
Bug#974695: marked as done (buster-pu: package libxml2/2.9.4+dfsg1-7+deb10u1)



Your message dated Sat, 05 Dec 2020 11:02:00 +0000
with message-id <b70f86aac27195271a9b5212c7acc936da6ff100.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates in 10.7 point release
has caused the Debian Bug report #974695,
regarding buster-pu: package libxml2/2.9.4+dfsg1-7+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
974695: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=974695
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: mattiadebian.org

This fixes a few low severity security fixes affecting libxml2,
I've tested the package on a buster system with a few rdeps.

Cheers,
        Moritz
diff -Nru libxml2-2.9.4+dfsg1/debian/changelog libxml2-2.9.4+dfsg1/debian/changelog
--- libxml2-2.9.4+dfsg1/debian/changelog	2018-05-26 12:03:44.000000000 +0200
+++ libxml2-2.9.4+dfsg1/debian/changelog	2020-11-06 18:13:19.000000000 +0100
@@ -1,3 +1,14 @@
+libxml2 (2.9.4+dfsg1-7+deb10u1) buster; urgency=medium
+
+  * CVE-2017-18258 (Closes: #895245)
+  * CVE-2018-14404 (Closes: #901817)
+  * CVE-2018-14567
+  * CVE-2019-19956
+  * CVE-2019-20388 (Closes: #949583)
+  * CVE-2020-7595  (Closes: #949582)
+
+ -- Moritz Mühlenhoff <moritz@debian.org>  Fri, 06 Nov 2020 18:35:40 +0100
+
 libxml2 (2.9.4+dfsg1-7) unstable; urgency=medium
 
   * Team upload.
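Review bot: the changelog entry omits CVE-2018-9251, which the 0022-CVE-2018-14567.patch header states it fixes as well ("This is CVE-2018-9251 and CVE-2018-14567"); listing both identifiers keeps the security tracker and CVE searches against the changelog accurate. The CVE-2018-14567 and CVE-2019-19956 bullets also carry no (Closes: #...) reference, unlike the other four; if Debian bugs exist for them, add the references so they are closed on upload.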
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0020-CVE-2017-18258.patch libxml2-2.9.4+dfsg1/debian/patches/0020-CVE-2017-18258.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0020-CVE-2017-18258.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0020-CVE-2017-18258.patch	2018-08-10 20:29:49.000000000 +0200
@@ -0,0 +1,25 @@
+From e2a9122b8dde53d320750451e9907a7dcb2ca8bb Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 7 Sep 2017 18:36:01 +0200
+Subject: [PATCH] Set memory limit for LZMA decompression
+
+Otherwise malicious LZMA compressed files could consume large amounts
+of memory when decompressed.
+
+According to the xz man page, files compressed with `xz -9` currently
+require 65 MB to decompress, so set the limit to 100 MB.
+
+Should fix bug 786696.
+diff --git a/xzlib.c b/xzlib.c
+index 782957f..f43632b 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -408,7 +408,7 @@ xz_head(xz_statep state)
+         state->strm = init;
+         state->strm.avail_in = 0;
+         state->strm.next_in = NULL;
+-        if (lzma_auto_decoder(&state->strm, UINT64_MAX, 0) != LZMA_OK) {
++        if (lzma_auto_decoder(&state->strm, 100000000, 0) != LZMA_OK) {
+             xmlFree(state->out);
+             xmlFree(state->in);
+             state->size = 0;
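Review bot: the memlimit passed to lzma_auto_decoder is a bare literal, 100000000, and the only justification (xz -9 needs about 65 MB, so allow 100 MB) lives in the commit message. A named constant or a one-line comment at the call site would keep that budget reviewable and make clear it is decimal 100 MB rather than 100 MiB. Once a limit is set, the decoder can report that the limit was exceeded on over-sized input, so the decompression loop's error handling (not in this hunk) has to treat that return as fatal instead of retrying; the 0022 patch in this same upload is what tightens that path, which is another reason the two patches must stay ordered as they are in series.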
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0021-CVE-2018-14404.patch libxml2-2.9.4+dfsg1/debian/patches/0021-CVE-2018-14404.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0021-CVE-2018-14404.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0021-CVE-2018-14404.patch	2018-08-10 20:30:01.000000000 +0200
@@ -0,0 +1,47 @@
+From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+diff --git a/xpath.c b/xpath.c
+index 1787be1..13e0812 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13320,9 +13320,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ 		return(0);
+ 	    }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval &= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval &= arg2->boolval;
+ 	    xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_OR:
+@@ -13346,9 +13345,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ 		return(0);
+ 	    }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval |= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval |= arg2->boolval;
+ 	    xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_EQUAL:
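Review bot: in both the XPATH_OP_AND and XPATH_OP_OR hunks the replacement silently skips the combine step when ctxt->value is NULL after xmlXPathBooleanFunction(ctxt, 1), so a corrupted stack no longer crashes, but evaluation continues with whatever is left on the stack and returns total as if the operator had succeeded. Raising an XPath stack error at that point (after the xmlXPathReleaseObject(ctxt->context, arg2) so arg2 is not leaked) would surface the misbehaving extension function instead of masking it. Otherwise the change to update ctxt->value->boolval in place is correct and removes a redundant valuePop/valuePush pair.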
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0022-CVE-2018-14567.patch libxml2-2.9.4+dfsg1/debian/patches/0022-CVE-2018-14567.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0022-CVE-2018-14567.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0022-CVE-2018-14567.patch	2018-08-10 20:30:14.000000000 +0200
@@ -0,0 +1,43 @@
+From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 13:14:11 +0200
+Subject: [PATCH] Fix infinite loop in LZMA decompression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check the liblzma error code more thoroughly to avoid infinite loops.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
+Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
+
+This is CVE-2018-9251 and CVE-2018-14567.
+
+Thanks to Dongliang Mu and Simon Wörner for the reports.
+diff --git a/xzlib.c b/xzlib.c
+index f43632b..5df477e 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
+                          "internal error: inflate stream corrupt");
+                 return -1;
+             }
++            /*
++             * FIXME: Remapping a couple of error codes and falling through
++             * to the LZMA error handling looks fragile.
++             */
+             if (ret == Z_MEM_ERROR)
+                 ret = LZMA_MEM_ERROR;
+             if (ret == Z_DATA_ERROR)
+@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
+             xz_error(state, LZMA_PROG_ERROR, "compression error");
+             return -1;
+         }
++        if ((state->how != GZIP) &&
++            (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
++            xz_error(state, ret, "lzma error");
++            return -1;
++        }
+     } while (strm->avail_out && ret != LZMA_STREAM_END);
+ 
+     /* update available output and crc check value */
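Review bot: the check added in the second hunk is gated on state->how != GZIP, so on the gzip path only the two zlib codes remapped in the first hunk (Z_MEM_ERROR, Z_DATA_ERROR) ever reach the LZMA error handling; any other non-OK inflate return (Z_STREAM_ERROR, Z_BUF_ERROR, Z_NEED_DICT) still falls through to the `while (strm->avail_out && ret != LZMA_STREAM_END)` condition, which is the same loop shape the commit message says could spin forever. Either extend the remapping so every error code from inflate maps to an LZMA error, or consider dropping the GZIP guard so any return other than LZMA_OK/LZMA_STREAM_END is fatal on both paths. The FIXME added in the first hunk already flags the remapping as fragile; resolving it here rather than carrying the FIXME into stable would be cleaner.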
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0023-CVE-2019-19956.patch libxml2-2.9.4+dfsg1/debian/patches/0023-CVE-2019-19956.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0023-CVE-2019-19956.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0023-CVE-2019-19956.patch	2020-02-05 18:08:11.000000000 +0100
@@ -0,0 +1,30 @@
+From 5a02583c7e683896d84878bd90641d8d9b0d0549 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Wed, 7 Aug 2019 17:39:17 +0800
+Subject: [PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover
+
+When doc is NULL, namespace created in xmlTreeEnsureXMLDecl
+is bind to newDoc->oldNs, in this case, set newDoc->oldNs to
+NULL and free newDoc will cause a memory leak.
+
+Found with libFuzzer.
+
+Closes #82.
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.4+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.4+dfsg1.orig/parser.c
++++ libxml2-2.9.4+dfsg1/parser.c
+@@ -14168,7 +14168,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDo
+     xmlFreeParserCtxt(ctxt);
+     newDoc->intSubset = NULL;
+     newDoc->extSubset = NULL;
+-    newDoc->oldNs = NULL;
++    if(doc != NULL)
++	newDoc->oldNs = NULL;
+     xmlFreeDoc(newDoc);
+ 
+     return(ret);
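Review bot: `if(doc != NULL)` is missing the space after `if`, and its body is indented with a tab while the adjacent lines in the hunk use spaces, so the patch introduces mixed indentation into parser.c. More importantly, the reason for the conditional is not visible in the code: per the commit message, when doc is NULL the namespace in newDoc->oldNs was created for newDoc by xmlTreeEnsureXMLDecl and must be left for xmlFreeDoc to release, whereas when doc is non-NULL the pointer is evidently shared with doc (which is why it was unconditionally cleared before). A one-line comment stating that ownership rule would stop the next reader from "simplifying" the code back to the leaking form.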
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0024-CVE-2019-20388.patch libxml2-2.9.4+dfsg1/debian/patches/0024-CVE-2019-20388.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0024-CVE-2019-20388.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0024-CVE-2019-20388.patch	2020-11-06 14:37:09.000000000 +0100
@@ -0,0 +1,33 @@
+From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Tue, 20 Aug 2019 16:33:06 +0800
+Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream
+
+When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun
+alloc a new schema for ctxt->schema and set vctxt->xsiAssemble
+to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize
+vctxt->xsiAssemble to 0 again which cause the alloced schema
+can not be freed anymore.
+
+Found with libFuzzer.
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+---
+ xmlschemas.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 301c84499..39d92182f 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) {
+     vctxt->nberrors = 0;
+     vctxt->depth = -1;
+     vctxt->skipDepth = -1;
+-    vctxt->xsiAssemble = 0;
+     vctxt->hasKeyrefs = 0;
+ #ifdef ENABLE_IDC_NODE_TABLES_TEST
+     vctxt->createIDCNodeTables = 1;
+-- 
+GitLab
+
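Review bot: removing `vctxt->xsiAssemble = 0;` from xmlSchemaPreRun means the flag is no longer reset per validation run, so correctness now depends on it being zeroed when the validation context is created and on every site that sets it to 1 (xmlSchemaSAXPlug, per the commit message) being paired with the matching free. Neither site is in this hunk; confirm that a reused xmlSchemaValidCtxtPtr cannot carry xsiAssemble == 1 from an earlier run into a run where ctxt->schema was supplied by the caller, since that would free a schema the caller still owns. Minor: the trailing `-- ` / `GitLab` lines and the blank line at the end of the patch file are harmless but absent from the other patches; trimming them keeps the series uniform.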
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0025-CVE-2020-7595.patch libxml2-2.9.4+dfsg1/debian/patches/0025-CVE-2020-7595.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0025-CVE-2020-7595.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0025-CVE-2020-7595.patch	2020-02-05 18:08:27.000000000 +0100
@@ -0,0 +1,29 @@
+From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Thu, 12 Dec 2019 17:30:55 +0800
+Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
+
+When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
+return NULL which cause a infinite loop in xmlStringLenDecodeEntities
+
+Found with libFuzzer.
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.4+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.4+dfsg1.orig/parser.c
++++ libxml2-2.9.4+dfsg1/parser.c
+@@ -2791,7 +2791,8 @@ xmlStringLenDecodeEntities(xmlParserCtxt
+     else
+         c = 0;
+     while ((c != 0) && (c != end) && /* non input consuming loop */
+-	   (c != end2) && (c != end3)) {
++           (c != end2) && (c != end3) &&
++           (ctxt->instate != XML_PARSER_EOF)) {
+ 
+ 	if (c == 0) break;
+         if ((c == '&') && (str[1] == '#')) {
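Review bot: the two new condition lines are indented with spaces where the removed line used a tab, so the patch introduces mixed indentation into parser.c; match the original tab. On the logic, testing ctxt->instate != XML_PARSER_EOF only in the while header stops the loop at the next iteration, but the body of the current iteration still runs after the xmlParseStringEntityRef call that returned NULL; if that body dereferences the returned pointer, the fix also needs an explicit check right after the call. That code is outside the hunk, so it should be confirmed rather than relying on the header test alone. The `if (c == 0) break;` at the top of the body is redundant with the `c != 0` test in the header and could be dropped while here, though that is cosmetic.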
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/series libxml2-2.9.4+dfsg1/debian/patches/series
--- libxml2-2.9.4+dfsg1/debian/patches/series	2018-01-02 08:59:03.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/series	2020-11-06 15:35:20.000000000 +0100
@@ -17,3 +17,9 @@
 0017-python-remove-single-use-of-_PyVerify_fd.patch
 0018-Fix-XPath-stack-frame-logic.patch
 0019-CVE-2017-8872.patch
+0020-CVE-2017-18258.patch
+0021-CVE-2018-14404.patch
+0022-CVE-2018-14567.patch
+0023-CVE-2019-19956.patch
+0024-CVE-2019-20388.patch
+0025-CVE-2020-7595.patch
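Review bot: ordering matters for the two xzlib.c patches: the index line in 0022-CVE-2018-14567.patch (f43632b..5df477e) starts from the blob that 0020-CVE-2017-18258.patch produces (782957f..f43632b), so 0022 must stay after 0020 as listed here or quilt push will fail. Minor: 0023 and 0025 use quilt-style `Index:` headers with `libxml2-2.9.4+dfsg1.orig/parser.c` paths while the rest use git `a/` and `b/` headers; both apply at -p1, but a consistent format makes the series easier to audit.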

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.7

Hi,

Each of the updates referenced by these bugs was included in this
morning's buster 10.7 point release.

Regards,

Adam

--- End Message ---
