
Bug#989003: unblock: libxml2/2.9.10+dfsg-6.7



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org

Hi Release team,

Please unblock package libxml2

[ Reason ]
Update to address CVE-2021-3541 (cf. #988603), which is called
"Parameter Laughs".
(Explain what the reason for the unblock request is.)

[ Impact ]
Possible denial of service attacks against applications using the
libxml2 library.

[ Tests ]
The triggered autopkgtests show no regression; additionally tested for
the CVE-2021-3541 issue.

[ Risks ]
Should be low. The autopkgtests show no regression, and cover enough
reverse dependencies of the library.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Nothing I can think of which needs to be added.

unblock libxml2/2.9.10+dfsg-6.7

Regards,
Salvatore

diff -Nru libxml2-2.9.10+dfsg/debian/changelog libxml2-2.9.10+dfsg/debian/changelog
--- libxml2-2.9.10+dfsg/debian/changelog	2021-05-06 10:48:16.000000000 +0200
+++ libxml2-2.9.10+dfsg/debian/changelog	2021-05-22 08:21:29.000000000 +0200
@@ -1,3 +1,10 @@
+libxml2 (2.9.10+dfsg-6.7) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Patch for security issue CVE-2021-3541 (Closes: #988603)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 22 May 2021 08:21:29 +0200
+
 libxml2 (2.9.10+dfsg-6.6) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru libxml2-2.9.10+dfsg/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch libxml2-2.9.10+dfsg/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch
--- libxml2-2.9.10+dfsg/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.10+dfsg/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch	2021-05-22 08:21:29.000000000 +0200
@@ -0,0 +1,70 @@
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: Patch for security issue CVE-2021-3541
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/228
+Bug-Debian: https://bugs.debian.org/988603
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3541
+
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index f5e5e169c0e0..c9312fa48d9c 100644
+--- a/parser.c
++++ b/parser.c
+@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+                      xmlEntityPtr ent, size_t replacement)
+ {
+     size_t consumed = 0;
++    int i;
+ 
+     if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+         return (0);
+@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ 	    rep = NULL;
+ 	}
+     }
++
++    /*
++     * Prevent entity exponential check, not just replacement while
++     * parsing the DTD
++     * The check is potentially costly so do that only once in a thousand
++     */
++    if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
++        (ctxt->nbentities % 1024 == 0)) {
++	for (i = 0;i < ctxt->inputNr;i++) {
++	    consumed += ctxt->inputTab[i]->consumed +
++	               (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
++	}
++	if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
++	    xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++	    ctxt->instate = XML_PARSER_EOF;
++	    return (1);
++	}
++	consumed = 0;
++    }
++
++
++
+     if (replacement != 0) {
+ 	if (replacement < XML_MAX_TEXT_LENGTH)
+ 	    return(0);
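Review bot: the comment "do that only once in a thousand" does not match the `(ctxt->nbentities % 1024 == 0)` test directly under it; say "once every 1024 entity references" so the two numbers cannot drift apart, and note that together with `ctxt->nbentities > 10000` the first check therefore runs at nbentities == 10240, not at the 10000 threshold the same condition names. Two smaller nits in the same hunk: the `consumed = 0;` after the loop only restores the value the declaration `size_t consumed = 0;` already gave it, so it can go unless the code after this hunk depends on `consumed` being accumulated from zero again, and the three consecutive blank lines before `if (replacement != 0) {` should collapse to one.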
+@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+             xmlChar start[4];
+             xmlCharEncoding enc;
+ 
++	    if (xmlParserEntityCheck(ctxt, 0, entity, 0))
++	        return;
++
+ 	    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ 	        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ 		((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
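Review bot: a one-line comment on the new `xmlParserEntityCheck(ctxt, 0, entity, 0)` call would help the next reader: with size and replacement both 0 the `if (replacement != 0)` branch shown in the earlier hunk is not taken, so what this call can trip is the new DTD-phase density test (which itself only runs while `ctxt->instate == XML_PARSER_DTD`) plus whatever the entity branches not shown here do, and that intent is not obvious from the bare call. The bare `return;` is fine as written, since xmlParserEntityCheck already reports XML_ERR_ENTITY_LOOP and sets `ctxt->instate = XML_PARSER_EOF` before returning 1, so no error is lost on this path.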
+-- 
+2.31.1
+
diff -Nru libxml2-2.9.10+dfsg/debian/patches/series libxml2-2.9.10+dfsg/debian/patches/series
--- libxml2-2.9.10+dfsg/debian/patches/series	2021-05-06 10:48:16.000000000 +0200
+++ libxml2-2.9.10+dfsg/debian/patches/series	2021-05-22 08:21:29.000000000 +0200
@@ -9,3 +9,4 @@
 Validate-UTF8-in-xmlEncodeEntities.patch
 Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch
 Propagate-error-in-xmlParseElementChildrenContentDec.patch
+Patch-for-security-issue-CVE-2021-3541.patch
