Bug#989003: unblock: libxml2/2.9.10+dfsg-6.7
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org
Hi Release team,
Please unblock package libxml2
[ Reason ]
Update to address CVE-2021-3541 (cf. #988603) which is called
"Parameter Laughs".
(Explain what the reason for the unblock request is.)
[ Impact ]
Possible denial of service attacks against applications using the
libxml2 library.
[ Tests ]
Autopkgtests triggered show no regression, additionally tested for
the CVE-2021-3541 issue.
[ Risks ]
Should be low. The autopkgtests show no regression, and cover enough
reverse dependencies of the library.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
Nothing I can think of which needs to be added.
unblock libxml2/2.9.10+dfsg-6.7
Regards,
Salvatore
diff -Nru libxml2-2.9.10+dfsg/debian/changelog libxml2-2.9.10+dfsg/debian/changelog
--- libxml2-2.9.10+dfsg/debian/changelog 2021-05-06 10:48:16.000000000 +0200
+++ libxml2-2.9.10+dfsg/debian/changelog 2021-05-22 08:21:29.000000000 +0200
@@ -1,3 +1,10 @@
+libxml2 (2.9.10+dfsg-6.7) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Patch for security issue CVE-2021-3541 (Closes: #988603)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sat, 22 May 2021 08:21:29 +0200
+
libxml2 (2.9.10+dfsg-6.6) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru libxml2-2.9.10+dfsg/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch libxml2-2.9.10+dfsg/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch
--- libxml2-2.9.10+dfsg/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.10+dfsg/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch 2021-05-22 08:21:29.000000000 +0200
@@ -0,0 +1,70 @@
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: Patch for security issue CVE-2021-3541
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/228
+Bug-Debian: https://bugs.debian.org/988603
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3541
+
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index f5e5e169c0e0..c9312fa48d9c 100644
+--- a/parser.c
++++ b/parser.c
+@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ xmlEntityPtr ent, size_t replacement)
+ {
+ size_t consumed = 0;
++ int i;
+
+ if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+ return (0);
+@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ rep = NULL;
+ }
+ }
++
++ /*
++ * Prevent entity exponential check, not just replacement while
++ * parsing the DTD
++ * The check is potentially costly so do that only once in a thousand
++ */
++ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
++ (ctxt->nbentities % 1024 == 0)) {
++ for (i = 0;i < ctxt->inputNr;i++) {
++ consumed += ctxt->inputTab[i]->consumed +
++ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
++ }
++ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++ ctxt->instate = XML_PARSER_EOF;
++ return (1);
++ }
++ consumed = 0;
++ }
++
++
++
+ if (replacement != 0) {
+ if (replacement < XML_MAX_TEXT_LENGTH)
+ return(0);
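Review bot: the gate `(ctxt->nbentities % 1024 == 0)` in the new block of xmlParserEntityCheck only fires when the counter lands exactly on a multiple of 1024, and only once it exceeds 10000. If nbentities can ever advance by more than one between calls, multiples can be stepped over and the density test delayed or missed, so it is worth confirming the increment sites or comparing against the value at the last check instead. The comment above it is also misleading: "Prevent entity exponential check" reads as if the check itself is being prevented, and "once in a thousand" does not match the 1024 in the condition. Suggest rewording it to say that it limits exponential parameter entity expansion while parsing the DTD, adding a short note on why `consumed = 0;` is reset after the loop, and dropping the three trailing blank lines.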
+@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ xmlChar start[4];
+ xmlCharEncoding enc;
+
++ if (xmlParserEntityCheck(ctxt, 0, entity, 0))
++ return;
++
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
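Review bot: the new call `xmlParserEntityCheck(ctxt, 0, entity, 0)` in xmlParsePEReference has no comment, and with both size and replacement passed as 0 it is not obvious to a reader which branch of the check it is meant to reach. A one-line comment stating that it is there to apply the entity count limit to parameter entity references in the DTD, and that the bare `return;` relies on the callee having already raised the error and set the parser state, would make the intent and the error path clear.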
+--
+2.31.1
+
diff -Nru libxml2-2.9.10+dfsg/debian/patches/series libxml2-2.9.10+dfsg/debian/patches/series
--- libxml2-2.9.10+dfsg/debian/patches/series 2021-05-06 10:48:16.000000000 +0200
+++ libxml2-2.9.10+dfsg/debian/patches/series 2021-05-22 08:21:29.000000000 +0200
@@ -9,3 +9,4 @@
Validate-UTF8-in-xmlEncodeEntities.patch
Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch
Propagate-error-in-xmlParseElementChildrenContentDec.patch
+Patch-for-security-issue-CVE-2021-3541.patch