Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libx...@packages.debian.org, car...@debian.org
Control: affects -1 + src:libxml2
Dear release team,

Please unblock package libxml2

[ Reason ]
libxml2 in bookworm is affected by two CVEs, CVE-2023-28484 (#1034436) and CVE-2023-29469 (#1034437).

[ Impact ]
Issues remain open until a future update to cover those CVEs as well. Though for bullseye an update has been prepared, and technically would imply a regression from bullseye.

[ Tests ]
I explicitly manually tested the testcase for CVE-2023-28484 (and a related issue without CVE, which is as well included in this update). No explicit test for CVE-2023-29469 done. Additionally the autopkgtest did run, and there are no new failures.

[ Risks ]
Patches directly taken from upstream without need of backports. Isolated in changes.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
DSA should go out in not too distant future. If unblocking please consider as well aging for faster testing migration.

unblock libxml2/2.9.14+dfsg-1.2

Regards,
Salvatore
diff -Nru libxml2-2.9.14+dfsg/debian/changelog libxml2-2.9.14+dfsg/debian/changelog --- libxml2-2.9.14+dfsg/debian/changelog 2022-10-30 11:18:06.000000000 +0100 +++ libxml2-2.9.14+dfsg/debian/changelog 2023-04-15 16:25:06.000000000 +0200 @@ -1,3 +1,14 @@ +libxml2 (2.9.14+dfsg-1.2) unstable; urgency=medium + + * Non-maintainer upload. + * schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK + * Fix null deref in xmlSchemaFixupComplexType (CVE-2023-28484) + (Closes: #1034436) + * Hashing of empty dict strings isn't deterministic (CVE-2023-29469) + (Closes: #1034437) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 15 Apr 2023 16:25:06 +0200 + libxml2 (2.9.14+dfsg-1.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch --- libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch 2023-04-15 16:25:06.000000000 +0200 
@@ -0,0 +1,76 @@ +From: Nick Wellnhofer <wellnho...@aevum.de> +Date: Fri, 7 Apr 2023 11:46:35 +0200 +Subject: [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType +Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f +Bug-Debian: https://bugs.debian.org/1034436 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-28484 + +Fix a null pointer dereference when parsing (invalid) XML schemas. + +Thanks to Robby Simpson for the report! + +Fixes #491. +--- + result/schemas/issue491_0_0.err | 1 + + test/schemas/issue491_0.xml | 1 + + test/schemas/issue491_0.xsd | 18 ++++++++++++++++++ + xmlschemas.c | 2 +- + 4 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 result/schemas/issue491_0_0.err + create mode 100644 test/schemas/issue491_0.xml + create mode 100644 test/schemas/issue491_0.xsd + +diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err +new file mode 100644 +index 000000000000..9b2bb9691f55 +--- /dev/null ++++ b/result/schemas/issue491_0_0.err +@@ -0,0 +1 @@ ++./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'. 
+diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml +new file mode 100644 +index 000000000000..e2b2fc2e359b +--- /dev/null ++++ b/test/schemas/issue491_0.xml +@@ -0,0 +1 @@ ++<Child xmlns="http://www.test.com">5</Child> +diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd +new file mode 100644 +index 000000000000..8170264987b7 +--- /dev/null ++++ b/test/schemas/issue491_0.xsd +@@ -0,0 +1,18 @@ ++<?xml version='1.0' encoding='UTF-8'?> ++<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified"> ++ <xs:complexType name="BaseType"> ++ <xs:simpleContent> ++ <xs:extension base="xs:int" /> ++ </xs:simpleContent> ++ </xs:complexType> ++ <xs:complexType name="ChildType"> ++ <xs:complexContent> ++ <xs:extension base="BaseType"> ++ <xs:sequence> ++ <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/> ++ </xs:sequence> ++ </xs:extension> ++ </xs:complexContent> ++ </xs:complexType> ++ <xs:element name="Child" type="ChildType" /> ++</xs:schema> +diff --git a/xmlschemas.c b/xmlschemas.c +index 152b7c3f521b..eec24a95fca9 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -18619,7 +18619,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt, + "allowed to appear inside other model groups", + NULL, NULL); + +- } else if (! 
dummySequence) { ++ } else if ((!dummySequence) && (baseType->subtypes != NULL)) { + xmlSchemaTreeItemPtr effectiveContent = + (xmlSchemaTreeItemPtr) type->subtypes; + /* +-- +2.40.0 + diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch --- libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch 2023-04-15 16:25:06.000000000 +0200 
@@ -0,0 +1,38 @@ +From: Nick Wellnhofer <wellnho...@aevum.de> +Date: Fri, 7 Apr 2023 11:49:27 +0200 +Subject: [CVE-2023-29469] Hashing of empty dict strings isn't deterministic +Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64 +Bug-Debian: https://bugs.debian.org/1034437 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-29469 + +When hashing empty strings which aren't null-terminated, +xmlDictComputeFastKey could produce inconsistent results. This could +lead to various logic or memory errors, including double frees. + +For consistency the seed is also taken into account, but this shouldn't +have an impact on security. + +Found by OSS-Fuzz. + +Fixes #510. +--- + dict.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/dict.c b/dict.c +index c29d2af77a77..12ba94fd51b5 100644 +--- a/dict.c ++++ b/dict.c +@@ -453,7 +453,8 @@ static unsigned long + xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) { + unsigned long value = seed; + +- if (name == NULL) return(0); ++ if ((name == NULL) || (namelen <= 0)) ++ return(value); + value += *name; + value <<= 5; + if (namelen > 10) { +-- +2.40.0 + diff -Nru libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch --- libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch 2023-04-15 16:25:06.000000000 +0200 
@@ -0,0 +1,70 @@ +From: Nick Wellnhofer <wellnho...@aevum.de> +Date: Tue, 13 Sep 2022 16:40:31 +0200 +Subject: schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK +Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6 + +Found by OSS-Fuzz. +--- + result/schemas/oss-fuzz-51295_0_0.err | 2 ++ + test/schemas/oss-fuzz-51295_0.xml | 1 + + test/schemas/oss-fuzz-51295_0.xsd | 4 ++++ + xmlschemas.c | 15 +++++++++++++-- + 4 files changed, 20 insertions(+), 2 deletions(-) + create mode 100644 result/schemas/oss-fuzz-51295_0_0.err + create mode 100644 test/schemas/oss-fuzz-51295_0.xml + create mode 100644 test/schemas/oss-fuzz-51295_0.xsd + +diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err +new file mode 100644 +index 000000000000..1e89524f63ea +--- /dev/null ++++ b/result/schemas/oss-fuzz-51295_0_0.err +@@ -0,0 +1,2 @@ ++./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'. ++./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'. 
+diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml +new file mode 100644 +index 000000000000..10a7e703b2b1 +--- /dev/null ++++ b/test/schemas/oss-fuzz-51295_0.xml +@@ -0,0 +1 @@ ++<e/> +diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd +new file mode 100644 +index 000000000000..fde96af5c60b +--- /dev/null ++++ b/test/schemas/oss-fuzz-51295_0.xsd +@@ -0,0 +1,4 @@ ++<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"> ++ <xs:element name="e" substitutionGroup="e"/> ++ <xs:element name="t" substitutionGroup="e" type='xs:decimal'/> ++</xs:schema> +diff --git a/xmlschemas.c b/xmlschemas.c +index f31d3d1f618f..152b7c3f521b 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -13345,8 +13345,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl, + * declaration `resolved` to by the `actual value` + * of the substitutionGroup [attribute], if present" + */ +- if (elemDecl->subtypes == NULL) +- elemDecl->subtypes = substHead->subtypes; ++ if (elemDecl->subtypes == NULL) { ++ if (substHead->subtypes == NULL) { ++ /* ++ * This can happen with self-referencing substitution ++ * groups. The cycle will be detected later, but we have ++ * to set subtypes to avoid null-pointer dereferences. ++ */ ++ elemDecl->subtypes = xmlSchemaGetBuiltInType( ++ XML_SCHEMAS_ANYTYPE); ++ } else { ++ elemDecl->subtypes = substHead->subtypes; ++ } ++ } + } + } + /* +-- +2.40.0 + diff -Nru libxml2-2.9.14+dfsg/debian/patches/series libxml2-2.9.14+dfsg/debian/patches/series --- libxml2-2.9.14+dfsg/debian/patches/series 2022-10-30 11:18:06.000000000 +0100 +++ libxml2-2.9.14+dfsg/debian/patches/series 2023-04-15 16:25:06.000000000 +0200 
@@ -3,3 +3,6 @@ python3-unicode-errors.patch CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch +schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch +CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch +CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch
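Review bot: in the xmlschemas.c hunk at line 18619 of the CVE-2023-28484 patch, the new condition `} else if ((!dummySequence) && (baseType->subtypes != NULL)) {` turns the null dereference into a skipped branch, and the expected output in result/schemas/issue491_0_0.err confirms the invalid schema is then rejected with a parser error at issue491_0.xsd:8 rather than accepted silently, which is the right outcome. One thing to confirm before unblocking: the guard only protects this `else if` branch, so any later use of `baseType->subtypes` further down in xmlSchemaFixupComplexType is outside the visible context and is not covered by this hunk.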
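Review bot: in the dict.c hunk of the CVE-2023-29469 patch, the actual fix is that `value += *name;` is no longer reached when `namelen <= 0`, which is the read past an empty, non-null-terminated string that the commit message describes; the same guard also changes the result for `name == NULL` from the constant `0` to `value` (the seed), which the message flags as deliberate and without security impact. Worth a sentence in the patch header or d/changelog that keys for empty strings therefore differ from the previous build, for anyone comparing hash values across versions. Note also that this patch carries no regression test (only dict.c changes), which matches the request's statement that no explicit test was run for this CVE, so the autopkgtest run is the only coverage here.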
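Review bot: in the xmlSchemaResolveElementReferences hunk at line 13345 of the schemas-Fix-null-pointer-deref patch, the fallback `elemDecl->subtypes = xmlSchemaGetBuiltInType(XML_SCHEMAS_ANYTYPE);` is a defensive default whose correctness rests on the comment "The cycle will be detected later". The expected file oss-fuzz-51295_0_0.err shows that detection happening, but it lists the identical circular-substitution-group diagnostic for declaration 'e' twice, while the schema declares two elements ('e' and 't') that both carry substitutionGroup="e"; worth confirming the duplicate line is the intended output rather than a double report, so a later test update does not read it as a regression.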
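Review bot: the series ordering is correct and required: the schemas-Fix-null-pointer-deref patch rewrites xmlschemas.c from `index f31d3d1f618f..152b7c3f521b` and the CVE-2023-28484 patch starts from `index 152b7c3f521b..eec24a95fca9`, so the non-CVE patch must stay ahead of the CVE-2023-28484 one, and d/changelog already lists the three entries in that order. A short note in the changelog that the first patch is a prerequisite for the CVE-2023-28484 fix would make the dependency explicit for anyone cherry-picking only the CVE-named patches into bullseye.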