Control: tags 988603 + patch

Dear maintainer,
I've prepared an NMU for libxml2 (versioned as 2.9.10+dfsg-6.7). The diff is attached to this message; the same change is also available as a merge request at https://salsa.debian.org/xml-sgml-team/libxml2/-/merge_requests/7 .

Regards,
Salvatore
diff -Nru libxml2-2.9.10+dfsg/debian/changelog libxml2-2.9.10+dfsg/debian/changelog
--- libxml2-2.9.10+dfsg/debian/changelog 2021-05-06 10:48:16.000000000 +0200
+++ libxml2-2.9.10+dfsg/debian/changelog 2021-05-22 08:21:29.000000000 +0200
@@ -1,3 +1,10 @@
+libxml2 (2.9.10+dfsg-6.7) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Patch for security issue CVE-2021-3541 (Closes: #988603)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 22 May 2021 08:21:29 +0200
+
 libxml2 (2.9.10+dfsg-6.6) unstable; urgency=medium
 
 * Non-maintainer upload.
diff -Nru libxml2-2.9.10+dfsg/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch libxml2-2.9.10+dfsg/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch
--- libxml2-2.9.10+dfsg/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.10+dfsg/debian/patches/Patch-for-security-issue-CVE-2021-3541.patch 2021-05-22 08:21:29.000000000 +0200
@@ -0,0 +1,70 @@
+From: Daniel Veillard <veill...@redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: Patch for security issue CVE-2021-3541
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
+Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/228
+Bug-Debian: https://bugs.debian.org/988603
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3541
+
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index f5e5e169c0e0..c9312fa48d9c 100644
+--- a/parser.c
++++ b/parser.c
+@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ xmlEntityPtr ent, size_t replacement)
+ {
+ size_t consumed = 0;
++ int i;
+
+ if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+ return (0);
+@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ rep = NULL;
+ }
+ }
++
++ /*
++ * Prevent entity exponential check, not just replacement while
++ * parsing the DTD
++ * The check is potentially costly so do that only once in a thousand
++ */
++ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
++ (ctxt->nbentities % 1024 == 0)) {
++ for (i = 0;i < ctxt->inputNr;i++) {
++ consumed += ctxt->inputTab[i]->consumed +
++ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
++ }
++ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++ ctxt->instate = XML_PARSER_EOF;
++ return (1);
++ }
++ consumed = 0;
++ }
++
++
++
+ if (replacement != 0) {
+ if (replacement < XML_MAX_TEXT_LENGTH)
+ return(0);
+@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ xmlChar start[4];
+ xmlCharEncoding enc;
+
++ if (xmlParserEntityCheck(ctxt, 0, entity, 0))
++ return;
++
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+--
+2.31.1
+
diff -Nru libxml2-2.9.10+dfsg/debian/patches/series libxml2-2.9.10+dfsg/debian/patches/series
--- libxml2-2.9.10+dfsg/debian/patches/series 2021-05-06 10:48:16.000000000 +0200
+++ libxml2-2.9.10+dfsg/debian/patches/series 2021-05-22 08:21:29.000000000 +0200
@@ -9,3 +9,4 @@
 Validate-UTF8-in-xmlEncodeEntities.patch
 Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch
 Propagate-error-in-xmlParseElementChildrenContentDec.patch
+Patch-for-security-issue-CVE-2021-3541.patch
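Review bot: The sampling guard `(ctxt->nbentities % 1024 == 0)` in the new block of xmlParserEntityCheck fires only when the counter lands exactly on a multiple of 1024, so its coverage depends on nbentities being advanced by one between consecutive calls; the increments are outside this hunk, and if any path bumps the counter by more than one a crafted DTD could step over every sampling point and never reach the `consumed * XML_PARSER_NON_LINEAR` comparison, so that is worth confirming before treating this as the complete CVE-2021-3541 mitigation. The comment above it also says `only once in a thousand` while the code uses 1024; suggest `* The check is potentially costly so only do it every 1024 entities`. Note that the early `XML_PARSE_HUGE` return visible in the first parser.c hunk skips this check entirely, so applications setting that option stay exposed to this class of input, which the patch description does not mention. Both xmlParserEntityCheck and xmlParsePEReference start and end outside the hunk.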