Control: tags 1034436 + patch
Control: tags 1034436 + pending
Control: tags 1034437 + patch
Control: tags 1034437 + pending


Dear maintainer,

I've prepared an NMU for libxml2 (versioned as 2.9.14+dfsg-1.2) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer, but ideally, at this point of the release
preparations for bookworm, it would be good not to delay it.

Regards,
Salvatore
diff -Nru libxml2-2.9.14+dfsg/debian/changelog libxml2-2.9.14+dfsg/debian/changelog
--- libxml2-2.9.14+dfsg/debian/changelog	2022-10-30 11:18:06.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/changelog	2023-04-15 16:25:06.000000000 +0200
@@ -1,3 +1,14 @@
+libxml2 (2.9.14+dfsg-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
+  * Fix null deref in xmlSchemaFixupComplexType (CVE-2023-28484)
+    (Closes: #1034436)
+  * Hashing of empty dict strings isn't deterministic (CVE-2023-29469)
+    (Closes: #1034437)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 15 Apr 2023 16:25:06 +0200
+
 libxml2 (2.9.14+dfsg-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch
--- libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch	2023-04-15 16:25:06.000000000 +0200
@@ -0,0 +1,76 @@
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Fri, 7 Apr 2023 11:46:35 +0200
+Subject: [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f
+Bug-Debian: https://bugs.debian.org/1034436
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-28484
+
+Fix a null pointer dereference when parsing (invalid) XML schemas.
+
+Thanks to Robby Simpson for the report!
+
+Fixes #491.
+---
+ result/schemas/issue491_0_0.err |  1 +
+ test/schemas/issue491_0.xml     |  1 +
+ test/schemas/issue491_0.xsd     | 18 ++++++++++++++++++
+ xmlschemas.c                    |  2 +-
+ 4 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 result/schemas/issue491_0_0.err
+ create mode 100644 test/schemas/issue491_0.xml
+ create mode 100644 test/schemas/issue491_0.xsd
+
+diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
+new file mode 100644
+index 000000000000..9b2bb9691f55
+--- /dev/null
++++ b/result/schemas/issue491_0_0.err
+@@ -0,0 +1 @@
++./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
+diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
+new file mode 100644
+index 000000000000..e2b2fc2e359b
+--- /dev/null
++++ b/test/schemas/issue491_0.xml
+@@ -0,0 +1 @@
++<Child xmlns="http://www.test.com";>5</Child>
+diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
+new file mode 100644
+index 000000000000..8170264987b7
+--- /dev/null
++++ b/test/schemas/issue491_0.xsd
+@@ -0,0 +1,18 @@
++<?xml version='1.0' encoding='UTF-8'?>
++<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"; xmlns="http://www.test.com"; targetNamespace="http://www.test.com"; elementFormDefault="qualified" attributeFormDefault="unqualified">
++  <xs:complexType name="BaseType">
++    <xs:simpleContent>
++      <xs:extension base="xs:int" />
++    </xs:simpleContent>
++  </xs:complexType>
++  <xs:complexType name="ChildType">
++    <xs:complexContent>
++      <xs:extension base="BaseType">
++        <xs:sequence>
++          <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
++        </xs:sequence>
++      </xs:extension>
++    </xs:complexContent>
++  </xs:complexType>
++  <xs:element name="Child" type="ChildType" />
++</xs:schema>
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 152b7c3f521b..eec24a95fca9 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -18619,7 +18619,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
+ 			"allowed to appear inside other model groups",
+ 			NULL, NULL);
+ 
+-		} else if (! dummySequence) {
++		} else if ((!dummySequence) && (baseType->subtypes != NULL)) {
+ 		    xmlSchemaTreeItemPtr effectiveContent =
+ 			(xmlSchemaTreeItemPtr) type->subtypes;
+ 		    /*
+-- 
+2.40.0
+
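Review bot: The added guard `(baseType->subtypes != NULL)` in xmlSchemaFixupComplexType skips the effective-content handling without recording when a base type can have no subtypes, and the hunk carries no comment for it. From the accompanying test (issue491_0.xsd extends the simpleContent BaseType through complexContent, and the expected .err reports the mixed/element-only content-type mismatch) it appears the NULL case is an invalid derivation that a later check diagnoses; a comment such as `/* baseType->subtypes is NULL for a simple-content base; the content-type mismatch is reported by the later content-type check */` next to the condition would keep that dependency visible. Whether every NULL-subtypes base reaches that later diagnostic, rather than being accepted silently once this branch is skipped, is not visible from this hunk and is worth confirming against the rest of the function, which continues outside the hunk.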
diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch
--- libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch	2023-04-15 16:25:06.000000000 +0200
@@ -0,0 +1,38 @@
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Fri, 7 Apr 2023 11:49:27 +0200
+Subject: [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64
+Bug-Debian: https://bugs.debian.org/1034437
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-29469
+
+When hashing empty strings which aren't null-terminated,
+xmlDictComputeFastKey could produce inconsistent results. This could
+lead to various logic or memory errors, including double frees.
+
+For consistency the seed is also taken into account, but this shouldn't
+have an impact on security.
+
+Found by OSS-Fuzz.
+
+Fixes #510.
+---
+ dict.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index c29d2af77a77..12ba94fd51b5 100644
+--- a/dict.c
++++ b/dict.c
+@@ -453,7 +453,8 @@ static unsigned long
+ xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
+     unsigned long value = seed;
+ 
+-    if (name == NULL) return(0);
++    if ((name == NULL) || (namelen <= 0))
++        return(value);
+     value += *name;
+     value <<= 5;
+     if (namelen > 10) {
+-- 
+2.40.0
+
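Review bot: The new early return at the top of xmlDictComputeFastKey changes the result for a NULL name from 0 to the seed, and the hunk carries no comment explaining why the empty case must return the seed rather than 0; a comment such as `/* Empty or missing names must hash identically whether or not they are NUL-terminated; returning the seed keeps the key deterministic. */` above the check would keep that intent with the code. If any other key function in dict.c has its own handling of empty names, it should be checked to agree with this value, since a mismatch between key functions would reintroduce the kind of inconsistency this commit fixes; that cannot be seen from this hunk. The function body continues past the hunk.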
diff -Nru libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
--- libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch	2023-04-15 16:25:06.000000000 +0200
@@ -0,0 +1,70 @@
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Tue, 13 Sep 2022 16:40:31 +0200
+Subject: schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6
+
+Found by OSS-Fuzz.
+---
+ result/schemas/oss-fuzz-51295_0_0.err |  2 ++
+ test/schemas/oss-fuzz-51295_0.xml     |  1 +
+ test/schemas/oss-fuzz-51295_0.xsd     |  4 ++++
+ xmlschemas.c                          | 15 +++++++++++++--
+ 4 files changed, 20 insertions(+), 2 deletions(-)
+ create mode 100644 result/schemas/oss-fuzz-51295_0_0.err
+ create mode 100644 test/schemas/oss-fuzz-51295_0.xml
+ create mode 100644 test/schemas/oss-fuzz-51295_0.xsd
+
+diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err
+new file mode 100644
+index 000000000000..1e89524f63ea
+--- /dev/null
++++ b/result/schemas/oss-fuzz-51295_0_0.err
+@@ -0,0 +1,2 @@
++./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
++./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
+diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml
+new file mode 100644
+index 000000000000..10a7e703b2b1
+--- /dev/null
++++ b/test/schemas/oss-fuzz-51295_0.xml
+@@ -0,0 +1 @@
++<e/>
+diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd
+new file mode 100644
+index 000000000000..fde96af5c60b
+--- /dev/null
++++ b/test/schemas/oss-fuzz-51295_0.xsd
+@@ -0,0 +1,4 @@
++<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema";>
++    <xs:element name="e" substitutionGroup="e"/>
++    <xs:element name="t" substitutionGroup="e" type='xs:decimal'/>
++</xs:schema>
+diff --git a/xmlschemas.c b/xmlschemas.c
+index f31d3d1f618f..152b7c3f521b 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -13345,8 +13345,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl,
+ 	    * declaration `resolved` to by the `actual value`
+ 	    * of the substitutionGroup [attribute], if present"
+ 	    */
+-	    if (elemDecl->subtypes == NULL)
+-		elemDecl->subtypes = substHead->subtypes;
++	    if (elemDecl->subtypes == NULL) {
++                if (substHead->subtypes == NULL) {
++                    /*
++                     * This can happen with self-referencing substitution
++                     * groups. The cycle will be detected later, but we have
++                     * to set subtypes to avoid null-pointer dereferences.
++                     */
++	            elemDecl->subtypes = xmlSchemaGetBuiltInType(
++                            XML_SCHEMAS_ANYTYPE);
++                } else {
++		    elemDecl->subtypes = substHead->subtypes;
++                }
++            }
+ 	}
+     }
+     /*
+-- 
+2.40.0
+
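Review bot: The new block in xmlSchemaResolveElementReferences mixes indentation styles: `if (elemDecl->subtypes == NULL) {` and `elemDecl->subtypes = xmlSchemaGetBuiltInType(` are tab-indented while the inner `if`, its comment, the continuation argument line and the `else` branch are space-indented, so the nesting reads differently depending on tab width; re-indenting the added lines to match the surrounding tab-indented code would fix it. Separately, the expected result oss-fuzz-51295_0_0.err lists the identical circular-substitution-group error for 'e' twice, which suggests the later cycle detection the comment relies on may report the same cycle more than once; that is outside this hunk but worth a look. The enclosing function continues outside the hunk, and whether xmlSchemaGetBuiltInType can itself return NULL at this point is not visible from the diff.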
diff -Nru libxml2-2.9.14+dfsg/debian/patches/series libxml2-2.9.14+dfsg/debian/patches/series
--- libxml2-2.9.14+dfsg/debian/patches/series	2022-10-30 11:18:06.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/series	2023-04-15 16:25:06.000000000 +0200
@@ -3,3 +3,6 @@
 python3-unicode-errors.patch
 CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch
 CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch
+schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
+CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch
+CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch
