libxmltok (1.2-4ubuntu1) kinetic; urgency=medium

  * SECURITY UPDATE: Incomplete validation of encoding
    - debian/patches/CVE-2022-25235-1.patch: remove the unused macro
      UTF8_GET_NAMING from xmltok/xmltok.c.
    - debian/patches/CVE-2022-25235-2.patch: add verification calls to
      IS_INVALID_CHAR() in CHECK_NAME_CASE, CHECK_NMSTRT_CASE and
      prologTok methods.
    - debian/patches/CVE-2022-25235-3.patch: add comments to BT_LEAD
      cases in xmltok/xmltok_impl.c.
    - CVE-2022-25235
  * SECURITY UPDATE: Namespace-separator insertions
    - debian/patches/CVE-2022-25236-1.patch: add a validation for
      nameSpaceSeparator in addBinding() in xmlparse/xmlparse.c.
    - debian/patches/CVE-2022-25236-2.patch: add a new method
      is_rfc3986_uri_char() to the previous validation in addBinding()
      in xmlparse/xmlparse.c.
    - CVE-2022-25236

 -- Rodrigo Figueiredo Zaiden <email address hidden>  Fri, 15 Jul 2022 10:32:03 -0300