Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: car...@debian.org,j...@debian.org
Hi Stable release managers,
[ Reason ]
libxml2 is affected in buster by some vulnerabilities which were not
warranting a DSA, and which were not intrusive to not be backported.
They are fixes for CVE-2020-24977, CVE-2021-3516, CVE-2021-3517,
CVE-2021-3518, CVE-2021-3537 and CVE-2021-3541. Which all of those are
already fixed in unstable.
[ Impact ]
Status quo, the issues remain unfixed in buster.
[ Tests ]
For most of the CVE the POC triggered, which I was in turn able to
verify against the fixed version. Before accepting into the 10.10 or
later point release the autopkgtests runs could give some further
coverage.
[ Risks ]
The patches were exposed in unstable for a while, still risk of
regression cannot be completely ruled out.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Upstream fixes for the various CVEs, no other changes.
[ Other info ]
None I guess.
Regards,
Salvatore
diff -Nru libxml2-2.9.4+dfsg1/debian/changelog
libxml2-2.9.4+dfsg1/debian/changelog
--- libxml2-2.9.4+dfsg1/debian/changelog 2020-11-06 18:13:19.000000000
+0100
+++ libxml2-2.9.4+dfsg1/debian/changelog 2021-06-11 18:57:11.000000000
+0200
@@ -1,3 +1,19 @@
+libxml2 (2.9.4+dfsg1-7+deb10u2) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix out-of-bounds read with 'xmllint --htmlout' (CVE-2020-24977)
+ (Closes: #969529)
+ * Fix use-after-free with `xmllint --html --push` (CVE-2021-3516)
+ (Closes: #987739)
+ * Validate UTF8 in xmlEncodeEntities (CVE-2021-3517) (Closes: #987738)
+ * Fix user-after-free with `xmllint --xinclude --dropdtd` (CVE-2021-3518)
+ (Closes: #987737)
+ * Propagate error in xmlParseElementChildrenContentDeclPriv (CVE-2021-3537)
+ (Closes: #988123)
+ * Patch for security issue CVE-2021-3541 (Closes: #988603)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Fri, 11 Jun 2021 18:57:11 +0200
+
libxml2 (2.9.4+dfsg1-7+deb10u1) buster; urgency=medium
* CVE-2017-18258 (Closes: #895245)
diff -Nru
libxml2-2.9.4+dfsg1/debian/patches/Fix-out-of-bounds-read-with-xmllint-htmlout.patch
libxml2-2.9.4+dfsg1/debian/patches/Fix-out-of-bounds-read-with-xmllint-htmlout.patch
---
libxml2-2.9.4+dfsg1/debian/patches/Fix-out-of-bounds-read-with-xmllint-htmlout.patch
1970-01-01 01:00:00.000000000 +0100
+++
libxml2-2.9.4+dfsg1/debian/patches/Fix-out-of-bounds-read-with-xmllint-htmlout.patch
2021-06-11 18:57:11.000000000 +0200
@@ -0,0 +1,39 @@
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Fri, 7 Aug 2020 21:54:27 +0200
+Subject: Fix out-of-bounds read with 'xmllint --htmlout'
+Origin:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
+Bug-Debian: https://bugs.debian.org/969529
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-24977
+
+Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
+array access.
+
+Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
+the report.
+
+Fixes #178.
+---
+ xmllint.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/xmllint.c b/xmllint.c
+index f6a8e463639a..c647486f39b4 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -528,6 +528,12 @@ static void
+ xmlHTMLEncodeSend(void) {
+ char *result;
+
++ /*
++ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
++ * end with a truncated UTF-8 sequence. This is a hack to at least avoid
++ * an out-of-bounds read.
++ */
++ memset(&buffer[sizeof(buffer)-4], 0, 4);
+ result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
+ if (result) {
+ xmlGenericError(xmlGenericErrorContext, "%s", result);
+--
+2.28.0
+
diff -Nru
libxml2-2.9.4+dfsg1/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch
libxml2-2.9.4+dfsg1/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch
---
libxml2-2.9.4+dfsg1/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch
1970-01-01 01:00:00.000000000 +0100
+++
libxml2-2.9.4+dfsg1/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch
2021-06-11 18:57:11.000000000 +0200
@@ -0,0 +1,34 @@
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Wed, 21 Apr 2021 13:23:27 +0200
+Subject: Fix use-after-free with `xmllint --html --push`
+Origin:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/230
+Bug-Debian: https://bugs.debian.org/987739
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3516
+
+Call htmlCtxtUseOptions to make sure that names aren't stored in
+dictionaries.
+
+Note that this issue only affects xmllint using the HTML push parser.
+
+Fixes #230.
+---
+ xmllint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmllint.c b/xmllint.c
+index 6ca1bf54dc27..dbef273a8f8d 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename,
xmlParserCtxtPtr rectxt) {
+ if (res > 0) {
+ ctxt = htmlCreatePushParserCtxt(NULL, NULL,
+ chars, res, filename, XML_CHAR_ENCODING_NONE);
+- xmlCtxtUseOptions(ctxt, options);
++ htmlCtxtUseOptions(ctxt, options);
+ while ((res = fread(chars, 1, pushsize, f)) > 0) {
+ htmlParseChunk(ctxt, chars, res, 0);
+ }
+--
+2.31.1
+
diff -Nru
libxml2-2.9.4+dfsg1/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch
libxml2-2.9.4+dfsg1/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch
---
libxml2-2.9.4+dfsg1/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch
1970-01-01 01:00:00.000000000 +0100
+++
libxml2-2.9.4+dfsg1/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch
2021-06-11 18:57:11.000000000 +0200
@@ -0,0 +1,36 @@
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: Fix user-after-free with `xmllint --xinclude --dropdtd`
+Origin:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/237
+Bug-Debian: https://bugs.debian.org/987737
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3518
+
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+
+Fixes #237.
+---
+ xinclude.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr
+ while ((cur != NULL) && (cur != tree->parent)) {
+ /* TODO: need to work on entities -> stack */
+ if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
++ ((cur->type == XML_DOCUMENT_NODE) ||
++ (cur->type == XML_ELEMENT_NODE))) {
+ cur = cur->children;
+ if (xmlXIncludeTestNode(ctxt, cur))
+ xmlXIncludePreProcessNode(ctxt, cur);
diff -Nru
libxml2-2.9.4+dfsg1/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch
libxml2-2.9.4+dfsg1/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch
---
libxml2-2.9.4+dfsg1/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch
1970-01-01 01:00:00.000000000 +0100
+++
libxml2-2.9.4+dfsg1/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch
2021-06-11 18:57:11.000000000 +0200
@@ -0,0 +1,65 @@
+From: Daniel Veillard <veill...@redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: Patch for security issue CVE-2021-3541
+Origin:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/228
+Bug-Debian: https://bugs.debian.org/988603
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3541
+
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+--- a/parser.c
++++ b/parser.c
+@@ -127,6 +127,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
+ xmlEntityPtr ent, size_t replacement)
+ {
+ size_t consumed = 0;
++ int i;
+
+ if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+ return (0);
+@@ -161,6 +162,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
+ rep = NULL;
+ }
+ }
++
++ /*
++ * Prevent entity exponential check, not just replacement while
++ * parsing the DTD
++ * The check is potentially costly so do that only once in a thousand
++ */
++ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
++ (ctxt->nbentities % 1024 == 0)) {
++ for (i = 0;i < ctxt->inputNr;i++) {
++ consumed += ctxt->inputTab[i]->consumed +
++ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
++ }
++ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++ ctxt->instate = XML_PARSER_EOF;
++ return (1);
++ }
++ consumed = 0;
++ }
++
++
++
+ if (replacement != 0) {
+ if (replacement < XML_MAX_TEXT_LENGTH)
+ return(0);
+@@ -8133,6 +8156,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctx
+ if (xmlPushInput(ctxt, input) < 0)
+ return;
+ } else {
++ if (xmlParserEntityCheck(ctxt, 0, entity, 0))
++ return;
++
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
diff -Nru
libxml2-2.9.4+dfsg1/debian/patches/Propagate-error-in-xmlParseElementChildrenContentDec.patch
libxml2-2.9.4+dfsg1/debian/patches/Propagate-error-in-xmlParseElementChildrenContentDec.patch
---
libxml2-2.9.4+dfsg1/debian/patches/Propagate-error-in-xmlParseElementChildrenContentDec.patch
1970-01-01 01:00:00.000000000 +0100
+++
libxml2-2.9.4+dfsg1/debian/patches/Propagate-error-in-xmlParseElementChildrenContentDec.patch
2021-06-11 18:57:11.000000000 +0200
@@ -0,0 +1,47 @@
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Sat, 1 May 2021 16:53:33 +0200
+Subject: Propagate error in xmlParseElementChildrenContentDeclPriv
+Origin:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/243
+Bug-Debian: https://bugs.debian.org/988123
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3537
+
+Check return value of recursive calls to
+xmlParseElementChildrenContentDeclPriv and return immediately in case
+of errors. Otherwise, struct xmlElementContent could contain unexpected
+null pointers, leading to a null deref when post-validating documents
+which aren't well-formed and parsed in recovery mode.
+
+Fixes #243.
+---
+ parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index b42e60433ef4..73c27edda696 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr
ctxt, int inputchk,
+ SKIP_BLANKS;
+ cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+ depth + 1);
++ if (cur == NULL)
++ return(NULL);
+ SKIP_BLANKS;
+ GROW;
+ } else {
+@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr
ctxt, int inputchk,
+ SKIP_BLANKS;
+ last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+ depth + 1);
++ if (last == NULL) {
++ if (ret != NULL)
++ xmlFreeDocElementContent(ctxt->myDoc, ret);
++ return(NULL);
++ }
+ SKIP_BLANKS;
+ } else {
+ elem = xmlParseName(ctxt);
+--
+2.31.1
+
diff -Nru
libxml2-2.9.4+dfsg1/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch
libxml2-2.9.4+dfsg1/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch
--- libxml2-2.9.4+dfsg1/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch
1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.4+dfsg1/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch
2021-06-11 18:57:11.000000000 +0200
@@ -0,0 +1,52 @@
+From: Joel Hockey <joel.hoc...@gmail.com>
+Date: Sun, 16 Aug 2020 17:19:35 -0700
+Subject: Validate UTF8 in xmlEncodeEntities
+Origin:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/235
+Bug-Debian: https://bugs.debian.org/987738
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3517
+
+Code is currently assuming UTF-8 without validating. Truncated UTF-8
+input can cause out-of-bounds array access.
+
+Adds further checks to partial fix in 50f06b3e.
+
+Fixes #178
+---
+ entities.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/entities.c b/entities.c
+index 37b99a56121f..1a8f86f0dc26 100644
+--- a/entities.c
++++ b/entities.c
+@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar
*input, int attr) {
+ } else {
+ /*
+ * We assume we have UTF-8 input.
++ * It must match either:
++ * 110xxxxx 10xxxxxx
++ * 1110xxxx 10xxxxxx 10xxxxxx
++ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
++ * That is:
++ * cur[0] is 11xxxxxx
++ * cur[1] is 10xxxxxx
++ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx
++ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx
++ * cur[0] is not 11111xxx
+ */
+ char buf[11], *ptr;
+ int val = 0, l = 1;
+
+- if (*cur < 0xC0) {
++ if (((cur[0] & 0xC0) != 0xC0) ||
++ ((cur[1] & 0xC0) != 0x80) ||
++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF8) == 0xF8))) {
+ xmlEntitiesErr(XML_CHECK_NOT_UTF8,
+ "xmlEncodeEntities: input not UTF-8");
+ if (doc != NULL)
+--
+2.31.1
+
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/series
libxml2-2.9.4+dfsg1/debian/patches/series
--- libxml2-2.9.4+dfsg1/debian/patches/series 2020-11-06 15:35:20.000000000
+0100
+++ libxml2-2.9.4+dfsg1/debian/patches/series 2021-06-11 18:57:11.000000000
+0200
@@ -23,3 +23,9 @@
0023-CVE-2019-19956.patch
0024-CVE-2019-20388.patch
0025-CVE-2020-7595.patch
+Fix-out-of-bounds-read-with-xmllint-htmlout.patch
+Fix-use-after-free-with-xmllint-html-push.patch
+Validate-UTF8-in-xmlEncodeEntities.patch
+Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch
+Propagate-error-in-xmlParseElementChildrenContentDec.patch
+Patch-for-security-issue-CVE-2021-3541.patch
