diff --git a/SOURCES/libxml2-Add-xmlHaltParser-to-stop-the-parser.patch b/SOURCES/libxml2-Add-xmlHaltParser-to-stop-the-parser.patch
new file mode 100644
index 0000000..c3cdbe1
--- /dev/null
+++ b/SOURCES/libxml2-Add-xmlHaltParser-to-stop-the-parser.patch
@@ -0,0 +1,84 @@
+From d6b6dc7bb5e68fa11cb980bc08c4d9ea3f39b190 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 14:55:30 +0800
+Subject: [PATCH] Add xmlHaltParser() to stop the parser
+To: libvir-list@redhat.com
+
+The problem is doing it in a consistent and safe fashion
+It's more complex than just setting ctxt->instate = XML_PARSER_EOF
+Update the public function to reuse that new internal routine
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 34 +++++++++++++++++++++++++++++-----
+ 1 file changed, 29 insertions(+), 5 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index e536e54..5b4f719 100644
+--- a/parser.c
++++ b/parser.c
+@@ -94,6 +94,8 @@ static xmlParserCtxtPtr
+ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
+ const xmlChar *base, xmlParserCtxtPtr pctx);
+
++static void xmlHaltParser(xmlParserCtxtPtr ctxt);
++
+ /************************************************************************
+ * *
+ * Arbitrary limits set in the parser. See XML_PARSE_HUGE *
+@@ -12558,25 +12560,47 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data,
+ #endif /* LIBXML_PUSH_ENABLED */
+
+ /**
+- * xmlStopParser:
++ * xmlHaltParser:
+ * @ctxt: an XML parser context
+ *
+- * Blocks further parser processing
++ * Blocks further parser processing don't override error
++ * for internal use
+ */
+-void
+-xmlStopParser(xmlParserCtxtPtr ctxt) {
++static void
++xmlHaltParser(xmlParserCtxtPtr ctxt) {
+ if (ctxt == NULL)
+ return;
+ ctxt->instate = XML_PARSER_EOF;
+- ctxt->errNo = XML_ERR_USER_STOP;
+ ctxt->disableSAX = 1;
+ if (ctxt->input != NULL) {
++ /*
++ * in case there was a specific allocation deallocate before
++ * overriding base
++ */
++ if (ctxt->input->free != NULL) {
++ ctxt->input->free((xmlChar *) ctxt->input->base);
++ ctxt->input->free = NULL;
++ }
+ ctxt->input->cur = BAD_CAST"";
+ ctxt->input->base = ctxt->input->cur;
+ }
+ }
+
+ /**
++ * xmlStopParser:
++ * @ctxt: an XML parser context
++ *
++ * Blocks further parser processing
++ */
++void
++xmlStopParser(xmlParserCtxtPtr ctxt) {
++ if (ctxt == NULL)
++ return;
++ xmlHaltParser(ctxt);
++ ctxt->errNo = XML_ERR_USER_STOP;
++}
++
++/**
+ * xmlCreateIOParserCtxt:
+ * @sax: a SAX handler
+ * @user_data: The user data returned on SAX callbacks
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-Another-variation-of-overflow-in-Conditional-sections.patch b/SOURCES/libxml2-Another-variation-of-overflow-in-Conditional-sections.patch
new file mode 100644
index 0000000..07186c3
--- /dev/null
+++ b/SOURCES/libxml2-Another-variation-of-overflow-in-Conditional-sections.patch
@@ -0,0 +1,35 @@
+From 8d9f8c6dca5fd34743ed11ef0c570c4306db10e5 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 23 Oct 2015 19:02:28 +0800
+Subject: [PATCH] Another variation of overflow in Conditional sections
+To: libvir-list@redhat.com
+
+Which happen after the previous fix to
+https://bugzilla.gnome.org/show_bug.cgi?id=756456
+
+But stopping the parser and exiting we didn't pop the intermediary entities
+and doing the SKIP there applies on an input which may be too small
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index e2e0ad8..4926ab0 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6895,7 +6895,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ "All markup of the conditional section is not in the same entity\n",
+ NULL, NULL);
+ }
+- SKIP(3);
++ if ((ctxt-> instate != XML_PARSER_EOF) &&
++ ((ctxt->input->cur + 3) < ctxt->input->end))
++ SKIP(3);
+ }
+ }
+
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch b/SOURCES/libxml2-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch
new file mode 100644
index 0000000..dccb5d0
--- /dev/null
+++ b/SOURCES/libxml2-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch
@@ -0,0 +1,38 @@
+From eb1114e90b22e09d500840bac1e171763e8baa16 Mon Sep 17 00:00:00 2001
+From: Hugh Davenport <hugh@allthethings.co.nz>
+Date: Tue, 3 Nov 2015 20:40:49 +0800
+Subject: [PATCH] Avoid extra processing of MarkupDecl when EOF
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756263
+
+One place where ctxt->instate == XML_PARSER_EOF whic was set up
+by entity detection issues doesn't get noticed, and even overrided
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index b56d94c..262db1e 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6952,6 +6952,14 @@ xmlParseMarkupDecl(xmlParserCtxtPtr ctxt) {
+ xmlParsePI(ctxt);
+ }
+ }
++
++ /*
++ * detect requirement to exit there and act accordingly
++ * and avoid having instate overriden later on
++ */
++ if (ctxt->instate == XML_PARSER_EOF)
++ return;
++
+ /*
+ * This is only for internal subset. On external entities,
+ * the replacement is done before parsing stage
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-Avoid-processing-entities-after-encoding-conversion-failures.patch b/SOURCES/libxml2-Avoid-processing-entities-after-encoding-conversion-failures.patch
new file mode 100644
index 0000000..540cf7b
--- /dev/null
+++ b/SOURCES/libxml2-Avoid-processing-entities-after-encoding-conversion-failures.patch
@@ -0,0 +1,85 @@
+From 7c2be3213eeddd202c3e4c600cf3cfac06fb128a Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 9 Nov 2015 18:07:18 +0800
+Subject: [PATCH] Avoid processing entities after encoding conversion failures
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756527
+and was also raised by Chromium team in the past
+
+When we hit a convwersion failure when switching encoding
+it is bestter to stop parsing there, this was treated as a
+fatal error but the parser was continuing to process to extract
+more errors, unfortunately that makes little sense as the data
+is obviously corrupt and can potentially lead to unexpected behaviour.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 7 +++++--
+ parserInternals.c | 11 ++++++++++-
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 262db1e..134ea7f 100644
+--- a/parser.c
++++ b/parser.c
+@@ -10598,7 +10598,8 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) {
+ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n");
+ }
+ xmlParseEncodingDecl(ctxt);
+- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
++ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
++ (ctxt->instate == XML_PARSER_EOF)) {
+ /*
+ * The XML REC instructs us to stop parsing right here
+ */
+@@ -10722,6 +10723,7 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
+
+ if (CUR == 0) {
+ xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
++ return(-1);
+ }
+
+ /*
+@@ -10739,7 +10741,8 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
+ * Note that we will switch encoding on the fly.
+ */
+ xmlParseXMLDecl(ctxt);
+- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
++ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
++ (ctxt->instate == XML_PARSER_EOF)) {
+ /*
+ * The XML REC instructs us to stop parsing right here
+ */
+diff --git a/parserInternals.c b/parserInternals.c
+index f8a7041..9acfea4 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -937,6 +937,7 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
+ {
+ xmlCharEncodingHandlerPtr handler;
+ int len = -1;
++ int ret;
+
+ if (ctxt == NULL) return(-1);
+ switch (enc) {
+@@ -1097,7 +1098,15 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
+ if (handler == NULL)
+ return(-1);
+ ctxt->charset = XML_CHAR_ENCODING_UTF8;
+- return(xmlSwitchToEncodingInt(ctxt, handler, len));
++ ret = xmlSwitchToEncodingInt(ctxt, handler, len);
++ if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) {
++ /*
++ * on encoding conversion errors, stop the parser
++ */
++ xmlStopParser(ctxt);
++ ctxt->errNo = XML_I18N_CONV_FAILED;
++ }
++ return(ret);
+ }
+
+ /**
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-Bug-on-creating-new-stream-from-entity.patch b/SOURCES/libxml2-Bug-on-creating-new-stream-from-entity.patch
new file mode 100644
index 0000000..ad95ae3
--- /dev/null
+++ b/SOURCES/libxml2-Bug-on-creating-new-stream-from-entity.patch
@@ -0,0 +1,30 @@
+From 3154c607f22497fa843b8ad8a596ef5523d42ee6 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 15:07:38 +0800
+Subject: [PATCH] Bug on creating new stream from entity
+To: libvir-list@redhat.com
+
+sometimes the entity could have a lenght of 0, i.e. it wasn't
+parsed or used yet, and we ended up with an incoherent input state
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parserInternals.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/parserInternals.c b/parserInternals.c
+index 9acfea4..1fe1f6a 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -1459,6 +1459,8 @@ xmlNewEntityInputStream(xmlParserCtxtPtr ctxt, xmlEntityPtr entity) {
+ if (entity->URI != NULL)
+ input->filename = (char *) xmlStrdup((xmlChar *) entity->URI);
+ input->base = entity->content;
++ if (entity->length == 0)
++ entity->length = xmlStrlen(entity->content);
+ input->cur = entity->content;
+ input->length = entity->length;
+ input->end = &entity->content[input->length];
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-memory.patch b/SOURCES/libxml2-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-memory.patch
new file mode 100644
index 0000000..704ff96
--- /dev/null
+++ b/SOURCES/libxml2-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-memory.patch
@@ -0,0 +1,179 @@
+From 5cec67e3f8d56e6e5fda2f90e102950cbb09e3d1 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 14 Apr 2015 17:41:48 +0800
+Subject: [PATCH] CVE-2015-1819 Enforce the reader to run in constant memory
+To: libvir-list@redhat.com
+
+One of the operation on the reader could resolve entities
+leading to the classic expansion issue. Make sure the
+buffer used for xmlreader operation is bounded.
+Introduce a new allocation type for the buffers for this effect.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
+ include/libxml/tree.h | 3 ++-
+ xmlreader.c | 20 +++++++++++++++++++-
+ 3 files changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/buf.c b/buf.c
+index d1756c4..b52e41d 100644
+--- a/buf.c
++++ b/buf.c
+@@ -27,6 +27,7 @@
+ #include <libxml/tree.h>
+ #include <libxml/globals.h>
+ #include <libxml/tree.h>
++#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
+ #include "buf.h"
+
+ #define WITH_BUFFER_COMPAT
+@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
+ if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
+ (scheme == XML_BUFFER_ALLOC_EXACT) ||
+ (scheme == XML_BUFFER_ALLOC_HYBRID) ||
+- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
++ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
++ (scheme == XML_BUFFER_ALLOC_BOUNDED)) {
+ buf->alloc = scheme;
+ if (buf->buffer)
+ buf->buffer->alloc = scheme;
+@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
+ size = buf->use + len + 100;
+ #endif
+
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
++ (buf->size >= XML_MAX_TEXT_LENGTH)) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(0);
++ }
++ if (size >= XML_MAX_TEXT_LENGTH)
++ size = XML_MAX_TEXT_LENGTH;
++ }
+ if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
+ size_t start_buf = buf->content - buf->contentIO;
+
+@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ CHECK_COMPAT(buf)
+
+ if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if (size >= XML_MAX_TEXT_LENGTH) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(0);
++ }
++ }
+
+ /* Don't resize if we don't have to */
+ if (size < buf->size)
+@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
+
+ needSize = buf->use + len + 2;
+ if (needSize > buf->size){
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if (needSize >= XML_MAX_TEXT_LENGTH) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(-1);
++ }
++ }
+ if (!xmlBufResize(buf, needSize)){
+ xmlBufMemoryError(buf, "growing buffer");
+ return XML_ERR_NO_MEMORY;
+@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
+ }
+ needSize = buf->use + len + 2;
+ if (needSize > buf->size){
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if (needSize >= XML_MAX_TEXT_LENGTH) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(-1);
++ }
++ }
+ if (!xmlBufResize(buf, needSize)){
+ xmlBufMemoryError(buf, "growing buffer");
+ return XML_ERR_NO_MEMORY;
+diff --git a/include/libxml/tree.h b/include/libxml/tree.h
+index 7e06686..d904a44 100644
+--- a/include/libxml/tree.h
++++ b/include/libxml/tree.h
+@@ -76,7 +76,8 @@ typedef enum {
+ XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */
+ XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
+ XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */
+- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */
++ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */
++ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */
+ } xmlBufferAllocationScheme;
+
+ /**
+diff --git a/xmlreader.c b/xmlreader.c
+index 00083d0..4fabaa9 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -2077,6 +2077,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
+ "xmlNewTextReader : malloc failed\n");
+ return(NULL);
+ }
++ /* no operation on a reader should require a huge buffer */
++ xmlBufSetAllocationScheme(ret->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
+ ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+ if (ret->sax == NULL) {
+ xmlBufFree(ret->buffer);
+@@ -3602,6 +3605,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+ return(((xmlNsPtr) node)->href);
+ case XML_ATTRIBUTE_NODE:{
+ xmlAttrPtr attr = (xmlAttrPtr) node;
++ const xmlChar *ret;
+
+ if ((attr->children != NULL) &&
+ (attr->children->type == XML_TEXT_NODE) &&
+@@ -3615,10 +3619,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+ "xmlTextReaderSetup : malloc failed\n");
+ return (NULL);
+ }
++ xmlBufSetAllocationScheme(reader->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
+ } else
+ xmlBufEmpty(reader->buffer);
+ xmlBufGetNodeContent(reader->buffer, node);
+- return(xmlBufContent(reader->buffer));
++ ret = xmlBufContent(reader->buffer);
++ if (ret == NULL) {
++ /* error on the buffer best to reallocate */
++ xmlBufFree(reader->buffer);
++ reader->buffer = xmlBufCreateSize(100);
++ xmlBufSetAllocationScheme(reader->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
++ ret = BAD_CAST "";
++ }
++ return(ret);
+ }
+ break;
+ }
+@@ -5117,6 +5132,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
+ "xmlTextReaderSetup : malloc failed\n");
+ return (-1);
+ }
++ /* no operation on a reader should require a huge buffer */
++ xmlBufSetAllocationScheme(reader->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
+ if (reader->sax == NULL)
+ reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+ if (reader->sax == NULL) {
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-CVE-2015-5312-Another-entity-expansion-issue.patch b/SOURCES/libxml2-CVE-2015-5312-Another-entity-expansion-issue.patch
new file mode 100644
index 0000000..2a56a4b
--- /dev/null
+++ b/SOURCES/libxml2-CVE-2015-5312-Another-entity-expansion-issue.patch
@@ -0,0 +1,35 @@
+From 4e1ea576167520bbc2bad50797119983e133af74 Mon Sep 17 00:00:00 2001
+From: David Drysdale <drysdale@google.com>
+Date: Fri, 20 Nov 2015 11:13:45 +0800
+Subject: [PATCH] CVE-2015-5312 Another entity expansion issue
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756733
+It is one case where the code in place to detect entities expansions
+failed to exit when the situation was detected, leading to DoS
+Problem reported by Kostya Serebryany @ Google
+Patch provided by David Drysdale @ Google
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index a58dda3..e536e54 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2801,6 +2801,10 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 0, 0, 0);
+ ctxt->depth--;
+
++ if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
++ (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
++ goto int_error;
++
+ if (rep != NULL) {
+ current = rep;
+ while (*current != 0) { /* non input consuming loop */
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDictComputeFastQKey.patch b/SOURCES/libxml2-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDictComputeFastQKey.patch
new file mode 100644
index 0000000..3739993
--- /dev/null
+++ b/SOURCES/libxml2-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDictComputeFastQKey.patch
@@ -0,0 +1,36 @@
+From 540a3b58c233db4f2d2becea9c2b79b3ce190055 Mon Sep 17 00:00:00 2001
+From: David Drysdale <drysdale@google.com>
+Date: Fri, 20 Nov 2015 10:47:12 +0800
+Subject: [PATCH] CVE-2015-7497 Avoid an heap buffer overflow in
+ xmlDictComputeFastQKey
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756528
+It was possible to hit a negative offset in the name indexing
+used to randomize the dictionary key generation
+Reported and fix provided by David Drysdale @ Google
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ dict.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index 5f71d55..8c8f931 100644
+--- a/dict.c
++++ b/dict.c
+@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
+ value += 30 * (*prefix);
+
+ if (len > 10) {
+- value += name[len - (plen + 1 + 1)];
++ int offset = len - (plen + 1 + 1);
++ if (offset < 0)
++ offset = len - (10 + 1);
++ value += name[offset];
+ len = 10;
+ if (plen > 10)
+ plen = 10;
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-CVE-2015-7500-Fix-memory-access-error-due-to-incorrect-entities-boundaries.patch b/SOURCES/libxml2-CVE-2015-7500-Fix-memory-access-error-due-to-incorrect-entities-boundaries.patch
new file mode 100644
index 0000000..cf46f38
--- /dev/null
+++ b/SOURCES/libxml2-CVE-2015-7500-Fix-memory-access-error-due-to-incorrect-entities-boundaries.patch
@@ -0,0 +1,108 @@
+From d9825f106532a898bb6df46effa0bf099ec16a47 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 16:06:59 +0800
+Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect
+ entities boundaries
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756525
+handle properly the case where we popped out of the current entity
+while processing a start tag
+Reported by Kostya Serebryany @ Google
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 28 ++++++++++++++++++++++------
+ 1 file changed, 22 insertions(+), 6 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index cc45e17..f4fc310 100644
+--- a/parser.c
++++ b/parser.c
+@@ -9309,7 +9309,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
+ const xmlChar **atts = ctxt->atts;
+ int maxatts = ctxt->maxatts;
+ int nratts, nbatts, nbdef;
+- int i, j, nbNs, attval, oldline, oldcol;
++ int i, j, nbNs, attval, oldline, oldcol, inputNr;
+ const xmlChar *base;
+ unsigned long cur;
+ int nsNr = ctxt->nsNr;
+@@ -9328,6 +9328,7 @@ reparse:
+ SHRINK;
+ base = ctxt->input->base;
+ cur = ctxt->input->cur - ctxt->input->base;
++ inputNr = ctxt->inputNr;
+ oldline = ctxt->input->line;
+ oldcol = ctxt->input->col;
+ nbatts = 0;
+@@ -9353,7 +9354,8 @@ reparse:
+ */
+ SKIP_BLANKS;
+ GROW;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+
+ while (((RAW != '>') &&
+ ((RAW != '/') || (NXT(1) != '>')) &&
+@@ -9364,7 +9366,7 @@ reparse:
+
+ attname = xmlParseAttribute2(ctxt, prefix, localname,
+ &aprefix, &attvalue, &len, &alloc);
+- if (ctxt->input->base != base) {
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) {
+ if ((attvalue != NULL) && (alloc != 0))
+ xmlFree(attvalue);
+ attvalue = NULL;
+@@ -9493,7 +9495,8 @@ skip_default_ns:
+ skip_ns:
+ if (alloc != 0) xmlFree(attvalue);
+ SKIP_BLANKS;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+ continue;
+ }
+
+@@ -9530,7 +9533,8 @@ failed:
+ GROW
+ if (ctxt->instate == XML_PARSER_EOF)
+ break;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+ if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ break;
+ if (!IS_BLANK_CH(RAW)) {
+@@ -9546,7 +9550,8 @@ failed:
+ break;
+ }
+ GROW;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+ }
+
+ /*
+@@ -9713,6 +9718,17 @@ base_changed:
+ if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))
+ xmlFree((xmlChar *) atts[i]);
+ }
++
++ /*
++ * We can't switch from one entity to another in the middle
++ * of a start tag
++ */
++ if (inputNr != ctxt->inputNr) {
++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
++ "Start tag doesn't start and stop in the same entity\n");
++ return(NULL);
++ }
++
+ ctxt->input->cur = ctxt->input->base + cur;
+ ctxt->input->line = oldline;
+ ctxt->input->col = oldcol;
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-push-mode.patch b/SOURCES/libxml2-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-push-mode.patch
new file mode 100644
index 0000000..41afdb0
--- /dev/null
+++ b/SOURCES/libxml2-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-push-mode.patch
@@ -0,0 +1,45 @@
+From ebf48b59943833b5f57e909e5d00f0d6e75e874e Mon Sep 17 00:00:00 2001
+From: Hugh Davenport <hugh@allthethings.co.nz>
+Date: Fri, 20 Nov 2015 17:16:06 +0800
+Subject: [PATCH] CVE-2015-8242 Buffer overead with HTML parser in push mode
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756372
+Error in the code pointing to the codepoint in the stack for the
+current char value instead of the pointer in the input that the SAX
+callback expects
+Reported and fixed by Hugh Davenport
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ HTMLparser.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index cab499a..4331d53 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -5708,17 +5708,17 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
+ if (ctxt->keepBlanks) {
+ if (ctxt->sax->characters != NULL)
+ ctxt->sax->characters(
+- ctxt->userData, &cur, 1);
++ ctxt->userData, &in->cur[0], 1);
+ } else {
+ if (ctxt->sax->ignorableWhitespace != NULL)
+ ctxt->sax->ignorableWhitespace(
+- ctxt->userData, &cur, 1);
++ ctxt->userData, &in->cur[0], 1);
+ }
+ } else {
+ htmlCheckParagraph(ctxt);
+ if (ctxt->sax->characters != NULL)
+ ctxt->sax->characters(
+- ctxt->userData, &cur, 1);
++ ctxt->userData, &in->cur[0], 1);
+ }
+ }
+ ctxt->token = 0;
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-Cleanup-conditional-section-error-handling.patch b/SOURCES/libxml2-Cleanup-conditional-section-error-handling.patch
new file mode 100644
index 0000000..834b0a8
--- /dev/null
+++ b/SOURCES/libxml2-Cleanup-conditional-section-error-handling.patch
@@ -0,0 +1,52 @@
+From 5b47a2c6666f0293a5164f094b9e8031914b1f8f Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:29:20 +0800
+Subject: [PATCH] Cleanup conditional section error handling
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+The error handling of Conditional Section also need to be
+straightened as the structure of the document can't be
+guessed on a failure there and it's better to stop parsing
+as further errors are likely to be irrelevant.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index d790f8e..dc14e5c 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6761,6 +6761,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ SKIP_BLANKS;
+ if (RAW != '[') {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++ xmlStopParser(ctxt);
++ return;
+ } else {
+ if (ctxt->input->id != id) {
+ xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6821,6 +6823,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ SKIP_BLANKS;
+ if (RAW != '[') {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++ xmlStopParser(ctxt);
++ return;
+ } else {
+ if (ctxt->input->id != id) {
+ xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6876,6 +6880,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+
+ } else {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
++ xmlStopParser(ctxt);
++ return;
+ }
+
+ if (RAW == 0)
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-Detect-incoherency-on-GROW.patch b/SOURCES/libxml2-Detect-incoherency-on-GROW.patch
new file mode 100644
index 0000000..088a961
--- /dev/null
+++ b/SOURCES/libxml2-Detect-incoherency-on-GROW.patch
@@ -0,0 +1,39 @@
+From dfc5aae623e97336323e59a94450f1a708eb7c0c Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 15:04:09 +0800
+Subject: [PATCH] Detect incoherency on GROW
+To: libvir-list@redhat.com
+
+the current pointer to the input has to be between the base and end
+if not stop everything we have an internal state error.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 9aed98d..7602498 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2072,9 +2072,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+ ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) &&
+ ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
++ return;
+ }
+ xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
++ if ((ctxt->input->cur > ctxt->input->end) ||
++ (ctxt->input->cur < ctxt->input->base)) {
++ xmlHaltParser(ctxt);
++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound");
++ return;
++ }
+ if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) &&
+ (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0))
+ xmlPopInput(ctxt);
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-Do-not-print-error-context-when-there-is-none.patch b/SOURCES/libxml2-Do-not-print-error-context-when-there-is-none.patch
new file mode 100644
index 0000000..8318b4b
--- /dev/null
+++ b/SOURCES/libxml2-Do-not-print-error-context-when-there-is-none.patch
@@ -0,0 +1,31 @@
+From c5031779667ff362d670e34a42e9bc4f5a430793 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 15:01:22 +0800
+Subject: [PATCH] Do not print error context when there is none
+To: libvir-list@redhat.com
+
+Which now happens more frequently du to xmlHaltParser use
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ error.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/error.c b/error.c
+index cbcf5c9..9c45040 100644
+--- a/error.c
++++ b/error.c
+@@ -177,7 +177,9 @@ xmlParserPrintFileContextInternal(xmlParserInputPtr input ,
+ xmlChar content[81]; /* space for 80 chars + line terminator */
+ xmlChar *ctnt;
+
+- if (input == NULL) return;
++ if ((input == NULL) || (input->cur == NULL) ||
++ (*input->cur == 0)) return;
++
+ cur = input->cur;
+ base = input->base;
+ /* skip backwards over any end-of-lines */
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-Fail-parsing-early-on-if-encoding-conversion-failed.patch b/SOURCES/libxml2-Fail-parsing-early-on-if-encoding-conversion-failed.patch
new file mode 100644
index 0000000..983eae4
--- /dev/null
+++ b/SOURCES/libxml2-Fail-parsing-early-on-if-encoding-conversion-failed.patch
@@ -0,0 +1,38 @@
+From c171a25d614097e53ab84f64639de4dfbc197613 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 29 Jun 2015 16:10:26 +0800
+Subject: [PATCH] Fail parsing early on if encoding conversion failed
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=751631
+
+If we fail conversing the current input stream while
+processing the encoding declaration of the XMLDecl
+then it's safer to just abort there and not try to
+report further errors.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index dc14e5c..e2e0ad8 100644
+--- a/parser.c
++++ b/parser.c
+@@ -10415,7 +10415,11 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
+
+ handler = xmlFindCharEncodingHandler((const char *) encoding);
+ if (handler != NULL) {
+- xmlSwitchToEncoding(ctxt, handler);
++ if (xmlSwitchToEncoding(ctxt, handler) < 0) {
++ /* failed to convert */
++ ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING;
++ return(NULL);
++ }
+ } else {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING,
+ "Unsupported encoding %s\n", encoding);
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-Fix-an-error-in-previous-Conditional-section-patch.patch b/SOURCES/libxml2-Fix-an-error-in-previous-Conditional-section-patch.patch
new file mode 100644
index 0000000..6a97263
--- /dev/null
+++ b/SOURCES/libxml2-Fix-an-error-in-previous-Conditional-section-patch.patch
@@ -0,0 +1,31 @@
+From 519455f1d543b1aa8f560dac03ec4127dfbab038 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 27 Oct 2015 10:53:44 +0800
+Subject: [PATCH] Fix an error in previous Conditional section patch
+To: libvir-list@redhat.com
+
+an off by one mistake in the change, led to error on correct
+document where the end of the included entity was exactly
+the end of the conditional section, leading to regtest failure
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 4926ab0..b56d94c 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6896,7 +6896,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ NULL, NULL);
+ }
+ if ((ctxt-> instate != XML_PARSER_EOF) &&
+- ((ctxt->input->cur + 3) < ctxt->input->end))
++ ((ctxt->input->cur + 3) <= ctxt->input->end))
+ SKIP(3);
+ }
+ }
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-Fix-parsing-short-unclosed-comment-uninitialized-access.patch b/SOURCES/libxml2-Fix-parsing-short-unclosed-comment-uninitialized-access.patch
new file mode 100644
index 0000000..47f8b3c
--- /dev/null
+++ b/SOURCES/libxml2-Fix-parsing-short-unclosed-comment-uninitialized-access.patch
@@ -0,0 +1,68 @@
+From 466ef17b8cf8d68393f3a56cda8e7a5504aacf98 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 30 Oct 2015 21:14:55 +0800
+Subject: [PATCH] Fix parsing short unclosed comment uninitialized access
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=746048
+The HTML parser was too optimistic when processing comments and
+didn't check for the end of the stream on the first 2 characters
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ HTMLparser.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index dd0c1ea..cab499a 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -3245,12 +3245,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
+ ctxt->instate = state;
+ return;
+ }
++ len = 0;
++ buf[len] = 0;
+ q = CUR_CHAR(ql);
++ if (!IS_CHAR(q))
++ goto unfinished;
+ NEXTL(ql);
+ r = CUR_CHAR(rl);
++ if (!IS_CHAR(r))
++ goto unfinished;
+ NEXTL(rl);
+ cur = CUR_CHAR(l);
+- len = 0;
+ while (IS_CHAR(cur) &&
+ ((cur != '>') ||
+ (r != '-') || (q != '-'))) {
+@@ -3281,18 +3286,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
+ }
+ }
+ buf[len] = 0;
+- if (!IS_CHAR(cur)) {
+- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+- "Comment not terminated \n<!--%.50s\n", buf, NULL);
+- xmlFree(buf);
+- } else {
++ if (IS_CHAR(cur)) {
+ NEXT;
+ if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) &&
+ (!ctxt->disableSAX))
+ ctxt->sax->comment(ctxt->userData, buf);
+ xmlFree(buf);
++ ctxt->instate = state;
++ return;
+ }
+- ctxt->instate = state;
++
++unfinished:
++ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
++ "Comment not terminated \n<!--%.50s\n", buf, NULL);
++ xmlFree(buf);
+ }
+
+ /**
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-Fix-some-loop-issues-embedding-NEXT.patch b/SOURCES/libxml2-Fix-some-loop-issues-embedding-NEXT.patch
new file mode 100644
index 0000000..7c17de6
--- /dev/null
+++ b/SOURCES/libxml2-Fix-some-loop-issues-embedding-NEXT.patch
@@ -0,0 +1,41 @@
+From 6dfc7fd442351269c421a525d91506e43e18208e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 15:06:02 +0800
+Subject: [PATCH] Fix some loop issues embedding NEXT
+To: libvir-list@redhat.com
+
+Next can switch the parser back to XML_PARSER_EOF state, we
+need to consider those in loops consuming input
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 7602498..cc45e17 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2155,7 +2155,8 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
+ int cur;
+ do {
+ cur = CUR;
+- while (IS_BLANK_CH(cur)) { /* CHECKED tstblanks.xml */
++ while ((IS_BLANK_CH(cur) && /* CHECKED tstblanks.xml */
++ (ctxt->instate != XML_PARSER_EOF))) {
+ NEXT;
+ cur = CUR;
+ res++;
+@@ -2169,7 +2170,8 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
+ * Need to handle support of entities branching here
+ */
+ if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);
+- } while (IS_BLANK(cur)); /* CHECKED tstblanks.xml */
++ } while ((IS_BLANK(cur)) && /* CHECKED tstblanks.xml */
++ (ctxt->instate != XML_PARSER_EOF));
+ }
+ return(res);
+ }
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-Reuse-xmlHaltParser-where-it-makes-sense.patch b/SOURCES/libxml2-Reuse-xmlHaltParser-where-it-makes-sense.patch
new file mode 100644
index 0000000..566ea04
--- /dev/null
+++ b/SOURCES/libxml2-Reuse-xmlHaltParser-where-it-makes-sense.patch
@@ -0,0 +1,178 @@
+From 586849318286965d6ede2932ccd31176b4f7fe81 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 14:59:30 +0800
+Subject: [PATCH] Reuse xmlHaltParser() where it makes sense
+To: libvir-list@redhat.com
+
+Unify the various place where either xmlStopParser was called
+(which resets the error as a side effect) and places where we
+used ctxt->instate = XML_PARSER_EOF to stop further processing
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 37 +++++++++++++++++--------------------
+ 1 file changed, 17 insertions(+), 20 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 5b4f719..9aed98d 100644
+--- a/parser.c
++++ b/parser.c
+@@ -1773,7 +1773,7 @@ nodePush(xmlParserCtxtPtr ctxt, xmlNodePtr value)
+ xmlFatalErrMsgInt(ctxt, XML_ERR_INTERNAL_ERROR,
+ "Excessive depth in document: %d use XML_PARSE_HUGE option\n",
+ xmlParserMaxDepth);
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ return(-1);
+ }
+ ctxt->nodeTab[ctxt->nodeNr] = value;
+@@ -5655,7 +5655,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+ if (RAW != '>') {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
+ "xmlParseEntityDecl: entity %s not terminated\n", name);
+- xmlStopParser(ctxt);
++ xmlHaltParser(ctxt);
+ } else {
+ if (input != ctxt->input) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6767,8 +6767,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ SKIP_BLANKS;
+ if (RAW != '[') {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+- xmlStopParser(ctxt);
+- ctxt->errNo = XML_ERR_CONDSEC_INVALID;
++ xmlHaltParser(ctxt);
+ return;
+ } else {
+ if (ctxt->input->id != id) {
+@@ -6830,8 +6829,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ SKIP_BLANKS;
+ if (RAW != '[') {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+- xmlStopParser(ctxt);
+- ctxt->errNo = XML_ERR_CONDSEC_INVALID;
++ xmlHaltParser(ctxt);
+ return;
+ } else {
+ if (ctxt->input->id != id) {
+@@ -6888,8 +6886,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+
+ } else {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
+- xmlStopParser(ctxt);
+- ctxt->errNo = XML_ERR_CONDSEC_INVALID_KEYWORD;
++ xmlHaltParser(ctxt);
+ return;
+ }
+
+@@ -7100,7 +7097,7 @@ xmlParseExternalSubset(xmlParserCtxtPtr ctxt, const xmlChar *ExternalID,
+ /*
+ * The XML REC instructs us to stop parsing right here
+ */
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ return;
+ }
+ }
+@@ -8087,7 +8084,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ * The XML REC instructs us to stop parsing
+ * right here
+ */
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ return;
+ }
+ }
+@@ -9986,7 +9983,7 @@ xmlParseContent(xmlParserCtxtPtr ctxt) {
+ if ((cons == ctxt->input->consumed) && (test == CUR_PTR)) {
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "detected an error in element content\n");
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ break;
+ }
+ }
+@@ -10021,7 +10018,7 @@ xmlParseElement(xmlParserCtxtPtr ctxt) {
+ xmlFatalErrMsgInt(ctxt, XML_ERR_INTERNAL_ERROR,
+ "Excessive depth in document: %d use XML_PARSE_HUGE option\n",
+ xmlParserMaxDepth);
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ return;
+ }
+
+@@ -11345,7 +11342,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ ctxt->sax->setDocumentLocator(ctxt->userData,
+ &xmlDefaultSAXLocator);
+ xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ #ifdef DEBUG_PUSH
+ xmlGenericError(xmlGenericErrorContext,
+ "PP: entering EOF\n");
+@@ -11378,7 +11375,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ * The XML REC instructs us to stop parsing right
+ * here
+ */
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ return(0);
+ }
+ ctxt->standalone = ctxt->input->standalone;
+@@ -11434,7 +11431,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ cur = ctxt->input->cur[0];
+ if (cur != '<') {
+ xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))
+ ctxt->sax->endDocument(ctxt->userData);
+ goto done;
+@@ -11466,7 +11463,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ goto done;
+ if (name == NULL) {
+ spacePop(ctxt);
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))
+ ctxt->sax->endDocument(ctxt->userData);
+ goto done;
+@@ -11633,7 +11630,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ if ((cons == ctxt->input->consumed) && (test == CUR_PTR)) {
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "detected an error in element content\n");
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ break;
+ }
+ break;
+@@ -11954,7 +11951,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ goto done;
+ } else {
+ xmlFatalErr(ctxt, XML_ERR_DOCUMENT_END, NULL);
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ #ifdef DEBUG_PUSH
+ xmlGenericError(xmlGenericErrorContext,
+ "PP: entering EOF\n");
+@@ -12318,7 +12315,7 @@ xmldecl_done:
+ res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk);
+ if (res < 0) {
+ ctxt->errNo = XML_PARSER_EOF;
+- ctxt->disableSAX = 1;
++ xmlHaltParser(ctxt);
+ return (XML_PARSER_EOF);
+ }
+ xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
+@@ -12372,7 +12369,7 @@ xmldecl_done:
+ ((ctxt->input->cur - ctxt->input->base) > XML_MAX_LOOKUP_LIMIT)) &&
+ ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
+- ctxt->instate = XML_PARSER_EOF;
++ xmlHaltParser(ctxt);
+ }
+ if ((ctxt->errNo != XML_ERR_OK) && (ctxt->disableSAX == 1))
+ return(ctxt->errNo);
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-Stop-parsing-on-entities-boundaries-errors.patch b/SOURCES/libxml2-Stop-parsing-on-entities-boundaries-errors.patch
new file mode 100644
index 0000000..e3cc538
--- /dev/null
+++ b/SOURCES/libxml2-Stop-parsing-on-entities-boundaries-errors.patch
@@ -0,0 +1,35 @@
+From f0dbfaebd1a4a647ed1902ca16839ecfcb89c422 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:17:35 +0800
+Subject: [PATCH] Stop parsing on entities boundaries errors
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+There are times, like on unterminated entities that it's preferable to
+stop parsing, even if that means less error reporting. Entities are
+feeding the parser on further processing, and if they are ill defined
+then it's possible to get the parser to bug. Also do the same on
+Conditional Sections if the input is broken, as the structure of
+the document can't be guessed.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/parser.c b/parser.c
+index f70d2b5..d790f8e 100644
+--- a/parser.c
++++ b/parser.c
+@@ -5649,6 +5649,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+ if (RAW != '>') {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
+ "xmlParseEntityDecl: entity %s not terminated\n", name);
++ xmlStopParser(ctxt);
+ } else {
+ if (input != ctxt->input) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+--
+2.5.0
+
diff --git a/SOURCES/libxml2-xmlStopParser-reset-errNo.patch b/SOURCES/libxml2-xmlStopParser-reset-errNo.patch
new file mode 100644
index 0000000..85f8edc
--- /dev/null
+++ b/SOURCES/libxml2-xmlStopParser-reset-errNo.patch
@@ -0,0 +1,44 @@
+From 5b3397ee81277ed70af58a247a0d731de9c7a6c7 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 9 Nov 2015 18:16:00 +0800
+Subject: [PATCH] xmlStopParser reset errNo
+To: libvir-list@redhat.com
+
+I had used it in contexts where that information ought to be preserved
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 134ea7f..a58dda3 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6762,6 +6762,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ if (RAW != '[') {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+ xmlStopParser(ctxt);
++ ctxt->errNo = XML_ERR_CONDSEC_INVALID;
+ return;
+ } else {
+ if (ctxt->input->id != id) {
+@@ -6824,6 +6825,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ if (RAW != '[') {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+ xmlStopParser(ctxt);
++ ctxt->errNo = XML_ERR_CONDSEC_INVALID;
+ return;
+ } else {
+ if (ctxt->input->id != id) {
+@@ -6881,6 +6883,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ } else {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
+ xmlStopParser(ctxt);
++ ctxt->errNo = XML_ERR_CONDSEC_INVALID_KEYWORD;
+ return;
+ }
+
+--
+2.5.0
+
diff --git a/SPECS/libxml2.spec b/SPECS/libxml2.spec
index 82d6207..1c28885 100644
--- a/SPECS/libxml2.spec
+++ b/SPECS/libxml2.spec
@@ -4,7 +4,7 @@
Summary: Library providing XML and HTML support
Name: libxml2
Version: 2.9.1
-Release: 5%{?dist}%{?extra_release}.2
+Release: 6%{?dist}%{?extra_release}.2
License: MIT
Group: Development/Libraries
Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@@ -19,6 +19,26 @@ Patch101: CVE-2014-3660-rhel7.patch
Patch102: libxml2-Fix-missing-entities-after-CVE-2014-3660-fix.patch
Patch103: libxml2-Do-not-fetch-external-parameter-entities.patch
Patch104: libxml2-Fix-regression-introduced-by-CVE-2014-0191.patch
+Patch105: libxml2-Stop-parsing-on-entities-boundaries-errors.patch
+Patch106: libxml2-Cleanup-conditional-section-error-handling.patch
+Patch107: libxml2-Fail-parsing-early-on-if-encoding-conversion-failed.patch
+Patch108: libxml2-Another-variation-of-overflow-in-Conditional-sections.patch
+Patch109: libxml2-Fix-an-error-in-previous-Conditional-section-patch.patch
+Patch110: libxml2-Fix-parsing-short-unclosed-comment-uninitialized-access.patch
+Patch111: libxml2-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch
+Patch112: libxml2-Avoid-processing-entities-after-encoding-conversion-failures.patch
+Patch113: libxml2-xmlStopParser-reset-errNo.patch
+Patch114: libxml2-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDictComputeFastQKey.patch
+Patch115: libxml2-CVE-2015-5312-Another-entity-expansion-issue.patch
+Patch116: libxml2-Add-xmlHaltParser-to-stop-the-parser.patch
+Patch117: libxml2-Reuse-xmlHaltParser-where-it-makes-sense.patch
+Patch118: libxml2-Do-not-print-error-context-when-there-is-none.patch
+Patch119: libxml2-Detect-incoherency-on-GROW.patch
+Patch120: libxml2-Fix-some-loop-issues-embedding-NEXT.patch
+Patch121: libxml2-Bug-on-creating-new-stream-from-entity.patch
+Patch122: libxml2-CVE-2015-7500-Fix-memory-access-error-due-to-incorrect-entities-boundaries.patch
+Patch123: libxml2-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-push-mode.patch
+Patch124: libxml2-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-memory.patch
%description
This library allows to manipulate XML files. It includes support
@@ -86,6 +106,26 @@ at parse time or later once the document has been modified.
%patch102 -p1
%patch103 -p1
%patch104 -p1
+%patch105 -p1
+%patch106 -p1
+%patch107 -p1
+%patch108 -p1
+%patch109 -p1
+%patch110 -p1
+%patch111 -p1
+%patch112 -p1
+%patch113 -p1
+%patch114 -p1
+%patch115 -p1
+%patch116 -p1
+%patch117 -p1
+%patch118 -p1
+%patch119 -p1
+%patch120 -p1
+%patch121 -p1
+%patch122 -p1
+%patch123 -p1
+%patch124 -p1
%build
%configure
@@ -168,9 +208,26 @@ rm -fr %{buildroot}
%doc doc/python.html
%changelog
-* Mon Mar 23 2015 Daniel Veillard <veillard@redhat.com> - 2.9.1-5.2
+* Mon Nov 30 2015 Daniel Veillard <veillard@redhat.com> - 2.9.1-6.2
+- Fix a series of CVEs (rhbz#1286496)
+- CVE-2015-7941 Stop parsing on entities boundaries errors
+- CVE-2015-7941 Cleanup conditional section error handling
+- CVE-2015-8317 Fail parsing early on if encoding conversion failed
+- CVE-2015-7942 Another variation of overflow in Conditional sections
+- CVE-2015-7942 Fix an error in previous Conditional section patch
+- Fix parsing short unclosed comment uninitialized access
+- CVE-2015-7498 Avoid processing entities after encoding conversion failures
+- CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey
+- CVE-2015-5312 Another entity expansion issue
+- CVE-2015-7499 Add xmlHaltParser() to stop the parser
+- CVE-2015-7499 Detect incoherency on GROW
+- CVE-2015-7500 Fix memory access error due to incorrect entities boundaries
+- CVE-2015-8242 Buffer overead with HTML parser in push mode
+- CVE-2015-1819 Enforce the reader to run in constant memory
+
+* Mon Mar 23 2015 Daniel Veillard <veillard@redhat.com> - 2.9.1-6
- Fix missing entities after CVE-2014-3660 fix
-- CVE-2014-0191 Do not fetch external parameter entities (rhbz#1195649)
+- CVE-2014-0191 Do not fetch external parameter entities (rhbz#1195650)
- Fix regressions introduced by CVE-2014-0191 patch
* Sat Oct 11 2014 Daniel Veillard <veillard@redhat.com> - 2.9.1-5.1