summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAron Xu <aron@debian.org>2015-09-21 22:54:59 +0800
committerAron Xu <aron@debian.org>2015-09-21 22:54:59 +0800
commitd837811e969fac31afdf39c00ba579b33f6adeb6 (patch)
treeeac97bc22ada158533631911302acb1aa6682195
parentd2d60c1093371b07000cd1a1a10104b096f28cf4 (diff)
downloadlibxml2-d837811e969fac31afdf39c00ba579b33f6adeb6.tar.gz
Revert "Fix 3 security issues by adding 4 patches"
This reverts commit c8bb544cf113e1231e9f1f391bd70a5c55480453.
-rw-r--r--debian/changelog8
-rw-r--r--debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch27
-rw-r--r--debian/patches/0056-Stop-parsing-on-entities-boundaries-errors.patch28
-rw-r--r--debian/patches/0057-Cleanup-conditional-section-error-handling.patch45
-rw-r--r--debian/patches/0058-Fix-upstream-bug-299127.patch99
-rw-r--r--debian/patches/0059-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch172
-rw-r--r--debian/patches/series4
7 files changed, 27 insertions, 356 deletions
diff --git a/debian/changelog b/debian/changelog
index 78e557c..dc762be 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,14 +5,6 @@ libxml2 (2.9.2+really2.9.1+dfsg1-0.1) unstable; urgency=medium
again. Closes: #766884
* Restore all patches available in 2.9.1+dfsg1-5 in stretch, ensuring
CVE-2014-3660 is fixed too.
- * Fix 3 security issues by adding 4 patches:
- - CVE-2015-1819: The xmlreader in libxml allows remote attackers to cause
- a denial of service (memory consumption) via crafted XML data, related to
- an XML Entity Expansion (XEE) attack. Closes: #782782
- - Out-of-bounds access when parsing unclosed HTML comment
- https://bugzilla.gnome.org/show_bug.cgi?id=746048 Closes: #782985
- - Out-of-bounds memory access
- https://bugzilla.gnome.org/show_bug.cgi?id=744980 Closes: #783010
-- Raphaƫl Hertzog <hertzog@debian.org> Tue, 25 Aug 2015 22:31:29 +0200
diff --git a/debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch b/debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch
new file mode 100644
index 0000000..2afe1f0
--- /dev/null
+++ b/debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch
@@ -0,0 +1,27 @@
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 23 Oct 2014 11:35:36 +0800
+Subject: Fix missing entities after CVE-2014-3660 fix
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=738805
+
+The fix for CVE-2014-3660 introduced a regression in some case
+where entity substitution is required and the entity is used
+first in anotther entity referenced from an attribute value
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 1d93967..313ff28 100644
+--- a/parser.c
++++ b/parser.c
+@@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ * far more secure as the parser will only process data coming from
+ * the document entity by default.
+ */
+- if ((ent->checked == 0) &&
++ if (((ent->checked == 0) ||
++ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&
+ ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
+ (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
+ unsigned long oldnbent = ctxt->nbentities;
diff --git a/debian/patches/0056-Stop-parsing-on-entities-boundaries-errors.patch b/debian/patches/0056-Stop-parsing-on-entities-boundaries-errors.patch
deleted file mode 100644
index d0d9a79..0000000
--- a/debian/patches/0056-Stop-parsing-on-entities-boundaries-errors.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Daniel Veillard <veillard@redhat.com>
-Date: Mon, 23 Feb 2015 11:17:35 +0800
-Subject: Stop parsing on entities boundaries errors
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=744980
-
-There are times, like on unterminated entities that it's preferable to
-stop parsing, even if that means less error reporting. Entities are
-feeding the parser on further processing, and if they are ill defined
-then it's possible to get the parser to bug. Also do the same on
-Conditional Sections if the input is broken, as the structure of
-the document can't be guessed.
----
- parser.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/parser.c b/parser.c
-index c187327..f96cd5f 100644
---- a/parser.c
-+++ b/parser.c
-@@ -5653,6 +5653,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
- if (RAW != '>') {
- xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
- "xmlParseEntityDecl: entity %s not terminated\n", name);
-+ xmlStopParser(ctxt);
- } else {
- if (input != ctxt->input) {
- xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
diff --git a/debian/patches/0057-Cleanup-conditional-section-error-handling.patch b/debian/patches/0057-Cleanup-conditional-section-error-handling.patch
deleted file mode 100644
index 27b5e2e..0000000
--- a/debian/patches/0057-Cleanup-conditional-section-error-handling.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Daniel Veillard <veillard@redhat.com>
-Date: Mon, 23 Feb 2015 11:29:20 +0800
-Subject: Cleanup conditional section error handling
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=744980
-
-The error handling of Conditional Section also need to be
-straightened as the structure of the document can't be
-guessed on a failure there and it's better to stop parsing
-as further errors are likely to be irrelevant.
----
- parser.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index f96cd5f..5342cdb 100644
---- a/parser.c
-+++ b/parser.c
-@@ -6765,6 +6765,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
- SKIP_BLANKS;
- if (RAW != '[') {
- xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
-+ xmlStopParser(ctxt);
-+ return;
- } else {
- if (ctxt->input->id != id) {
- xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
-@@ -6825,6 +6827,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
- SKIP_BLANKS;
- if (RAW != '[') {
- xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
-+ xmlStopParser(ctxt);
-+ return;
- } else {
- if (ctxt->input->id != id) {
- xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
-@@ -6880,6 +6884,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
-
- } else {
- xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
-+ xmlStopParser(ctxt);
-+ return;
- }
-
- if (RAW == 0)
diff --git a/debian/patches/0058-Fix-upstream-bug-299127.patch b/debian/patches/0058-Fix-upstream-bug-299127.patch
deleted file mode 100644
index b42b8ee..0000000
--- a/debian/patches/0058-Fix-upstream-bug-299127.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From: =?utf-8?q?Rapha=C3=ABl_Hertzog?= <hertzog@debian.org>
-Date: Tue, 25 Aug 2015 23:17:02 +0200
-Subject: Fix upstream bug 299127
-
-Out of bound access when parsing unclosed comment
-
-Author: Francois Chagnon
-Bug: https://bugzilla.gnome.org/show_bug.cgi?id=746048
----
- HTMLparser.c | 22 +++++++++++++++-------
- 1 file changed, 15 insertions(+), 7 deletions(-)
-
-diff --git a/HTMLparser.c b/HTMLparser.c
-index 8d34fd1..69ccfd3 100644
---- a/HTMLparser.c
-+++ b/HTMLparser.c
-@@ -3245,13 +3245,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
- ctxt->instate = state;
- return;
- }
-+ if ((ctxt->input->end - ctxt->input->cur) < 3) {
-+ ctxt->instate = XML_PARSER_EOF;
-+ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
-+ "Comment not terminated\n", NULL, NULL);
-+ xmlFree(buf);
-+ return;
-+ }
- q = CUR_CHAR(ql);
- NEXTL(ql);
- r = CUR_CHAR(rl);
- NEXTL(rl);
- cur = CUR_CHAR(l);
- len = 0;
-- while (IS_CHAR(cur) &&
-+ while (((ctxt->input->end - ctxt->input->cur) > 0) && IS_CHAR(cur) &&
- ((cur != '>') ||
- (r != '-') || (q != '-'))) {
- if (len + 5 >= size) {
-@@ -3281,7 +3288,7 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
- }
- }
- buf[len] = 0;
-- if (!IS_CHAR(cur)) {
-+ if (!(ctxt->input->end - ctxt->input->cur) || !IS_CHAR(cur)) {
- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
- "Comment not terminated \n<!--%.50s\n", buf, NULL);
- xmlFree(buf);
-@@ -4465,6 +4472,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
- depth = ctxt->nameNr;
- while (1) {
- long cons = ctxt->nbChars;
-+ long rem = ctxt->input->end - ctxt->input->cur;
-
- GROW;
-
-@@ -4540,7 +4548,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
- /*
- * Sometimes DOCTYPE arrives in the middle of the document
- */
-- if ((CUR == '<') && (NXT(1) == '!') &&
-+ if ((rem >= 9) && (CUR == '<') && (NXT(1) == '!') &&
- (UPP(2) == 'D') && (UPP(3) == 'O') &&
- (UPP(4) == 'C') && (UPP(5) == 'T') &&
- (UPP(6) == 'Y') && (UPP(7) == 'P') &&
-@@ -4554,7 +4562,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
- /*
- * First case : a comment
- */
-- if ((CUR == '<') && (NXT(1) == '!') &&
-+ if ((rem >= 4) && (CUR == '<') && (NXT(1) == '!') &&
- (NXT(2) == '-') && (NXT(3) == '-')) {
- htmlParseComment(ctxt);
- }
-@@ -4562,14 +4570,14 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
- /*
- * Second case : a Processing Instruction.
- */
-- else if ((CUR == '<') && (NXT(1) == '?')) {
-+ else if ((rem >= 2) && (CUR == '<') && (NXT(1) == '?')) {
- htmlParsePI(ctxt);
- }
-
- /*
- * Third case : a sub-element.
- */
-- else if (CUR == '<') {
-+ else if ((rem >= 1) && (CUR == '<')) {
- htmlParseElementInternal(ctxt);
- if (currentNode != NULL) xmlFree(currentNode);
-
-@@ -4581,7 +4589,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
- * Fourth case : a reference. If if has not been resolved,
- * parsing returns it's Name, create the node
- */
-- else if (CUR == '&') {
-+ else if ((rem >= 1) && (CUR == '&')) {
- htmlParseReference(ctxt);
- }
-
diff --git a/debian/patches/0059-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch b/debian/patches/0059-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch
deleted file mode 100644
index 0f1bd51..0000000
--- a/debian/patches/0059-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From: Daniel Veillard <veillard@redhat.com>
-Date: Tue, 14 Apr 2015 17:41:48 +0800
-Subject: CVE-2015-1819 Enforce the reader to run in constant memory
-
-One of the operation on the reader could resolve entities
-leading to the classic expansion issue. Make sure the
-buffer used for xmlreader operation is bounded.
-Introduce a new allocation type for the buffers for this effect.
----
- buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
- include/libxml/tree.h | 3 ++-
- xmlreader.c | 20 +++++++++++++++++++-
- 3 files changed, 63 insertions(+), 3 deletions(-)
-
-diff --git a/buf.c b/buf.c
-index d1756c4..b52e41d 100644
---- a/buf.c
-+++ b/buf.c
-@@ -27,6 +27,7 @@
- #include <libxml/tree.h>
- #include <libxml/globals.h>
- #include <libxml/tree.h>
-+#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
- #include "buf.h"
-
- #define WITH_BUFFER_COMPAT
-@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
- if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
- (scheme == XML_BUFFER_ALLOC_EXACT) ||
- (scheme == XML_BUFFER_ALLOC_HYBRID) ||
-- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
-+ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
-+ (scheme == XML_BUFFER_ALLOC_BOUNDED)) {
- buf->alloc = scheme;
- if (buf->buffer)
- buf->buffer->alloc = scheme;
-@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
- size = buf->use + len + 100;
- #endif
-
-+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
-+ /*
-+ * Used to provide parsing limits
-+ */
-+ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
-+ (buf->size >= XML_MAX_TEXT_LENGTH)) {
-+ xmlBufMemoryError(buf, "buffer error: text too long\n");
-+ return(0);
-+ }
-+ if (size >= XML_MAX_TEXT_LENGTH)
-+ size = XML_MAX_TEXT_LENGTH;
-+ }
- if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
- size_t start_buf = buf->content - buf->contentIO;
-
-@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
- CHECK_COMPAT(buf)
-
- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
-+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
-+ /*
-+ * Used to provide parsing limits
-+ */
-+ if (size >= XML_MAX_TEXT_LENGTH) {
-+ xmlBufMemoryError(buf, "buffer error: text too long\n");
-+ return(0);
-+ }
-+ }
-
- /* Don't resize if we don't have to */
- if (size < buf->size)
-@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
-
- needSize = buf->use + len + 2;
- if (needSize > buf->size){
-+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
-+ /*
-+ * Used to provide parsing limits
-+ */
-+ if (needSize >= XML_MAX_TEXT_LENGTH) {
-+ xmlBufMemoryError(buf, "buffer error: text too long\n");
-+ return(-1);
-+ }
-+ }
- if (!xmlBufResize(buf, needSize)){
- xmlBufMemoryError(buf, "growing buffer");
- return XML_ERR_NO_MEMORY;
-@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
- }
- needSize = buf->use + len + 2;
- if (needSize > buf->size){
-+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
-+ /*
-+ * Used to provide parsing limits
-+ */
-+ if (needSize >= XML_MAX_TEXT_LENGTH) {
-+ xmlBufMemoryError(buf, "buffer error: text too long\n");
-+ return(-1);
-+ }
-+ }
- if (!xmlBufResize(buf, needSize)){
- xmlBufMemoryError(buf, "growing buffer");
- return XML_ERR_NO_MEMORY;
-diff --git a/include/libxml/tree.h b/include/libxml/tree.h
-index 7e06686..d904a44 100644
---- a/include/libxml/tree.h
-+++ b/include/libxml/tree.h
-@@ -76,7 +76,8 @@ typedef enum {
- XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */
- XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
- XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */
-- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */
-+ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */
-+ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */
- } xmlBufferAllocationScheme;
-
- /**
-diff --git a/xmlreader.c b/xmlreader.c
-index 8834f50..04c9a3d 100644
---- a/xmlreader.c
-+++ b/xmlreader.c
-@@ -2087,6 +2087,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
- "xmlNewTextReader : malloc failed\n");
- return(NULL);
- }
-+ /* no operation on a reader should require a huge buffer */
-+ xmlBufSetAllocationScheme(ret->buffer,
-+ XML_BUFFER_ALLOC_BOUNDED);
- ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
- if (ret->sax == NULL) {
- xmlBufFree(ret->buffer);
-@@ -3612,6 +3615,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
- return(((xmlNsPtr) node)->href);
- case XML_ATTRIBUTE_NODE:{
- xmlAttrPtr attr = (xmlAttrPtr) node;
-+ const xmlChar *ret;
-
- if ((attr->children != NULL) &&
- (attr->children->type == XML_TEXT_NODE) &&
-@@ -3625,10 +3629,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
- "xmlTextReaderSetup : malloc failed\n");
- return (NULL);
- }
-+ xmlBufSetAllocationScheme(reader->buffer,
-+ XML_BUFFER_ALLOC_BOUNDED);
- } else
- xmlBufEmpty(reader->buffer);
- xmlBufGetNodeContent(reader->buffer, node);
-- return(xmlBufContent(reader->buffer));
-+ ret = xmlBufContent(reader->buffer);
-+ if (ret == NULL) {
-+ /* error on the buffer best to reallocate */
-+ xmlBufFree(reader->buffer);
-+ reader->buffer = xmlBufCreateSize(100);
-+ xmlBufSetAllocationScheme(reader->buffer,
-+ XML_BUFFER_ALLOC_BOUNDED);
-+ ret = BAD_CAST "";
-+ }
-+ return(ret);
- }
- break;
- }
-@@ -5127,6 +5142,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
- "xmlTextReaderSetup : malloc failed\n");
- return (-1);
- }
-+ /* no operation on a reader should require a huge buffer */
-+ xmlBufSetAllocationScheme(reader->buffer,
-+ XML_BUFFER_ALLOC_BOUNDED);
- if (reader->sax == NULL)
- reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
- if (reader->sax == NULL) {
diff --git a/debian/patches/series b/debian/patches/series
index 5d07130..99fd190 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -53,7 +53,3 @@
0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch
0054-Fix-for-CVE-2014-3660.patch
0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch
-0056-Stop-parsing-on-entities-boundaries-errors.patch
-0057-Cleanup-conditional-section-error-handling.patch
-0058-Fix-upstream-bug-299127.patch
-0059-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch