.patch 
@@ -0,0 +1,41 @@ +Fix CVE-2017-7376: + +https://bugzilla.gnome.org/show_bug.cgi?id=3D780690 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7376 +https://security-tracker.debian.org/tracker/CVE-2017-7376 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=3D5dca9eea1bd4263bfa4d037a= b2443de1cd730f7e + +From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 7 Apr 2017 17:13:28 +0200 +Subject: [PATCH] Increase buffer space for port in HTTP redirect support + +For https://bugzilla.gnome.org/show_bug.cgi?id=3D780690 + +nanohttp.c: the code wrongly assumed a short int port value. +--- + nanohttp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/nanohttp.c b/nanohttp.c +index e109ad75..373425de 100644 +--- a/nanohttp.c ++++ b/nanohttp.c +@@ -1423,9 +1423,9 @@ retry: + if (ctxt->port !=3D 80) { + /* reserve space for ':xxxxx', incl. potential proxy */ + if (proxy) +- blen +=3D 12; ++ blen +=3D 17; + else +- blen +=3D 6; ++ blen +=3D 11; + } + bp =3D (char*)xmlMallocAtomic(blen); + if ( bp =3D=3D NULL ) { +--=20 +2.14.1 + diff --git a/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch= b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch new file mode 100644 index 000000000..0a0e6d34c =2D-- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch 
@@ -0,0 +1,130 @@ +Fix CVE-2017-{9047,9048}: + +https://bugzilla.gnome.org/show_bug.cgi?id=3D781333 (not yet public) +https://bugzilla.gnome.org/show_bug.cgi?id=3D781701 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-9047 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-9048 +http://www.openwall.com/lists/oss-security/2017/05/15/1 +https://security-tracker.debian.org/tracker/CVE-2017-9047 +https://security-tracker.debian.org/tracker/CVE-2017-9048 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=3D932cc9896ab41475d4aa429c= 27d9afd175959d74 + +From 932cc9896ab41475d4aa429c27d9afd175959d74 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 3 Jun 2017 02:01:29 +0200 +Subject: [PATCH] Fix buffer size checks in xmlSnprintfElementContent +MIME-Version: 1.0 +Content-Type: text/plain; charset=3DUTF-8 +Content-Transfer-Encoding: 8bit + +xmlSnprintfElementContent failed to correctly check the available +buffer space in two locations. + +Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048). + +Thanks to Marcel B=C3=B6hme and Thuan Pham for the report. 
+--- + result/valid/781333.xml | 5 +++++ + result/valid/781333.xml.err | 3 +++ + result/valid/781333.xml.err.rdr | 6 ++++++ + test/valid/781333.xml | 4 ++++ + valid.c | 20 +++++++++++--------- + 5 files changed, 29 insertions(+), 9 deletions(-) + create mode 100644 result/valid/781333.xml + create mode 100644 result/valid/781333.xml.err + create mode 100644 result/valid/781333.xml.err.rdr + create mode 100644 test/valid/781333.xml + +diff --git a/result/valid/781333.xml b/result/valid/781333.xml +new file mode 100644 +index 00000000..45dc451d +--- /dev/null ++++ b/result/valid/781333.xml +@@ -0,0 +1,5 @@ ++ ++ ++]> ++ +diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err +new file mode 100644 +index 00000000..b401b49a +--- /dev/null ++++ b/result/valid/781333.xml.err +@@ -0,0 +1,3 @@ ++./test/valid/781333.xml:4: element a: validity error : Element a content = does not follow the DTD, expecting ( ..., got=20 ++ ++ ^ +diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err= .rdr +new file mode 100644 +index 00000000..5ff56992 +--- /dev/null ++++ b/result/valid/781333.xml.err.rdr +@@ -0,0 +1,6 @@ ++./test/valid/781333.xml:4: element a: validity error : Element a content = does not follow the DTD, expecting ( ..., got=20 ++ ++ ^ ++./test/valid/781333.xml:5: element a: validity error : Element a content = does not follow the DTD, Expecting more child ++ ++^ +diff --git a/test/valid/781333.xml b/test/valid/781333.xml +new file mode 100644 +index 00000000..b29e5a68 +--- /dev/null ++++ b/test/valid/781333.xml +@@ -0,0 +1,4 @@ ++ ++]> ++ +diff --git a/valid.c b/valid.c +index 19f84b82..9b2df56a 100644 +--- a/valid.c ++++ b/valid.c +@@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xml= ElementContentPtr content, int + case XML_ELEMENT_CONTENT_PCDATA: + strcat(buf, "#PCDATA"); + break; +- case XML_ELEMENT_CONTENT_ELEMENT: ++ case XML_ELEMENT_CONTENT_ELEMENT: { ++ int qnameLen =3D xmlStrlen(content->name); ++ ++ if 
(content->prefix !=3D NULL) ++ qnameLen +=3D xmlStrlen(content->prefix) + 1; ++ if (size - len < qnameLen + 10) { ++ strcat(buf, " ..."); ++ return; ++ } + if (content->prefix !=3D NULL) { +- if (size - len < xmlStrlen(content->prefix) + 10) { +- strcat(buf, " ..."); +- return; +- } + strcat(buf, (char *) content->prefix); + strcat(buf, ":"); + } +- if (size - len < xmlStrlen(content->name) + 10) { +- strcat(buf, " ..."); +- return; +- } + if (content->name !=3D NULL) + strcat(buf, (char *) content->name); + break; ++ } + case XML_ELEMENT_CONTENT_SEQ: + if ((content->c1->type =3D=3D XML_ELEMENT_CONTENT_OR) || + (content->c1->type =3D=3D XML_ELEMENT_CONTENT_SEQ)) +@@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlEl= ementContentPtr content, int + xmlSnprintfElementContent(buf, size, content->c2, 0); + break; + } ++ if (size - strlen(buf) <=3D 2) return; + if (englob) + strcat(buf, ")"); + switch (content->ocur) { +--=20 +2.14.1 + diff --git a/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch= b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch new file mode 100644 index 000000000..890e9c228 =2D-- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch 
@@ -0,0 +1,319 @@ +Fix CVE-2017-{9049,9050}: + +https://bugzilla.gnome.org/show_bug.cgi?id=3D781205 (not yet public) +https://bugzilla.gnome.org/show_bug.cgi?id=3D781361 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-9049 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-9050 +http://www.openwall.com/lists/oss-security/2017/05/15/1 +https://security-tracker.debian.org/tracker/CVE-2017-9049 +https://security-tracker.debian.org/tracker/CVE-2017-9050 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=3De26630548e7d138d2c560844= c43820b6767251e3 + +Changes to 'runtest.c' are removed since they introduce test failure +when applying to libxml2 2.9.4 release tarball. + +From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 5 Jun 2017 15:37:17 +0200 +Subject: [PATCH] Fix handling of parameter-entity references +MIME-Version: 1.0 +Content-Type: text/plain; charset=3DUTF-8 +Content-Transfer-Encoding: 8bit + +There were two bugs where parameter-entity references could lead to an +unexpected change of the input buffer in xmlParseNameComplex and +xmlDictLookup being called with an invalid pointer. + +Percent sign in DTD Names +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +The NEXTL macro used to call xmlParserHandlePEReference. When parsing +"complex" names inside the DTD, this could result in entity expansion +which created a new input buffer. The fix is to simply remove the call +to xmlParserHandlePEReference from the NEXTL macro. This is safe because +no users of the macro require expansion of parameter entities. + +- xmlParseNameComplex +- xmlParseNCNameComplex +- xmlParseNmtoken + +The percent sign is not allowed in names, which are grammatical tokens. + +- xmlParseEntityValue + +Parameter-entity references in entity values are expanded but this +happens in a separate step in this function. 
+ +- xmlParseSystemLiteral + +Parameter-entity references are ignored in the system literal. + +- xmlParseAttValueComplex +- xmlParseCharDataComplex +- xmlParseCommentComplex +- xmlParsePI +- xmlParseCDSect + +Parameter-entity references are ignored outside the DTD. + +- xmlLoadEntityContent + +This function is only called from xmlStringLenDecodeEntities and +entities are replaced in a separate step immediately after the function +call. + +This bug could also be triggered with an internal subset and double +entity expansion. + +This fixes bug 766956 initially reported by Wei Lei and independently by +Chromium's ClusterFuzz, Hanno B=C3=B6ck, and Marco Grassi. Thanks to every= one +involved. + +xmlParseNameComplex with XML_PARSE_OLD10 +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +When parsing Names inside an expanded parameter entity with the +XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the +GROW macro if the input buffer was exhausted. At the end of the +parameter entity's replacement text, this function would then call +xmlPopInput which invalidated the input buffer. + +There should be no need to invoke GROW in this situation because the +buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and, +at least for UTF-8, in xmlCurrentChar. This also matches the code path +executed when XML_PARSE_OLD10 is not set. + +This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050). +Thanks to Marcel B=C3=B6hme and Thuan Pham for the report. + +Additional hardening +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +A separate check was added in xmlParseNameComplex to validate the +buffer size. 
+--- + Makefile.am | 18 ++++++++++++++++++ + parser.c | 18 ++++++++++-------- + result/errors10/781205.xml | 0 + result/errors10/781205.xml.err | 21 +++++++++++++++++++++ + result/errors10/781361.xml | 0 + result/errors10/781361.xml.err | 13 +++++++++++++ + result/valid/766956.xml | 0 + result/valid/766956.xml.err | 9 +++++++++ + result/valid/766956.xml.err.rdr | 10 ++++++++++ + runtest.c | 3 +++ + test/errors10/781205.xml | 3 +++ + test/errors10/781361.xml | 3 +++ + test/valid/766956.xml | 2 ++ + test/valid/dtds/766956.dtd | 2 ++ + 14 files changed, 94 insertions(+), 8 deletions(-) + create mode 100644 result/errors10/781205.xml + create mode 100644 result/errors10/781205.xml.err + create mode 100644 result/errors10/781361.xml + create mode 100644 result/errors10/781361.xml.err + create mode 100644 result/valid/766956.xml + create mode 100644 result/valid/766956.xml.err + create mode 100644 result/valid/766956.xml.err.rdr + create mode 100644 test/errors10/781205.xml + create mode 100644 test/errors10/781361.xml + create mode 100644 test/valid/766956.xml + create mode 100644 test/valid/dtds/766956.dtd + +diff --git a/Makefile.am b/Makefile.am +index 6fc8ffa9..10e716a5 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -427,6 +427,24 @@ Errtests : xmllint$(EXEEXT) + if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \ + rm result.$$name error.$$name ; \ + fi ; fi ; done) ++ @echo "## Error cases regression tests (old 1.0)" ++ -@(for i in $(srcdir)/test/errors10/*.xml ; do \ ++ name=3D`basename $$i`; \ ++ if [ ! -d $$i ] ; then \ ++ if [ ! 
-f $(srcdir)/result/errors10/$$name ] ; then \ ++ echo New test file $$name ; \ ++ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \ ++ 2> $(srcdir)/result/errors10/$$name.err \ ++ > $(srcdir)/result/errors10/$$name ; \ ++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ ++ else \ ++ log=3D`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.= $$name > result.$$name ; \ ++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ ++ diff $(srcdir)/result/errors10/$$name result.$$name ; \ ++ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \ ++ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \ ++ rm result.$$name error.$$name ; \ ++ fi ; fi ; done) + @echo "## Error cases stream regression tests" + -@(for i in $(srcdir)/test/errors/*.xml ; do \ + name=3D`basename $$i`; \ +diff --git a/parser.c b/parser.c +index df2efa55..a175ac4e 100644 +--- a/parser.c ++++ b/parser.c +@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { + ctxt->input->line++; ctxt->input->col =3D 1; \ + } else ctxt->input->col++; \ + ctxt->input->cur +=3D l; \ +- if (*ctxt->input->cur =3D=3D '%') xmlParserHandlePEReference(ctxt); \ + } while (0) +=20 + #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l) +@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + len +=3D l; + NEXTL(l); + c =3D CUR_CHAR(l); +- if (c =3D=3D 0) { +- count =3D 0; +- GROW; +- if (ctxt->instate =3D=3D XML_PARSER_EOF) +- return(NULL); +- c =3D CUR_CHAR(l); +- } + } + } + if ((len > XML_MAX_NAME_LENGTH) && +@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); + return(NULL); + } ++ if (ctxt->input->cur - ctxt->input->base < len) { ++ /* ++ * There were a couple of bugs where PERefs lead to to a change ++ * of the buffer. Check the buffer size to avoid passing an inval= id ++ * pointer to xmlDictLookup. 
++ */ ++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, ++ "unexpected change of input buffer"); ++ return (NULL); ++ } + if ((*ctxt->input->cur =3D=3D '\n') && (ctxt->input->cur[-1] =3D=3D '= \r')) + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), le= n)); + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); +diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.e= rr +new file mode 100644 +index 00000000..da15c3f7 +--- /dev/null ++++ b/result/errors10/781205.xml.err +@@ -0,0 +1,21 @@ ++Entity: line 1: parser error : internal error: xmlParseInternalSubset: er= ror detected in Markup declaration ++ ++ %a;=20 ++ ^ ++Entity: line 1:=20 ++<:0000 ++^ ++Entity: line 1: parser error : DOCTYPE improperly terminated ++ %a;=20 ++ ^ ++Entity: line 1:=20 ++<:0000 ++^ ++namespace error : Failed to parse QName ':0000' ++ %a;=20 ++ ^ ++<:0000 ++ ^ ++./test/errors10/781205.xml:4: parser error : Couldn't find end of Start T= ag :0000 line 1 ++ ++^ +diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.e= rr +new file mode 100644 +index 00000000..655f41a2 +--- /dev/null ++++ b/result/errors10/781361.xml.err +@@ -0,0 +1,13 @@ ++./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY'= , 'ANY' or '(' expected ++ ++^ ++./test/errors10/781361.xml:4: parser error : internal error: xmlParseInte= rnalSubset: error detected in Markup declaration ++ ++ ++^ ++./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated ++ ++^ ++./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not = found ++ ++^ +diff --git a/result/valid/766956.xml b/result/valid/766956.xml +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/valid/766956.xml.err 
b/result/valid/766956.xml.err +new file mode 100644 +index 00000000..34b1dae6 +--- /dev/null ++++ b/result/valid/766956.xml.err +@@ -0,0 +1,9 @@ ++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' ++%=C3=A4%ent; ++ ^ ++Entity: line 1: parser error : Content error in the external subset ++ %ent;=20 ++ ^ ++Entity: line 1:=20 ++value ++^ +diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err= .rdr +new file mode 100644 +index 00000000..77603462 +--- /dev/null ++++ b/result/valid/766956.xml.err.rdr +@@ -0,0 +1,10 @@ ++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' ++%=C3=A4%ent; ++ ^ ++Entity: line 1: parser error : Content error in the external subset ++ %ent;=20 ++ ^ ++Entity: line 1:=20 ++value ++^ ++./test/valid/766956.xml : failed to parse +diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml +new file mode 100644 +index 00000000..d9e9e839 +--- /dev/null ++++ b/test/errors10/781205.xml +@@ -0,0 +1,3 @@ ++ ++ %a; +diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml +new file mode 100644 +index 00000000..67476bcb +--- /dev/null ++++ b/test/errors10/781361.xml +@@ -0,0 +1,3 @@ ++ ++ %elem; +diff --git a/test/valid/766956.xml b/test/valid/766956.xml +new file mode 100644 +index 00000000..19a95a0e +--- /dev/null ++++ b/test/valid/766956.xml +@@ -0,0 +1,2 @@ ++ ++ +diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd +new file mode 100644 +index 00000000..dddde68b +--- /dev/null ++++ b/test/valid/dtds/766956.dtd +@@ -0,0 +1,2 @@ ++ ++%=C3=A4%ent; +--=20 +2.14.1 + diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index dd229ba73..30ecbe72d 100644 =2D-- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm 
@@ -114,8 +114,14 @@ hierarchical form with variable field lengths.") (method url-fetch) (uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-" version ".tar.gz")) =2D (patches (search-patches "libxml2-CVE-2016-4658.patch" =2D "libxml2-CVE-2016-5131.patch")) + (patches + (search-patches "libxml2-CVE-2016-4658.patch" + "libxml2-CVE-2016-5131.patch" + "libxml2-CVE-2017-0663.patch" + "libxml2-CVE-2017-7375.patch" + "libxml2-CVE-2017-7376.patch" + "libxml2-CVE-2017-9047+CVE-2017-9048.patch" + "libxml2-CVE-2017-9049+CVE-2017-9050.patch")) (sha256 (base32 "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz")))) =2D-=20 2.14.1

Cheers,
Alex
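Review bot: in the gnu/local.mk hunk the two added entries for the combined patches end in `.patch\` with no space before the backslash, unlike every neighbouring entry (`...CVE-2017-7376.patch \`); add the space so the list stays uniform. The commit message's first ChangeLog entry also lists the five new patch files without the customary "New files." after them.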
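Review bot: the `#if 0` in the valid.c hunk of libxml2-CVE-2017-0663.patch leaves the unsafe `(xmlAttrPtr) ns` casts passed to xmlAddID and xmlAddRef in the tree as dead code, so re-enabling the block would reinstate the type confusion. If ID/IDREF types on namespace declarations are not going to be supported, delete the block outright (the comment above it already records why) or replace it with an explicit validity error so that a DTD declaring an ID-typed namespace attribute is reported instead of silently accepted.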
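Review bot: the new early `return` in the `else` branch of xmlParsePEReference (libxml2-CVE-2017-7375.patch) drops an external parameter-entity reference without any diagnostic when none of XML_PARSE_NOENT, XML_PARSE_DTDVALID, XML_PARSE_DTDLOAD, XML_PARSE_DTDATTR, `replaceEntities` or `validate` is set, so a caller cannot tell that part of the DTD was skipped; a warning through the usual error channel would make the behaviour visible. A one-line comment explaining why both the option bits and the `ctxt->replaceEntities` / `ctxt->validate` fields are tested (the fields can also be set without going through `options`, e.g. via xmlSubstituteEntitiesDefault) would keep the next reader from collapsing the pairs.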
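Review bot: the comment kept as context in the nanohttp.c hunk, `/* reserve space for ':xxxxx', incl. potential proxy */`, is now stale and the new constants 11 and 17 are unexplained; either derive them in a comment (':' plus the maximum decimal width of an `int` port, plus the existing proxy allowance) or, better, reject a port outside 1..65535 when the redirect target is parsed so the buffer arithmetic never has to accommodate a ten-digit value.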
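Review bot: in the XML_ELEMENT_CONTENT_ELEMENT hunk of xmlSnprintfElementContent the combined `qnameLen + 10` check is right, but the `#PCDATA` case shown as context immediately above it still does an unchecked `strcat(buf, "#PCDATA")`; it appears to rely on the 10-byte slack the other checks reserve, and that assumption deserves a comment (or its own check) so the next edit to the slack value does not silently break it.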
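Review bot: `if (size - strlen(buf) <= 2) return;` in the second valid.c hunk mixes the `int size` with the `size_t` returned by strlen, so the subtraction is done unsigned and cannot go negative: if `strlen(buf)` ever exceeds `size` the guard passes instead of firing. The rest of the function uses the signed `size - len` form (`if (size - len < qnameLen + 10)`); `int len = strlen(buf); if (size - len <= 2) return;` keeps the comparison signed and consistent with it.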
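Review bot: the Makefile.am hunk adds the "Error cases regression tests (old 1.0)" loop over test/errors10/*.xml while the Guix patch header says the runtest.c part of the upstream commit was dropped, so the 781205/781361 cases are exercised only by that Makefile loop (`xmllint --oldxml10`) and not by `runtest`. Say so in the patch header, and confirm that the target the Guix check phase runs includes this loop; otherwise the regression tests for CVE-2017-9049/9050 are shipped but never run.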
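Review bot: the guard `ctxt->input->cur - ctxt->input->base < len` added in xmlParseNameComplex is one byte short for the `'\r'` branch right below it, which hands `ctxt->input->cur - (len + 1)` to xmlDictLookup: when `cur - base == len` exactly, that start pointer is `base - 1`. Check `cur - base > len` inside that branch (it already dereferences `cur[-1]`, so it assumes `cur > base`), and fix the doubled word in the new comment ("PERefs lead to to a change").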
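Review bot: extending the `patches` list in the `source` field of `libxml2` in gnu/packages/xml.scm changes its derivation and therefore rebuilds everything that depends on it; for a security fix on a package this central, Guix normally ships the fix as a graft, i.e. a `replacement` field on `libxml2` pointing at a variant whose origin appends these five patches, so users get the fixed library without a mass rebuild. Leaving the `sha256` unchanged is correct, since patches are applied after the tarball is fetched and verified.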
From: Marius Bakke
To: Alex Vong, 28294@debbugs.gnu.org
Subject: Re: [bug#28294] [PATCH] gnu: libxml2: Fix CVE-2017-{0663, 7375, 7376, 9047, 9048, 9049, 9050}.
In-Reply-To: <87inh5uqpd.fsf@gmail.com>
References: <87inh5uqpd.fsf@gmail.com>
User-Agent: Notmuch/0.25 (https://notmuchmail.org) Emacs/25.2.1 (x86_64-unknown-linux-gnu)
Date: Wed, 30 Aug 2017 20:57:37 +0200
Message-ID: <87inh4lw7y.fsf@fastmail.com>

Alex Vong writes:

> Severity: important
> Tags: patch security
>
> Hi,
>
> This patch fixes CVEs of libxml2. The changes to 'runtest.c' in
> 'libxml2-CVE-2017-9049+CVE-2017-9050.patch' are removed since they
> introduce test failures. The changes only enable new tests so it should
> be fine to remove them.

Thanks for this! I think we have to graft this fix since changing
'libxml2' would rebuild 2/3 of the tree. Can you try that?

PS: Do you have a Savannah account? I'm sure Ludo or someone can add
you given the steady rate of quality commits.
From: Alex Vong
To: Marius Bakke
Cc: 28294@debbugs.gnu.org
Subject: Re: [bug#28294] [PATCH] gnu: libxml2: Fix CVE-2017-{0663, 7375, 7376, 9047, 9048, 9049, 9050}.
References: <87inh5uqpd.fsf@gmail.com> <87inh4lw7y.fsf@fastmail.com>
Date: Thu, 31 Aug 2017 18:40:42 +0800
In-Reply-To: <87inh4lw7y.fsf@fastmail.com> (Marius Bakke's message of "Wed, 30 Aug 2017 20:57:37 +0200")
Message-ID: <87y3q0ow9h.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

Marius Bakke writes:

> Alex Vong writes:
>
>> Severity: important
>> Tags: patch security
>>
>> Hi,
>>
>> This patch fixes CVEs of libxml2. The changes to 'runtest.c' in
>> 'libxml2-CVE-2017-9049+CVE-2017-9050.patch' are removed since they
>> introduce test failures. The changes only enable new tests so it should
>> be fine to remove them.
>
> Thanks for this! I think we have to graft this fix since changing
> 'libxml2' would rebuild 2/3 of the tree. Can you try that?
>
> PS: Do you have a Savannah account? I'm sure Ludo or someone can add
> you given the steady rate of quality commits.

Sure, here is the new patch:

Content-Type: text/x-diff; charset=utf-8
Content-Disposition: inline; filename=0001-gnu-libxml2-Fix-CVE-2017-0663-7375-7376-9047-9048-90.patch
Content-Transfer-Encoding: quoted-printable

From b20f6c0ef6ed8577cec87517579012a0ce7d9991 Mon Sep 17 00:00:00 2001
From: Alex Vong Date: Wed, 30 Aug 2017 21:21:21 +0800 Subject: [PATCH] gnu: libxml2: Fix CVE-2017-{0663,7375,7376,9047,9048,9049,9050}. * gnu/packages/patches/libxml2-CVE-2017-0663.patch, gnu/packages/patches/libxml2-CVE-2017-7375.patch, gnu/packages/patches/libxml2-CVE-2017-7376.patch, gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch, gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/xml.scm (libxml2)[replacement]: New field. (libxml2/fixed): New variable. =2D-- gnu/local.mk | 5 + gnu/packages/patches/libxml2-CVE-2017-0663.patch | 53 ++++ gnu/packages/patches/libxml2-CVE-2017-7375.patch | 45 +++ gnu/packages/patches/libxml2-CVE-2017-7376.patch | 41 +++ .../libxml2-CVE-2017-9047+CVE-2017-9048.patch | 130 +++++++++ .../libxml2-CVE-2017-9049+CVE-2017-9050.patch | 319 +++++++++++++++++= ++++ gnu/packages/xml.scm | 15 + 7 files changed, 608 insertions(+) create mode 100644 gnu/packages/patches/libxml2-CVE-2017-0663.patch create mode 100644 gnu/packages/patches/libxml2-CVE-2017-7375.patch create mode 100644 gnu/packages/patches/libxml2-CVE-2017-7376.patch create mode 100644 gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-904= 8.patch create mode 100644 gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-905= 0.patch diff --git a/gnu/local.mk b/gnu/local.mk index 10d4ab114..9baaa1687 100644 =2D-- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -804,6 +804,11 @@ dist_patch_DATA =3D \ %D%/packages/patches/libxcb-python-3.5-compat.patch \ %D%/packages/patches/libxml2-CVE-2016-4658.patch \ %D%/packages/patches/libxml2-CVE-2016-5131.patch \ + %D%/packages/patches/libxml2-CVE-2017-0663.patch \ + %D%/packages/patches/libxml2-CVE-2017-7375.patch \ + %D%/packages/patches/libxml2-CVE-2017-7376.patch \ + %D%/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch\ + %D%/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch\ %D%/packages/patches/libxslt-generated-ids.patch \ %D%/packages/patches/libxslt-CVE-2016-4738.patch \ %D%/packages/patches/libxt-guix-search-paths.patch \ diff --git a/gnu/packages/patches/libxml2-CVE-2017-0663.patch b/gnu/package= s/patches/libxml2-CVE-2017-0663.patch new file mode 100644 index 000000000..b0277a2d2 =2D-- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-0663.patch 
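Review bot: in the gnu/local.mk hunk, the two added entries `%D%/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch\` and `%D%/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch\` have no whitespace before the continuation backslash, while every neighbouring entry in `dist_patch_DATA` ends in `.patch \`; add the tab before `\` on both lines so the list keeps its alignment.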
@@ -0,0 +1,53 @@ +Fix CVE-2017-0663: + +https://bugzilla.gnome.org/show_bug.cgi?id=3D780228 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-0663 +https://security-tracker.debian.org/tracker/CVE-2017-0663 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=3D92b9e8c8b3787068565a1820= ba575d042f9eec66 + +From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 6 Jun 2017 12:56:28 +0200 +Subject: [PATCH] Fix type confusion in xmlValidateOneNamespace + +Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on +namespace declarations make no practical sense anyway. + +Fixes bug 780228. + +Found with libFuzzer and ASan. +--- + valid.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/valid.c b/valid.c +index 8075d3a0..c51ea290 100644 +--- a/valid.c ++++ b/valid.c +@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns= , const xmlChar *value) { + } + } +=20 ++ /* ++ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions ++ * xmlAddID and xmlAddRef for namespace declarations, but it makes ++ * no practical sense to use ID types anyway. ++ */ ++#if 0 + /* Validity Constraint: ID uniqueness */ + if (attrDecl->atype =3D=3D XML_ATTRIBUTE_ID) { + if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) =3D=3D NULL) +@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns,= const xmlChar *value) { + if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) =3D=3D NULL) + ret =3D 0; + } ++#endif +=20 + /* Validity Constraint: Notation Attributes */ + if (attrDecl->atype =3D=3D XML_ATTRIBUTE_NOTATION) { +--=20 +2.14.1 + diff --git a/gnu/packages/patches/libxml2-CVE-2017-7375.patch b/gnu/package= s/patches/libxml2-CVE-2017-7375.patch new file mode 100644 index 000000000..32af1ff6b =2D-- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-7375.patch 
@@ -0,0 +1,45 @@ +Fix CVE-2017-7375: + +https://bugzilla.gnome.org/show_bug.cgi?id=3D780691 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7375 +https://security-tracker.debian.org/tracker/CVE-2017-7375 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=3D90ccb58242866b0ba3edbef8= fe44214a101c2b3e + +From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001 +From: Neel Mehta +Date: Fri, 7 Apr 2017 17:43:02 +0200 +Subject: [PATCH] Prevent unwanted external entity reference + +For https://bugzilla.gnome.org/show_bug.cgi?id=3D780691 + +* parser.c: add a specific check to avoid PE reference +--- + parser.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/parser.c b/parser.c +index 609a2703..c2c812de 100644 +--- a/parser.c ++++ b/parser.c +@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) + if (xmlPushInput(ctxt, input) < 0) + return; + } else { ++ if ((entity->etype =3D=3D XML_EXTERNAL_PARAMETER_ENTITY) && ++ ((ctxt->options & XML_PARSE_NOENT) =3D=3D 0) && ++ ((ctxt->options & XML_PARSE_DTDVALID) =3D=3D 0) && ++ ((ctxt->options & XML_PARSE_DTDLOAD) =3D=3D 0) && ++ ((ctxt->options & XML_PARSE_DTDATTR) =3D=3D 0) && ++ (ctxt->replaceEntities =3D=3D 0) && ++ (ctxt->validate =3D=3D 0)) ++ return; ++ + /* + * TODO !!! + * handle the extra spaces added before and after +--=20 +2.14.1 + diff --git a/gnu/packages/patches/libxml2-CVE-2017-7376.patch b/gnu/package= s/patches/libxml2-CVE-2017-7376.patch new file mode 100644 index 000000000..5b9e45bd8 =2D-- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-7376.patch 
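Review bot: the early `return` added to `xmlParsePEReference` in libxml2-CVE-2017-7375.patch drops an `XML_EXTERNAL_PARAMETER_ENTITY` reference silently, with no error or warning, whenever none of `XML_PARSE_NOENT`, `XML_PARSE_DTDVALID`, `XML_PARSE_DTDLOAD` and `XML_PARSE_DTDATTR` is set and both `replaceEntities` and `validate` are zero. That is the upstream change (commit 90ccb58242866b0ba3edbef8fe44214a101c2b3e) and should stay verbatim, but the Guix header above the patch only links the bug and CVE; one sentence saying that external parameter entities are no longer fetched under the default parser options would tell packagers of libxml2 consumers what behaviour change to expect.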
@@ -0,0 +1,41 @@ +Fix CVE-2017-7376: + +https://bugzilla.gnome.org/show_bug.cgi?id=3D780690 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7376 +https://security-tracker.debian.org/tracker/CVE-2017-7376 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=3D5dca9eea1bd4263bfa4d037a= b2443de1cd730f7e + +From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 7 Apr 2017 17:13:28 +0200 +Subject: [PATCH] Increase buffer space for port in HTTP redirect support + +For https://bugzilla.gnome.org/show_bug.cgi?id=3D780690 + +nanohttp.c: the code wrongly assumed a short int port value. +--- + nanohttp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/nanohttp.c b/nanohttp.c +index e109ad75..373425de 100644 +--- a/nanohttp.c ++++ b/nanohttp.c +@@ -1423,9 +1423,9 @@ retry: + if (ctxt->port !=3D 80) { + /* reserve space for ':xxxxx', incl. potential proxy */ + if (proxy) +- blen +=3D 12; ++ blen +=3D 17; + else +- blen +=3D 6; ++ blen +=3D 11; + } + bp =3D (char*)xmlMallocAtomic(blen); + if ( bp =3D=3D NULL ) { +--=20 +2.14.1 + diff --git a/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch= b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch new file mode 100644 index 000000000..0a0e6d34c =2D-- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch 
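Review bot: in libxml2-CVE-2017-7376.patch the reservations change from 6 to 11 and from 12 to 17, i.e. ':' plus up to ten digits of an `int` port in the non-proxy branch, yet the unchanged context comment still reads `reserve space for ':xxxxx'`, and the old proxy allowance was exactly twice the non-proxy one (12 = 2 x 6, matching the comment's "incl. potential proxy") whereas the new one is not (17 against 2 x 11). The hunk is upstream commit 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e applied verbatim, so nothing in it needs editing here, but it is worth confirming with upstream that 17 is intended for the proxy case before treating the buffer as fully sized.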
@@ -0,0 +1,130 @@ +Fix CVE-2017-{9047,9048}: + +https://bugzilla.gnome.org/show_bug.cgi?id=3D781333 (not yet public) +https://bugzilla.gnome.org/show_bug.cgi?id=3D781701 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-9047 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-9048 +http://www.openwall.com/lists/oss-security/2017/05/15/1 +https://security-tracker.debian.org/tracker/CVE-2017-9047 +https://security-tracker.debian.org/tracker/CVE-2017-9048 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=3D932cc9896ab41475d4aa429c= 27d9afd175959d74 + +From 932cc9896ab41475d4aa429c27d9afd175959d74 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 3 Jun 2017 02:01:29 +0200 +Subject: [PATCH] Fix buffer size checks in xmlSnprintfElementContent +MIME-Version: 1.0 +Content-Type: text/plain; charset=3DUTF-8 +Content-Transfer-Encoding: 8bit + +xmlSnprintfElementContent failed to correctly check the available +buffer space in two locations. + +Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048). + +Thanks to Marcel B=C3=B6hme and Thuan Pham for the report. 
+--- + result/valid/781333.xml | 5 +++++ + result/valid/781333.xml.err | 3 +++ + result/valid/781333.xml.err.rdr | 6 ++++++ + test/valid/781333.xml | 4 ++++ + valid.c | 20 +++++++++++--------- + 5 files changed, 29 insertions(+), 9 deletions(-) + create mode 100644 result/valid/781333.xml + create mode 100644 result/valid/781333.xml.err + create mode 100644 result/valid/781333.xml.err.rdr + create mode 100644 test/valid/781333.xml + +diff --git a/result/valid/781333.xml b/result/valid/781333.xml +new file mode 100644 +index 00000000..45dc451d +--- /dev/null ++++ b/result/valid/781333.xml +@@ -0,0 +1,5 @@ ++ ++ ++]> ++ +diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err +new file mode 100644 +index 00000000..b401b49a +--- /dev/null ++++ b/result/valid/781333.xml.err +@@ -0,0 +1,3 @@ ++./test/valid/781333.xml:4: element a: validity error : Element a content = does not follow the DTD, expecting ( ..., got=20 ++ ++ ^ +diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err= .rdr +new file mode 100644 +index 00000000..5ff56992 +--- /dev/null ++++ b/result/valid/781333.xml.err.rdr +@@ -0,0 +1,6 @@ ++./test/valid/781333.xml:4: element a: validity error : Element a content = does not follow the DTD, expecting ( ..., got=20 ++ ++ ^ ++./test/valid/781333.xml:5: element a: validity error : Element a content = does not follow the DTD, Expecting more child ++ ++^ +diff --git a/test/valid/781333.xml b/test/valid/781333.xml +new file mode 100644 +index 00000000..b29e5a68 +--- /dev/null ++++ b/test/valid/781333.xml +@@ -0,0 +1,4 @@ ++ ++]> ++ +diff --git a/valid.c b/valid.c +index 19f84b82..9b2df56a 100644 +--- a/valid.c ++++ b/valid.c +@@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xml= ElementContentPtr content, int + case XML_ELEMENT_CONTENT_PCDATA: + strcat(buf, "#PCDATA"); + break; +- case XML_ELEMENT_CONTENT_ELEMENT: ++ case XML_ELEMENT_CONTENT_ELEMENT: { ++ int qnameLen =3D xmlStrlen(content->name); ++ ++ if 
(content->prefix !=3D NULL) ++ qnameLen +=3D xmlStrlen(content->prefix) + 1; ++ if (size - len < qnameLen + 10) { ++ strcat(buf, " ..."); ++ return; ++ } + if (content->prefix !=3D NULL) { +- if (size - len < xmlStrlen(content->prefix) + 10) { +- strcat(buf, " ..."); +- return; +- } + strcat(buf, (char *) content->prefix); + strcat(buf, ":"); + } +- if (size - len < xmlStrlen(content->name) + 10) { +- strcat(buf, " ..."); +- return; +- } + if (content->name !=3D NULL) + strcat(buf, (char *) content->name); + break; ++ } + case XML_ELEMENT_CONTENT_SEQ: + if ((content->c1->type =3D=3D XML_ELEMENT_CONTENT_OR) || + (content->c1->type =3D=3D XML_ELEMENT_CONTENT_SEQ)) +@@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlEl= ementContentPtr content, int + xmlSnprintfElementContent(buf, size, content->c2, 0); + break; + } ++ if (size - strlen(buf) <=3D 2) return; + if (englob) + strcat(buf, ")"); + switch (content->ocur) { +--=20 +2.14.1 + diff --git a/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch= b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch new file mode 100644 index 000000000..890e9c228 =2D-- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch 
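Review bot: in the valid.c hunk of libxml2-CVE-2017-9047+CVE-2017-9048.patch, the new guard `if (size - strlen(buf) <= 2) return;` subtracts a `size_t` from the `int` `size`, so the arithmetic is unsigned: it returns early only while `strlen(buf) <= size` and would silently pass if the buffer were already overfull. The preceding `if (size - len < qnameLen + 10)` check keeps that invariant, so the hunk is correct as copied from upstream 932cc9896ab41475d4aa429c27d9afd175959d74; anyone touching it locally should compare as `strlen(buf) + 2 >= (size_t) size` or cast `strlen(buf)` to `int` to make the intent explicit rather than relying on the invariant.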
@@ -0,0 +1,319 @@ +Fix CVE-2017-{9049,9050}: + +https://bugzilla.gnome.org/show_bug.cgi?id=3D781205 (not yet public) +https://bugzilla.gnome.org/show_bug.cgi?id=3D781361 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-9049 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-9050 +http://www.openwall.com/lists/oss-security/2017/05/15/1 +https://security-tracker.debian.org/tracker/CVE-2017-9049 +https://security-tracker.debian.org/tracker/CVE-2017-9050 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=3De26630548e7d138d2c560844= c43820b6767251e3 + +Changes to 'runtest.c' are removed since they introduce test failure +when applying to libxml2 2.9.4 release tarball. + +From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 5 Jun 2017 15:37:17 +0200 +Subject: [PATCH] Fix handling of parameter-entity references +MIME-Version: 1.0 +Content-Type: text/plain; charset=3DUTF-8 +Content-Transfer-Encoding: 8bit + +There were two bugs where parameter-entity references could lead to an +unexpected change of the input buffer in xmlParseNameComplex and +xmlDictLookup being called with an invalid pointer. + +Percent sign in DTD Names +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +The NEXTL macro used to call xmlParserHandlePEReference. When parsing +"complex" names inside the DTD, this could result in entity expansion +which created a new input buffer. The fix is to simply remove the call +to xmlParserHandlePEReference from the NEXTL macro. This is safe because +no users of the macro require expansion of parameter entities. + +- xmlParseNameComplex +- xmlParseNCNameComplex +- xmlParseNmtoken + +The percent sign is not allowed in names, which are grammatical tokens. + +- xmlParseEntityValue + +Parameter-entity references in entity values are expanded but this +happens in a separate step in this function. 
+ +- xmlParseSystemLiteral + +Parameter-entity references are ignored in the system literal. + +- xmlParseAttValueComplex +- xmlParseCharDataComplex +- xmlParseCommentComplex +- xmlParsePI +- xmlParseCDSect + +Parameter-entity references are ignored outside the DTD. + +- xmlLoadEntityContent + +This function is only called from xmlStringLenDecodeEntities and +entities are replaced in a separate step immediately after the function +call. + +This bug could also be triggered with an internal subset and double +entity expansion. + +This fixes bug 766956 initially reported by Wei Lei and independently by +Chromium's ClusterFuzz, Hanno B=C3=B6ck, and Marco Grassi. Thanks to every= one +involved. + +xmlParseNameComplex with XML_PARSE_OLD10 +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +When parsing Names inside an expanded parameter entity with the +XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the +GROW macro if the input buffer was exhausted. At the end of the +parameter entity's replacement text, this function would then call +xmlPopInput which invalidated the input buffer. + +There should be no need to invoke GROW in this situation because the +buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and, +at least for UTF-8, in xmlCurrentChar. This also matches the code path +executed when XML_PARSE_OLD10 is not set. + +This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050). +Thanks to Marcel B=C3=B6hme and Thuan Pham for the report. + +Additional hardening +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +A separate check was added in xmlParseNameComplex to validate the +buffer size. 
+--- + Makefile.am | 18 ++++++++++++++++++ + parser.c | 18 ++++++++++-------- + result/errors10/781205.xml | 0 + result/errors10/781205.xml.err | 21 +++++++++++++++++++++ + result/errors10/781361.xml | 0 + result/errors10/781361.xml.err | 13 +++++++++++++ + result/valid/766956.xml | 0 + result/valid/766956.xml.err | 9 +++++++++ + result/valid/766956.xml.err.rdr | 10 ++++++++++ + runtest.c | 3 +++ + test/errors10/781205.xml | 3 +++ + test/errors10/781361.xml | 3 +++ + test/valid/766956.xml | 2 ++ + test/valid/dtds/766956.dtd | 2 ++ + 14 files changed, 94 insertions(+), 8 deletions(-) + create mode 100644 result/errors10/781205.xml + create mode 100644 result/errors10/781205.xml.err + create mode 100644 result/errors10/781361.xml + create mode 100644 result/errors10/781361.xml.err + create mode 100644 result/valid/766956.xml + create mode 100644 result/valid/766956.xml.err + create mode 100644 result/valid/766956.xml.err.rdr + create mode 100644 test/errors10/781205.xml + create mode 100644 test/errors10/781361.xml + create mode 100644 test/valid/766956.xml + create mode 100644 test/valid/dtds/766956.dtd + +diff --git a/Makefile.am b/Makefile.am +index 6fc8ffa9..10e716a5 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -427,6 +427,24 @@ Errtests : xmllint$(EXEEXT) + if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \ + rm result.$$name error.$$name ; \ + fi ; fi ; done) ++ @echo "## Error cases regression tests (old 1.0)" ++ -@(for i in $(srcdir)/test/errors10/*.xml ; do \ ++ name=3D`basename $$i`; \ ++ if [ ! -d $$i ] ; then \ ++ if [ ! 
-f $(srcdir)/result/errors10/$$name ] ; then \ ++ echo New test file $$name ; \ ++ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \ ++ 2> $(srcdir)/result/errors10/$$name.err \ ++ > $(srcdir)/result/errors10/$$name ; \ ++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ ++ else \ ++ log=3D`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.= $$name > result.$$name ; \ ++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ ++ diff $(srcdir)/result/errors10/$$name result.$$name ; \ ++ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \ ++ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \ ++ rm result.$$name error.$$name ; \ ++ fi ; fi ; done) + @echo "## Error cases stream regression tests" + -@(for i in $(srcdir)/test/errors/*.xml ; do \ + name=3D`basename $$i`; \ +diff --git a/parser.c b/parser.c +index df2efa55..a175ac4e 100644 +--- a/parser.c ++++ b/parser.c +@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { + ctxt->input->line++; ctxt->input->col =3D 1; \ + } else ctxt->input->col++; \ + ctxt->input->cur +=3D l; \ +- if (*ctxt->input->cur =3D=3D '%') xmlParserHandlePEReference(ctxt); \ + } while (0) +=20 + #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l) +@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + len +=3D l; + NEXTL(l); + c =3D CUR_CHAR(l); +- if (c =3D=3D 0) { +- count =3D 0; +- GROW; +- if (ctxt->instate =3D=3D XML_PARSER_EOF) +- return(NULL); +- c =3D CUR_CHAR(l); +- } + } + } + if ((len > XML_MAX_NAME_LENGTH) && +@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); + return(NULL); + } ++ if (ctxt->input->cur - ctxt->input->base < len) { ++ /* ++ * There were a couple of bugs where PERefs lead to to a change ++ * of the buffer. Check the buffer size to avoid passing an inval= id ++ * pointer to xmlDictLookup. 
++ */ ++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, ++ "unexpected change of input buffer"); ++ return (NULL); ++ } + if ((*ctxt->input->cur =3D=3D '\n') && (ctxt->input->cur[-1] =3D=3D '= \r')) + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), le= n)); + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); +diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.e= rr +new file mode 100644 +index 00000000..da15c3f7 +--- /dev/null ++++ b/result/errors10/781205.xml.err +@@ -0,0 +1,21 @@ ++Entity: line 1: parser error : internal error: xmlParseInternalSubset: er= ror detected in Markup declaration ++ ++ %a;=20 ++ ^ ++Entity: line 1:=20 ++<:0000 ++^ ++Entity: line 1: parser error : DOCTYPE improperly terminated ++ %a;=20 ++ ^ ++Entity: line 1:=20 ++<:0000 ++^ ++namespace error : Failed to parse QName ':0000' ++ %a;=20 ++ ^ ++<:0000 ++ ^ ++./test/errors10/781205.xml:4: parser error : Couldn't find end of Start T= ag :0000 line 1 ++ ++^ +diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.e= rr +new file mode 100644 +index 00000000..655f41a2 +--- /dev/null ++++ b/result/errors10/781361.xml.err +@@ -0,0 +1,13 @@ ++./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY'= , 'ANY' or '(' expected ++ ++^ ++./test/errors10/781361.xml:4: parser error : internal error: xmlParseInte= rnalSubset: error detected in Markup declaration ++ ++ ++^ ++./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated ++ ++^ ++./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not = found ++ ++^ +diff --git a/result/valid/766956.xml b/result/valid/766956.xml +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/valid/766956.xml.err 
b/result/valid/766956.xml.err +new file mode 100644 +index 00000000..34b1dae6 +--- /dev/null ++++ b/result/valid/766956.xml.err +@@ -0,0 +1,9 @@ ++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' ++%=C3=A4%ent; ++ ^ ++Entity: line 1: parser error : Content error in the external subset ++ %ent;=20 ++ ^ ++Entity: line 1:=20 ++value ++^ +diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err= .rdr +new file mode 100644 +index 00000000..77603462 +--- /dev/null ++++ b/result/valid/766956.xml.err.rdr +@@ -0,0 +1,10 @@ ++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' ++%=C3=A4%ent; ++ ^ ++Entity: line 1: parser error : Content error in the external subset ++ %ent;=20 ++ ^ ++Entity: line 1:=20 ++value ++^ ++./test/valid/766956.xml : failed to parse +diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml +new file mode 100644 +index 00000000..d9e9e839 +--- /dev/null ++++ b/test/errors10/781205.xml +@@ -0,0 +1,3 @@ ++ ++ %a; +diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml +new file mode 100644 +index 00000000..67476bcb +--- /dev/null ++++ b/test/errors10/781361.xml +@@ -0,0 +1,3 @@ ++ ++ %elem; +diff --git a/test/valid/766956.xml b/test/valid/766956.xml +new file mode 100644 +index 00000000..19a95a0e +--- /dev/null ++++ b/test/valid/766956.xml +@@ -0,0 +1,2 @@ ++ ++ +diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd +new file mode 100644 +index 00000000..dddde68b +--- /dev/null ++++ b/test/valid/dtds/766956.dtd +@@ -0,0 +1,2 @@ ++ ++%=C3=A4%ent; +--=20 +2.14.1 + diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index dd229ba73..b4aa89e88 100644 =2D-- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -16,6 +16,7 @@ ;;; Copyright =C2=A9 2016, 2017 Marius Bakke ;;; Copyright =C2=A9 2017 Adriano Peluso ;;; Copyright =C2=A9 2017 Gregor Giesen +;;; Copyright =C2=A9 2017 Alex Vong ;;; ;;; This file is part of GNU Guix. ;;; 
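Review bot: the diffstat at the top of libxml2-CVE-2017-9049+CVE-2017-9050.patch still lists `runtest.c | 3 +++` and `14 files changed, 94 insertions(+), 8 deletions(-)` even though the header says the runtest.c changes were removed; `patch` and `git apply` ignore the stat block, but it misleads anyone auditing the backport, so either drop that line and adjust the totals or state in the header that the stat is upstream's. Without the runtest.c hunk the new `test/errors10` cases are exercised only by the `Errtests` target added to Makefile.am and not by `runtest`, so it is worth checking which of the two the package's check phase actually runs and noting the answer in the header.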
@@ -110,6 +111,7 @@ hierarchical form with variable field lengths.") (package (name "libxml2") (version "2.9.4") + (replacement libxml2/fixed) (source (origin (method url-fetch) (uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-" 
@@ -138,6 +140,19 @@ hierarchical form with variable field lengths.") project (but it is usable outside of the Gnome platform).") (license license:x11))) =20 +(define libxml2/fixed + (package + (inherit libxml2) + (source + (origin + (inherit (package-source libxml2)) + (patches + (search-patches "libxml2-CVE-2017-0663.patch" + "libxml2-CVE-2017-7375.patch" + "libxml2-CVE-2017-7376.patch" + "libxml2-CVE-2017-9047+CVE-2017-9048.patch" + "libxml2-CVE-2017-9049+CVE-2017-9050.patch")))))) + (define-public python-libxml2 (package (inherit libxml2) (name "python-libxml2") =2D-=20 2.14.1

Previously, I had a Savannah account, but then I deleted it, since I
didn't use it. Now I realize I cannot create a new account with the same
username... I am asking for help from the Savannah admin.
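Review bot: the `libxml2/fixed` origin in the gnu/packages/xml.scm hunk sets `patches` to only the five 2017 patches, and an explicit field in `(origin (inherit (package-source libxml2)) ...)` replaces the inherited value rather than extending it, so the graft loses `libxml2-CVE-2016-4658.patch` and `libxml2-CVE-2016-5131.patch`, which the base `libxml2` source carries (the first revision of this patch listed both alongside the new ones). Build the list as `(patches (append (origin-patches (package-source libxml2)) (search-patches "libxml2-CVE-2017-0663.patch" ...)))` so the replacement keeps the existing fixes; otherwise everything grafted onto `libxml2/fixed` regresses on the 2016 CVEs.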
ESMTPA id 7D8F57E7AD; Thu, 31 Aug 2017 15:52:51 -0400 (EDT) 
From: Marius Bakke
To: Alex Vong
Subject: Re: [bug#28294] [PATCH] gnu: libxml2: Fix CVE-2017-{0663, 7375, 7376, 9047, 9048, 9049, 9050}.
In-Reply-To: <87y3q0ow9h.fsf@gmail.com>
References: <87inh5uqpd.fsf@gmail.com> <87inh4lw7y.fsf@fastmail.com> <87y3q0ow9h.fsf@gmail.com>
Date: Thu, 31 Aug 2017 21:52:49 +0200
Message-ID: <87k21jjyzy.fsf@fastmail.com>
Cc: 28294-done@debbugs.gnu.org

Alex Vong writes:

> Marius Bakke writes:
>
>> Alex Vong writes:
>>
>>> Severity: important
>>> Tags: patch security
>>>
>>> Hi,
>>>
>>> This patch fixes CVEs of libxml2. The changes to 'runtest.c' in
>>> 'libxml2-CVE-2017-9049+CVE-2017-9050.patch' are removed since they
>>> introduce a test failure. The changes only enable new tests, so it should
>>> be fine to remove them.
>>
>> Thanks for this! I think we have to graft this fix since changing
>> 'libxml2' would rebuild 2/3 of the tree. Can you try that?
>>
>> PS: Do you have a Savannah account? I'm sure Ludo or someone can add
>> you given the steady rate of quality commits.
>
> Sure, here is the new patch:

Pushed, thanks! I added tabs before the line breaks in gnu/local.mk, but otherwise untouched.

Side note: I think we should start adding patches as origins instead of copying them wholesale, to try and keep the git repository slim.
From: Debbugs Internal Request
Subject: Internal Control
Date: Fri, 29 Sep 2017 11:24:06 +0000

bug archived.
