
Bug#989768: marked as done (buster-pu: package libxml2/2.9.4+dfsg1-7+deb10u2)



Your message dated Sat, 19 Jun 2021 10:56:39 +0100
with message-id <5c65c3ad2ac9b1b1f78bf73b1cf073041e619b51.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.10 point release
has caused the Debian Bug report #989768,
regarding buster-pu: package libxml2/2.9.4+dfsg1-7+deb10u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989768: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989768
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: carnil@debian.org,jmm@debian.org

Hi Stable release managers,

[ Reason ]
libxml2 is affected in buster by some vulnerabilities which did not
warrant a DSA, and which were not too intrusive to be backported.
They are fixes for CVE-2020-24977, CVE-2021-3516, CVE-2021-3517,
CVE-2021-3518, CVE-2021-3537 and CVE-2021-3541, all of which are
already fixed in unstable.

[ Impact ]
Status quo, the issues remain unfixed in buster.

[ Tests ]
For most of the CVEs the PoC triggered, which I was in turn able to
verify against the fixed version. Before accepting into the 10.10 or a
later point release, the autopkgtest runs could give some further
coverage.

[ Risks ]
The patches were exposed in unstable for a while; still, the risk of
regression cannot be completely ruled out.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Upstream fixes for the various CVEs, no other changes.

[ Other info ]
None I guess.

Regards,
Salvatore
diff -Nru libxml2-2.9.4+dfsg1/debian/changelog libxml2-2.9.4+dfsg1/debian/changelog
--- libxml2-2.9.4+dfsg1/debian/changelog	2020-11-06 18:13:19.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/changelog	2021-06-11 18:57:11.000000000 +0200
@@ -1,3 +1,19 @@
+libxml2 (2.9.4+dfsg1-7+deb10u2) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix out-of-bounds read with 'xmllint --htmlout' (CVE-2020-24977)
+    (Closes: #969529)
+  * Fix use-after-free with `xmllint --html --push` (CVE-2021-3516)
+    (Closes: #987739)
+  * Validate UTF8 in xmlEncodeEntities (CVE-2021-3517) (Closes: #987738)
+  * Fix user-after-free with `xmllint --xinclude --dropdtd` (CVE-2021-3518)
+    (Closes: #987737)
+  * Propagate error in xmlParseElementChildrenContentDeclPriv (CVE-2021-3537)
+    (Closes: #988123)
+  * Patch for security issue CVE-2021-3541 (Closes: #988603)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 11 Jun 2021 18:57:11 +0200
+
 libxml2 (2.9.4+dfsg1-7+deb10u1) buster; urgency=medium
 
   * CVE-2017-18258 (Closes: #895245)
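Review bot: the CVE-2021-3518 entry reads "Fix user-after-free", which should be "use-after-free"; the typo is inherited from the upstream commit subject (and the file name Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch carries it too), but the changelog is what reaches apt-listchanges and the point-release notes, so it is worth correcting here even if the patch name is kept to match upstream. The CVE-2021-3541 line is also the only entry that does not say what is being fixed; something like "Fix exponential parameter entity expansion while parsing the DTD (CVE-2021-3541)" would match the detail level of the other entries and the upstream commit description.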
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/Fix-out-of-bounds-read-with-xmllint-htmlout.patch libxml2-2.9.4+dfsg1/debian/patches/Fix-out-of-bounds-read-with-xmllint-htmlout.patch
--- libxml2-2.9.4+dfsg1/debian/patches/Fix-out-of-bounds-read-with-xmllint-htmlout.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/Fix-out-of-bounds-read-with-xmllint-htmlout.patch	2021-06-11 18:57:11.000000000 +0200
@@ -0,0 +1,39 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Aug 2020 21:54:27 +0200
+Subject: Fix out-of-bounds read with 'xmllint --htmlout'
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
+Bug-Debian: https://bugs.debian.org/969529
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-24977
+
+Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
+array access.
+
+Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
+the report.
+
+Fixes #178.
+---
+ xmllint.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/xmllint.c b/xmllint.c
+index f6a8e463639a..c647486f39b4 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -528,6 +528,12 @@ static void
+ xmlHTMLEncodeSend(void) {
+     char *result;
+ 
++    /*
++     * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
++     * end with a truncated UTF-8 sequence. This is a hack to at least avoid
++     * an out-of-bounds read.
++     */
++    memset(&buffer[sizeof(buffer)-4], 0, 4);
+     result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
+     if (result) {
+ 	xmlGenericError(xmlGenericErrorContext, "%s", result);
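Review bot: memset(&buffer[sizeof(buffer)-4], 0, 4) is only correct if `buffer` is a fixed-size array in scope; on a pointer, sizeof would be 4 or 8 and the memset would clobber bytes near the start of whatever it points at. The hunk does not show the declaration, so confirm that xmllint.c in 2.9.4 still declares `buffer` as a char array before this is applied. The patch also only masks the problem, as its own comment admits: it guarantees that a truncated multi-byte sequence at the end of the buffer runs into NUL bytes rather than past the array, while xmlEncodeEntitiesReentrant itself still does no validation. That part is closed by Validate-UTF8-in-xmlEncodeEntities.patch in this same upload, so the two should be treated as a pair if either is ever dropped or reordered.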
+-- 
+2.28.0
+
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch libxml2-2.9.4+dfsg1/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch
--- libxml2-2.9.4+dfsg1/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch	2021-06-11 18:57:11.000000000 +0200
@@ -0,0 +1,34 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 21 Apr 2021 13:23:27 +0200
+Subject: Fix use-after-free with `xmllint --html --push`
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/230
+Bug-Debian: https://bugs.debian.org/987739
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3516
+
+Call htmlCtxtUseOptions to make sure that names aren't stored in
+dictionaries.
+
+Note that this issue only affects xmllint using the HTML push parser.
+
+Fixes #230.
+---
+ xmllint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmllint.c b/xmllint.c
+index 6ca1bf54dc27..dbef273a8f8d 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
+             if (res > 0) {
+                 ctxt = htmlCreatePushParserCtxt(NULL, NULL,
+                             chars, res, filename, XML_CHAR_ENCODING_NONE);
+-                xmlCtxtUseOptions(ctxt, options);
++                htmlCtxtUseOptions(ctxt, options);
+                 while ((res = fread(chars, 1, pushsize, f)) > 0) {
+                     htmlParseChunk(ctxt, chars, res, 0);
+                 }
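Review bot: the single-identifier change from xmlCtxtUseOptions to htmlCtxtUseOptions is the whole fix, so the review question is whether any other path in xmllint.c creates an HTML parser context and then calls the XML variant; this hunk only covers the `--html --push` branch shown here, and the upstream message limits the issue to xmllint's HTML push parser. A grep of xmllint.c for xmlCtxtUseOptions on the remaining HTML code paths would settle that before release. Since only xmllint.c is touched, the library is unchanged: an application that applies xmlCtxtUseOptions to an htmlParserCtxt of its own gets nothing from this upload, which would be worth a sentence in the changelog.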
+-- 
+2.31.1
+
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch libxml2-2.9.4+dfsg1/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch
--- libxml2-2.9.4+dfsg1/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch	2021-06-11 18:57:11.000000000 +0200
@@ -0,0 +1,36 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: Fix user-after-free with `xmllint --xinclude --dropdtd`
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/237
+Bug-Debian: https://bugs.debian.org/987737
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3518
+
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+
+Fixes #237.
+---
+ xinclude.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr
+     while ((cur != NULL) && (cur != tree->parent)) {
+ 	/* TODO: need to work on entities -> stack */
+ 	if ((cur->children != NULL) &&
+-	    (cur->children->type != XML_ENTITY_DECL) &&
+-	    (cur->children->type != XML_XINCLUDE_START) &&
+-	    (cur->children->type != XML_XINCLUDE_END)) {
++	    ((cur->type == XML_DOCUMENT_NODE) ||
++	     (cur->type == XML_ELEMENT_NODE))) {
+ 	    cur = cur->children;
+ 	    if (xmlXIncludeTestNode(ctxt, cur))
+ 		xmlXIncludePreProcessNode(ctxt, cur);
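Review bot: the condition moves from testing cur->children->type to testing cur->type, so an element whose first child is an XML_XINCLUDE_START or XML_XINCLUDE_END node is now descended into where the old block list skipped it; the commit message presents the allow list as deliberate, but it is worth confirming that xmlXIncludeTestNode tolerates landing on those node types before this ships. This patch also lacks the `diff --git`/index header the other patches carry, which suggests it was refreshed by hand for 2.9.4; the hunk header (-9 +8, three lines removed and two added) is consistent with the body, so the refresh itself looks right.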
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch libxml2-2.9.4+dfsg1/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch
--- libxml2-2.9.4+dfsg1/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch	2021-06-11 18:57:11.000000000 +0200
@@ -0,0 +1,65 @@
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: Patch for security issue CVE-2021-3541
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/228
+Bug-Debian: https://bugs.debian.org/988603
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3541
+
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+--- a/parser.c
++++ b/parser.c
+@@ -127,6 +127,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
+                      xmlEntityPtr ent, size_t replacement)
+ {
+     size_t consumed = 0;
++    int i;
+ 
+     if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+         return (0);
+@@ -161,6 +162,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
+ 	    rep = NULL;
+ 	}
+     }
++
++    /*
++     * Prevent entity exponential check, not just replacement while
++     * parsing the DTD
++     * The check is potentially costly so do that only once in a thousand
++     */
++    if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
++        (ctxt->nbentities % 1024 == 0)) {
++	for (i = 0;i < ctxt->inputNr;i++) {
++	    consumed += ctxt->inputTab[i]->consumed +
++	               (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
++	}
++	if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
++	    xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++	    ctxt->instate = XML_PARSER_EOF;
++	    return (1);
++	}
++	consumed = 0;
++    }
++
++
++
+     if (replacement != 0) {
+ 	if (replacement < XML_MAX_TEXT_LENGTH)
+ 	    return(0);
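Review bot: the sampling condition `(ctxt->nbentities % 1024 == 0)` only fires when the counter lands exactly on a multiple of 1024; if nbentities is ever bumped by more than one at a time elsewhere in parser.c, the density check can be stepped over indefinitely, so either confirm every increment on the DTD path is by one or switch to a "checked since last time" counter that cannot be skipped. The comment says "once in a thousand" while the code uses 1024; pick one. The reset `consumed = 0` before falling through is right, since the function starts from `size_t consumed = 0;` and the code after this block previously saw that value. Minor: the three blank `+` lines after the new block are trailing-whitespace noise that makes the patch harder to rebase.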
+@@ -8133,6 +8156,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctx
+ 	    if (xmlPushInput(ctxt, input) < 0)
+ 		return;
+ 	} else {
++	    if (xmlParserEntityCheck(ctxt, 0, entity, 0))
++	        return;
++
+ 	    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ 	        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ 		((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
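Review bot: the new xmlParserEntityCheck(ctxt, 0, entity, 0) call is added only in the else branch; the branch just above it, which pushes the entity as a new input via xmlPushInput, gets no check in this hunk, so confirm that path is covered by an existing call elsewhere. With size and replacement both 0, the only thing this call can trip is the DTD density check added above. When it fails, the function returns silently, which is fine because xmlParserEntityCheck has already raised XML_ERR_ENTITY_LOOP and set instate to XML_PARSER_EOF; a one-line comment saying so would help the next backporter.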
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/Propagate-error-in-xmlParseElementChildrenContentDec.patch libxml2-2.9.4+dfsg1/debian/patches/Propagate-error-in-xmlParseElementChildrenContentDec.patch
--- libxml2-2.9.4+dfsg1/debian/patches/Propagate-error-in-xmlParseElementChildrenContentDec.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/Propagate-error-in-xmlParseElementChildrenContentDec.patch	2021-06-11 18:57:11.000000000 +0200
@@ -0,0 +1,47 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 1 May 2021 16:53:33 +0200
+Subject: Propagate error in xmlParseElementChildrenContentDeclPriv
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/243
+Bug-Debian: https://bugs.debian.org/988123
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3537
+
+Check return value of recursive calls to
+xmlParseElementChildrenContentDeclPriv and return immediately in case
+of errors. Otherwise, struct xmlElementContent could contain unexpected
+null pointers, leading to a null deref when post-validating documents
+which aren't well-formed and parsed in recovery mode.
+
+Fixes #243.
+---
+ parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index b42e60433ef4..73c27edda696 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ 	SKIP_BLANKS;
+         cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+                                                            depth + 1);
++        if (cur == NULL)
++            return(NULL);
+ 	SKIP_BLANKS;
+ 	GROW;
+     } else {
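Review bot: returning NULL as soon as the recursive call fails is right here because `cur = ret = ...` means nothing else has been allocated yet, but it changes the contract: every caller of xmlParseElementChildrenContentDeclPriv now has to treat NULL as an error rather than dereference it. The hunk does not show the callers, so check xmlParseElementContentDecl and the other recursion sites handle a NULL return; the second hunk of this patch fixes one of them.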
+@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ 	    SKIP_BLANKS;
+ 	    last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+                                                           depth + 1);
++            if (last == NULL) {
++		if (ret != NULL)
++		    xmlFreeDocElementContent(ctxt->myDoc, ret);
++		return(NULL);
++            }
+ 	    SKIP_BLANKS;
+ 	} else {
+ 	    elem = xmlParseName(ctxt);
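Review bot: freeing `ret` before returning NULL on `last == NULL` is the cleanup the first hunk did not need, and xmlFreeDocElementContent on the head releases everything attached under it so far, so there is no leak on this path. The added lines mix indentation styles, though: `if (last == NULL) {` and its closing brace are indented with spaces while the body uses tabs, which does not match the surrounding code and will show up as noise in the next refresh. The `if (ret != NULL)` guard is only defensive; keeping it is fine, but a comment would stop someone from "simplifying" it later.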
+-- 
+2.31.1
+
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch libxml2-2.9.4+dfsg1/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch
--- libxml2-2.9.4+dfsg1/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch	2021-06-11 18:57:11.000000000 +0200
@@ -0,0 +1,52 @@
+From: Joel Hockey <joel.hockey@gmail.com>
+Date: Sun, 16 Aug 2020 17:19:35 -0700
+Subject: Validate UTF8 in xmlEncodeEntities
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/235
+Bug-Debian: https://bugs.debian.org/987738
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3517
+
+Code is currently assuming UTF-8 without validating. Truncated UTF-8
+input can cause out-of-bounds array access.
+
+Adds further checks to partial fix in 50f06b3e.
+
+Fixes #178
+---
+ entities.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/entities.c b/entities.c
+index 37b99a56121f..1a8f86f0dc26 100644
+--- a/entities.c
++++ b/entities.c
+@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
+ 	    } else {
+ 		/*
+ 		 * We assume we have UTF-8 input.
++		 * It must match either:
++		 *   110xxxxx 10xxxxxx
++		 *   1110xxxx 10xxxxxx 10xxxxxx
++		 *   11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
++		 * That is:
++		 *   cur[0] is 11xxxxxx
++		 *   cur[1] is 10xxxxxx
++		 *   cur[2] is 10xxxxxx if cur[0] is 111xxxxx
++		 *   cur[3] is 10xxxxxx if cur[0] is 1111xxxx
++		 *   cur[0] is not 11111xxx
+ 		 */
+ 		char buf[11], *ptr;
+ 		int val = 0, l = 1;
+ 
+-		if (*cur < 0xC0) {
++		if (((cur[0] & 0xC0) != 0xC0) ||
++		    ((cur[1] & 0xC0) != 0x80) ||
++		    (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
++		    (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
++		    (((cur[0] & 0xF8) == 0xF8))) {
+ 		    xmlEntitiesErr(XML_CHECK_NOT_UTF8,
+ 			    "xmlEncodeEntities: input not UTF-8");
+ 		    if (doc != NULL)
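Review bot: the order of the || clauses is what keeps this memory-safe on a truncated sequence: cur[1] is examined only after cur[0] has been confirmed as a lead byte, cur[2] only after cur[1] is a continuation byte, and cur[3] only after cur[2] is, so a NUL terminator is reached and rejected before any read goes past it. That deserves a comment in the code, because reordering the clauses for readability would silently reintroduce the over-read. The check still admits lead bytes 0xF5..0xF7 (only 11111xxx is rejected), overlong forms such as C0 80, and surrogates encoded as ED A0..BF xx; none of those are out-of-bounds issues after this patch, but the "input not UTF-8" error is not raised for them either. Also, the Debian `Bug:` header points at issue 235 while the upstream message says "Fixes #178"; both are plausible, since 178 is the report that 50f06b3e fixed only partially, but the header should name the issue this patch actually closes.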
+-- 
+2.31.1
+
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/series libxml2-2.9.4+dfsg1/debian/patches/series
--- libxml2-2.9.4+dfsg1/debian/patches/series	2020-11-06 15:35:20.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/series	2021-06-11 18:57:11.000000000 +0200
@@ -23,3 +23,9 @@
 0023-CVE-2019-19956.patch
 0024-CVE-2019-20388.patch
 0025-CVE-2020-7595.patch
+Fix-out-of-bounds-read-with-xmllint-htmlout.patch
+Fix-use-after-free-with-xmllint-html-push.patch
+Validate-UTF8-in-xmlEncodeEntities.patch
+Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch
+Propagate-error-in-xmlParseElementChildrenContentDec.patch
+Patch-for-security-issue-CVE-2021-3541.patch
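Review bot: the six new entries break the `00NN-CVE-XXXX-YYYY.patch` naming the series has used up to 0025-CVE-2020-7595.patch; using the upstream subjects as file names is fine for traceability, but a numbered prefix (0026-CVE-2020-24977.patch and so on) keeps the series sorted and makes it obvious which CVE each file addresses, which matters most for the entry whose name is just "Patch-for-security-issue-CVE-2021-3541". On ordering: the two parser.c patches touch disjoint regions (around lines 6208/6341 versus 127/161/8133), so the sequence is not load-bearing, but listing Validate-UTF8-in-xmlEncodeEntities.patch directly after the xmllint-htmlout patch would document that the second completes the first.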

--- End Message ---
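As an added worked example, not code from the libxml2 upload above: the validity predicate that Validate-UTF8-in-xmlEncodeEntities.patch adds to xmlEncodeEntitiesInternal, lifted into a standalone function and run against constructed inputs (including a truncated sequence, the case behind CVE-2021-3517), next to a full RFC 3629 check so the two rules can be compared. The function names, the stricter checker and the sample byte strings are this example's own assumptions; none of it is libxml2 API.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not libxml2 code.  patched_check_rejects() is the exact
 * predicate the Validate-UTF8 patch adds, for a byte the caller has already
 * found to be >= 0x80.  'cur' must point into a NUL-terminated buffer: the
 * || clauses are ordered so cur[1] is read only once cur[0] is a lead byte,
 * cur[2] only once cur[1] is a continuation byte, and cur[3] only once cur[2]
 * is, so a truncated sequence runs into the terminator and is rejected
 * before any read would go past it.
 */
int patched_check_rejects(const unsigned char *cur)
{
    return (((cur[0] & 0xC0) != 0xC0) ||
            ((cur[1] & 0xC0) != 0x80) ||
            (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
            (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
            (((cur[0] & 0xF8) == 0xF8)));
}

/*
 * Length of the sequence starting at s under the patched rule: 1 for ASCII,
 * 2..4 for a sequence the patch accepts, 0 for one it reports as not UTF-8.
 */
size_t patched_seq_len(const unsigned char *s)
{
    if (s[0] < 0x80)
        return 1;
    if (patched_check_rejects(s))
        return 0;
    if ((s[0] & 0xE0) == 0xC0)
        return 2;
    if ((s[0] & 0xF0) == 0xE0)
        return 3;
    return 4;                       /* 11110xxx; 11111xxx was rejected above */
}

/*
 * Full RFC 3629 validation of one sequence, for comparison.  This is the
 * example's own stricter rule, not what libxml2 does: it rejects C0/C1 and
 * F5..FF lead bytes, overlong forms and surrogate code points, and reads
 * each byte only after the previous one has been accepted.
 */
size_t strict_utf8_seq_len(const unsigned char *s)
{
    unsigned char b0 = s[0], lo = 0x80, hi = 0xBF;

    if (b0 < 0x80)
        return 1;
    if (b0 >= 0xC2 && b0 <= 0xDF)
        return ((s[1] & 0xC0) == 0x80) ? 2 : 0;
    if (b0 >= 0xE0 && b0 <= 0xEF) {
        if (b0 == 0xE0) lo = 0xA0;  /* E0 80..9F would be overlong */
        if (b0 == 0xED) hi = 0x9F;  /* ED A0..BF would be a surrogate */
        if (s[1] < lo || s[1] > hi) return 0;
        return ((s[2] & 0xC0) == 0x80) ? 3 : 0;
    }
    if (b0 >= 0xF0 && b0 <= 0xF4) {
        if (b0 == 0xF0) lo = 0x90;  /* F0 80..8F would be overlong */
        if (b0 == 0xF4) hi = 0x8F;  /* F4 90.. is above U+10FFFF */
        if (s[1] < lo || s[1] > hi) return 0;
        if ((s[2] & 0xC0) != 0x80) return 0;
        return ((s[3] & 0xC0) == 0x80) ? 4 : 0;
    }
    return 0;                       /* 80..C1 and F5..FF */
}

int main(void)
{
    /* Constructed inputs; each is its own NUL-terminated literal. */
    const struct { const char *what; const unsigned char *bytes; } cases[] = {
        { "ASCII 'A'",                  (const unsigned char *)"A" },
        { "U+00E9 (C3 A9)",             (const unsigned char *)"\xC3\xA9" },
        { "truncated U+20AC (E2 82)",   (const unsigned char *)"\xE2\x82" },
        { "stray continuation (80)",    (const unsigned char *)"\x80" },
        { "overlong NUL (C0 80)",       (const unsigned char *)"\xC0\x80" },
        { "surrogate D800 (ED A0 80)",  (const unsigned char *)"\xED\xA0\x80" },
        { "lead byte F5 (F5 80 80 80)", (const unsigned char *)"\xF5\x80\x80\x80" },
    };
    size_t i;

    printf("%-30s %8s %8s\n", "input", "patched", "strict");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-30s %8zu %8zu\n", cases[i].what,
               patched_seq_len(cases[i].bytes),
               strict_utf8_seq_len(cases[i].bytes));
    return 0;
}
```

Build with `cc -Wall -o utf8check utf8check.c && ./utf8check`. The table shows the truncated `E2 82` and the stray `80` rejected by both rules, which is the memory-safety property the patch needed, while the overlong `C0 80`, the surrogate `ED A0 80` and the `F5` lead byte pass the patched predicate and fail the strict one.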
--- Begin Message ---
Package: release.debian.org
Version: 10.10

Hi,

Each of the updates referenced in these bugs was included in the 10.10
point release today.

Regards,

Adam

--- End Message ---
