- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package libxml2/2.9.4+dfsg1-7+deb10u1
- From: Moritz Muehlenhoff <jmm@debian.org>
- Date: Fri, 13 Nov 2020 22:33:38 +0100
- Message-id: <160530321889.36886.15476556669756995148.reportbug@hullmann.westfalen.local>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: mattia@debian.org
This update fixes a few low-severity security issues affecting libxml2 (the CVEs listed in the changelog below).
I've tested the package on a buster system together with a few of its reverse dependencies.
Cheers,
Moritz
diff -Nru libxml2-2.9.4+dfsg1/debian/changelog libxml2-2.9.4+dfsg1/debian/changelog
--- libxml2-2.9.4+dfsg1/debian/changelog 2018-05-26 12:03:44.000000000 +0200
+++ libxml2-2.9.4+dfsg1/debian/changelog 2020-11-06 18:13:19.000000000 +0100
@@ -1,3 +1,14 @@
+libxml2 (2.9.4+dfsg1-7+deb10u1) buster; urgency=medium
+
+ * CVE-2017-18258 (Closes: #895245)
+ * CVE-2018-14404 (Closes: #901817)
+ * CVE-2018-14567
+ * CVE-2019-19956
+ * CVE-2019-20388 (Closes: #949583)
+ * CVE-2020-7595 (Closes: #949582)
+
+ -- Moritz Mühlenhoff <moritz@debian.org> Fri, 06 Nov 2020 18:35:40 +0100
+
libxml2 (2.9.4+dfsg1-7) unstable; urgency=medium
* Team upload.
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0020-CVE-2017-18258.patch libxml2-2.9.4+dfsg1/debian/patches/0020-CVE-2017-18258.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0020-CVE-2017-18258.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0020-CVE-2017-18258.patch 2018-08-10 20:29:49.000000000 +0200
@@ -0,0 +1,25 @@
+From e2a9122b8dde53d320750451e9907a7dcb2ca8bb Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 7 Sep 2017 18:36:01 +0200
+Subject: [PATCH] Set memory limit for LZMA decompression
+
+Otherwise malicious LZMA compressed files could consume large amounts
+of memory when decompressed.
+
+According to the xz man page, files compressed with `xz -9` currently
+require 65 MB to decompress, so set the limit to 100 MB.
+
+Should fix bug 786696.
+diff --git a/xzlib.c b/xzlib.c
+index 782957f..f43632b 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -408,7 +408,7 @@ xz_head(xz_statep state)
+ state->strm = init;
+ state->strm.avail_in = 0;
+ state->strm.next_in = NULL;
+- if (lzma_auto_decoder(&state->strm, UINT64_MAX, 0) != LZMA_OK) {
++ if (lzma_auto_decoder(&state->strm, 100000000, 0) != LZMA_OK) {
+ xmlFree(state->out);
+ xmlFree(state->in);
+ state->size = 0;
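Review bot: The new memory limit passed to lzma_auto_decoder is a bare literal, `100000000`, and the rationale (an `xz -9` stream needs roughly 65 MB to decode) lives only in the commit message, not next to the call. A named constant would keep that reasoning with the code and make the limit easy to revisit: `#define XZ_LZMA_MEMLIMIT 100000000 /* bytes; xz -9 streams need ~65 MB, see commit message */`, then `lzma_auto_decoder(&state->strm, XZ_LZMA_MEMLIMIT, 0)`. Note also that once the limit is hit liblzma reports LZMA_MEMLIMIT_ERROR from lzma_code; whether xz_decomp treats that return as fatal rather than looping is not visible in this hunk and is worth confirming, since otherwise the limit only changes the failure mode. xz_head's body begins and ends outside the hunk.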
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0021-CVE-2018-14404.patch libxml2-2.9.4+dfsg1/debian/patches/0021-CVE-2018-14404.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0021-CVE-2018-14404.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0021-CVE-2018-14404.patch 2018-08-10 20:30:01.000000000 +0200
@@ -0,0 +1,47 @@
+From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+diff --git a/xpath.c b/xpath.c
+index 1787be1..13e0812 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13320,9 +13320,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval &= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval &= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_OR:
+@@ -13346,9 +13345,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval |= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval |= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_EQUAL:
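Review bot: In both the AND and OR cases, when `ctxt->value` is NULL after the boolean conversion the new code merely skips the `&=`/`|=`, then still releases `arg2` and returns `total`, so a corrupted XPath stack is reported to the caller as a successful evaluation with no error recorded on ctxt. Since the commit attributes the corruption to misbehaving extension functions, it would be more robust to bail out on that branch the way the `return(0)` exits visible just above each change do, e.g. `if (ctxt->value == NULL) { xmlXPathReleaseObject(ctxt->context, arg2); return(0); }` (with an XPath error raised first, if this function's usual error-reporting path is available here, which is not visible in the hunk). At minimum a comment on the guard, `/* stack may be empty if an extension function corrupted it; see CVE-2018-14404 */`, would explain why a NULL value is tolerated. xmlXPathCompOpEval starts and ends outside the hunk.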
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0022-CVE-2018-14567.patch libxml2-2.9.4+dfsg1/debian/patches/0022-CVE-2018-14567.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0022-CVE-2018-14567.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0022-CVE-2018-14567.patch 2018-08-10 20:30:14.000000000 +0200
@@ -0,0 +1,43 @@
+From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 13:14:11 +0200
+Subject: [PATCH] Fix infinite loop in LZMA decompression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check the liblzma error code more thoroughly to avoid infinite loops.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
+Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
+
+This is CVE-2018-9251 and CVE-2018-14567.
+
+Thanks to Dongliang Mu and Simon Wörner for the reports.
+diff --git a/xzlib.c b/xzlib.c
+index f43632b..5df477e 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
+ "internal error: inflate stream corrupt");
+ return -1;
+ }
++ /*
++ * FIXME: Remapping a couple of error codes and falling through
++ * to the LZMA error handling looks fragile.
++ */
+ if (ret == Z_MEM_ERROR)
+ ret = LZMA_MEM_ERROR;
+ if (ret == Z_DATA_ERROR)
+@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
+ xz_error(state, LZMA_PROG_ERROR, "compression error");
+ return -1;
+ }
++ if ((state->how != GZIP) &&
++ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
++ xz_error(state, ret, "lzma error");
++ return -1;
++ }
+ } while (strm->avail_out && ret != LZMA_STREAM_END);
+
+ /* update available output and crc check value */
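Review bot: The new guard is deliberately skipped for the zlib path (`state->how != GZIP`), so a non-OK inflate return other than the two codes remapped above it (Z_MEM_ERROR, Z_DATA_ERROR) is not caught by this check, and the `do { ... } while (strm->avail_out && ret != LZMA_STREAM_END)` loop it protects is shared by both formats; whether the gzip branch has an equivalent exit between the two hunks is not visible here and should be confirmed, otherwise the same infinite-loop shape may remain reachable with a gzip stream. The added FIXME is honest about this fragility, so it is worth either extending it, `/* FIXME: ... The guard below intentionally excludes GZIP; zlib errors must be handled above. */`, or replacing the remapping with a format-specific check. Separately, the commit message states this patch is the fix for both CVE-2018-9251 and CVE-2018-14567, but the debian/changelog entry only lists CVE-2018-14567; the other CVE should be recorded there too so the security tracker picks it up. xz_decomp starts and ends outside the hunk.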
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0023-CVE-2019-19956.patch libxml2-2.9.4+dfsg1/debian/patches/0023-CVE-2019-19956.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0023-CVE-2019-19956.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0023-CVE-2019-19956.patch 2020-02-05 18:08:11.000000000 +0100
@@ -0,0 +1,30 @@
+From 5a02583c7e683896d84878bd90641d8d9b0d0549 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Wed, 7 Aug 2019 17:39:17 +0800
+Subject: [PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover
+
+When doc is NULL, namespace created in xmlTreeEnsureXMLDecl
+is bind to newDoc->oldNs, in this case, set newDoc->oldNs to
+NULL and free newDoc will cause a memory leak.
+
+Found with libFuzzer.
+
+Closes #82.
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.4+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.4+dfsg1.orig/parser.c
++++ libxml2-2.9.4+dfsg1/parser.c
+@@ -14168,7 +14168,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDo
+ xmlFreeParserCtxt(ctxt);
+ newDoc->intSubset = NULL;
+ newDoc->extSubset = NULL;
+- newDoc->oldNs = NULL;
++ if(doc != NULL)
++ newDoc->oldNs = NULL;
+ xmlFreeDoc(newDoc);
+
+ return(ret);
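Review bot: The new `if(doc != NULL)` is missing the space after `if`, unlike the surrounding libxml2 code and the other patches in this upload (`if ((c == '&') ...`, `if (ctxt->value != NULL)`); it should read `if (doc != NULL)`. More importantly the reason for the condition is only in the commit message, and a reader of the code will wonder why `oldNs` is sometimes cleared; a short comment would fix that, e.g. `/* with a NULL doc, oldNs was created for newDoc by xmlTreeEnsureXMLDecl and must be freed with it; otherwise it presumably points at doc's namespace and must not be freed here */` (the "otherwise" half is inferred from the commit message, not visible in the hunk, so confirm before committing the wording). xmlParseBalancedChunkMemoryRecover begins outside the hunk.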
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0024-CVE-2019-20388.patch libxml2-2.9.4+dfsg1/debian/patches/0024-CVE-2019-20388.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0024-CVE-2019-20388.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0024-CVE-2019-20388.patch 2020-11-06 14:37:09.000000000 +0100
@@ -0,0 +1,33 @@
+From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Tue, 20 Aug 2019 16:33:06 +0800
+Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream
+
+When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun
+alloc a new schema for ctxt->schema and set vctxt->xsiAssemble
+to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize
+vctxt->xsiAssemble to 0 again which cause the alloced schema
+can not be freed anymore.
+
+Found with libFuzzer.
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+---
+ xmlschemas.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 301c84499..39d92182f 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) {
+ vctxt->nberrors = 0;
+ vctxt->depth = -1;
+ vctxt->skipDepth = -1;
+- vctxt->xsiAssemble = 0;
+ vctxt->hasKeyrefs = 0;
+ #ifdef ENABLE_IDC_NODE_TABLES_TEST
+ vctxt->createIDCNodeTables = 1;
+--
+GitLab
+
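Review bot: Dropping `vctxt->xsiAssemble = 0;` from xmlSchemaPreRun leaves nothing in this function explaining why that one field is no longer reset alongside `nberrors`, `depth` and `skipDepth`, and the next maintainer is likely to "fix" it back; a comment at the removal point is warranted, e.g. `/* xsiAssemble is set by xmlSchemaSAXPlug before this runs; resetting it here leaked the assembled schema (CVE-2019-20388) */`. It also means the flag now has to be cleared somewhere else when the assembled schema is freed, presumably in the matching post-run/teardown path that is not visible here; if it is not, a validation context reused for a second document would carry a stale xsiAssemble value, so that path should be checked. xmlSchemaPreRun starts and ends outside the hunk.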
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0025-CVE-2020-7595.patch libxml2-2.9.4+dfsg1/debian/patches/0025-CVE-2020-7595.patch
--- libxml2-2.9.4+dfsg1/debian/patches/0025-CVE-2020-7595.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/0025-CVE-2020-7595.patch 2020-02-05 18:08:27.000000000 +0100
@@ -0,0 +1,29 @@
+From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Thu, 12 Dec 2019 17:30:55 +0800
+Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
+
+When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
+return NULL which cause a infinite loop in xmlStringLenDecodeEntities
+
+Found with libFuzzer.
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.4+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.4+dfsg1.orig/parser.c
++++ libxml2-2.9.4+dfsg1/parser.c
+@@ -2791,7 +2791,8 @@ xmlStringLenDecodeEntities(xmlParserCtxt
+ else
+ c = 0;
+ while ((c != 0) && (c != end) && /* non input consuming loop */
+- (c != end2) && (c != end3)) {
++ (c != end2) && (c != end3) &&
++ (ctxt->instate != XML_PARSER_EOF)) {
+
+ if (c == 0) break;
+ if ((c == '&') && (str[1] == '#')) {
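Review bot: The new `(ctxt->instate != XML_PARSER_EOF)` term makes the loop stop silently on EOF, but nothing in the code says why, and the condition is the kind that gets simplified away later; a comment on the loop is warranted, e.g. `/* bail out once the parser is in EOF state: xmlParseStringEntityRef returns NULL there and the loop would otherwise never advance */`. The check is evaluated only at the loop head, so any place in the body (outside this hunk) that calls xmlParseStringEntityRef and continues with its result should still handle a NULL return or re-check `ctxt->instate`, since the state may flip to EOF mid-iteration. The pre-existing `if (c == 0) break;` directly below the condition is already implied by `c != 0` in the loop test; not part of this change, but it could be dropped in the same patch. xmlStringLenDecodeEntities starts and ends outside the hunk.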
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/series libxml2-2.9.4+dfsg1/debian/patches/series
--- libxml2-2.9.4+dfsg1/debian/patches/series 2018-01-02 08:59:03.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/series 2020-11-06 15:35:20.000000000 +0100
@@ -17,3 +17,9 @@
0017-python-remove-single-use-of-_PyVerify_fd.patch
0018-Fix-XPath-stack-frame-logic.patch
0019-CVE-2017-8872.patch
+0020-CVE-2017-18258.patch
+0021-CVE-2018-14404.patch
+0022-CVE-2018-14567.patch
+0023-CVE-2019-19956.patch
+0024-CVE-2019-20388.patch
+0025-CVE-2020-7595.patch