Control: forwarded -1 https://gitlab.gnome.org/GNOME/libxml2/-/issues/306
Control: tag -1 confirmed upstream

On Mon, Sep 20, 2021 at 04:08:15PM +0000, Torrance, Douglas wrote:
> A bit more information is given by running xmllint on one of the affected 
> files:
> 
> $  xmllint --noout --loaddtd
> /usr/share/doc/Macaulay2/Macaulay2Doc/html/_ideal.html 
> file:///usr/share/xml/w3c-sgml-lib/schema/dtd/WD-XHTMLplusMathMLplusSVG-20020809/xhtml-math-svg.dtd:338:
> parser error : xmlParseEntityDecl: entity xhtml-qname-extra.mod not
> terminated
>   %xhtml-qname-extra.decl;
>                           ^
> Entity: line 2:
> "http://www.w3.org/Math/DTD/mathml2/mathml2-qname-1.mod";
>                                                                   ^
> The problem appears to be that the latest release of libxml2 is more strict
> when parsing DTD files, xhtml-math-svg.dtd in this particular case.
> 
> See also [3], which involves a similar error related to the file
> xhtml1-strict.dtd.

As others pointed out, #993638 is a completely different matter.


Anyway, after another round of bisecting libxml2:

mattia@warren ..TEAM/xml-sgml/libxml2/upstream/libxml2 
(git)-[CVE-2021-3541~189|bisect] % git bisect good
a28f7d8789e63f5e2ac63b42083754cba58f1a0e is the first bad commit
commit a28f7d8789e63f5e2ac63b42083754cba58f1a0e
Author: Nick Wellnhofer <wellnho...@aevum.de>
Date:   Wed Jun 10 13:41:13 2020 +0200

    Never expand parameter entities in text declaration

    When parsing the text declaration of external DTDs or entities, make
    sure that parameter entities are not expanded. This also fixes a memory
    leak in certain error cases.

    The change to xmlSkipBlankChars assumes that the parser state is
    maintained correctly when parsing external DTDs or parameter entities,
    and might expose bugs in the code that were hidden previously.

    Found by OSS-Fuzz.

 parser.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)


https://gitlab.gnome.org/GNOME/libxml2/-/commit/a28f7d8789e63f5e2ac63b42083754cba58f1a0e


Not sure what to do about it for now, so I've reported it upstream.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
More about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
