--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org
Dear release team
This is a pre-approval request to please unblock package libxml2 (not
yet uploaded to unstable, but to experimental so far as
2.9.10+dfsg-6.4).
Please unblock package libxml2
[ Reason ]
The update would fix three CVEs recently reported, CVE-2021-3516
(#987739), CVE-2021-3517 (#987738) and CVE-2021-3518 (#987737).
Which are not very severe but we still wanted to try to get fixes into
bullseye.
[ Impact ]
Package still affected by those CVEs.
[ Tests ]
For those three CVEs pocs are available, which I had tested before and
with the fix, except CVE-2021-3516, which I could not trigger the
issue, but the change is simple.
Furthermore given I uploaded to experimental there was additional
exposure by the autopkgtests. From those as you can see from
https://release.debian.org/britney/pseudo-excuses-experimental.html
three marked regressions, but both balsa and kopanocore were already
before failing. For libreoffice the tests somehow are flapping where
they fail, I do not see a relation to the libxml2 here. libreoffice
failed there in the last run for uicheck-sc test (triggered by
python3.9), but in the libxml2 case it failed for the uicheck-sw test
and for the prvious failure it was again one other test.
[ Risks ]
Changes do apply almost cleanly.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
I think nothing more needs to be mentioned.
unblock libxml2/2.9.10+dfsg-6.5
Regards,
Salvatore
diff -Nru libxml2-2.9.10+dfsg/debian/changelog libxml2-2.9.10+dfsg/debian/changelog
--- libxml2-2.9.10+dfsg/debian/changelog 2020-11-29 11:58:00.000000000 +0100
+++ libxml2-2.9.10+dfsg/debian/changelog 2021-05-04 20:48:42.000000000 +0200
@@ -1,3 +1,21 @@
+libxml2 (2.9.10+dfsg-6.5) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Upload to unstable.
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Tue, 04 May 2021 20:48:42 +0200
+
+libxml2 (2.9.10+dfsg-6.4) experimental; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix use-after-free with `xmllint --html --push` (CVE-2021-3516)
+ (Closes: #987739)
+ * Validate UTF8 in xmlEncodeEntities (CVE-2021-3517) (Closes: #987738)
+ * Fix user-after-free with `xmllint --xinclude --dropdtd` (CVE-2021-3518)
+ (Closes: #987737)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 02 May 2021 16:23:29 +0200
+
libxml2 (2.9.10+dfsg-6.3) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru libxml2-2.9.10+dfsg/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch libxml2-2.9.10+dfsg/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch
--- libxml2-2.9.10+dfsg/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.10+dfsg/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch 2021-05-04 20:48:42.000000000 +0200
@@ -0,0 +1,34 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 21 Apr 2021 13:23:27 +0200
+Subject: Fix use-after-free with `xmllint --html --push`
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/230
+Bug-Debian: https://bugs.debian.org/987739
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3516
+
+Call htmlCtxtUseOptions to make sure that names aren't stored in
+dictionaries.
+
+Note that this issue only affects xmllint using the HTML push parser.
+
+Fixes #230.
+---
+ xmllint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmllint.c b/xmllint.c
+index 6ca1bf54dc27..dbef273a8f8d 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
+ if (res > 0) {
+ ctxt = htmlCreatePushParserCtxt(NULL, NULL,
+ chars, res, filename, XML_CHAR_ENCODING_NONE);
+- xmlCtxtUseOptions(ctxt, options);
++ htmlCtxtUseOptions(ctxt, options);
+ while ((res = fread(chars, 1, pushsize, f)) > 0) {
+ htmlParseChunk(ctxt, chars, res, 0);
+ }
+--
+2.31.1
+
diff -Nru libxml2-2.9.10+dfsg/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch libxml2-2.9.10+dfsg/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch
--- libxml2-2.9.10+dfsg/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.10+dfsg/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch 2021-05-04 20:48:42.000000000 +0200
@@ -0,0 +1,36 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: Fix user-after-free with `xmllint --xinclude --dropdtd`
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/237
+Bug-Debian: https://bugs.debian.org/987737
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3518
+
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+
+Fixes #237.
+---
+ xinclude.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr
+ while ((cur != NULL) && (cur != tree->parent)) {
+ /* TODO: need to work on entities -> stack */
+ if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
++ ((cur->type == XML_DOCUMENT_NODE) ||
++ (cur->type == XML_ELEMENT_NODE))) {
+ cur = cur->children;
+ if (xmlXIncludeTestNode(ctxt, cur))
+ xmlXIncludePreProcessNode(ctxt, cur);
diff -Nru libxml2-2.9.10+dfsg/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch libxml2-2.9.10+dfsg/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch
--- libxml2-2.9.10+dfsg/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.10+dfsg/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch 2021-05-04 20:48:42.000000000 +0200
@@ -0,0 +1,52 @@
+From: Joel Hockey <joel.hockey@gmail.com>
+Date: Sun, 16 Aug 2020 17:19:35 -0700
+Subject: Validate UTF8 in xmlEncodeEntities
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/235
+Bug-Debian: https://bugs.debian.org/987738
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3517
+
+Code is currently assuming UTF-8 without validating. Truncated UTF-8
+input can cause out-of-bounds array access.
+
+Adds further checks to partial fix in 50f06b3e.
+
+Fixes #178
+---
+ entities.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/entities.c b/entities.c
+index 37b99a56121f..1a8f86f0dc26 100644
+--- a/entities.c
++++ b/entities.c
+@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
+ } else {
+ /*
+ * We assume we have UTF-8 input.
++ * It must match either:
++ * 110xxxxx 10xxxxxx
++ * 1110xxxx 10xxxxxx 10xxxxxx
++ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
++ * That is:
++ * cur[0] is 11xxxxxx
++ * cur[1] is 10xxxxxx
++ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx
++ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx
++ * cur[0] is not 11111xxx
+ */
+ char buf[11], *ptr;
+ int val = 0, l = 1;
+
+- if (*cur < 0xC0) {
++ if (((cur[0] & 0xC0) != 0xC0) ||
++ ((cur[1] & 0xC0) != 0x80) ||
++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF8) == 0xF8))) {
+ xmlEntitiesErr(XML_CHECK_NOT_UTF8,
+ "xmlEncodeEntities: input not UTF-8");
+ if (doc != NULL)
+--
+2.31.1
+
diff -Nru libxml2-2.9.10+dfsg/debian/patches/series libxml2-2.9.10+dfsg/debian/patches/series
--- libxml2-2.9.10+dfsg/debian/patches/series 2020-10-25 13:56:23.000000000 +0100
+++ libxml2-2.9.10+dfsg/debian/patches/series 2021-05-04 20:48:42.000000000 +0200
@@ -5,3 +5,6 @@
python3-unicode-errors.patch
parenthesize-type-checks.patch
Fix-out-of-bounds-read-with-xmllint-htmlout.patch
+Fix-use-after-free-with-xmllint-html-push.patch
+Validate-UTF8-in-xmlEncodeEntities.patch
+Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch
--- End Message ---