Control: retitle -1 unblock: libxml2/2.9.10+dfsg-6.6 (pre-approval)

On Tue, May 04, 2021 at 11:04:52PM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Tue, May 04, 2021 at 09:19:20PM +0200, Salvatore Bonaccorso wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian....@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: car...@debian.org
> >
> > Dear release team
> >
> > This is a pre-approval request to please unblock package libxml2 (not
> > yet uploaded to unstable, but to experimental so far as
> > 2.9.10+dfsg-6.4).
> >
> > Please unblock package libxml2
> >
> > [ Reason ]
> >
> > The update would fix three CVEs recently reported, CVE-2021-3516
> > (#987739), CVE-2021-3517 (#987738) and CVE-2021-3518 (#987737).
> > Which are not very severe but we still wanted to try to get fixes into
> > bullseye.
> >
> > [ Impact ]
> >
> > Package still affected by those CVEs.
> >
> > [ Tests ]
> >
> > For those three CVEs PoCs are available, which I had tested before and
> > with the fix, except CVE-2021-3516, which I could not trigger the
> > issue, but the change is simple.
> >
> > Furthermore given I uploaded to experimental there was additional
> > exposure by the autopkgtests. From those as you can see from
> > https://release.debian.org/britney/pseudo-excuses-experimental.html
> > three marked regressions, but both balsa and kopanocore were already
> > before failing. For libreoffice the tests somehow are flapping where
> > they fail, I do not see a relation to the libxml2 here. libreoffice
> > failed there in the last run for uicheck-sc test (triggered by
> > python3.9), but in the libxml2 case it failed for the uicheck-sw test
> > and for the previous failure it was again one other test.
>
> To confirm: And in fact just one other run did not fail:
> https://ci.debian.net/data/autopkgtest/unstable/amd64/libr/libreoffice/12125523/log.gz
Another CVE popped up, which I have included in a new upload, thus
retitling the bug and attaching the new debdiff.

Regards,
Salvatore
diff -Nru libxml2-2.9.10+dfsg/debian/changelog libxml2-2.9.10+dfsg/debian/changelog --- libxml2-2.9.10+dfsg/debian/changelog 2020-11-29 11:58:00.000000000 +0100 +++ libxml2-2.9.10+dfsg/debian/changelog 2021-05-06 10:48:16.000000000 +0200 @@ -1,3 +1,29 @@ +libxml2 (2.9.10+dfsg-6.6) unstable; urgency=medium + + * Non-maintainer upload. + * Upload to unstable. + + -- Salvatore Bonaccorso <car...@debian.org> Thu, 06 May 2021 10:48:16 +0200 + +libxml2 (2.9.10+dfsg-6.5) experimental; urgency=medium + + * Non-maintainer upload. + * Propagate error in xmlParseElementChildrenContentDeclPriv (CVE-2021-3537) + (Closes: #988123) + + -- Salvatore Bonaccorso <car...@debian.org> Thu, 06 May 2021 10:28:10 +0200 + +libxml2 (2.9.10+dfsg-6.4) experimental; urgency=medium + + * Non-maintainer upload. + * Fix use-after-free with `xmllint --html --push` (CVE-2021-3516) + (Closes: #987739) + * Validate UTF8 in xmlEncodeEntities (CVE-2021-3517) (Closes: #987738) + * Fix user-after-free with `xmllint --xinclude --dropdtd` (CVE-2021-3518) + (Closes: #987737) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 02 May 2021 16:23:29 +0200 + libxml2 (2.9.10+dfsg-6.3) unstable; urgency=medium * Non-maintainer upload. diff -Nru libxml2-2.9.10+dfsg/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch libxml2-2.9.10+dfsg/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch --- libxml2-2.9.10+dfsg/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxml2-2.9.10+dfsg/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch 2021-05-06 10:48:16.000000000 +0200 
@@ -0,0 +1,34 @@ +From: Nick Wellnhofer <wellnho...@aevum.de> +Date: Wed, 21 Apr 2021 13:23:27 +0200 +Subject: Fix use-after-free with `xmllint --html --push` +Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539 +Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/230 +Bug-Debian: https://bugs.debian.org/987739 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3516 + +Call htmlCtxtUseOptions to make sure that names aren't stored in +dictionaries. + +Note that this issue only affects xmllint using the HTML push parser. + +Fixes #230. +--- + xmllint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xmllint.c b/xmllint.c +index 6ca1bf54dc27..dbef273a8f8d 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) { + if (res > 0) { + ctxt = htmlCreatePushParserCtxt(NULL, NULL, + chars, res, filename, XML_CHAR_ENCODING_NONE); +- xmlCtxtUseOptions(ctxt, options); ++ htmlCtxtUseOptions(ctxt, options); + while ((res = fread(chars, 1, pushsize, f)) > 0) { + htmlParseChunk(ctxt, chars, res, 0); + } +-- +2.31.1 + diff -Nru libxml2-2.9.10+dfsg/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch libxml2-2.9.10+dfsg/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch --- libxml2-2.9.10+dfsg/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxml2-2.9.10+dfsg/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch 2021-05-06 10:48:16.000000000 +0200 
@@ -0,0 +1,36 @@ +From: Nick Wellnhofer <wellnho...@aevum.de> +Date: Thu, 22 Apr 2021 19:26:28 +0200 +Subject: Fix user-after-free with `xmllint --xinclude --dropdtd` +Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7 +Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/237 +Bug-Debian: https://bugs.debian.org/987737 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3518 + +The --dropdtd option can leave dangling pointers in entity reference +nodes. Make sure to skip these nodes when processing XIncludes. + +This also avoids scanning entity declarations and even modifying +them inadvertently during XInclude processing. + +Move from a block list to an allow list approach to avoid descending +into other node types that can't contain elements. + +Fixes #237. +--- + xinclude.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/xinclude.c ++++ b/xinclude.c +@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr + while ((cur != NULL) && (cur != tree->parent)) { + /* TODO: need to work on entities -> stack */ + if ((cur->children != NULL) && +- (cur->children->type != XML_ENTITY_DECL) && +- (cur->children->type != XML_XINCLUDE_START) && +- (cur->children->type != XML_XINCLUDE_END)) { ++ ((cur->type == XML_DOCUMENT_NODE) || ++ (cur->type == XML_ELEMENT_NODE))) { + cur = cur->children; + if (xmlXIncludeTestNode(ctxt, cur)) + xmlXIncludePreProcessNode(ctxt, cur); diff -Nru libxml2-2.9.10+dfsg/debian/patches/Propagate-error-in-xmlParseElementChildrenContentDec.patch libxml2-2.9.10+dfsg/debian/patches/Propagate-error-in-xmlParseElementChildrenContentDec.patch --- libxml2-2.9.10+dfsg/debian/patches/Propagate-error-in-xmlParseElementChildrenContentDec.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxml2-2.9.10+dfsg/debian/patches/Propagate-error-in-xmlParseElementChildrenContentDec.patch 2021-05-06 10:48:16.000000000 +0200 
@@ -0,0 +1,47 @@ +From: Nick Wellnhofer <wellnho...@aevum.de> +Date: Sat, 1 May 2021 16:53:33 +0200 +Subject: Propagate error in xmlParseElementChildrenContentDeclPriv +Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61 +Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/243 +Bug-Debian: https://bugs.debian.org/988123 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3537 + +Check return value of recursive calls to +xmlParseElementChildrenContentDeclPriv and return immediately in case +of errors. Otherwise, struct xmlElementContent could contain unexpected +null pointers, leading to a null deref when post-validating documents +which aren't well-formed and parsed in recovery mode. + +Fixes #243. +--- + parser.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/parser.c b/parser.c +index b42e60433ef4..73c27edda696 100644 +--- a/parser.c ++++ b/parser.c +@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk, + SKIP_BLANKS; + cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, + depth + 1); ++ if (cur == NULL) ++ return(NULL); + SKIP_BLANKS; + GROW; + } else { +@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk, + SKIP_BLANKS; + last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, + depth + 1); ++ if (last == NULL) { ++ if (ret != NULL) ++ xmlFreeDocElementContent(ctxt->myDoc, ret); ++ return(NULL); ++ } + SKIP_BLANKS; + } else { + elem = xmlParseName(ctxt); +-- +2.31.1 + diff -Nru libxml2-2.9.10+dfsg/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch libxml2-2.9.10+dfsg/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch --- libxml2-2.9.10+dfsg/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxml2-2.9.10+dfsg/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch 2021-05-06 10:48:16.000000000 +0200 
@@ -0,0 +1,52 @@ +From: Joel Hockey <joel.hoc...@gmail.com> +Date: Sun, 16 Aug 2020 17:19:35 -0700 +Subject: Validate UTF8 in xmlEncodeEntities +Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 +Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/235 +Bug-Debian: https://bugs.debian.org/987738 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3517 + +Code is currently assuming UTF-8 without validating. Truncated UTF-8 +input can cause out-of-bounds array access. + +Adds further checks to partial fix in 50f06b3e. + +Fixes #178 +--- + entities.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/entities.c b/entities.c +index 37b99a56121f..1a8f86f0dc26 100644 +--- a/entities.c ++++ b/entities.c +@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) { + } else { + /* + * We assume we have UTF-8 input. ++ * It must match either: ++ * 110xxxxx 10xxxxxx ++ * 1110xxxx 10xxxxxx 10xxxxxx ++ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx ++ * That is: ++ * cur[0] is 11xxxxxx ++ * cur[1] is 10xxxxxx ++ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx ++ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx ++ * cur[0] is not 11111xxx + */ + char buf[11], *ptr; + int val = 0, l = 1; + +- if (*cur < 0xC0) { ++ if (((cur[0] & 0xC0) != 0xC0) || ++ ((cur[1] & 0xC0) != 0x80) || ++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) || ++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) || ++ (((cur[0] & 0xF8) == 0xF8))) { + xmlEntitiesErr(XML_CHECK_NOT_UTF8, + "xmlEncodeEntities: input not UTF-8"); + if (doc != NULL) +-- +2.31.1 + diff -Nru libxml2-2.9.10+dfsg/debian/patches/series libxml2-2.9.10+dfsg/debian/patches/series --- libxml2-2.9.10+dfsg/debian/patches/series 2020-10-25 13:56:23.000000000 +0100 +++ libxml2-2.9.10+dfsg/debian/patches/series 2021-05-06 10:48:16.000000000 +0200 
@@ -5,3 +5,7 @@ python3-unicode-errors.patch parenthesize-type-checks.patch Fix-out-of-bounds-read-with-xmllint-htmlout.patch +Fix-use-after-free-with-xmllint-html-push.patch +Validate-UTF8-in-xmlEncodeEntities.patch +Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch +Propagate-error-in-xmlParseElementChildrenContentDec.patch
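Review bot: in the changelog hunk, the 2.9.10+dfsg-6.4 entry reads "Fix user-after-free with `xmllint --xinclude --dropdtd` (CVE-2021-3518)"; "user-after-free" is a typo for "use-after-free" inherited from the upstream commit subject, and the same typo is baked into the patch file name Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch. Correct the wording in the changelog entry, since that text is what users see in apt-listchanges and what the security tracker links to; keeping the file name aligned with the upstream subject is defensible, but then a DEP-3 comment inside that patch should say the spelling is upstream's.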
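Review bot: for Fix-use-after-free-with-xmllint-html-push.patch, state in the changelog and in the unblock rationale that the fix touches only the xmllint binary (xmllint.c is the sole file in the diffstat), so the shared library and its reverse dependencies are unaffected by CVE-2021-3516; the CVE id alone reads as a library fix. The patch description attributes the bug to element names being stored in the parser dictionary, but the one-line swap from xmlCtxtUseOptions to htmlCtxtUseOptions gives no hint of that; a short comment above the call, mirroring the description, would keep a future backporter from reverting it as an apparent no-op.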
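Review bot: unlike the other three patches, Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch carries no `diff --git`/`index` lines before `--- a/xinclude.c`, so it looks regenerated rather than exported verbatim from the Origin commit; add a DEP-3 comment saying whether and how it differs from upstream (for example, context adjusted for 2.9.10). On the logic, the new allow list descends only into children of XML_DOCUMENT_NODE and XML_ELEMENT_NODE; confirm that an XML_HTML_DOCUMENT_NODE or XML_DOCUMENT_FRAG_NODE root can never reach this loop, or that not descending into them is intended, because the old block list would have descended there. The `/* TODO: need to work on entities -> stack */` comment just above the changed lines is worth re-checking now that entity reference nodes are skipped on purpose.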
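Review bot: in Propagate-error-in-xmlParseElementChildrenContentDec.patch the two new error paths are asymmetric and deserve a comment explaining why: the first hunk returns NULL without freeing because `cur = ret = ...` is the first assignment and nothing else has been allocated at that point, whereas the second hunk must free `ret`, which already owns the partially built content tree, before returning. Without that comment a later backporter may "fix" the first hunk by adding a free, or drop the one in the second. Since callers now get NULL where they previously got a partial tree containing null pointers, the changelog entry could note the user-visible effect the description implies: malformed content models in recovery mode now yield no element content rather than a partial one.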
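Review bot: in Validate-UTF8-in-xmlEncodeEntities.patch the new condition indexes cur[1], cur[2] and cur[3] unconditionally, so its safety on truncated input rests on two things the hunk leaves implicit: the input buffer is NUL-terminated, and `||` short-circuits left to right, so the first byte that is not 10xxxxxx (including the terminating 0x00) stops evaluation before any later index is read. Spell that out in the comment block the hunk adds, because reordering the clauses or rewriting them without short-circuit evaluation would reintroduce the out-of-bounds read this CVE is about. The check validates sequence shape only, not overlong encodings or surrogate code points, which is adequate for the memory-safety bug but narrower than "Validate UTF8" suggests. Minor: the body says `Fixes #178` while the `Bug:` header points at issue 235; a DEP-3 comment on how the two relate would help.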