gnu: libxml2: Fix CVE-2016-3627 and CVE-2016-3705.

* gnu/packages/patches/libxml2-CVE-2016-3627.patch,
gnu/packages/patches/libxml2-CVE-2016-3705.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/xml.scm (libxml2)[replacement]: New field.
(libxml2/fixed): New variable.

1 files changed, 68 insertions, 0 deletions

diff --git a/gnu/packages/patches/libxml2-CVE-2016-3705.patch b/gnu/packages/patches/libxml2-CVE-2016-3705.patch
new file mode 100644
index 0000000000..e803630f3a
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2016-3705.patch
@@ -0,0 +1,68 @@
+From <http://seclists.org/fulldisclosure/2016/May/10>.
+
+From 6f0af3f6b9b1c5f82a2bb5ded65923437fee5d21 Mon Sep 17 00:00:00 2001
+From: Peter Simons <psimons () suse com>
+Date: Fri, 15 Apr 2016 11:56:55 +0200
+Subject: [PATCH 2/2] Add missing increments of recursion depth counter to XML
+ parser.
+
+The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
+xmlStringDecodeEntities() in a recursive context without incrementing the
+'depth' counter in the parser context. Because of that omission, the parser
+failed to detect attribute recursions in certain documents before running out
+of stack space.
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 9604a72..4da151f 100644
+--- a/parser.c
++++ b/parser.c
+@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ 
+ 	ent->checked = 1;
+ 
++        ++ctxt->depth;
+ 	rep = xmlStringDecodeEntities(ctxt, ent->content,
+ 				  XML_SUBSTITUTE_REF, 0, 0, 0);
++        --ctxt->depth;
+ 
+ 	ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ 	if (rep != NULL) {
+@@ -3966,8 +3968,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
+ 	 * an entity declaration, it is bypassed and left as is.
+ 	 * so XML_SUBSTITUTE_REF is not set here.
+ 	 */
++        ++ctxt->depth;
+ 	ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
+ 				      0, 0, 0);
++        --ctxt->depth;
+ 	if (orig != NULL)
+ 	    *orig = buf;
+ 	else
+@@ -4092,9 +4096,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ 		} else if ((ent != NULL) &&
+ 		           (ctxt->replaceEntities != 0)) {
+ 		    if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
++			++ctxt->depth;
+ 			rep = xmlStringDecodeEntities(ctxt, ent->content,
+ 						      XML_SUBSTITUTE_REF,
+ 						      0, 0, 0);
++			--ctxt->depth;
+ 			if (rep != NULL) {
+ 			    current = rep;
+ 			    while (*current != 0) { /* non input consuming */
+@@ -4130,8 +4136,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ 			(ent->content != NULL) && (ent->checked == 0)) {
+ 			unsigned long oldnbent = ctxt->nbentities;
+ 
++			++ctxt->depth;
+ 			rep = xmlStringDecodeEntities(ctxt, ent->content,
+ 						  XML_SUBSTITUTE_REF, 0, 0, 0);
++			--ctxt->depth;
+ 
+ 			ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ 			if (rep != NULL) {
+-- 
+2.8.1