Bug#989003: marked as done (unblock: libxml2/2.9.10+dfsg-6.7)



Your message dated Tue, 25 May 2021 07:15:48 +0000
with message-id <E1llRI4-0004aF-UC@respighi.debian.org>
and subject line unblock libxml2
has caused the Debian Bug report #989003,
regarding unblock: libxml2/2.9.10+dfsg-6.7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989003: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989003
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org

Hi Release team,

Please unblock package libxml2

[ Reason ]
Update to address CVE-2021-3541 (cf. #988603), which is called
"Parameter Laughs".
(Explain what the reason for the unblock request is.)

[ Impact ]
Possible denial of service attacks against applications using the
libxml2 library.

[ Tests ]
Autopkgtests triggered show no regression; additionally tested for
the CVE-2021-3541 issue.

[ Risks ]
Should be low. The autopkgtests show no regression, and cover enough
reverse dependencies of the library.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Nothing I can think of which needs to be added.

unblock libxml2/2.9.10+dfsg-6.7

Regards,
Salvatore
diff -Nru libxml2-2.9.10+dfsg/debian/changelog libxml2-2.9.10+dfsg/debian/changelog
--- libxml2-2.9.10+dfsg/debian/changelog	2021-05-06 10:48:16.000000000 +0200
+++ libxml2-2.9.10+dfsg/debian/changelog	2021-05-22 08:21:29.000000000 +0200
@@ -1,3 +1,10 @@
+libxml2 (2.9.10+dfsg-6.7) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Patch for security issue CVE-2021-3541 (Closes: #988603)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 22 May 2021 08:21:29 +0200
+
 libxml2 (2.9.10+dfsg-6.6) unstable; urgency=medium
 
   * Non-maintainer upload.
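Review bot: the changelog entry names the CVE and closes #988603 but does not say where the fix comes from; the patch header carries the Origin URL of upstream commit 8598060bacada41a0eb09d95c97744ff4e428f8e, so a short "backport of upstream commit ..." in the changelog would let the release team trace it without opening the patch.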
diff -Nru libxml2-2.9.10+dfsg/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch libxml2-2.9.10+dfsg/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch
--- libxml2-2.9.10+dfsg/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.10+dfsg/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch	2021-05-22 08:21:29.000000000 +0200
@@ -0,0 +1,70 @@
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: Patch for security issue CVE-2021-3541
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/228
+Bug-Debian: https://bugs.debian.org/988603
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3541
+
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index f5e5e169c0e0..c9312fa48d9c 100644
+--- a/parser.c
++++ b/parser.c
+@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+                      xmlEntityPtr ent, size_t replacement)
+ {
+     size_t consumed = 0;
++    int i;
+ 
+     if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+         return (0);
+@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ 	    rep = NULL;
+ 	}
+     }
++
++    /*
++     * Prevent entity exponential check, not just replacement while
++     * parsing the DTD
++     * The check is potentially costly so do that only once in a thousand
++     */
++    if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
++        (ctxt->nbentities % 1024 == 0)) {
++	for (i = 0;i < ctxt->inputNr;i++) {
++	    consumed += ctxt->inputTab[i]->consumed +
++	               (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
++	}
++	if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
++	    xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++	    ctxt->instate = XML_PARSER_EOF;
++	    return (1);
++	}
++	consumed = 0;
++    }
++
++
++
+     if (replacement != 0) {
+ 	if (replacement < XML_MAX_TEXT_LENGTH)
+ 	    return(0);
+@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+             xmlChar start[4];
+             xmlCharEncoding enc;
+ 
++	    if (xmlParserEntityCheck(ctxt, 0, entity, 0))
++	        return;
++
+ 	    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ 	        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ 		((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+-- 
+2.31.1
+
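Review bot: the new check in xmlParserEntityCheck is sampled on `ctxt->nbentities % 1024 == 0`, which only fires reliably if nbentities advances by exactly one between calls; if it is ever bumped by more than one on the parameter-entity path, the whole density check can be skipped, so a "last checked at" counter would be more robust than a modulo. The call added in xmlParsePEReference passes size 0 and replacement 0, so on that path only the existing XML_PARSE_HUGE early return and the new DTD-state density check apply; applications that set XML_PARSE_HUGE therefore stay unprotected by this change, which the patch description should state. Style: the hunk adds three trailing blank lines after the new block and mixes tabs and spaces in the new indentation, and the description has "relapted" for "related".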
diff -Nru libxml2-2.9.10+dfsg/debian/patches/series libxml2-2.9.10+dfsg/debian/patches/series
--- libxml2-2.9.10+dfsg/debian/patches/series	2021-05-06 10:48:16.000000000 +0200
+++ libxml2-2.9.10+dfsg/debian/patches/series	2021-05-22 08:21:29.000000000 +0200
@@ -9,3 +9,4 @@
 Validate-UTF8-in-xmlEncodeEntities.patch
 Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch
 Propagate-error-in-xmlParseElementChildrenContentDec.patch
+Patch-for-security-issue-CVE-2021-3541.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---