diff --git a/SOURCES/libxml2-Add-xmlHaltParser-to-stop-the-parser.patch b/SOURCES/libxml2-Add-xmlHaltParser-to-stop-the-parser.patch
new file mode 100644
index 0000000..c3cdbe1
--- /dev/null
+++ b/SOURCES/libxml2-Add-xmlHaltParser-to-stop-the-parser.patch
@@ -0,0 +1,84 @@
+From d6b6dc7bb5e68fa11cb980bc08c4d9ea3f39b190 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 14:55:30 +0800
+Subject: [PATCH] Add xmlHaltParser() to stop the parser
+To: libvir-list@redhat.com
+
+The problem is doing it in a consistent and safe fashion
+It's more complex than just setting ctxt->instate = XML_PARSER_EOF
+Update the public function to reuse that new internal routine
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 34 +++++++++++++++++++++++++++++-----
+ 1 file changed, 29 insertions(+), 5 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index e536e54..5b4f719 100644
+--- a/parser.c
++++ b/parser.c
+@@ -94,6 +94,8 @@ static xmlParserCtxtPtr
+ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
+ 	                  const xmlChar *base, xmlParserCtxtPtr pctx);
+ 
++static void xmlHaltParser(xmlParserCtxtPtr ctxt);
++
+ /************************************************************************
+  *									*
+  *	Arbitrary limits set in the parser. See XML_PARSE_HUGE		*
+@@ -12558,25 +12560,47 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data,
+ #endif /* LIBXML_PUSH_ENABLED */
+ 
+ /**
+- * xmlStopParser:
++ * xmlHaltParser:
+  * @ctxt:  an XML parser context
+  *
+- * Blocks further parser processing
++ * Blocks further parser processing don't override error
++ * for internal use
+  */
+-void
+-xmlStopParser(xmlParserCtxtPtr ctxt) {
++static void
++xmlHaltParser(xmlParserCtxtPtr ctxt) {
+     if (ctxt == NULL)
+         return;
+     ctxt->instate = XML_PARSER_EOF;
+-    ctxt->errNo = XML_ERR_USER_STOP;
+     ctxt->disableSAX = 1;
+     if (ctxt->input != NULL) {
++        /*
++	 * in case there was a specific allocation deallocate before
++	 * overriding base
++	 */
++        if (ctxt->input->free != NULL) {
++	    ctxt->input->free((xmlChar *) ctxt->input->base);
++	    ctxt->input->free = NULL;
++	}
+ 	ctxt->input->cur = BAD_CAST"";
+ 	ctxt->input->base = ctxt->input->cur;
+     }
+ }
+ 
+ /**
++ * xmlStopParser:
++ * @ctxt:  an XML parser context
++ *
++ * Blocks further parser processing
++ */
++void
++xmlStopParser(xmlParserCtxtPtr ctxt) {
++    if (ctxt == NULL)
++        return;
++    xmlHaltParser(ctxt);
++    ctxt->errNo = XML_ERR_USER_STOP;
++}
++
++/**
+  * xmlCreateIOParserCtxt:
+  * @sax:  a SAX handler
+  * @user_data:  The user data returned on SAX callbacks
+-- 
+2.5.0
+
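Review bot: In xmlHaltParser() the input's `end` pointer is not reset when `cur` and `base` are redirected to the static empty string, and once `input->free` has run it may still point into the released buffer. Other patches in this series compare `ctxt->input->cur` against `ctxt->input->end`, so on a halted context those tests would compare pointers into different objects. Adding `ctxt->input->end = ctxt->input->cur;` after the `base` assignment keeps the three pointers coherent. Whether `input->length` needs the same treatment is not visible in this hunk.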
diff --git a/SOURCES/libxml2-Another-variation-of-overflow-in-Conditional-sections.patch b/SOURCES/libxml2-Another-variation-of-overflow-in-Conditional-sections.patch
new file mode 100644
index 0000000..07186c3
--- /dev/null
+++ b/SOURCES/libxml2-Another-variation-of-overflow-in-Conditional-sections.patch
@@ -0,0 +1,35 @@
+From 8d9f8c6dca5fd34743ed11ef0c570c4306db10e5 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 23 Oct 2015 19:02:28 +0800
+Subject: [PATCH] Another variation of overflow in Conditional sections
+To: libvir-list@redhat.com
+
+Which happen after the previous fix to
+https://bugzilla.gnome.org/show_bug.cgi?id=756456
+
+But stopping the parser and exiting we didn't pop the intermediary entities
+and doing the SKIP there applies on an input which may be too small
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index e2e0ad8..4926ab0 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6895,7 +6895,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	"All markup of the conditional section is not in the same entity\n",
+ 				 NULL, NULL);
+ 	}
+-        SKIP(3);
++	if ((ctxt-> instate != XML_PARSER_EOF) &&
++	    ((ctxt->input->cur + 3) < ctxt->input->end))
++	    SKIP(3);
+     }
+ }
+ 
+-- 
+2.5.0
+
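Review bot: The new guard in xmlParseConditionalSections() forms `ctxt->input->cur + 3` before it is known that three bytes remain, and in C computing a pointer more than one past the end of a buffer is undefined even when it is only compared. Testing the distance avoids that: `if ((ctxt->instate != XML_PARSER_EOF) && ((ctxt->input->end - ctxt->input->cur) >= 3))`, where `>= 3` matches the corrected bound. The later "Fix an error in previous Conditional section patch" change in this series keeps the same `cur + 3` expression and only switches `<` to `<=`, so the rewrite applies there as well. The stray space in `ctxt-> instate` can be dropped at the same time.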
diff --git a/SOURCES/libxml2-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch b/SOURCES/libxml2-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch
new file mode 100644
index 0000000..dccb5d0
--- /dev/null
+++ b/SOURCES/libxml2-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch
@@ -0,0 +1,38 @@
+From eb1114e90b22e09d500840bac1e171763e8baa16 Mon Sep 17 00:00:00 2001
+From: Hugh Davenport <hugh@allthethings.co.nz>
+Date: Tue, 3 Nov 2015 20:40:49 +0800
+Subject: [PATCH] Avoid extra processing of MarkupDecl when EOF
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756263
+
+One place where ctxt->instate == XML_PARSER_EOF whic was set up
+by entity detection issues doesn't get noticed, and even overrided
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index b56d94c..262db1e 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6952,6 +6952,14 @@ xmlParseMarkupDecl(xmlParserCtxtPtr ctxt) {
+ 	    xmlParsePI(ctxt);
+ 	}
+     }
++
++    /*
++     * detect requirement to exit there and act accordingly
++     * and avoid having instate overriden later on
++     */
++    if (ctxt->instate == XML_PARSER_EOF)
++        return;
++
+     /*
+      * This is only for internal subset. On external entities,
+      * the replacement is done before parsing stage
+-- 
+2.5.0
+
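Review bot: The comment added in xmlParseMarkupDecl() does not say what puts the parser into XML_PARSER_EOF or which later statement overwrites it, so a maintainer cannot tell why the check has to sit exactly here. Something like `/* The parser was halted while parsing the declaration above; return before the code below changes ctxt->instate again. */` states the ordering constraint and fixes the "overriden" typo. The function returns nothing, so callers that loop over declarations presumably need their own instate check; they are outside this hunk.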
diff --git a/SOURCES/libxml2-Avoid-processing-entities-after-encoding-conversion-failures.patch b/SOURCES/libxml2-Avoid-processing-entities-after-encoding-conversion-failures.patch
new file mode 100644
index 0000000..540cf7b
--- /dev/null
+++ b/SOURCES/libxml2-Avoid-processing-entities-after-encoding-conversion-failures.patch
@@ -0,0 +1,85 @@
+From 7c2be3213eeddd202c3e4c600cf3cfac06fb128a Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 9 Nov 2015 18:07:18 +0800
+Subject: [PATCH] Avoid processing entities after encoding conversion failures
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756527
+and was also raised by Chromium team in the past
+
+When we hit a convwersion failure when switching encoding
+it is bestter to stop parsing there, this was treated as a
+fatal error but the parser was continuing to process to extract
+more errors, unfortunately that makes little sense as the data
+is obviously corrupt and can potentially lead to unexpected behaviour.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c          |  7 +++++--
+ parserInternals.c | 11 ++++++++++-
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 262db1e..134ea7f 100644
+--- a/parser.c
++++ b/parser.c
+@@ -10598,7 +10598,8 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) {
+ 	xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n");
+     }
+     xmlParseEncodingDecl(ctxt);
+-    if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
++    if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
++         (ctxt->instate == XML_PARSER_EOF)) {
+ 	/*
+ 	 * The XML REC instructs us to stop parsing right here
+ 	 */
+@@ -10722,6 +10723,7 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
+ 
+     if (CUR == 0) {
+ 	xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
++	return(-1);
+     }
+ 
+     /*
+@@ -10739,7 +10741,8 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
+ 	 * Note that we will switch encoding on the fly.
+ 	 */
+ 	xmlParseXMLDecl(ctxt);
+-	if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
++	if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
++	    (ctxt->instate == XML_PARSER_EOF)) {
+ 	    /*
+ 	     * The XML REC instructs us to stop parsing right here
+ 	     */
+diff --git a/parserInternals.c b/parserInternals.c
+index f8a7041..9acfea4 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -937,6 +937,7 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
+ {
+     xmlCharEncodingHandlerPtr handler;
+     int len = -1;
++    int ret;
+ 
+     if (ctxt == NULL) return(-1);
+     switch (enc) {
+@@ -1097,7 +1098,15 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
+     if (handler == NULL)
+ 	return(-1);
+     ctxt->charset = XML_CHAR_ENCODING_UTF8;
+-    return(xmlSwitchToEncodingInt(ctxt, handler, len));
++    ret = xmlSwitchToEncodingInt(ctxt, handler, len);
++    if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) {
++        /*
++	 * on encoding conversion errors, stop the parser
++	 */
++        xmlStopParser(ctxt);
++	ctxt->errNo = XML_I18N_CONV_FAILED;
++    }
++    return(ret);
+ }
+ 
+ /**
+-- 
+2.5.0
+
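Review bot: In xmlSwitchEncoding() the assignment `ctxt->errNo = XML_I18N_CONV_FAILED;` only has an effect because it comes after xmlStopParser(), which sets errNo to XML_ERR_USER_STOP, as the xmlStopParser body elsewhere in this series shows. That ordering deserves a comment such as `/* xmlStopParser() records XML_ERR_USER_STOP; restore the real cause */`. The condition also tests `ctxt->errNo == XML_I18N_CONV_FAILED` without errNo being cleared before the call, so a conversion failure recorded earlier on the same context would appear to halt the parser even when this call returned success. If that is intended, the comment should say so.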
diff --git a/SOURCES/libxml2-Bug-on-creating-new-stream-from-entity.patch b/SOURCES/libxml2-Bug-on-creating-new-stream-from-entity.patch
new file mode 100644
index 0000000..ad95ae3
--- /dev/null
+++ b/SOURCES/libxml2-Bug-on-creating-new-stream-from-entity.patch
@@ -0,0 +1,30 @@
+From 3154c607f22497fa843b8ad8a596ef5523d42ee6 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 15:07:38 +0800
+Subject: [PATCH] Bug on creating new stream from entity
+To: libvir-list@redhat.com
+
+sometimes the entity could have a lenght of 0, i.e. it wasn't
+parsed or used yet, and we ended up with an incoherent input state
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parserInternals.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/parserInternals.c b/parserInternals.c
+index 9acfea4..1fe1f6a 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -1459,6 +1459,8 @@ xmlNewEntityInputStream(xmlParserCtxtPtr ctxt, xmlEntityPtr entity) {
+     if (entity->URI != NULL)
+ 	input->filename = (char *) xmlStrdup((xmlChar *) entity->URI);
+     input->base = entity->content;
++    if (entity->length == 0)
++        entity->length = xmlStrlen(entity->content);
+     input->cur = entity->content;
+     input->length = entity->length;
+     input->end = &entity->content[input->length];
+-- 
+2.5.0
+
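Review bot: The two added lines in xmlNewEntityInputStream() write to the entity while building an input stream, and nothing explains that a length of 0 is being treated as "not computed yet". A comment like `/* length 0: entity not parsed or used yet, derive it from the NUL-terminated content so input->end is coherent */` would record that. Only the zero case is repaired; a non-zero length that disagrees with the content still flows into `input->end`. Whether `entity->content` can be NULL at this point is decided outside the hunk.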
diff --git a/SOURCES/libxml2-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-memory.patch b/SOURCES/libxml2-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-memory.patch
new file mode 100644
index 0000000..704ff96
--- /dev/null
+++ b/SOURCES/libxml2-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-memory.patch
@@ -0,0 +1,179 @@
+From 5cec67e3f8d56e6e5fda2f90e102950cbb09e3d1 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 14 Apr 2015 17:41:48 +0800
+Subject: [PATCH] CVE-2015-1819 Enforce the reader to run in constant memory
+To: libvir-list@redhat.com
+
+One of the operation on the reader could resolve entities
+leading to the classic expansion issue. Make sure the
+buffer used for xmlreader operation is bounded.
+Introduce a new allocation type for the buffers for this effect.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ buf.c                 | 43 ++++++++++++++++++++++++++++++++++++++++++-
+ include/libxml/tree.h |  3 ++-
+ xmlreader.c           | 20 +++++++++++++++++++-
+ 3 files changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/buf.c b/buf.c
+index d1756c4..b52e41d 100644
+--- a/buf.c
++++ b/buf.c
+@@ -27,6 +27,7 @@
+ #include <libxml/tree.h>
+ #include <libxml/globals.h>
+ #include <libxml/tree.h>
++#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
+ #include "buf.h"
+ 
+ #define WITH_BUFFER_COMPAT
+@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
+     if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
+         (scheme == XML_BUFFER_ALLOC_EXACT) ||
+         (scheme == XML_BUFFER_ALLOC_HYBRID) ||
+-        (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
++        (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
++	(scheme == XML_BUFFER_ALLOC_BOUNDED)) {
+ 	buf->alloc = scheme;
+         if (buf->buffer)
+             buf->buffer->alloc = scheme;
+@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
+     size = buf->use + len + 100;
+ #endif
+ 
++    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++        /*
++	 * Used to provide parsing limits
++	 */
++        if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
++	    (buf->size >= XML_MAX_TEXT_LENGTH)) {
++	    xmlBufMemoryError(buf, "buffer error: text too long\n");
++	    return(0);
++	}
++	if (size >= XML_MAX_TEXT_LENGTH)
++	    size = XML_MAX_TEXT_LENGTH;
++    }
+     if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
+         size_t start_buf = buf->content - buf->contentIO;
+ 
+@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+     CHECK_COMPAT(buf)
+ 
+     if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
++    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++        /*
++	 * Used to provide parsing limits
++	 */
++        if (size >= XML_MAX_TEXT_LENGTH) {
++	    xmlBufMemoryError(buf, "buffer error: text too long\n");
++	    return(0);
++	}
++    }
+ 
+     /* Don't resize if we don't have to */
+     if (size < buf->size)
+@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
+ 
+     needSize = buf->use + len + 2;
+     if (needSize > buf->size){
++	if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++	    /*
++	     * Used to provide parsing limits
++	     */
++	    if (needSize >= XML_MAX_TEXT_LENGTH) {
++		xmlBufMemoryError(buf, "buffer error: text too long\n");
++		return(-1);
++	    }
++	}
+         if (!xmlBufResize(buf, needSize)){
+ 	    xmlBufMemoryError(buf, "growing buffer");
+             return XML_ERR_NO_MEMORY;
+@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
+     }
+     needSize = buf->use + len + 2;
+     if (needSize > buf->size){
++	if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++	    /*
++	     * Used to provide parsing limits
++	     */
++	    if (needSize >= XML_MAX_TEXT_LENGTH) {
++		xmlBufMemoryError(buf, "buffer error: text too long\n");
++		return(-1);
++	    }
++	}
+         if (!xmlBufResize(buf, needSize)){
+ 	    xmlBufMemoryError(buf, "growing buffer");
+             return XML_ERR_NO_MEMORY;
+diff --git a/include/libxml/tree.h b/include/libxml/tree.h
+index 7e06686..d904a44 100644
+--- a/include/libxml/tree.h
++++ b/include/libxml/tree.h
+@@ -76,7 +76,8 @@ typedef enum {
+     XML_BUFFER_ALLOC_EXACT,	/* grow only to the minimal size */
+     XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
+     XML_BUFFER_ALLOC_IO,	/* special allocation scheme used for I/O */
+-    XML_BUFFER_ALLOC_HYBRID	/* exact up to a threshold, and doubleit thereafter */
++    XML_BUFFER_ALLOC_HYBRID,	/* exact up to a threshold, and doubleit thereafter */
++    XML_BUFFER_ALLOC_BOUNDED	/* limit the upper size of the buffer */
+ } xmlBufferAllocationScheme;
+ 
+ /**
+diff --git a/xmlreader.c b/xmlreader.c
+index 00083d0..4fabaa9 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -2077,6 +2077,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
+ 		"xmlNewTextReader : malloc failed\n");
+ 	return(NULL);
+     }
++    /* no operation on a reader should require a huge buffer */
++    xmlBufSetAllocationScheme(ret->buffer,
++			      XML_BUFFER_ALLOC_BOUNDED);
+     ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+     if (ret->sax == NULL) {
+ 	xmlBufFree(ret->buffer);
+@@ -3602,6 +3605,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+ 	    return(((xmlNsPtr) node)->href);
+         case XML_ATTRIBUTE_NODE:{
+ 	    xmlAttrPtr attr = (xmlAttrPtr) node;
++	    const xmlChar *ret;
+ 
+ 	    if ((attr->children != NULL) &&
+ 	        (attr->children->type == XML_TEXT_NODE) &&
+@@ -3615,10 +3619,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+                                         "xmlTextReaderSetup : malloc failed\n");
+                         return (NULL);
+                     }
++		    xmlBufSetAllocationScheme(reader->buffer,
++		                              XML_BUFFER_ALLOC_BOUNDED);
+                 } else
+                     xmlBufEmpty(reader->buffer);
+ 	        xmlBufGetNodeContent(reader->buffer, node);
+-		return(xmlBufContent(reader->buffer));
++		ret = xmlBufContent(reader->buffer);
++		if (ret == NULL) {
++		    /* error on the buffer best to reallocate */
++		    xmlBufFree(reader->buffer);
++		    reader->buffer = xmlBufCreateSize(100);
++		    xmlBufSetAllocationScheme(reader->buffer,
++		                              XML_BUFFER_ALLOC_BOUNDED);
++		    ret = BAD_CAST "";
++		}
++		return(ret);
+ 	    }
+ 	    break;
+ 	}
+@@ -5117,6 +5132,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
+                         "xmlTextReaderSetup : malloc failed\n");
+         return (-1);
+     }
++    /* no operation on a reader should require a huge buffer */
++    xmlBufSetAllocationScheme(reader->buffer,
++			      XML_BUFFER_ALLOC_BOUNDED);
+     if (reader->sax == NULL)
+ 	reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+     if (reader->sax == NULL) {
+-- 
+2.5.0
+
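Review bot: The recovery path added to xmlTextReaderConstValue() does not check the result of `xmlBufCreateSize(100)` before passing it to xmlBufSetAllocationScheme(), whereas the allocation a few lines above reports "malloc failed" and returns NULL. Guarding it, e.g. `if (reader->buffer != NULL) xmlBufSetAllocationScheme(reader->buffer, XML_BUFFER_ALLOC_BOUNDED);`, keeps the two paths consistent. In buf.c the bounded branch of xmlBufAdd() and xmlBufAddHead() returns `-1` while the neighbouring resize failure returns `XML_ERR_NO_MEMORY`, so callers see two conventions for the same kind of failure. In xmlBufGrowInternal() the sum `buf->use + len` is compared with XML_MAX_TEXT_LENGTH after the addition; comparing `len` against the remaining room would not depend on the sum not wrapping.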
diff --git a/SOURCES/libxml2-CVE-2015-5312-Another-entity-expansion-issue.patch b/SOURCES/libxml2-CVE-2015-5312-Another-entity-expansion-issue.patch
new file mode 100644
index 0000000..2a56a4b
--- /dev/null
+++ b/SOURCES/libxml2-CVE-2015-5312-Another-entity-expansion-issue.patch
@@ -0,0 +1,35 @@
+From 4e1ea576167520bbc2bad50797119983e133af74 Mon Sep 17 00:00:00 2001
+From: David Drysdale <drysdale@google.com>
+Date: Fri, 20 Nov 2015 11:13:45 +0800
+Subject: [PATCH] CVE-2015-5312 Another entity expansion issue
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756733
+It is one case where the code in place to detect entities expansions
+failed to exit when the situation was detected, leading to DoS
+Problem reported by Kostya Serebryany @ Google
+Patch provided by David Drysdale @ Google
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index a58dda3..e536e54 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2801,6 +2801,10 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 			                      0, 0, 0);
+ 		ctxt->depth--;
+ 
++		if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
++		    (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
++		    goto int_error;
++
+ 		if (rep != NULL) {
+ 		    current = rep;
+ 		    while (*current != 0) { /* non input consuming loop */
+-- 
+2.5.0
+
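Review bot: The new check in xmlStringLenDecodeEntities() jumps to `int_error` while `rep` may already hold the string returned by the recursive call, and the label's cleanup is outside this hunk, so it is worth confirming that `int_error` frees `rep`. The test reads `ctxt->lastError.code`, which is not reset before the recursive call in the visible lines, so an XML_ERR_INTERNAL_ERROR recorded earlier on the same context would also abort this expansion. A short comment such as `/* stop expanding as soon as a loop or internal error was reported */` would make the intent clear. Only one call site is visible; any parallel branch of the function that recurses the same way would presumably need the same check.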
diff --git a/SOURCES/libxml2-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDictComputeFastQKey.patch b/SOURCES/libxml2-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDictComputeFastQKey.patch
new file mode 100644
index 0000000..3739993
--- /dev/null
+++ b/SOURCES/libxml2-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDictComputeFastQKey.patch
@@ -0,0 +1,36 @@
+From 540a3b58c233db4f2d2becea9c2b79b3ce190055 Mon Sep 17 00:00:00 2001
+From: David Drysdale <drysdale@google.com>
+Date: Fri, 20 Nov 2015 10:47:12 +0800
+Subject: [PATCH] CVE-2015-7497 Avoid an heap buffer overflow in
+ xmlDictComputeFastQKey
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756528
+It was possible to hit a negative offset in the name indexing
+used to randomize the dictionary key generation
+Reported and fix provided by David Drysdale @ Google
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ dict.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index 5f71d55..8c8f931 100644
+--- a/dict.c
++++ b/dict.c
+@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
+ 	value += 30 * (*prefix);
+ 
+     if (len > 10) {
+-        value += name[len - (plen + 1 + 1)];
++        int offset = len - (plen + 1 + 1);
++	if (offset < 0)
++	    offset = len - (10 + 1);
++	value += name[offset];
+         len = 10;
+ 	if (plen > 10)
+ 	    plen = 10;
+-- 
+2.5.0
+
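Review bot: The fallback `offset = len - (10 + 1)` in xmlDictComputeFastQKey() is a magic number with no explanation of why it is safe. It is in range only because the enclosing test is `len > 10`; a comment like `/* plen + 2 may exceed len; len > 10 here, so len - 11 is a valid index */` would record that. The guard is also one-sided: it catches a negative offset but not `offset >= len`, which would need `plen` below -1. Whether callers can pass such a value is not visible in this hunk.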
diff --git a/SOURCES/libxml2-CVE-2015-7500-Fix-memory-access-error-due-to-incorrect-entities-boundaries.patch b/SOURCES/libxml2-CVE-2015-7500-Fix-memory-access-error-due-to-incorrect-entities-boundaries.patch
new file mode 100644
index 0000000..cf46f38
--- /dev/null
+++ b/SOURCES/libxml2-CVE-2015-7500-Fix-memory-access-error-due-to-incorrect-entities-boundaries.patch
@@ -0,0 +1,108 @@
+From d9825f106532a898bb6df46effa0bf099ec16a47 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 16:06:59 +0800
+Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect
+ entities boundaries
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756525
+handle properly the case where we popped out of the current entity
+while processing a start tag
+Reported by Kostya Serebryany @ Google
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 28 ++++++++++++++++++++++------
+ 1 file changed, 22 insertions(+), 6 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index cc45e17..f4fc310 100644
+--- a/parser.c
++++ b/parser.c
+@@ -9309,7 +9309,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
+     const xmlChar **atts = ctxt->atts;
+     int maxatts = ctxt->maxatts;
+     int nratts, nbatts, nbdef;
+-    int i, j, nbNs, attval, oldline, oldcol;
++    int i, j, nbNs, attval, oldline, oldcol, inputNr;
+     const xmlChar *base;
+     unsigned long cur;
+     int nsNr = ctxt->nsNr;
+@@ -9328,6 +9328,7 @@ reparse:
+     SHRINK;
+     base = ctxt->input->base;
+     cur = ctxt->input->cur - ctxt->input->base;
++    inputNr = ctxt->inputNr;
+     oldline = ctxt->input->line;
+     oldcol = ctxt->input->col;
+     nbatts = 0;
+@@ -9353,7 +9354,8 @@ reparse:
+      */
+     SKIP_BLANKS;
+     GROW;
+-    if (ctxt->input->base != base) goto base_changed;
++    if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++        goto base_changed;
+ 
+     while (((RAW != '>') &&
+ 	   ((RAW != '/') || (NXT(1) != '>')) &&
+@@ -9364,7 +9366,7 @@ reparse:
+ 
+ 	attname = xmlParseAttribute2(ctxt, prefix, localname,
+ 	                             &aprefix, &attvalue, &len, &alloc);
+-	if (ctxt->input->base != base) {
++	if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) {
+ 	    if ((attvalue != NULL) && (alloc != 0))
+ 	        xmlFree(attvalue);
+ 	    attvalue = NULL;
+@@ -9493,7 +9495,8 @@ skip_default_ns:
+ skip_ns:
+ 		if (alloc != 0) xmlFree(attvalue);
+ 		SKIP_BLANKS;
+-		if (ctxt->input->base != base) goto base_changed;
++		if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++		    goto base_changed;
+ 		continue;
+ 	    }
+ 
+@@ -9530,7 +9533,8 @@ failed:
+ 	GROW
+         if (ctxt->instate == XML_PARSER_EOF)
+             break;
+-	if (ctxt->input->base != base) goto base_changed;
++	if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++	    goto base_changed;
+ 	if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ 	    break;
+ 	if (!IS_BLANK_CH(RAW)) {
+@@ -9546,7 +9550,8 @@ failed:
+ 	    break;
+ 	}
+         GROW;
+-	if (ctxt->input->base != base) goto base_changed;
++	if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++	    goto base_changed;
+     }
+ 
+     /*
+@@ -9713,6 +9718,17 @@ base_changed:
+ 	    if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))
+ 	        xmlFree((xmlChar *) atts[i]);
+     }
++
++    /*
++     * We can't switch from one entity to another in the middle
++     * of a start tag
++     */
++    if (inputNr != ctxt->inputNr) {
++        xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
++		    "Start tag doesn't start and stop in the same entity\n");
++	return(NULL);
++    }
++
+     ctxt->input->cur = ctxt->input->base + cur;
+     ctxt->input->line = oldline;
+     ctxt->input->col = oldcol;
+-- 
+2.5.0
+
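Review bot: The condition `(ctxt->input->base != base) || (inputNr != ctxt->inputNr)` is now spelled out five times in xmlParseStartTag2(), and this fix exists because an input-change check was incomplete. Putting the test behind one local macro or static helper taking `ctxt`, `base` and `inputNr` would leave a single place to extend. In the `base_changed` block the new `return(NULL)` comes after the attribute values are freed, but the function also saved `nsNr` at entry. Whether namespaces pushed for this tag are popped on that path is outside the hunk and worth confirming.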
diff --git a/SOURCES/libxml2-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-push-mode.patch b/SOURCES/libxml2-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-push-mode.patch
new file mode 100644
index 0000000..41afdb0
--- /dev/null
+++ b/SOURCES/libxml2-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-push-mode.patch
@@ -0,0 +1,45 @@
+From ebf48b59943833b5f57e909e5d00f0d6e75e874e Mon Sep 17 00:00:00 2001
+From: Hugh Davenport <hugh@allthethings.co.nz>
+Date: Fri, 20 Nov 2015 17:16:06 +0800
+Subject: [PATCH] CVE-2015-8242 Buffer overead with HTML parser in push mode
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756372
+Error in the code pointing to the codepoint in the stack for the
+current char value instead of the pointer in the input that the SAX
+callback expects
+Reported and fixed by Hugh Davenport
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ HTMLparser.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index cab499a..4331d53 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -5708,17 +5708,17 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
+ 				if (ctxt->keepBlanks) {
+ 				    if (ctxt->sax->characters != NULL)
+ 					ctxt->sax->characters(
+-						ctxt->userData, &cur, 1);
++						ctxt->userData, &in->cur[0], 1);
+ 				} else {
+ 				    if (ctxt->sax->ignorableWhitespace != NULL)
+ 					ctxt->sax->ignorableWhitespace(
+-						ctxt->userData, &cur, 1);
++						ctxt->userData, &in->cur[0], 1);
+ 				}
+ 			    } else {
+ 				htmlCheckParagraph(ctxt);
+ 				if (ctxt->sax->characters != NULL)
+ 				    ctxt->sax->characters(
+-					    ctxt->userData, &cur, 1);
++					    ctxt->userData, &in->cur[0], 1);
+ 			    }
+ 			}
+ 			ctxt->token = 0;
+-- 
+2.5.0
+
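Review bot: `&in->cur[0]` in the three callbacks of htmlParseTryOrFinish() is just `in->cur`, which reads more plainly. None of the three sites says why the pointer must come from the input rather than from the local `cur`; a one-line comment such as `/* SAX callbacks expect a pointer into the input buffer, not a copy of the character */` at the first site would keep the change from being undone. The length 1 assumes at least one byte is available at `in->cur`, and that check is outside the hunk.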
diff --git a/SOURCES/libxml2-Cleanup-conditional-section-error-handling.patch b/SOURCES/libxml2-Cleanup-conditional-section-error-handling.patch
new file mode 100644
index 0000000..834b0a8
--- /dev/null
+++ b/SOURCES/libxml2-Cleanup-conditional-section-error-handling.patch
@@ -0,0 +1,52 @@
+From 5b47a2c6666f0293a5164f094b9e8031914b1f8f Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:29:20 +0800
+Subject: [PATCH] Cleanup conditional section error handling
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+The error handling of Conditional Section also need to be
+straightened as the structure of the document can't be
+guessed on a failure there and it's better to stop parsing
+as further errors are likely to be irrelevant.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index d790f8e..dc14e5c 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6761,6 +6761,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	SKIP_BLANKS;
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++	    xmlStopParser(ctxt);
++	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+ 		xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6821,6 +6823,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	SKIP_BLANKS;
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++	    xmlStopParser(ctxt);
++	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+ 		xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6876,6 +6880,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 
+     } else {
+ 	xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
++	xmlStopParser(ctxt);
++	return;
+     }
+ 
+     if (RAW == 0)
+-- 
+2.5.0
+
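Review bot: All three error paths added to xmlParseConditionalSections() call the public xmlStopParser() right after xmlFatalErr(), and the xmlStopParser body shown in the xmlHaltParser patch of this series sets `ctxt->errNo = XML_ERR_USER_STOP`. After these returns errNo therefore no longer holds XML_ERR_CONDSEC_INVALID or XML_ERR_CONDSEC_INVALID_KEYWORD. Where the xmlHaltParser patch is applied, `xmlHaltParser(ctxt);` stops the parser without replacing the error code, and these three sites would be better switched to it.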
diff --git a/SOURCES/libxml2-Detect-incoherency-on-GROW.patch b/SOURCES/libxml2-Detect-incoherency-on-GROW.patch
new file mode 100644
index 0000000..088a961
--- /dev/null
+++ b/SOURCES/libxml2-Detect-incoherency-on-GROW.patch
@@ -0,0 +1,39 @@
+From dfc5aae623e97336323e59a94450f1a708eb7c0c Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 15:04:09 +0800
+Subject: [PATCH] Detect incoherency on GROW
+To: libvir-list@redhat.com
+
+the current pointer to the input has to be between the base and end
+if not stop everything we have an internal state error.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 9aed98d..7602498 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2072,9 +2072,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+          ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) &&
+         ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+         xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
+-        ctxt->instate = XML_PARSER_EOF;
++        xmlHaltParser(ctxt);
++	return;
+     }
+     xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
++    if ((ctxt->input->cur > ctxt->input->end) ||
++        (ctxt->input->cur < ctxt->input->base)) {
++        xmlHaltParser(ctxt);
++        xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound");
++	return;
++    }
+     if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) &&
+         (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0))
+ 	    xmlPopInput(ctxt);
+-- 
+2.5.0
+
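Review bot: The two new error paths in xmlGROW() stop the parser in opposite orders: the first calls xmlFatalErr() and then xmlHaltParser(), the second calls xmlHaltParser() first. If the second order is deliberate because `ctxt->input->cur` is out of range and the error reporter would read around it, that should be stated, e.g. `/* halt first: cur is outside [base, end], so error context must not be read from it */`. The range check runs only after xmlParserInputGrow() has been handed the same input, so an input that was already inconsistent on entry is detected afterwards rather than before use. The added `return;` lines mix tabs and spaces with the surrounding indentation.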
diff --git a/SOURCES/libxml2-Do-not-print-error-context-when-there-is-none.patch b/SOURCES/libxml2-Do-not-print-error-context-when-there-is-none.patch
new file mode 100644
index 0000000..8318b4b
--- /dev/null
+++ b/SOURCES/libxml2-Do-not-print-error-context-when-there-is-none.patch
@@ -0,0 +1,31 @@
+From c5031779667ff362d670e34a42e9bc4f5a430793 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 15:01:22 +0800
+Subject: [PATCH] Do not print error context when there is none
+To: libvir-list@redhat.com
+
+Which now happens more frequently du to xmlHaltParser use
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ error.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/error.c b/error.c
+index cbcf5c9..9c45040 100644
+--- a/error.c
++++ b/error.c
+@@ -177,7 +177,9 @@ xmlParserPrintFileContextInternal(xmlParserInputPtr input ,
+     xmlChar  content[81]; /* space for 80 chars + line terminator */
+     xmlChar *ctnt;
+ 
+-    if (input == NULL) return;
++    if ((input == NULL) || (input->cur == NULL) ||
++        (*input->cur == 0)) return;
++
+     cur = input->cur;
+     base = input->base;
+     /* skip backwards over any end-of-lines */
+-- 
+2.5.0
+
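Review bot: The widened guard in xmlParserPrintFileContextInternal() returns whenever `*input->cur == 0`, which covers the halted-parser case but also every error reported at the genuine end of the input, so those messages lose their context line as well. If that is acceptable, a comment should say so, for example `/* no context to show: input missing, or cur at the terminating 0 (e.g. after the parser was halted) */`. The check still assumes `input->cur` is dereferenceable whenever it is non-NULL.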
diff --git a/SOURCES/libxml2-Fail-parsing-early-on-if-encoding-conversion-failed.patch b/SOURCES/libxml2-Fail-parsing-early-on-if-encoding-conversion-failed.patch
new file mode 100644
index 0000000..983eae4
--- /dev/null
+++ b/SOURCES/libxml2-Fail-parsing-early-on-if-encoding-conversion-failed.patch
@@ -0,0 +1,38 @@
+From c171a25d614097e53ab84f64639de4dfbc197613 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 29 Jun 2015 16:10:26 +0800
+Subject: [PATCH] Fail parsing early on if encoding conversion failed
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=751631
+
+If we fail conversing the current input stream while
+processing the encoding declaration of the XMLDecl
+then it's safer to just abort there and not try to
+report further errors.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index dc14e5c..e2e0ad8 100644
+--- a/parser.c
++++ b/parser.c
+@@ -10415,7 +10415,11 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
+ 
+             handler = xmlFindCharEncodingHandler((const char *) encoding);
+ 	    if (handler != NULL) {
+-		xmlSwitchToEncoding(ctxt, handler);
++		if (xmlSwitchToEncoding(ctxt, handler) < 0) {
++		    /* failed to convert */
++		    ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING;
++		    return(NULL);
++		}
+ 	    } else {
+ 		xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING,
+ 			"Unsupported encoding %s\n", encoding);
+-- 
+2.5.0
+
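Review bot: The new failure branch in xmlParseEncodingDecl() only assigns `ctxt->errNo` and returns, whereas the `else` branch right below reports through xmlFatalErrMsgStr(); unless xmlSwitchToEncoding() already reported the error itself, nothing reaches the error handler. Other code in this series tests `ctxt->lastError.code` and `ctxt->instate`, which this assignment presumably leaves untouched, so a caller looking at those would see no failure. Reporting through the same helper, or documenting why errNo alone is enough, would close that gap. Whether `encoding` is still owned by this function at the `return(NULL)` is outside the hunk and should be checked for a leak.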
diff --git a/SOURCES/libxml2-Fix-an-error-in-previous-Conditional-section-patch.patch b/SOURCES/libxml2-Fix-an-error-in-previous-Conditional-section-patch.patch
new file mode 100644
index 0000000..6a97263
--- /dev/null
+++ b/SOURCES/libxml2-Fix-an-error-in-previous-Conditional-section-patch.patch
@@ -0,0 +1,31 @@
+From 519455f1d543b1aa8f560dac03ec4127dfbab038 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 27 Oct 2015 10:53:44 +0800
+Subject: [PATCH] Fix an error in previous Conditional section patch
+To: libvir-list@redhat.com
+
+an off by one mistake in the change, led to error on correct
+document where the end of the included entity was exactly
+the end of the conditional section, leading to regtest failure
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 4926ab0..b56d94c 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6896,7 +6896,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 				 NULL, NULL);
+ 	}
+ 	if ((ctxt-> instate != XML_PARSER_EOF) &&
+-	    ((ctxt->input->cur + 3) < ctxt->input->end))
++	    ((ctxt->input->cur + 3) <= ctxt->input->end))
+ 	    SKIP(3);
+     }
+ }
+-- 
+2.5.0
+
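Review bot: The corrected bound in xmlParseConditionalSections still forms `ctxt->input->cur + 3` before comparing it with `end`, and a pointer more than one past the end of the buffer is undefined behaviour in C even if it is only compared. Writing the test as a remaining-length check avoids that and states directly what SKIP(3) needs: `((ctxt->input->end - ctxt->input->cur) >= 3))`. The enclosing function starts outside the hunk.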
diff --git a/SOURCES/libxml2-Fix-parsing-short-unclosed-comment-uninitialized-access.patch b/SOURCES/libxml2-Fix-parsing-short-unclosed-comment-uninitialized-access.patch
new file mode 100644
index 0000000..47f8b3c
--- /dev/null
+++ b/SOURCES/libxml2-Fix-parsing-short-unclosed-comment-uninitialized-access.patch
@@ -0,0 +1,68 @@
+From 466ef17b8cf8d68393f3a56cda8e7a5504aacf98 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 30 Oct 2015 21:14:55 +0800
+Subject: [PATCH] Fix parsing short unclosed comment uninitialized access
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=746048
+The HTML parser was too optimistic when processing comments and
+didn't check for the end of the stream on the first 2 characters
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ HTMLparser.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index dd0c1ea..cab499a 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -3245,12 +3245,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
+ 	ctxt->instate = state;
+ 	return;
+     }
++    len = 0;
++    buf[len] = 0;
+     q = CUR_CHAR(ql);
++    if (!IS_CHAR(q))
++        goto unfinished;
+     NEXTL(ql);
+     r = CUR_CHAR(rl);
++    if (!IS_CHAR(r))
++        goto unfinished;
+     NEXTL(rl);
+     cur = CUR_CHAR(l);
+-    len = 0;
+     while (IS_CHAR(cur) &&
+            ((cur != '>') ||
+ 	    (r != '-') || (q != '-'))) {
+@@ -3281,18 +3286,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
+ 	}
+     }
+     buf[len] = 0;
+-    if (!IS_CHAR(cur)) {
+-	htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+-	             "Comment not terminated \n<!--%.50s\n", buf, NULL);
+-	xmlFree(buf);
+-    } else {
++    if (IS_CHAR(cur)) {
+         NEXT;
+ 	if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) &&
+ 	    (!ctxt->disableSAX))
+ 	    ctxt->sax->comment(ctxt->userData, buf);
+ 	xmlFree(buf);
++	ctxt->instate = state;
++	return;
+     }
+-    ctxt->instate = state;
++
++unfinished:
++    htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
++		 "Comment not terminated \n<!--%.50s\n", buf, NULL);
++    xmlFree(buf);
+ }
+ 
+ /**
+-- 
+2.5.0
+
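Review bot: The new `unfinished:` path in htmlParseComment exits without restoring `ctxt->instate`. The patch moves `ctxt->instate = state;` into the terminated-comment branch and drops the common assignment at the end, while the earlier error return shown as context at the top of the first hunk does restore it. If leaving the parser in the comment state is not intended, add `ctxt->instate = state;` after `xmlFree(buf);` under the label; if it is intended, a comment there should say why. The function starts outside the hunk, so what `state` holds is not visible.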
diff --git a/SOURCES/libxml2-Fix-some-loop-issues-embedding-NEXT.patch b/SOURCES/libxml2-Fix-some-loop-issues-embedding-NEXT.patch
new file mode 100644
index 0000000..7c17de6
--- /dev/null
+++ b/SOURCES/libxml2-Fix-some-loop-issues-embedding-NEXT.patch
@@ -0,0 +1,41 @@
+From 6dfc7fd442351269c421a525d91506e43e18208e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 15:06:02 +0800
+Subject: [PATCH] Fix some loop issues embedding NEXT
+To: libvir-list@redhat.com
+
+Next can switch the parser back to XML_PARSER_EOF state, we
+need to consider those in loops consuming input
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 7602498..cc45e17 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2155,7 +2155,8 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
+ 	int cur;
+ 	do {
+ 	    cur = CUR;
+-	    while (IS_BLANK_CH(cur)) { /* CHECKED tstblanks.xml */
++	    while ((IS_BLANK_CH(cur) && /* CHECKED tstblanks.xml */
++	           (ctxt->instate != XML_PARSER_EOF))) {
+ 		NEXT;
+ 		cur = CUR;
+ 		res++;
+@@ -2169,7 +2170,8 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
+ 	     * Need to handle support of entities branching here
+ 	     */
+ 	    if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);
+-	} while (IS_BLANK(cur)); /* CHECKED tstblanks.xml */
++	} while ((IS_BLANK(cur)) && /* CHECKED tstblanks.xml */
++	         (ctxt->instate != XML_PARSER_EOF));
+     }
+     return(res);
+ }
+-- 
+2.5.0
+
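Review bot: Only the two loop conditions in xmlSkipBlankChars test for XML_PARSER_EOF, so when NEXT switches the state inside the inner loop the rest of the `do` body still runs once, including `if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);`. Whether that is harmful depends on what `ctxt->input` points at after the state change, which the hunks do not show. An explicit `if (ctxt->instate == XML_PARSER_EOF) break;` right after the inner `while` would make the stop immediate. Part of the loop body lies between the two hunks and is not visible.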
diff --git a/SOURCES/libxml2-Reuse-xmlHaltParser-where-it-makes-sense.patch b/SOURCES/libxml2-Reuse-xmlHaltParser-where-it-makes-sense.patch
new file mode 100644
index 0000000..566ea04
--- /dev/null
+++ b/SOURCES/libxml2-Reuse-xmlHaltParser-where-it-makes-sense.patch
@@ -0,0 +1,178 @@
+From 586849318286965d6ede2932ccd31176b4f7fe81 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 14:59:30 +0800
+Subject: [PATCH] Reuse xmlHaltParser() where it makes sense
+To: libvir-list@redhat.com
+
+Unify the various place where either xmlStopParser was called
+(which resets the error as a side effect) and places where we
+used ctxt->instate = XML_PARSER_EOF to stop further processing
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 37 +++++++++++++++++--------------------
+ 1 file changed, 17 insertions(+), 20 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 5b4f719..9aed98d 100644
+--- a/parser.c
++++ b/parser.c
+@@ -1773,7 +1773,7 @@ nodePush(xmlParserCtxtPtr ctxt, xmlNodePtr value)
+ 	xmlFatalErrMsgInt(ctxt, XML_ERR_INTERNAL_ERROR,
+ 		 "Excessive depth in document: %d use XML_PARSE_HUGE option\n",
+ 			  xmlParserMaxDepth);
+-	ctxt->instate = XML_PARSER_EOF;
++	xmlHaltParser(ctxt);
+ 	return(-1);
+     }
+     ctxt->nodeTab[ctxt->nodeNr] = value;
+@@ -5655,7 +5655,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+ 	if (RAW != '>') {
+ 	    xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
+ 	            "xmlParseEntityDecl: entity %s not terminated\n", name);
+-	    xmlStopParser(ctxt);
++	    xmlHaltParser(ctxt);
+ 	} else {
+ 	    if (input != ctxt->input) {
+ 		xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6767,8 +6767,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	SKIP_BLANKS;
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+-	    xmlStopParser(ctxt);
+-	    ctxt->errNo = XML_ERR_CONDSEC_INVALID;
++	    xmlHaltParser(ctxt);
+ 	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+@@ -6830,8 +6829,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	SKIP_BLANKS;
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+-	    xmlStopParser(ctxt);
+-	    ctxt->errNo = XML_ERR_CONDSEC_INVALID;
++	    xmlHaltParser(ctxt);
+ 	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+@@ -6888,8 +6886,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 
+     } else {
+ 	xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
+-	xmlStopParser(ctxt);
+-	ctxt->errNo = XML_ERR_CONDSEC_INVALID_KEYWORD;
++	xmlHaltParser(ctxt);
+ 	return;
+     }
+ 
+@@ -7100,7 +7097,7 @@ xmlParseExternalSubset(xmlParserCtxtPtr ctxt, const xmlChar *ExternalID,
+ 	    /*
+ 	     * The XML REC instructs us to stop parsing right here
+ 	     */
+-	    ctxt->instate = XML_PARSER_EOF;
++	    xmlHaltParser(ctxt);
+ 	    return;
+ 	}
+     }
+@@ -8087,7 +8084,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ 		     * The XML REC instructs us to stop parsing
+ 		     * right here
+ 		     */
+-		    ctxt->instate = XML_PARSER_EOF;
++		    xmlHaltParser(ctxt);
+ 		    return;
+ 		}
+ 	    }
+@@ -9986,7 +9983,7 @@ xmlParseContent(xmlParserCtxtPtr ctxt) {
+ 	if ((cons == ctxt->input->consumed) && (test == CUR_PTR)) {
+ 	    xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ 	                "detected an error in element content\n");
+-	    ctxt->instate = XML_PARSER_EOF;
++	    xmlHaltParser(ctxt);
+             break;
+ 	}
+     }
+@@ -10021,7 +10018,7 @@ xmlParseElement(xmlParserCtxtPtr ctxt) {
+ 	xmlFatalErrMsgInt(ctxt, XML_ERR_INTERNAL_ERROR,
+ 		 "Excessive depth in document: %d use XML_PARSE_HUGE option\n",
+ 			  xmlParserMaxDepth);
+-	ctxt->instate = XML_PARSER_EOF;
++	xmlHaltParser(ctxt);
+ 	return;
+     }
+ 
+@@ -11345,7 +11342,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ 			ctxt->sax->setDocumentLocator(ctxt->userData,
+ 						      &xmlDefaultSAXLocator);
+ 		    xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
+-		    ctxt->instate = XML_PARSER_EOF;
++		    xmlHaltParser(ctxt);
+ #ifdef DEBUG_PUSH
+ 		    xmlGenericError(xmlGenericErrorContext,
+ 			    "PP: entering EOF\n");
+@@ -11378,7 +11375,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ 			     * The XML REC instructs us to stop parsing right
+ 			     * here
+ 			     */
+-			    ctxt->instate = XML_PARSER_EOF;
++			    xmlHaltParser(ctxt);
+ 			    return(0);
+ 			}
+ 			ctxt->standalone = ctxt->input->standalone;
+@@ -11434,7 +11431,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ 		cur = ctxt->input->cur[0];
+ 	        if (cur != '<') {
+ 		    xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
+-		    ctxt->instate = XML_PARSER_EOF;
++		    xmlHaltParser(ctxt);
+ 		    if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))
+ 			ctxt->sax->endDocument(ctxt->userData);
+ 		    goto done;
+@@ -11466,7 +11463,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ 		    goto done;
+ 		if (name == NULL) {
+ 		    spacePop(ctxt);
+-		    ctxt->instate = XML_PARSER_EOF;
++		    xmlHaltParser(ctxt);
+ 		    if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))
+ 			ctxt->sax->endDocument(ctxt->userData);
+ 		    goto done;
+@@ -11633,7 +11630,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ 		if ((cons == ctxt->input->consumed) && (test == CUR_PTR)) {
+ 		    xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ 		                "detected an error in element content\n");
+-		    ctxt->instate = XML_PARSER_EOF;
++		    xmlHaltParser(ctxt);
+ 		    break;
+ 		}
+ 		break;
+@@ -11954,7 +11951,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ 		    goto done;
+ 		} else {
+ 		    xmlFatalErr(ctxt, XML_ERR_DOCUMENT_END, NULL);
+-		    ctxt->instate = XML_PARSER_EOF;
++		    xmlHaltParser(ctxt);
+ #ifdef DEBUG_PUSH
+ 		    xmlGenericError(xmlGenericErrorContext,
+ 			    "PP: entering EOF\n");
+@@ -12318,7 +12315,7 @@ xmldecl_done:
+ 	res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk);
+ 	if (res < 0) {
+ 	    ctxt->errNo = XML_PARSER_EOF;
+-	    ctxt->disableSAX = 1;
++	    xmlHaltParser(ctxt);
+ 	    return (XML_PARSER_EOF);
+ 	}
+         xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
+@@ -12372,7 +12369,7 @@ xmldecl_done:
+          ((ctxt->input->cur - ctxt->input->base) > XML_MAX_LOOKUP_LIMIT)) &&
+         ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+         xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
+-        ctxt->instate = XML_PARSER_EOF;
++        xmlHaltParser(ctxt);
+     }
+     if ((ctxt->errNo != XML_ERR_OK) && (ctxt->disableSAX == 1))
+         return(ctxt->errNo);
+-- 
+2.5.0
+
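Review bot: In the first `xmldecl_done` hunk the push-failure branch keeps `ctxt->errNo = XML_PARSER_EOF;` and `return (XML_PARSER_EOF);`, so a parser-state constant is stored and returned where the rest of the file uses XML_ERR_* codes (compare `ctxt->errNo != XML_ERR_OK` in the last hunk). Because xmlHaltParser() is documented as not overriding the error, that value is what callers keep seeing after the halt. If it is part of the established return contract, say so in place, e.g. `/* errNo intentionally carries XML_PARSER_EOF; xmlHaltParser() does not touch it */`; otherwise store an XML_ERR_* code. The enclosing function starts outside the hunk.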
diff --git a/SOURCES/libxml2-Stop-parsing-on-entities-boundaries-errors.patch b/SOURCES/libxml2-Stop-parsing-on-entities-boundaries-errors.patch
new file mode 100644
index 0000000..e3cc538
--- /dev/null
+++ b/SOURCES/libxml2-Stop-parsing-on-entities-boundaries-errors.patch
@@ -0,0 +1,35 @@
+From f0dbfaebd1a4a647ed1902ca16839ecfcb89c422 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:17:35 +0800
+Subject: [PATCH] Stop parsing on entities boundaries errors
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+There are times, like on unterminated entities that it's preferable to
+stop parsing, even if that means less error reporting. Entities are
+feeding the parser on further processing, and if they are ill defined
+then it's possible to get the parser to bug. Also do the same on
+Conditional Sections if the input is broken, as the structure of
+the document can't be guessed.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/parser.c b/parser.c
+index f70d2b5..d790f8e 100644
+--- a/parser.c
++++ b/parser.c
+@@ -5649,6 +5649,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+ 	if (RAW != '>') {
+ 	    xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
+ 	            "xmlParseEntityDecl: entity %s not terminated\n", name);
++	    xmlStopParser(ctxt);
+ 	} else {
+ 	    if (input != ctxt->input) {
+ 		xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+-- 
+2.5.0
+
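Review bot: The added `xmlStopParser(ctxt);` in xmlParseEntityDecl loses the XML_ERR_ENTITY_NOT_FINISHED code that the preceding xmlFatalErrMsgStr call presumably recorded, because xmlStopParser at this point in the series sets `ctxt->errNo = XML_ERR_USER_STOP`. libxml2-xmlStopParser-reset-errNo.patch restores errNo only at the three xmlParseConditionalSections sites; this site is corrected only by libxml2-Reuse-xmlHaltParser-where-it-makes-sense.patch. Anyone carrying this patch without the rest of the series should take those two with it, or add `ctxt->errNo = XML_ERR_ENTITY_NOT_FINISHED;` after the call.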
diff --git a/SOURCES/libxml2-xmlStopParser-reset-errNo.patch b/SOURCES/libxml2-xmlStopParser-reset-errNo.patch
new file mode 100644
index 0000000..85f8edc
--- /dev/null
+++ b/SOURCES/libxml2-xmlStopParser-reset-errNo.patch
@@ -0,0 +1,44 @@
+From 5b3397ee81277ed70af58a247a0d731de9c7a6c7 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 9 Nov 2015 18:16:00 +0800
+Subject: [PATCH] xmlStopParser reset errNo
+To: libvir-list@redhat.com
+
+I had used it in contexts where that information ought to be preserved
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 134ea7f..a58dda3 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6762,6 +6762,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+ 	    xmlStopParser(ctxt);
++	    ctxt->errNo = XML_ERR_CONDSEC_INVALID;
+ 	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+@@ -6824,6 +6825,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+ 	    xmlStopParser(ctxt);
++	    ctxt->errNo = XML_ERR_CONDSEC_INVALID;
+ 	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+@@ -6881,6 +6883,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+     } else {
+ 	xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
+ 	xmlStopParser(ctxt);
++	ctxt->errNo = XML_ERR_CONDSEC_INVALID_KEYWORD;
+ 	return;
+     }
+ 
+-- 
+2.5.0
+
diff --git a/SPECS/libxml2.spec b/SPECS/libxml2.spec
index 82d6207..1c28885 100644
--- a/SPECS/libxml2.spec
+++ b/SPECS/libxml2.spec
@@ -4,7 +4,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.1
-Release: 5%{?dist}%{?extra_release}.2
+Release: 6%{?dist}%{?extra_release}.2
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@@ -19,6 +19,26 @@ Patch101: CVE-2014-3660-rhel7.patch
 Patch102: libxml2-Fix-missing-entities-after-CVE-2014-3660-fix.patch
 Patch103: libxml2-Do-not-fetch-external-parameter-entities.patch
 Patch104: libxml2-Fix-regression-introduced-by-CVE-2014-0191.patch
+Patch105: libxml2-Stop-parsing-on-entities-boundaries-errors.patch
+Patch106: libxml2-Cleanup-conditional-section-error-handling.patch
+Patch107: libxml2-Fail-parsing-early-on-if-encoding-conversion-failed.patch
+Patch108: libxml2-Another-variation-of-overflow-in-Conditional-sections.patch
+Patch109: libxml2-Fix-an-error-in-previous-Conditional-section-patch.patch
+Patch110: libxml2-Fix-parsing-short-unclosed-comment-uninitialized-access.patch
+Patch111: libxml2-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch
+Patch112: libxml2-Avoid-processing-entities-after-encoding-conversion-failures.patch
+Patch113: libxml2-xmlStopParser-reset-errNo.patch
+Patch114: libxml2-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDictComputeFastQKey.patch
+Patch115: libxml2-CVE-2015-5312-Another-entity-expansion-issue.patch
+Patch116: libxml2-Add-xmlHaltParser-to-stop-the-parser.patch
+Patch117: libxml2-Reuse-xmlHaltParser-where-it-makes-sense.patch
+Patch118: libxml2-Do-not-print-error-context-when-there-is-none.patch
+Patch119: libxml2-Detect-incoherency-on-GROW.patch
+Patch120: libxml2-Fix-some-loop-issues-embedding-NEXT.patch
+Patch121: libxml2-Bug-on-creating-new-stream-from-entity.patch
+Patch122: libxml2-CVE-2015-7500-Fix-memory-access-error-due-to-incorrect-entities-boundaries.patch
+Patch123: libxml2-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-push-mode.patch
+Patch124: libxml2-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-memory.patch
 
 %description
 This library allows to manipulate XML files. It includes support
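Review bot: The twenty new `Patch105` to `Patch124` lines have no comment tying each patch to its CVE or upstream commit. Most of the file names (Patch105 to 113, Patch116 to 121) contain no CVE id, so the mapping exists only in the %changelog entry. A one-line comment above each group, e.g. `# CVE-2015-7941` before Patch105 and Patch106, would let an auditor confirm from the spec alone which fixes are applied. The order of the matching `%patch` lines in %prep also matters: Patch117 rewrites lines that Patch105 and Patch113 add, so the numbering should not be reshuffled.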
@@ -86,6 +106,26 @@ at parse time or later once the document has been modified.
 %patch102 -p1
 %patch103 -p1
 %patch104 -p1
+%patch105 -p1
+%patch106 -p1
+%patch107 -p1
+%patch108 -p1
+%patch109 -p1
+%patch110 -p1
+%patch111 -p1
+%patch112 -p1
+%patch113 -p1
+%patch114 -p1
+%patch115 -p1
+%patch116 -p1
+%patch117 -p1
+%patch118 -p1
+%patch119 -p1
+%patch120 -p1
+%patch121 -p1
+%patch122 -p1
+%patch123 -p1
+%patch124 -p1
 
 %build
 %configure
@@ -168,9 +208,26 @@ rm -fr %{buildroot}
 %doc doc/python.html
 
 %changelog
-* Mon Mar 23 2015 Daniel Veillard <veillard@redhat.com> - 2.9.1-5.2
+* Mon Nov 30 2015 Daniel Veillard <veillard@redhat.com> - 2.9.1-6.2
+- Fix a series of CVEs (rhbz#1286496)
+- CVE-2015-7941 Stop parsing on entities boundaries errors
+- CVE-2015-7941 Cleanup conditional section error handling
+- CVE-2015-8317 Fail parsing early on if encoding conversion failed
+- CVE-2015-7942 Another variation of overflow in Conditional sections
+- CVE-2015-7942 Fix an error in previous Conditional section patch
+- Fix parsing short unclosed comment uninitialized access
+- CVE-2015-7498 Avoid processing entities after encoding conversion failures
+- CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey
+- CVE-2015-5312 Another entity expansion issue
+- CVE-2015-7499 Add xmlHaltParser() to stop the parser
+- CVE-2015-7499 Detect incoherency on GROW
+- CVE-2015-7500 Fix memory access error due to incorrect entities boundaries
+- CVE-2015-8242 Buffer overead with HTML parser in push mode
+- CVE-2015-1819 Enforce the reader to run in constant memory
+
+* Mon Mar 23 2015 Daniel Veillard <veillard@redhat.com> - 2.9.1-6
 - Fix missing entities after CVE-2014-3660 fix
-- CVE-2014-0191 Do not fetch external parameter entities (rhbz#1195649)
+- CVE-2014-0191 Do not fetch external parameter entities (rhbz#1195650)
 - Fix regressions introduced by CVE-2014-0191 patch
 
 * Sat Oct 11 2014 Daniel Veillard <veillard@redhat.com> - 2.9.1-5.1