Your message dated Thu, 20 Apr 2023 10:24:16 +0200
with message-id <[email protected]>
and subject line Re: Bug#1034617: unblock: libxml2/2.9.14+dfsg-1.2
has caused the Debian Bug report #1034617,
regarding unblock: libxml2/2.9.14+dfsg-1.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1034617: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034617
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libxml2

Dear release team,

Please unblock package libxml2

[ Reason ]
libxml2 in bookworm is affected by two CVEs CVE-2023-28484 (#1034436)
and CVE-2023-29469 (#1034437).

[ Impact ]
Issues remain open until a future update to cover those CVEs as well.
Though for bullseye an update has been prepared, and technically would
imply a regression from bullseye.

[ Tests ]
I explicitly manually tested the testcase for CVE-2023-28484 (and a
related issue without CVE, which is as well included in this update).
No explicit test for CVE-2023-29469 done.

Additionally the autopkgtest did run, and there are no new failures.

[ Risks ]
Patches directly taken from upstream without need of backports.
Isolated in changes.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
DSA should go out in the not too distant future. If unblocking please
consider as well aging for faster testing migration.

unblock libxml2/2.9.14+dfsg-1.2

Regards,
Salvatore
diff -Nru libxml2-2.9.14+dfsg/debian/changelog 
libxml2-2.9.14+dfsg/debian/changelog
--- libxml2-2.9.14+dfsg/debian/changelog        2022-10-30 11:18:06.000000000 
+0100
+++ libxml2-2.9.14+dfsg/debian/changelog        2023-04-15 16:25:06.000000000 
+0200
@@ -1,3 +1,14 @@
+libxml2 (2.9.14+dfsg-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
+  * Fix null deref in xmlSchemaFixupComplexType (CVE-2023-28484)
+    (Closes: #1034436)
+  * Hashing of empty dict strings isn't deterministic (CVE-2023-29469)
+    (Closes: #1034437)
+
+ -- Salvatore Bonaccorso <[email protected]>  Sat, 15 Apr 2023 16:25:06 +0200
+
 libxml2 (2.9.14+dfsg-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
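Review bot: the first bullet (schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK) carries no bug or CVE reference, unlike the two bullets below it, so a changelog reader cannot tell why it belongs in a security-only NMU. The xmlschemas.c hunk of the CVE-2023-28484 patch is indexed against blob 152b7c3f521b, which is the post-image of that schemas patch, so it is effectively a prerequisite; consider adding "(prerequisite for the CVE-2023-28484 fix)" to that bullet.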
diff -Nru 
libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch
 
libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch
--- 
libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch
       1970-01-01 01:00:00.000000000 +0100
+++ 
libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch
       2023-04-15 16:25:06.000000000 +0200
@@ -0,0 +1,76 @@
+From: Nick Wellnhofer <[email protected]>
+Date: Fri, 7 Apr 2023 11:46:35 +0200
+Subject: [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
+Origin: 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f
+Bug-Debian: https://bugs.debian.org/1034436
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-28484
+
+Fix a null pointer dereference when parsing (invalid) XML schemas.
+
+Thanks to Robby Simpson for the report!
+
+Fixes #491.
+---
+ result/schemas/issue491_0_0.err |  1 +
+ test/schemas/issue491_0.xml     |  1 +
+ test/schemas/issue491_0.xsd     | 18 ++++++++++++++++++
+ xmlschemas.c                    |  2 +-
+ 4 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 result/schemas/issue491_0_0.err
+ create mode 100644 test/schemas/issue491_0.xml
+ create mode 100644 test/schemas/issue491_0.xsd
+
+diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
+new file mode 100644
+index 000000000000..9b2bb9691f55
+--- /dev/null
++++ b/result/schemas/issue491_0_0.err
+@@ -0,0 +1 @@
++./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : 
complex type 'ChildType': The content type of both, the type and its base type, 
must either 'mixed' or 'element-only'.
+diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
+new file mode 100644
+index 000000000000..e2b2fc2e359b
+--- /dev/null
++++ b/test/schemas/issue491_0.xml
+@@ -0,0 +1 @@
++<Child xmlns="http://www.test.com";>5</Child>
+diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
+new file mode 100644
+index 000000000000..8170264987b7
+--- /dev/null
++++ b/test/schemas/issue491_0.xsd
+@@ -0,0 +1,18 @@
++<?xml version='1.0' encoding='UTF-8'?>
++<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
xmlns="http://www.test.com"; targetNamespace="http://www.test.com"; 
elementFormDefault="qualified" attributeFormDefault="unqualified">
++  <xs:complexType name="BaseType">
++    <xs:simpleContent>
++      <xs:extension base="xs:int" />
++    </xs:simpleContent>
++  </xs:complexType>
++  <xs:complexType name="ChildType">
++    <xs:complexContent>
++      <xs:extension base="BaseType">
++        <xs:sequence>
++          <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
++        </xs:sequence>
++      </xs:extension>
++    </xs:complexContent>
++  </xs:complexType>
++  <xs:element name="Child" type="ChildType" />
++</xs:schema>
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 152b7c3f521b..eec24a95fca9 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -18619,7 +18619,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
+                       "allowed to appear inside other model groups",
+                       NULL, NULL);
+ 
+-              } else if (! dummySequence) {
++              } else if ((!dummySequence) && (baseType->subtypes != NULL)) {
+                   xmlSchemaTreeItemPtr effectiveContent =
+                       (xmlSchemaTreeItemPtr) type->subtypes;
+                   /*
+-- 
+2.40.0
+
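Review bot: the guard added in `} else if ((!dummySequence) && (baseType->subtypes != NULL)) {` keeps the code from walking the base type's content model when there is none, which is exactly the test schema's setup (ChildType extends BaseType via complexContent while BaseType is simpleContent), and the expected issue491_0_0.err shows the parser now reports "The content type of both, the type and its base type, must either 'mixed' or 'element-only'" instead of dereferencing NULL. Two things to check before upload: the test inputs as rendered here contain `";` after every quoted namespace URL (`xmlns="http://www.test.com";`), which would make both issue491_0 files malformed if it is in the patch rather than a mail-archive rendering artefact; and the Origin: header is shown with the URL on the following line, so confirm the actual DEP-3 header keeps the URL on the Origin: line itself.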
diff -Nru 
libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch
 
libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch
--- 
libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch
       1970-01-01 01:00:00.000000000 +0100
+++ 
libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch
       2023-04-15 16:25:06.000000000 +0200
@@ -0,0 +1,38 @@
+From: Nick Wellnhofer <[email protected]>
+Date: Fri, 7 Apr 2023 11:49:27 +0200
+Subject: [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
+Origin: 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64
+Bug-Debian: https://bugs.debian.org/1034437
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-29469
+
+When hashing empty strings which aren't null-terminated,
+xmlDictComputeFastKey could produce inconsistent results. This could
+lead to various logic or memory errors, including double frees.
+
+For consistency the seed is also taken into account, but this shouldn't
+have an impact on security.
+
+Found by OSS-Fuzz.
+
+Fixes #510.
+---
+ dict.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index c29d2af77a77..12ba94fd51b5 100644
+--- a/dict.c
++++ b/dict.c
+@@ -453,7 +453,8 @@ static unsigned long
+ xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
+     unsigned long value = seed;
+ 
+-    if (name == NULL) return(0);
++    if ((name == NULL) || (namelen <= 0))
++        return(value);
+     value += *name;
+     value <<= 5;
+     if (namelen > 10) {
+-- 
+2.40.0
+
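Review bot: the early return at `if ((name == NULL) || (namelen <= 0))` is the part that removes the bug: with the old `if (name == NULL) return(0);`, an empty but non-NULL name fell through to `value += *name;` and read a byte beyond the intended (non-terminated) buffer, so the key for the same empty string could differ between calls, which is the inconsistency the description ties to double frees. The same hunk also changes the NULL/empty result from 0 to `value` (the seed); the commit message says that is deliberate for consistency, but nothing in the code says so, so a one-line comment above `return(value);` noting that empty names hash to the seed by design would stop the next reader from treating it as a regression.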
diff -Nru 
libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
 
libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
--- 
libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
       1970-01-01 01:00:00.000000000 +0100
+++ 
libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
       2023-04-15 16:25:06.000000000 +0200
@@ -0,0 +1,70 @@
+From: Nick Wellnhofer <[email protected]>
+Date: Tue, 13 Sep 2022 16:40:31 +0200
+Subject: schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
+Origin: 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6
+
+Found by OSS-Fuzz.
+---
+ result/schemas/oss-fuzz-51295_0_0.err |  2 ++
+ test/schemas/oss-fuzz-51295_0.xml     |  1 +
+ test/schemas/oss-fuzz-51295_0.xsd     |  4 ++++
+ xmlschemas.c                          | 15 +++++++++++++--
+ 4 files changed, 20 insertions(+), 2 deletions(-)
+ create mode 100644 result/schemas/oss-fuzz-51295_0_0.err
+ create mode 100644 test/schemas/oss-fuzz-51295_0.xml
+ create mode 100644 test/schemas/oss-fuzz-51295_0.xsd
+
+diff --git a/result/schemas/oss-fuzz-51295_0_0.err 
b/result/schemas/oss-fuzz-51295_0_0.err
+new file mode 100644
+index 000000000000..1e89524f63ea
+--- /dev/null
++++ b/result/schemas/oss-fuzz-51295_0_0.err
+@@ -0,0 +1,2 @@
++./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error 
: element decl. 'e': The element declaration 'e' defines a circular 
substitution group to element declaration 'e'.
++./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error 
: element decl. 'e': The element declaration 'e' defines a circular 
substitution group to element declaration 'e'.
+diff --git a/test/schemas/oss-fuzz-51295_0.xml 
b/test/schemas/oss-fuzz-51295_0.xml
+new file mode 100644
+index 000000000000..10a7e703b2b1
+--- /dev/null
++++ b/test/schemas/oss-fuzz-51295_0.xml
+@@ -0,0 +1 @@
++<e/>
+diff --git a/test/schemas/oss-fuzz-51295_0.xsd 
b/test/schemas/oss-fuzz-51295_0.xsd
+new file mode 100644
+index 000000000000..fde96af5c60b
+--- /dev/null
++++ b/test/schemas/oss-fuzz-51295_0.xsd
+@@ -0,0 +1,4 @@
++<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema";>
++    <xs:element name="e" substitutionGroup="e"/>
++    <xs:element name="t" substitutionGroup="e" type='xs:decimal'/>
++</xs:schema>
+diff --git a/xmlschemas.c b/xmlschemas.c
+index f31d3d1f618f..152b7c3f521b 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -13345,8 +13345,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr 
elemDecl,
+           * declaration `resolved` to by the `actual value`
+           * of the substitutionGroup [attribute], if present"
+           */
+-          if (elemDecl->subtypes == NULL)
+-              elemDecl->subtypes = substHead->subtypes;
++          if (elemDecl->subtypes == NULL) {
++                if (substHead->subtypes == NULL) {
++                    /*
++                     * This can happen with self-referencing substitution
++                     * groups. The cycle will be detected later, but we have
++                     * to set subtypes to avoid null-pointer dereferences.
++                     */
++                  elemDecl->subtypes = xmlSchemaGetBuiltInType(
++                            XML_SCHEMAS_ANYTYPE);
++                } else {
++                  elemDecl->subtypes = substHead->subtypes;
++                }
++            }
+       }
+     }
+     /*
+-- 
+2.40.0
+
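Review bot: the new `substHead->subtypes == NULL` branch assigns the anyType built-in so that later code always finds a non-NULL `elemDecl->subtypes`, and the in-code comment says the cycle is still reported later; the expected oss-fuzz-51295_0_0.err confirms the report, but it lists the identical "circular substitution group to element declaration 'e'" error twice. Please confirm the duplicated line is pre-existing behaviour of the cycle check and not a side effect of the new branch, since the result file pins it as expected output. Also, the test .xsd as rendered has `";` after the xs namespace URL (the same mail-archive artefact as in the other patch); worth checking the actual file.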
diff -Nru libxml2-2.9.14+dfsg/debian/patches/series 
libxml2-2.9.14+dfsg/debian/patches/series
--- libxml2-2.9.14+dfsg/debian/patches/series   2022-10-30 11:18:06.000000000 
+0100
+++ libxml2-2.9.14+dfsg/debian/patches/series   2023-04-15 16:25:06.000000000 
+0200
@@ -3,3 +3,6 @@
 python3-unicode-errors.patch
 CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch
 CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch
+schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
+CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch
+CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch
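Review bot: order matters here: the xmlschemas.c hunk in CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch is indexed against blob 152b7c3f521b, which is the post-image of schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch, so the schemas patch has to stay ahead of it in series as it does now; a `#` comment in series noting that dependency would keep a later reshuffle from breaking the apply.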

--- End Message ---
--- Begin Message ---
Done.

Paul



--- End Message ---
