
Bug#974695: buster-pu: package libxml2/2.9.4+dfsg1-7+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: mattia@debian.org

This fixes a few low-severity security issues affecting libxml2;
I've tested the package on a buster system with a few reverse dependencies (rdeps).

Cheers,
        Moritz
diff -Nru libxml2-2.9.4+dfsg1/debian/changelog libxml2-2.9.4+dfsg1/debian/changelog
--- libxml2-2.9.4+dfsg1/debian/changelog	2018-05-26 12:03:44.000000000 +0200
+++ libxml2-2.9.4+dfsg1/debian/changelog	2020-11-06 18:13:19.000000000 +0100
@@ -1,3 +1,14 @@
+libxml2 (2.9.4+dfsg1-7+deb10u1) buster; urgency=medium
+
+  * CVE-2017-18258 (Closes: #895245)
+  * CVE-2018-14404 (Closes: #901817)
+  * CVE-2018-14567
+  * CVE-2019-19956
+  * CVE-2019-20388 (Closes: #949583)
+  * CVE-2020-7595  (Closes: #949582)
+
+ -- Moritz Mühlenhoff <moritz@debian.org>  Fri, 06 Nov 2020 18:35:40 +0100
+
 libxml2 (2.9.4+dfsg1-7) unstable; urgency=medium
 
   * Team upload.
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0020-CVE-2017-18258.patch libxml2-2.9.4+dfsg1/debian/patches/0020-CVE-2017-18258.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0020-CVE-2017-18258.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0020-CVE-2017-18258.patch	2018-08-10 20:29:49.000000000 +0200
@@ -0,0 +1,25 @@
+From e2a9122b8dde53d320750451e9907a7dcb2ca8bb Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 7 Sep 2017 18:36:01 +0200
+Subject: [PATCH] Set memory limit for LZMA decompression
+
+Otherwise malicious LZMA compressed files could consume large amounts
+of memory when decompressed.
+
+According to the xz man page, files compressed with `xz -9` currently
+require 65 MB to decompress, so set the limit to 100 MB.
+
+Should fix bug 786696.
+diff --git a/xzlib.c b/xzlib.c
+index 782957f..f43632b 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -408,7 +408,7 @@ xz_head(xz_statep state)
+         state->strm = init;
+         state->strm.avail_in = 0;
+         state->strm.next_in = NULL;
+-        if (lzma_auto_decoder(&state->strm, UINT64_MAX, 0) != LZMA_OK) {
++        if (lzma_auto_decoder(&state->strm, 100000000, 0) != LZMA_OK) {
+             xmlFree(state->out);
+             xmlFree(state->in);
+             state->size = 0;
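Review bot: The new memory limit on the `lzma_auto_decoder()` line is a bare literal, `100000000`, whose meaning (100 MB, chosen because `xz -9` needs about 65 MB) lives only in the commit message; a named constant such as `#define XZ_MEMLIMIT 100000000 /* bytes: xz -9 needs ~65 MB to decode */` above `xz_head()` would keep the rationale next to the code. The limit only helps if `xz_decomp()` treats the `LZMA_MEMLIMIT_ERROR` that `lzma_code()` can now return as fatal instead of retrying; that handling is not in this hunk and, judging by the series order, presumably arrives with 0022-CVE-2018-14567.patch, so this patch should not be backported on its own. `xz_head()` starts and ends outside the hunk.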
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0021-CVE-2018-14404.patch libxml2-2.9.4+dfsg1/debian/patches/0021-CVE-2018-14404.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0021-CVE-2018-14404.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0021-CVE-2018-14404.patch	2018-08-10 20:30:01.000000000 +0200
@@ -0,0 +1,47 @@
+From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+diff --git a/xpath.c b/xpath.c
+index 1787be1..13e0812 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13320,9 +13320,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ 		return(0);
+ 	    }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval &= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval &= arg2->boolval;
+ 	    xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_OR:
+@@ -13346,9 +13345,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ 		return(0);
+ 	    }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval |= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval |= arg2->boolval;
+ 	    xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_EQUAL:
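Review bot: The new `if (ctxt->value != NULL)` guards in the `XPATH_OP_AND` and `XPATH_OP_OR` cases silently skip the operation when the stack is empty and then fall through to release `arg2` and `return (total)` as if it had succeeded; a comment would stop the next reader from treating this as a normal path, e.g. `/* NULL means the value stack was corrupted (e.g. by an extension function); the error was presumably already raised by xmlXPathBooleanFunction() */`. Whether an explicit error exit like the `return(0);` path visible just above would be more consistent depends on how `ctxt->error` is checked afterwards, which is outside the hunk. The two branches are now identical apart from `&=` versus `|=`, so a small static helper taking the operator would remove the duplication. `xmlXPathCompOpEval()` starts and ends outside the hunk.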
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0022-CVE-2018-14567.patch libxml2-2.9.4+dfsg1/debian/patches/0022-CVE-2018-14567.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0022-CVE-2018-14567.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0022-CVE-2018-14567.patch	2018-08-10 20:30:14.000000000 +0200
@@ -0,0 +1,43 @@
+From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 13:14:11 +0200
+Subject: [PATCH] Fix infinite loop in LZMA decompression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check the liblzma error code more thoroughly to avoid infinite loops.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
+Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
+
+This is CVE-2018-9251 and CVE-2018-14567.
+
+Thanks to Dongliang Mu and Simon Wörner for the reports.
+diff --git a/xzlib.c b/xzlib.c
+index f43632b..5df477e 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
+                          "internal error: inflate stream corrupt");
+                 return -1;
+             }
++            /*
++             * FIXME: Remapping a couple of error codes and falling through
++             * to the LZMA error handling looks fragile.
++             */
+             if (ret == Z_MEM_ERROR)
+                 ret = LZMA_MEM_ERROR;
+             if (ret == Z_DATA_ERROR)
+@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
+             xz_error(state, LZMA_PROG_ERROR, "compression error");
+             return -1;
+         }
++        if ((state->how != GZIP) &&
++            (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
++            xz_error(state, ret, "lzma error");
++            return -1;
++        }
+     } while (strm->avail_out && ret != LZMA_STREAM_END);
+ 
+     /* update available output and crc check value */
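Review bot: The new fatal-error check after the `"compression error"` branch is skipped entirely when `state->how == GZIP`, so on the gzip path only the two zlib codes remapped above (`Z_MEM_ERROR`, `Z_DATA_ERROR`) reach the LZMA error handling and any other `inflate()` result (for example `Z_BUF_ERROR` or `Z_NEED_DICT`, if they can surface here) still falls through to the loop condition; worth confirming those are rejected earlier in `xz_decomp()`, which starts outside the hunk. The added FIXME is honest but gives a maintainer nothing to act on; a `switch (ret)` on the zlib result with an explicit `default:` that calls `xz_error()` and returns -1 would replace both the remapping and the FIXME. A one-line note on the new block, `/* any other code (LZMA_MEMLIMIT_ERROR, LZMA_BUF_ERROR, ...) is fatal: retrying would spin forever */`, would tie it to the infinite loop this patch fixes.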
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0023-CVE-2019-19956.patch libxml2-2.9.4+dfsg1/debian/patches/0023-CVE-2019-19956.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0023-CVE-2019-19956.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0023-CVE-2019-19956.patch	2020-02-05 18:08:11.000000000 +0100
@@ -0,0 +1,30 @@
+From 5a02583c7e683896d84878bd90641d8d9b0d0549 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Wed, 7 Aug 2019 17:39:17 +0800
+Subject: [PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover
+
+When doc is NULL, namespace created in xmlTreeEnsureXMLDecl
+is bind to newDoc->oldNs, in this case, set newDoc->oldNs to
+NULL and free newDoc will cause a memory leak.
+
+Found with libFuzzer.
+
+Closes #82.
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.4+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.4+dfsg1.orig/parser.c
++++ libxml2-2.9.4+dfsg1/parser.c
+@@ -14168,7 +14168,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDo
+     xmlFreeParserCtxt(ctxt);
+     newDoc->intSubset = NULL;
+     newDoc->extSubset = NULL;
+-    newDoc->oldNs = NULL;
++    if(doc != NULL)
++	newDoc->oldNs = NULL;
+     xmlFreeDoc(newDoc);
+ 
+     return(ret);
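Review bot: The added `if(doc != NULL)` line departs from the style of the lines around it: no space after `if`, a tab-indented body where the neighbouring lines use four spaces, and no braces; `if (doc != NULL) {` / `    newDoc->oldNs = NULL;` / `}` would match the surrounding code. The reason for the condition is only in the commit message, so a comment such as `/* with no parent doc, oldNs was created for newDoc itself and must be freed with it */` belongs next to it. `xmlParseBalancedChunkMemoryRecover()` starts outside the hunk.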
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0024-CVE-2019-20388.patch libxml2-2.9.4+dfsg1/debian/patches/0024-CVE-2019-20388.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0024-CVE-2019-20388.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0024-CVE-2019-20388.patch	2020-11-06 14:37:09.000000000 +0100
@@ -0,0 +1,33 @@
+From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Tue, 20 Aug 2019 16:33:06 +0800
+Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream
+
+When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun
+alloc a new schema for ctxt->schema and set vctxt->xsiAssemble
+to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize
+vctxt->xsiAssemble to 0 again which cause the alloced schema
+can not be freed anymore.
+
+Found with libFuzzer.
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+---
+ xmlschemas.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 301c84499..39d92182f 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) {
+     vctxt->nberrors = 0;
+     vctxt->depth = -1;
+     vctxt->skipDepth = -1;
+-    vctxt->xsiAssemble = 0;
+     vctxt->hasKeyrefs = 0;
+ #ifdef ENABLE_IDC_NODE_TABLES_TEST
+     vctxt->createIDCNodeTables = 1;
+-- 
+GitLab
+
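Review bot: Dropping `vctxt->xsiAssemble = 0;` from `xmlSchemaPreRun()` means nothing in this function resets the flag any more, and whatever does reset it (presumably wherever the assembled schema is freed) is outside the hunk; if a validation context is reused for a second run without passing through that path, the stale flag would presumably make the next run behave as if a schema had already been assembled, so that reset path is worth confirming. A comment on the new side, e.g. after `vctxt->skipDepth = -1;`: `/* xsiAssemble is deliberately not reset here: xmlSchemaSAXPlug() sets it before this runs (CVE-2019-20388) */`, would stop a future cleanup from reintroducing the line. `xmlSchemaPreRun()` ends outside the hunk.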
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0025-CVE-2020-7595.patch libxml2-2.9.4+dfsg1/debian/patches/0025-CVE-2020-7595.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0025-CVE-2020-7595.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0025-CVE-2020-7595.patch	2020-02-05 18:08:27.000000000 +0100
@@ -0,0 +1,29 @@
+From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Thu, 12 Dec 2019 17:30:55 +0800
+Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
+
+When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
+return NULL which cause a infinite loop in xmlStringLenDecodeEntities
+
+Found with libFuzzer.
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.4+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.4+dfsg1.orig/parser.c
++++ libxml2-2.9.4+dfsg1/parser.c
+@@ -2791,7 +2791,8 @@ xmlStringLenDecodeEntities(xmlParserCtxt
+     else
+         c = 0;
+     while ((c != 0) && (c != end) && /* non input consuming loop */
+-	   (c != end2) && (c != end3)) {
++           (c != end2) && (c != end3) &&
++           (ctxt->instate != XML_PARSER_EOF)) {
+ 
+ 	if (c == 0) break;
+         if ((c == '&') && (str[1] == '#')) {
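Review bot: The new `ctxt->instate != XML_PARSER_EOF` clause is evaluated only at the top of the loop, so a parser halted part way through an iteration still runs the rest of that iteration before exiting; whether the code after the loop then returns a partially decoded buffer rather than NULL is outside the hunk and worth checking, since callers may treat a non-NULL result as success. The condition now spans five clauses with the stale `/* non input consuming loop */` remark beside it; a comment stating why EOF is tested, e.g. `/* a halted parser makes xmlParseStringEntityRef() return NULL without advancing str */`, would explain the fix to the next reader. `xmlStringLenDecodeEntities()` starts and ends outside the hunk.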
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/series libxml2-2.9.4+dfsg1/debian/patches/series
--- libxml2-2.9.4+dfsg1/debian/patches/series	2018-01-02 08:59:03.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/series	2020-11-06 15:35:20.000000000 +0100
@@ -17,3 +17,9 @@
 0017-python-remove-single-use-of-_PyVerify_fd.patch
 0018-Fix-XPath-stack-frame-logic.patch
 0019-CVE-2017-8872.patch
+0020-CVE-2017-18258.patch
+0021-CVE-2018-14404.patch
+0022-CVE-2018-14567.patch
+0023-CVE-2019-19956.patch
+0024-CVE-2019-20388.patch
+0025-CVE-2020-7595.patch
