
Bug#1034617: marked as done (unblock: libxml2/2.9.14+dfsg-1.2)



Your message dated Thu, 20 Apr 2023 10:24:16 +0200
with message-id <3c0a24ab-034e-ab78-ecd5-3769a62281ae@debian.org>
and subject line Re: Bug#1034617: unblock: libxml2/2.9.14+dfsg-1.2
has caused the Debian Bug report #1034617,
regarding unblock: libxml2/2.9.14+dfsg-1.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1034617: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034617
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libxml2@packages.debian.org, carnil@debian.org
Control: affects -1 + src:libxml2

Dear release team,

Please unblock package libxml2

[ Reason ]
libxml2 in bookworm is affected by two CVEs, CVE-2023-28484 (#1034436)
and CVE-2023-29469 (#1034437).

[ Impact ]
Issues remain open until a future update covers those CVEs as well.
For bullseye, though, an update has been prepared, which technically
would imply a regression from bullseye.

[ Tests ]
I explicitly and manually tested the testcase for CVE-2023-28484 (and a
related issue without CVE, which is included in this update as well).
No explicit test for CVE-2023-29469 was done.

Additionally the autopkgtest did run, and there are no new failures.

[ Risks ]
Patches taken directly from upstream, without need of backporting.
Changes are isolated.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
A DSA should go out in the not too distant future. If unblocking, please
consider aging as well, for faster testing migration.

unblock libxml2/2.9.14+dfsg-1.2

Regards,
Salvatore
diff -Nru libxml2-2.9.14+dfsg/debian/changelog libxml2-2.9.14+dfsg/debian/changelog
--- libxml2-2.9.14+dfsg/debian/changelog	2022-10-30 11:18:06.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/changelog	2023-04-15 16:25:06.000000000 +0200
@@ -1,3 +1,14 @@
+libxml2 (2.9.14+dfsg-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
+  * Fix null deref in xmlSchemaFixupComplexType (CVE-2023-28484)
+    (Closes: #1034436)
+  * Hashing of empty dict strings isn't deterministic (CVE-2023-29469)
+    (Closes: #1034437)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 15 Apr 2023 16:25:06 +0200
+
 libxml2 (2.9.14+dfsg-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
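Review bot: the first bullet, "schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK", gives no reason for carrying a non-CVE upstream fix in a targeted security NMU. The xmlschemas.c `index` lines of the two patches below (the COSS patch's post-image 152b7c3f521b is the CVE-2023-28484 patch's pre-image) show it is the prerequisite commit for the CVE-2023-28484 fix, so say so in the entry, e.g. "(prerequisite for the CVE-2023-28484 fix)", so a later refresh does not drop or reorder it.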
diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch
--- libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch	2023-04-15 16:25:06.000000000 +0200
@@ -0,0 +1,76 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Apr 2023 11:46:35 +0200
+Subject: [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f
+Bug-Debian: https://bugs.debian.org/1034436
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-28484
+
+Fix a null pointer dereference when parsing (invalid) XML schemas.
+
+Thanks to Robby Simpson for the report!
+
+Fixes #491.
+---
+ result/schemas/issue491_0_0.err |  1 +
+ test/schemas/issue491_0.xml     |  1 +
+ test/schemas/issue491_0.xsd     | 18 ++++++++++++++++++
+ xmlschemas.c                    |  2 +-
+ 4 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 result/schemas/issue491_0_0.err
+ create mode 100644 test/schemas/issue491_0.xml
+ create mode 100644 test/schemas/issue491_0.xsd
+
+diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
+new file mode 100644
+index 000000000000..9b2bb9691f55
+--- /dev/null
++++ b/result/schemas/issue491_0_0.err
+@@ -0,0 +1 @@
++./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
+diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
+new file mode 100644
+index 000000000000..e2b2fc2e359b
+--- /dev/null
++++ b/test/schemas/issue491_0.xml
+@@ -0,0 +1 @@
++<Child xmlns="http://www.test.com";>5</Child>
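Review bot: the stray `;` after the closing quote in `<Child xmlns="http://www.test.com";>5</Child>` would leave this test document not well-formed. The same `";` follows every xmlns/targetNamespace attribute in test/schemas/issue491_0.xsd and test/schemas/oss-fuzz-51295_0.xsd further down, which points at list-archive URL rewriting rather than at the patch itself; apply from the debdiff attachment or the upstream commit named in the Origin header rather than from this rendering, and check that the result/schemas expectation files still match after the testsuite runs.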
+diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
+new file mode 100644
+index 000000000000..8170264987b7
+--- /dev/null
++++ b/test/schemas/issue491_0.xsd
+@@ -0,0 +1,18 @@
++<?xml version='1.0' encoding='UTF-8'?>
++<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"; xmlns="http://www.test.com"; targetNamespace="http://www.test.com"; elementFormDefault="qualified" attributeFormDefault="unqualified">
++  <xs:complexType name="BaseType">
++    <xs:simpleContent>
++      <xs:extension base="xs:int" />
++    </xs:simpleContent>
++  </xs:complexType>
++  <xs:complexType name="ChildType">
++    <xs:complexContent>
++      <xs:extension base="BaseType">
++        <xs:sequence>
++          <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
++        </xs:sequence>
++      </xs:extension>
++    </xs:complexContent>
++  </xs:complexType>
++  <xs:element name="Child" type="ChildType" />
++</xs:schema>
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 152b7c3f521b..eec24a95fca9 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -18619,7 +18619,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
+ 			"allowed to appear inside other model groups",
+ 			NULL, NULL);
+ 
+-		} else if (! dummySequence) {
++		} else if ((!dummySequence) && (baseType->subtypes != NULL)) {
+ 		    xmlSchemaTreeItemPtr effectiveContent =
+ 			(xmlSchemaTreeItemPtr) type->subtypes;
+ 		    /*
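Review bot: the new `(baseType->subtypes != NULL)` condition turns the crash into a silent skip of the effective-content branch and leaves the error to a later check; result/schemas/issue491_0_0.err confirms that the "content type of both, the type and its base type" parser error is still raised for this schema, so the behaviour is right, but a one-line comment on the condition saying that a base type with xs:simpleContent (BaseType in the test .xsd) has no particle here and is rejected downstream would spare the next reader from re-deriving that. Rewriting `! dummySequence` as `(!dummySequence)` in the same line is unrelated churn; a minimal security fix should keep the original spacing.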
+-- 
+2.40.0
+
diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch
--- libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch	2023-04-15 16:25:06.000000000 +0200
@@ -0,0 +1,38 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Apr 2023 11:49:27 +0200
+Subject: [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64
+Bug-Debian: https://bugs.debian.org/1034437
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-29469
+
+When hashing empty strings which aren't null-terminated,
+xmlDictComputeFastKey could produce inconsistent results. This could
+lead to various logic or memory errors, including double frees.
+
+For consistency the seed is also taken into account, but this shouldn't
+have an impact on security.
+
+Found by OSS-Fuzz.
+
+Fixes #510.
+---
+ dict.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index c29d2af77a77..12ba94fd51b5 100644
+--- a/dict.c
++++ b/dict.c
+@@ -453,7 +453,8 @@ static unsigned long
+ xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
+     unsigned long value = seed;
+ 
+-    if (name == NULL) return(0);
++    if ((name == NULL) || (namelen <= 0))
++        return(value);
+     value += *name;
+     value <<= 5;
+     if (namelen > 10) {
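Review bot: the return value for a NULL name changes from 0 to `value`, i.e. the seed, so two call sites hashing the same dictionary with different seeds would again disagree on NULL/empty keys; the commit message calls the seed change harmless, which is fine, but that consequence belongs in the message. Also worth stating there is where the inconsistency came from: the removed ordering ran `value += *name;` before any length check, so a zero-length slice read the byte following it in the surrounding buffer. The new `namelen <= 0` test additionally covers negative lengths, which the old prologue passed straight through to the length-dependent code.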
+-- 
+2.40.0
+
diff -Nru libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
--- libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch	2023-04-15 16:25:06.000000000 +0200
@@ -0,0 +1,70 @@
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 13 Sep 2022 16:40:31 +0200
+Subject: schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6
+
+Found by OSS-Fuzz.
+---
+ result/schemas/oss-fuzz-51295_0_0.err |  2 ++
+ test/schemas/oss-fuzz-51295_0.xml     |  1 +
+ test/schemas/oss-fuzz-51295_0.xsd     |  4 ++++
+ xmlschemas.c                          | 15 +++++++++++++--
+ 4 files changed, 20 insertions(+), 2 deletions(-)
+ create mode 100644 result/schemas/oss-fuzz-51295_0_0.err
+ create mode 100644 test/schemas/oss-fuzz-51295_0.xml
+ create mode 100644 test/schemas/oss-fuzz-51295_0.xsd
+
+diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err
+new file mode 100644
+index 000000000000..1e89524f63ea
+--- /dev/null
++++ b/result/schemas/oss-fuzz-51295_0_0.err
+@@ -0,0 +1,2 @@
++./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
++./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
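Review bot: the expected output records the identical circular-substitution-group error for element decl. 'e' twice, on the same schema line. That is the upstream behaviour being pinned by the test rather than a typo in the expectation, so it must stay as is here, but reporting one diagnostic twice for a single declaration is worth an upstream follow-up, not something for this NMU.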
+diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml
+new file mode 100644
+index 000000000000..10a7e703b2b1
+--- /dev/null
++++ b/test/schemas/oss-fuzz-51295_0.xml
+@@ -0,0 +1 @@
++<e/>
+diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd
+new file mode 100644
+index 000000000000..fde96af5c60b
+--- /dev/null
++++ b/test/schemas/oss-fuzz-51295_0.xsd
+@@ -0,0 +1,4 @@
++<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema";>
++    <xs:element name="e" substitutionGroup="e"/>
++    <xs:element name="t" substitutionGroup="e" type='xs:decimal'/>
++</xs:schema>
+diff --git a/xmlschemas.c b/xmlschemas.c
+index f31d3d1f618f..152b7c3f521b 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -13345,8 +13345,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl,
+ 	    * declaration `resolved` to by the `actual value`
+ 	    * of the substitutionGroup [attribute], if present"
+ 	    */
+-	    if (elemDecl->subtypes == NULL)
+-		elemDecl->subtypes = substHead->subtypes;
++	    if (elemDecl->subtypes == NULL) {
++                if (substHead->subtypes == NULL) {
++                    /*
++                     * This can happen with self-referencing substitution
++                     * groups. The cycle will be detected later, but we have
++                     * to set subtypes to avoid null-pointer dereferences.
++                     */
++	            elemDecl->subtypes = xmlSchemaGetBuiltInType(
++                            XML_SCHEMAS_ANYTYPE);
++                } else {
++		    elemDecl->subtypes = substHead->subtypes;
++                }
++            }
+ 	}
+     }
+     /*
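Review bot: the added block mixes indentation: `elemDecl->subtypes = xmlSchemaGetBuiltInType(` and `elemDecl->subtypes = substHead->subtypes;` keep the surrounding tab indentation while the new `if (substHead->subtypes == NULL) {`, the `else` and the closing braces are space-indented, which is why the hunk looks misaligned. Since the commit is taken verbatim from upstream, leave the diff alone. On substance, the XML_SCHEMAS_ANYTYPE fallback makes 'e' effectively of type anyType until the cycle is reported; the expectation file shows that error is raised at schema parse time, so the placeholder cannot reach validation, and saying so in the comment would make the "detected later" promise checkable.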
+-- 
+2.40.0
+
diff -Nru libxml2-2.9.14+dfsg/debian/patches/series libxml2-2.9.14+dfsg/debian/patches/series
--- libxml2-2.9.14+dfsg/debian/patches/series	2022-10-30 11:18:06.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/series	2023-04-15 16:25:06.000000000 +0200
@@ -3,3 +3,6 @@
 python3-unicode-errors.patch
 CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch
 CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch
+schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
+CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch
+CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch
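Review bot: order matters here: schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch must stay ahead of CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch, because the former's xmlschemas.c post-image blob 152b7c3f521b is the latter's pre-image (see the `index` lines of both patches). The two hunks touch different regions of xmlschemas.c, so the CVE patch may still apply out of order, but the dependency should be recorded in the patch header or changelog so a later refresh does not reorder the series.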

--- End Message ---
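The nondeterminism that the CVE-2023-29469 commit message describes is easy to reproduce once the visible prologue of xmlDictComputeFastKey is isolated. The following is an added example, not libxml2 code and not part of the bug report above: `fast_key_before` and `fast_key_after` copy only the prologue shown on the removed and added lines of the dict.c hunk, `mix_rest` is an assumed simplification of the byte mixing that follows (irrelevant when namelen is 0), and `distinct_empty_keys` is a hypothetical helper that hashes the empty slice at every offset of a constructed buffer and counts how many different keys come back.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned char xmlChar;
typedef unsigned long (*keyfn)(const xmlChar *name, int namelen, int seed);

/* Byte mixing after the prologue. This is a simplification (assumption):
 * the real function samples fixed positions of up to ten bytes. Only the
 * prologue matters for the namelen == 0 case demonstrated here. */
static unsigned long mix_rest(unsigned long value, const xmlChar *name, int namelen)
{
    int i;
    for (i = 1; i < namelen && i < 10; i++)
        value += name[i];
    return value;
}

/* Prologue as on the removed line of the dict.c hunk: a NULL name hashes to 0,
 * but an empty slice (namelen == 0) still executes `value += *name`, i.e. it
 * reads whatever byte follows the slice in the surrounding buffer. */
static unsigned long fast_key_before(const xmlChar *name, int namelen, int seed)
{
    unsigned long value = (unsigned long) seed;
    if (name == NULL) return 0;
    value += *name;
    value <<= 5;
    return mix_rest(value, name, namelen);
}

/* Prologue as on the added lines: NULL and empty both return the seed. */
static unsigned long fast_key_after(const xmlChar *name, int namelen, int seed)
{
    unsigned long value = (unsigned long) seed;
    if ((name == NULL) || (namelen <= 0))
        return value;
    value += *name;
    value <<= 5;
    return mix_rest(value, name, namelen);
}

/* Hash the empty slice starting at every offset of buf and count how many
 * distinct keys come back. A deterministic hash of "" must give exactly 1;
 * anything larger means one dictionary key can land in several buckets. */
static size_t distinct_empty_keys(keyfn f, const xmlChar *buf, size_t buflen, int seed)
{
    unsigned long seen[64];
    size_t nseen = 0, off, j;

    for (off = 0; off < buflen && nseen < 64; off++) {
        unsigned long k = f(buf + off, 0, seed);   /* in bounds: off < buflen */
        for (j = 0; j < nseen; j++)
            if (seen[j] == k)
                break;
        if (j == nseen)
            seen[nseen++] = k;
    }
    return nseen;
}

int main(void)
{
    /* Constructed sample buffer; the empty slice is hashed at each offset. */
    static const xmlChar buf[] = "<a/><b/>";
    const int seed = 0x5eed;

    printf("distinct keys for \"\" before fix: %zu\n",
           distinct_empty_keys(fast_key_before, buf, sizeof buf - 1, seed));
    printf("distinct keys for \"\" after fix:  %zu\n",
           distinct_empty_keys(fast_key_after, buf, sizeof buf - 1, seed));
    return 0;
}
```

Before the fix the count equals the number of distinct bytes in the buffer, because the "empty" key's hash is really the hash of its right neighbour; after the fix it is 1. Non-empty keys hash identically in both versions, which is what makes the change safe for existing dictionaries.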
--- Begin Message ---
Done.

Paul

Attachment: OpenPGP_signature
Description: OpenPGP digital signature


--- End Message ---