
Bug#988070: marked as done (unblock: libxml2/2.9.10+dfsg-6.6 (pre-approval))



Your message dated Thu, 06 May 2021 11:49:37 +0000
with message-id <E1lecVd-00047v-TY@respighi.debian.org>
and subject line unblock libxml2
has caused the Debian Bug report #988070,
regarding unblock: libxml2/2.9.10+dfsg-6.6 (pre-approval)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988070: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988070
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org

Dear release team

This is a pre-approval request to please unblock package libxml2 (not
yet uploaded to unstable, only to experimental so far, as
2.9.10+dfsg-6.4).

Please unblock package libxml2

[ Reason ]

The update would fix three CVEs recently reported, CVE-2021-3516
(#987739), CVE-2021-3517 (#987738) and CVE-2021-3518 (#987737),
which are not very severe, but we still wanted to try to get fixes into
bullseye.

[ Impact ]

Package still affected by those CVEs.

[ Tests ]

For those three CVEs PoCs are available, which I had tested before and
with the fix, except for CVE-2021-3516, for which I could not trigger
the issue, but the change is simple.

Furthermore, given I uploaded to experimental, there was additional
exposure by the autopkgtests. From those, as you can see from
https://release.debian.org/britney/pseudo-excuses-experimental.html,
three are marked as regressions, but both balsa and kopanocore were
already failing before. For libreoffice the tests somehow are flapping
in which test they fail; I do not see a relation to libxml2 here.
libreoffice failed there in the last run for the uicheck-sc test
(triggered by python3.9), but in the libxml2 case it failed for the
uicheck-sw test, and for the previous failure it was again another test.

[ Risks ]

Changes do apply almost cleanly.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

I think nothing more needs to be mentioned.

unblock libxml2/2.9.10+dfsg-6.5

Regards,
Salvatore
diff -Nru libxml2-2.9.10+dfsg/debian/changelog libxml2-2.9.10+dfsg/debian/changelog
--- libxml2-2.9.10+dfsg/debian/changelog	2020-11-29 11:58:00.000000000 +0100
+++ libxml2-2.9.10+dfsg/debian/changelog	2021-05-04 20:48:42.000000000 +0200
@@ -1,3 +1,21 @@
+libxml2 (2.9.10+dfsg-6.5) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Upload to unstable.
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 04 May 2021 20:48:42 +0200
+
+libxml2 (2.9.10+dfsg-6.4) experimental; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix use-after-free with `xmllint --html --push` (CVE-2021-3516)
+    (Closes: #987739)
+  * Validate UTF8 in xmlEncodeEntities (CVE-2021-3517) (Closes: #987738)
+  * Fix user-after-free with `xmllint --xinclude --dropdtd` (CVE-2021-3518)
+    (Closes: #987737)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 02 May 2021 16:23:29 +0200
+
 libxml2 (2.9.10+dfsg-6.3) unstable; urgency=medium
 
   * Non-maintainer upload.
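Review bot: the 2.9.10+dfsg-6.4 entry reads "Fix user-after-free with `xmllint --xinclude --dropdtd`" for CVE-2021-3518; that should be "use-after-free", matching the CVE-2021-3516 line two entries above. The upstream subject line carries the same typo and the patch file name in debian/patches repeats it, so renaming the file is optional churn, but the changelog wording is what ends up in the package and should be corrected here.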
diff -Nru libxml2-2.9.10+dfsg/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch libxml2-2.9.10+dfsg/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch
--- libxml2-2.9.10+dfsg/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.10+dfsg/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch	2021-05-04 20:48:42.000000000 +0200
@@ -0,0 +1,34 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 21 Apr 2021 13:23:27 +0200
+Subject: Fix use-after-free with `xmllint --html --push`
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/230
+Bug-Debian: https://bugs.debian.org/987739
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3516
+
+Call htmlCtxtUseOptions to make sure that names aren't stored in
+dictionaries.
+
+Note that this issue only affects xmllint using the HTML push parser.
+
+Fixes #230.
+---
+ xmllint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmllint.c b/xmllint.c
+index 6ca1bf54dc27..dbef273a8f8d 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
+             if (res > 0) {
+                 ctxt = htmlCreatePushParserCtxt(NULL, NULL,
+                             chars, res, filename, XML_CHAR_ENCODING_NONE);
+-                xmlCtxtUseOptions(ctxt, options);
++                htmlCtxtUseOptions(ctxt, options);
+                 while ((res = fread(chars, 1, pushsize, f)) > 0) {
+                     htmlParseChunk(ctxt, chars, res, 0);
+                 }
+-- 
+2.31.1
+
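Review bot: the one-line swap of xmlCtxtUseOptions for htmlCtxtUseOptions on a context created by htmlCreatePushParserCtxt is the right setter for an HTML context, but the change lives entirely in xmllint.c, so the header sentence "this issue only affects xmllint using the HTML push parser" should state explicitly that the library is unchanged; any application that pairs htmlCreatePushParserCtxt with xmlCtxtUseOptions in its own code is not covered by this upload and should not read the CVE as fixed for it. Since the request text notes the CVE-2021-3516 PoC could not be triggered locally, it would also help to record in the patch header that the verification here is review of the call rather than reproduction.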
diff -Nru libxml2-2.9.10+dfsg/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch libxml2-2.9.10+dfsg/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch
--- libxml2-2.9.10+dfsg/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.10+dfsg/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch	2021-05-04 20:48:42.000000000 +0200
@@ -0,0 +1,36 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: Fix user-after-free with `xmllint --xinclude --dropdtd`
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/237
+Bug-Debian: https://bugs.debian.org/987737
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3518
+
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+
+Fixes #237.
+---
+ xinclude.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr
+     while ((cur != NULL) && (cur != tree->parent)) {
+ 	/* TODO: need to work on entities -> stack */
+ 	if ((cur->children != NULL) &&
+-	    (cur->children->type != XML_ENTITY_DECL) &&
+-	    (cur->children->type != XML_XINCLUDE_START) &&
+-	    (cur->children->type != XML_XINCLUDE_END)) {
++	    ((cur->type == XML_DOCUMENT_NODE) ||
++	     (cur->type == XML_ELEMENT_NODE))) {
+ 	    cur = cur->children;
+ 	    if (xmlXIncludeTestNode(ctxt, cur))
+ 		xmlXIncludePreProcessNode(ctxt, cur);
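Review bot: the new condition tests cur->type where the old one tested cur->children->type, so the guard that stopped descent when the first child was XML_XINCLUDE_START or XML_XINCLUDE_END is gone and already-expanded includes will now be walked into again; if xmlXIncludeTestNode rejects those marker nodes that is fine, but the header only says the allow list avoids "other node types that can't contain elements", and a sentence on why revisiting expanded includes is safe would help the next reader. The allow list also admits only XML_DOCUMENT_NODE and XML_ELEMENT_NODE, so an XML_HTML_DOCUMENT_NODE root is no longer traversed at all; worth stating whether that is intended. Minor: this patch lacks the `diff --git` and `index` lines the other two carry, so it is not a verbatim `git format-patch` export; quilt applies it either way, but the Origin line suggests it is verbatim.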
diff -Nru libxml2-2.9.10+dfsg/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch libxml2-2.9.10+dfsg/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch
--- libxml2-2.9.10+dfsg/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.10+dfsg/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch	2021-05-04 20:48:42.000000000 +0200
@@ -0,0 +1,52 @@
+From: Joel Hockey <joel.hockey@gmail.com>
+Date: Sun, 16 Aug 2020 17:19:35 -0700
+Subject: Validate UTF8 in xmlEncodeEntities
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/235
+Bug-Debian: https://bugs.debian.org/987738
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3517
+
+Code is currently assuming UTF-8 without validating. Truncated UTF-8
+input can cause out-of-bounds array access.
+
+Adds further checks to partial fix in 50f06b3e.
+
+Fixes #178
+---
+ entities.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/entities.c b/entities.c
+index 37b99a56121f..1a8f86f0dc26 100644
+--- a/entities.c
++++ b/entities.c
+@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
+ 	    } else {
+ 		/*
+ 		 * We assume we have UTF-8 input.
++		 * It must match either:
++		 *   110xxxxx 10xxxxxx
++		 *   1110xxxx 10xxxxxx 10xxxxxx
++		 *   11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
++		 * That is:
++		 *   cur[0] is 11xxxxxx
++		 *   cur[1] is 10xxxxxx
++		 *   cur[2] is 10xxxxxx if cur[0] is 111xxxxx
++		 *   cur[3] is 10xxxxxx if cur[0] is 1111xxxx
++		 *   cur[0] is not 11111xxx
+ 		 */
+ 		char buf[11], *ptr;
+ 		int val = 0, l = 1;
+ 
+-		if (*cur < 0xC0) {
++		if (((cur[0] & 0xC0) != 0xC0) ||
++		    ((cur[1] & 0xC0) != 0x80) ||
++		    (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
++		    (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
++		    (((cur[0] & 0xF8) == 0xF8))) {
+ 		    xmlEntitiesErr(XML_CHECK_NOT_UTF8,
+ 			    "xmlEncodeEntities: input not UTF-8");
+ 		    if (doc != NULL)
+-- 
+2.31.1
+
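Review bot: the condition reads cur[1], cur[2] and cur[3] with no explicit length, so its bounds safety rests on two properties visible in the hunk: the disjuncts are evaluated left to right, and a NUL byte never satisfies `(cur[n] & 0xC0) == 0x80`, so on a NUL-terminated input evaluation stops at the terminator and never reads past it. That reasoning belongs in a comment beside the condition, and the trailing `((cur[0] & 0xF8) == 0xF8)` test would be cheaper and clearer as the first disjunct, since a 11111xxx lead byte can then be rejected without touching cur[1..3]. The check is structural only: overlong forms such as C0 80 and encoded surrogates still pass, which is enough to bound the array access but should not be described as full UTF-8 validation. Header nit: `Bug:` points at issue 235 while the body says "Fixes #178"; one of the two should be corrected.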
diff -Nru libxml2-2.9.10+dfsg/debian/patches/series libxml2-2.9.10+dfsg/debian/patches/series
--- libxml2-2.9.10+dfsg/debian/patches/series	2020-10-25 13:56:23.000000000 +0100
+++ libxml2-2.9.10+dfsg/debian/patches/series	2021-05-04 20:48:42.000000000 +0200
@@ -5,3 +5,6 @@
 python3-unicode-errors.patch
 parenthesize-type-checks.patch
 Fix-out-of-bounds-read-with-xmllint-htmlout.patch
+Fix-use-after-free-with-xmllint-html-push.patch
+Validate-UTF8-in-xmlEncodeEntities.patch
+Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch

--- End Message ---
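The UTF-8 shape check from the entities.c patch in the debdiff above, as an added example that is neither libxml2's code nor the submitter's: the pre-fix test (`*cur < 0xC0`) beside the patched condition, run over constructed NUL-terminated inputs. The sample strings, the helper names old_check, new_check, scan_buffer and decode_at, and the -(offset + 1) error convention are all this example's own. It shows the truncated-sequence case the commit message describes, and also the overlong form that the structural check still lets through.

```c
/*
 * Added example, not libxml2 code: the structural UTF-8 check from the
 * xmlEncodeEntities fix next to the pre-fix test, over constructed
 * NUL-terminated inputs so the truncated-sequence case is visible.
 */
#include <stdio.h>

/* Pre-fix test: anything from 0xC0 up is taken as a lead byte and the
 * following bytes are consumed without being looked at. */
static int old_check(const unsigned char *cur)
{
    return *cur >= 0xC0;
}

/* Post-fix test, same shape as the patched condition.  Disjuncts are
 * evaluated left to right and a NUL byte never matches 10xxxxxx, so on a
 * NUL-terminated buffer no read goes past the terminator.  Returns 1 for
 * a structurally valid 2-, 3- or 4-byte sequence, 0 otherwise. */
static int new_check(const unsigned char *cur)
{
    if (((cur[0] & 0xC0) != 0xC0) ||
        ((cur[1] & 0xC0) != 0x80) ||
        (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
        (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
        ((cur[0] & 0xF8) == 0xF8))
        return 0;
    return 1;
}

/* 1 if the chosen check accepts the first non-ASCII sequence in s,
 * 0 if it rejects it, -1 if s is pure ASCII. */
static int accepted_by(const char *s, int use_new)
{
    const unsigned char *cur = (const unsigned char *)s;
    while (*cur != '\0' && *cur < 0x80)
        cur++;
    if (*cur == '\0')
        return -1;
    return use_new ? new_check(cur) : old_check(cur);
}

/* Sequence length implied by a lead byte that new_check has accepted. */
static int seq_len(unsigned char lead)
{
    if ((lead & 0xF0) == 0xF0) return 4;
    if ((lead & 0xE0) == 0xE0) return 3;
    return 2;
}

/* Decode the code point at cur; caller must have passed new_check(cur). */
static long decode_at(const unsigned char *cur)
{
    int len = seq_len(cur[0]), i;
    long val = (len == 4) ? (cur[0] & 0x07)
             : (len == 3) ? (cur[0] & 0x0F)
             :              (cur[0] & 0x1F);
    for (i = 1; i < len; i++)
        val = (val << 6) | (cur[i] & 0x3F);
    return val;
}

/* Scan a NUL-terminated buffer with the post-fix check.  Returns the number
 * of multibyte sequences accepted, or -(offset + 1) of the first rejected
 * byte.  Advancing by seq_len is safe only because new_check has confirmed
 * every continuation byte is 10xxxxxx and therefore non-NUL. */
static int scan_buffer(const char *s)
{
    const unsigned char *cur = (const unsigned char *)s;
    int count = 0;
    while (*cur != '\0') {
        if (*cur < 0x80) { cur++; continue; }
        if (!new_check(cur))
            return -((int)(cur - (const unsigned char *)s) + 1);
        count++;
        cur += seq_len(*cur);
    }
    return count;
}

/* Constructed inputs (not taken from the page or from any PoC). */
static const char SAMPLE_OK[]       = "caf\xC3\xA9 \xE2\x82\xAC"; /* U+00E9, U+20AC, complete */
static const char SAMPLE_TRUNC2[]   = "caf\xC3";                  /* 2-byte lead, then NUL */
static const char SAMPLE_TRUNC4[]   = "x\xF0\x9F\x98";            /* 4-byte sequence, last byte missing */
static const char SAMPLE_BADLEAD[]  = "x\xF8\x80\x80\x80";        /* 11111xxx is never a lead byte */
static const char SAMPLE_OVERLONG[] = "\xC0\x80";                 /* overlong NUL: well shaped, not valid UTF-8 */

int main(void)
{
    const char *names[]  = { "ok", "trunc2", "trunc4", "badlead", "overlong" };
    const char *inputs[] = { SAMPLE_OK, SAMPLE_TRUNC2, SAMPLE_TRUNC4,
                             SAMPLE_BADLEAD, SAMPLE_OVERLONG };
    int i;
    for (i = 0; i < 5; i++)
        printf("%-8s old=%d new=%d scan=%d\n", names[i],
               accepted_by(inputs[i], 0), accepted_by(inputs[i], 1),
               scan_buffer(inputs[i]));
    return 0;
}
```

The old test accepts every truncated sample, and a decoder that then trusts the lead byte's implied length walks off the end of the buffer; the patched condition rejects them at the terminator. The overlong sample passes both, which is the caveat a reviewer should keep in mind: the patched check bounds the array access, it does not certify well-formed UTF-8.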
--- Begin Message ---
Unblocked.

--- End Message ---
