Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: car...@debian.org
Dear release team,

This is a pre-approval request to please unblock package libxml2 (not yet uploaded to unstable, but to experimental so far as 2.9.10+dfsg-6.4).

Please unblock package libxml2

[ Reason ]
The update would fix three CVEs recently reported, CVE-2021-3516 (#987739), CVE-2021-3517 (#987738) and CVE-2021-3518 (#987737). They are not very severe, but we still wanted to try to get fixes into bullseye.

[ Impact ]
Package still affected by those CVEs.

[ Tests ]
For those three CVEs PoCs are available, which I had tested before and with the fix, except for CVE-2021-3516, for which I could not trigger the issue, but the change is simple. Furthermore, given I uploaded to experimental, there was additional exposure by the autopkgtests. From those, as you can see from https://release.debian.org/britney/pseudo-excuses-experimental.html, three are marked as regressions, but both balsa and kopanocore were already failing before. For libreoffice the tests are somehow flapping where they fail; I do not see a relation to libxml2 here. libreoffice failed there in the last run for the uicheck-sc test (triggered by python3.9), but in the libxml2 case it failed for the uicheck-sw test, and for the previous failure it was again one other test.

[ Risks ]
Changes do apply almost cleanly.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
I think nothing more needs to be mentioned.

unblock libxml2/2.9.10+dfsg-6.5

Regards,
Salvatore
diff -Nru libxml2-2.9.10+dfsg/debian/changelog libxml2-2.9.10+dfsg/debian/changelog --- libxml2-2.9.10+dfsg/debian/changelog 2020-11-29 11:58:00.000000000 +0100 +++ libxml2-2.9.10+dfsg/debian/changelog 2021-05-04 20:48:42.000000000 +0200 @@ -1,3 +1,21 @@ +libxml2 (2.9.10+dfsg-6.5) unstable; urgency=medium + + * Non-maintainer upload. + * Upload to unstable. + + -- Salvatore Bonaccorso <car...@debian.org> Tue, 04 May 2021 20:48:42 +0200 + +libxml2 (2.9.10+dfsg-6.4) experimental; urgency=medium + + * Non-maintainer upload. + * Fix use-after-free with `xmllint --html --push` (CVE-2021-3516) + (Closes: #987739) + * Validate UTF8 in xmlEncodeEntities (CVE-2021-3517) (Closes: #987738) + * Fix user-after-free with `xmllint --xinclude --dropdtd` (CVE-2021-3518) + (Closes: #987737) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 02 May 2021 16:23:29 +0200 + libxml2 (2.9.10+dfsg-6.3) unstable; urgency=medium * Non-maintainer upload. diff -Nru libxml2-2.9.10+dfsg/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch libxml2-2.9.10+dfsg/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch --- libxml2-2.9.10+dfsg/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxml2-2.9.10+dfsg/debian/patches/Fix-use-after-free-with-xmllint-html-push.patch 2021-05-04 20:48:42.000000000 +0200 
@@ -0,0 +1,34 @@ +From: Nick Wellnhofer <wellnho...@aevum.de> +Date: Wed, 21 Apr 2021 13:23:27 +0200 +Subject: Fix use-after-free with `xmllint --html --push` +Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539 +Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/230 +Bug-Debian: https://bugs.debian.org/987739 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3516 + +Call htmlCtxtUseOptions to make sure that names aren't stored in +dictionaries. + +Note that this issue only affects xmllint using the HTML push parser. + +Fixes #230. +--- + xmllint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xmllint.c b/xmllint.c +index 6ca1bf54dc27..dbef273a8f8d 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) { + if (res > 0) { + ctxt = htmlCreatePushParserCtxt(NULL, NULL, + chars, res, filename, XML_CHAR_ENCODING_NONE); +- xmlCtxtUseOptions(ctxt, options); ++ htmlCtxtUseOptions(ctxt, options); + while ((res = fread(chars, 1, pushsize, f)) > 0) { + htmlParseChunk(ctxt, chars, res, 0); + } +-- +2.31.1 + diff -Nru libxml2-2.9.10+dfsg/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch libxml2-2.9.10+dfsg/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch --- libxml2-2.9.10+dfsg/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxml2-2.9.10+dfsg/debian/patches/Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch 2021-05-04 20:48:42.000000000 +0200 
@@ -0,0 +1,36 @@ +From: Nick Wellnhofer <wellnho...@aevum.de> +Date: Thu, 22 Apr 2021 19:26:28 +0200 +Subject: Fix user-after-free with `xmllint --xinclude --dropdtd` +Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7 +Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/237 +Bug-Debian: https://bugs.debian.org/987737 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3518 + +The --dropdtd option can leave dangling pointers in entity reference +nodes. Make sure to skip these nodes when processing XIncludes. + +This also avoids scanning entity declarations and even modifying +them inadvertently during XInclude processing. + +Move from a block list to an allow list approach to avoid descending +into other node types that can't contain elements. + +Fixes #237. +--- + xinclude.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/xinclude.c ++++ b/xinclude.c +@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr + while ((cur != NULL) && (cur != tree->parent)) { + /* TODO: need to work on entities -> stack */ + if ((cur->children != NULL) && +- (cur->children->type != XML_ENTITY_DECL) && +- (cur->children->type != XML_XINCLUDE_START) && +- (cur->children->type != XML_XINCLUDE_END)) { ++ ((cur->type == XML_DOCUMENT_NODE) || ++ (cur->type == XML_ELEMENT_NODE))) { + cur = cur->children; + if (xmlXIncludeTestNode(ctxt, cur)) + xmlXIncludePreProcessNode(ctxt, cur); diff -Nru libxml2-2.9.10+dfsg/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch libxml2-2.9.10+dfsg/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch --- libxml2-2.9.10+dfsg/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxml2-2.9.10+dfsg/debian/patches/Validate-UTF8-in-xmlEncodeEntities.patch 2021-05-04 20:48:42.000000000 +0200 
@@ -0,0 +1,52 @@ +From: Joel Hockey <joel.hoc...@gmail.com> +Date: Sun, 16 Aug 2020 17:19:35 -0700 +Subject: Validate UTF8 in xmlEncodeEntities +Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 +Bug: https://gitlab.gnome.org/GNOME/libxml2/-/issues/235 +Bug-Debian: https://bugs.debian.org/987738 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3517 + +Code is currently assuming UTF-8 without validating. Truncated UTF-8 +input can cause out-of-bounds array access. + +Adds further checks to partial fix in 50f06b3e. + +Fixes #178 +--- + entities.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/entities.c b/entities.c +index 37b99a56121f..1a8f86f0dc26 100644 +--- a/entities.c ++++ b/entities.c +@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) { + } else { + /* + * We assume we have UTF-8 input. ++ * It must match either: ++ * 110xxxxx 10xxxxxx ++ * 1110xxxx 10xxxxxx 10xxxxxx ++ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx ++ * That is: ++ * cur[0] is 11xxxxxx ++ * cur[1] is 10xxxxxx ++ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx ++ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx ++ * cur[0] is not 11111xxx + */ + char buf[11], *ptr; + int val = 0, l = 1; + +- if (*cur < 0xC0) { ++ if (((cur[0] & 0xC0) != 0xC0) || ++ ((cur[1] & 0xC0) != 0x80) || ++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) || ++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) || ++ (((cur[0] & 0xF8) == 0xF8))) { + xmlEntitiesErr(XML_CHECK_NOT_UTF8, + "xmlEncodeEntities: input not UTF-8"); + if (doc != NULL) +-- +2.31.1 + diff -Nru libxml2-2.9.10+dfsg/debian/patches/series libxml2-2.9.10+dfsg/debian/patches/series --- libxml2-2.9.10+dfsg/debian/patches/series 2020-10-25 13:56:23.000000000 +0100 +++ libxml2-2.9.10+dfsg/debian/patches/series 2021-05-04 20:48:42.000000000 +0200 
@@ -5,3 +5,6 @@ python3-unicode-errors.patch parenthesize-type-checks.patch Fix-out-of-bounds-read-with-xmllint-htmlout.patch +Fix-use-after-free-with-xmllint-html-push.patch +Validate-UTF8-in-xmlEncodeEntities.patch +Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch
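Review bot: the 2.9.10+dfsg-6.4 changelog entry spells the third fix "user-after-free" (`* Fix user-after-free with \`xmllint --xinclude --dropdtd\` (CVE-2021-3518)`), and the same typo is carried into the patch filename and the series file; the upstream Subject line has the same misspelling, so keeping the patch filename in sync with it is defensible, but the changelog line itself should read "use-after-free" so that it matches the CVE-2021-3516 entry above it and is found by changelog and tracker searches.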
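Review bot: the one-line switch from xmlCtxtUseOptions to htmlCtxtUseOptions in parseAndPrintFile (Fix-use-after-free-with-xmllint-html-push.patch) arrives with no accompanying test, and the cover mail says the CVE-2021-3516 reproducer could not be triggered locally, so nothing in this upload exercises the HTML push path; consider adding a small `xmllint --html --push` run over an HTML input to the package's autopkgtests so that the `ctxt` created by htmlCreatePushParserCtxt is at least parsed once under the HTML option handling. The patch header already states that only xmllint using the HTML push parser is affected; repeating that in the changelog would tell downstream users that the shared library is unchanged by this particular patch.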
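Review bot: in the xinclude.c hunk of Fix-user-after-free-with-xmllint-xinclude-dropdtd.patch the new condition tests `cur->type` (XML_DOCUMENT_NODE or XML_ELEMENT_NODE) whereas the three removed tests looked at `cur->children->type`, so the descent criterion moves from the first child to the parent: `cur->children` is no longer dereferenced for an entity reference node at all, which is what removes the use-after-free when --dropdtd has freed the entity declaration it points to, but an element whose first child is an XML_XINCLUDE_START or XML_XINCLUDE_END node is now descended into where it previously was not. That follows from the stated allow-list intent, yet the commit message should say explicitly that the old first-child checks are dropped rather than narrowed, so a later reader does not assume the XINCLUDE_START/END exclusion still exists. Cosmetically, this patch lacks the `diff --git` and `index` header lines that the other two patches carry; harmless for quilt, but worth normalizing.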
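Review bot: the new condition in xmlEncodeEntitiesInternal (Validate-UTF8-in-xmlEncodeEntities.patch) reads cur[1], cur[2] and cur[3] before it knows how many bytes remain, so staying in bounds on truncated input relies on two implicit facts: the input is a NUL-terminated string (as the `const xmlChar *input` parameter implies), and the `||` chain is ordered so that a failing continuation test short-circuits before the next index is touched (a NUL at cur[1] fails `(cur[1] & 0xC0) != 0x80`, so cur[2] is never read). That ordering is load-bearing and belongs in the comment block, which currently lists the bit patterns but not why the checks are safe on short input. Two smaller points: the check is structural only, so lead bytes 0xC0 and 0xC1 (overlong forms) and encoded surrogates still pass, and the error text "input not UTF-8" promises more than is enforced; and the header says `Fixes #178` while the Bug: line points at issue 235, so one of the two references needs correcting.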