diff options
author | Raphaël Hertzog <hertzog@debian.org> | 2015-08-25 23:25:29 +0200 |
---|---|---|
committer | Raphaël Hertzog <hertzog@debian.org> | 2015-08-25 23:25:29 +0200 |
commit | c8bb544cf113e1231e9f1f391bd70a5c55480453 (patch) | |
tree | dc57a1e9173e88105a4341d74e8eb8d3cc3349c0 /debian | |
parent | 37f590756a23e167808f76f1389c36f0a2d39f11 (diff) | |
download | libxml2-c8bb544cf113e1231e9f1f391bd70a5c55480453.tar.gz |
Fix 3 security issues by adding 4 patches
- CVE-2015-1819: The xmlreader in libxml allows remote attackers to cause
a denial of service (memory consumption) via crafted XML data, related to
an XML Entity Expansion (XEE) attack. Closes: #782782
- Out-of-bounds access when parsing unclosed HTML comment
https://bugzilla.gnome.org/show_bug.cgi?id=746048 Closes: #782985
- Out-of-bounds memory access
https://bugzilla.gnome.org/show_bug.cgi?id=744980 Closes: #783010
Diffstat (limited to 'debian')
7 files changed, 356 insertions, 27 deletions
diff --git a/debian/changelog b/debian/changelog index dc762be..78e557c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,14 @@ libxml2 (2.9.2+really2.9.1+dfsg1-0.1) unstable; urgency=medium again. Closes: #766884 * Restore all patches available in 2.9.1+dfsg1-5 in stretch, ensuring CVE-2014-3660 is fixed too. + * Fix 3 security issues by adding 4 patches: + - CVE-2015-1819: The xmlreader in libxml allows remote attackers to cause + a denial of service (memory consumption) via crafted XML data, related to + an XML Entity Expansion (XEE) attack. Closes: #782782 + - Out-of-bounds access when parsing unclosed HTML comment + https://bugzilla.gnome.org/show_bug.cgi?id=746048 Closes: #782985 + - Out-of-bounds memory access + https://bugzilla.gnome.org/show_bug.cgi?id=744980 Closes: #783010 -- Raphaël Hertzog <hertzog@debian.org> Tue, 25 Aug 2015 22:31:29 +0200 diff --git a/debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch b/debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch deleted file mode 100644 index 2afe1f0..0000000 --- a/debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch +++ /dev/null @@ -1,27 +0,0 @@ -From: Daniel Veillard <veillard@redhat.com> -Date: Thu, 23 Oct 2014 11:35:36 +0800 -Subject: Fix missing entities after CVE-2014-3660 fix - -For https://bugzilla.gnome.org/show_bug.cgi?id=738805 - -The fix for CVE-2014-3660 introduced a regression in some case -where entity substitution is required and the entity is used -first in anotther entity referenced from an attribute value ---- - parser.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index 1d93967..313ff28 100644 ---- a/parser.c -+++ b/parser.c -@@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { - * far more secure as the parser will only process data coming from - * the document entity by default. - */ -- if ((ent->checked == 0) && -+ if (((ent->checked == 0) || -+ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) && - ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) || - (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) { - unsigned long oldnbent = ctxt->nbentities; diff --git a/debian/patches/0056-Stop-parsing-on-entities-boundaries-errors.patch b/debian/patches/0056-Stop-parsing-on-entities-boundaries-errors.patch new file mode 100644 index 0000000..d0d9a79 --- /dev/null +++ b/debian/patches/0056-Stop-parsing-on-entities-boundaries-errors.patch @@ -0,0 +1,28 @@ +From: Daniel Veillard <veillard@redhat.com> +Date: Mon, 23 Feb 2015 11:17:35 +0800 +Subject: Stop parsing on entities boundaries errors + +For https://bugzilla.gnome.org/show_bug.cgi?id=744980 + +There are times, like on unterminated entities that it's preferable to +stop parsing, even if that means less error reporting. Entities are +feeding the parser on further processing, and if they are ill defined +then it's possible to get the parser to bug. Also do the same on +Conditional Sections if the input is broken, as the structure of +the document can't be guessed. +--- + parser.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/parser.c b/parser.c +index c187327..f96cd5f 100644 +--- a/parser.c ++++ b/parser.c +@@ -5653,6 +5653,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) { + if (RAW != '>') { + xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, + "xmlParseEntityDecl: entity %s not terminated\n", name); ++ xmlStopParser(ctxt); + } else { + if (input != ctxt->input) { + xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, diff --git a/debian/patches/0057-Cleanup-conditional-section-error-handling.patch b/debian/patches/0057-Cleanup-conditional-section-error-handling.patch new file mode 100644 index 0000000..27b5e2e --- /dev/null +++ b/debian/patches/0057-Cleanup-conditional-section-error-handling.patch @@ -0,0 +1,45 @@ +From: Daniel Veillard <veillard@redhat.com> +Date: Mon, 23 Feb 2015 11:29:20 +0800 +Subject: Cleanup conditional section error handling + +For https://bugzilla.gnome.org/show_bug.cgi?id=744980 + +The error handling of Conditional Section also need to be +straightened as the structure of the document can't be +guessed on a failure there and it's better to stop parsing +as further errors are likely to be irrelevant. +--- + parser.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/parser.c b/parser.c +index f96cd5f..5342cdb 100644 +--- a/parser.c ++++ b/parser.c +@@ -6765,6 +6765,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6825,6 +6827,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6880,6 +6884,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + + } else { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); ++ xmlStopParser(ctxt); ++ return; + } + + if (RAW == 0) diff --git a/debian/patches/0058-Fix-upstream-bug-299127.patch b/debian/patches/0058-Fix-upstream-bug-299127.patch new file mode 100644 index 0000000..b42b8ee --- /dev/null +++ b/debian/patches/0058-Fix-upstream-bug-299127.patch @@ -0,0 +1,99 @@ +From: =?utf-8?q?Rapha=C3=ABl_Hertzog?= <hertzog@debian.org> +Date: Tue, 25 Aug 2015 23:17:02 +0200 +Subject: Fix upstream bug 299127 + +Out of bound access when parsing unclosed comment + +Author: Francois Chagnon +Bug: https://bugzilla.gnome.org/show_bug.cgi?id=746048 +--- + HTMLparser.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 8d34fd1..69ccfd3 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -3245,13 +3245,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) { + ctxt->instate = state; + return; + } ++ if ((ctxt->input->end - ctxt->input->cur) < 3) { ++ ctxt->instate = XML_PARSER_EOF; ++ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, ++ "Comment not terminated\n", NULL, NULL); ++ xmlFree(buf); ++ return; ++ } + q = CUR_CHAR(ql); + NEXTL(ql); + r = CUR_CHAR(rl); + NEXTL(rl); + cur = CUR_CHAR(l); + len = 0; +- while (IS_CHAR(cur) && ++ while (((ctxt->input->end - ctxt->input->cur) > 0) && IS_CHAR(cur) && + ((cur != '>') || + (r != '-') || (q != '-'))) { + if (len + 5 >= size) { +@@ -3281,7 +3288,7 @@ htmlParseComment(htmlParserCtxtPtr ctxt) { + } + } + buf[len] = 0; +- if (!IS_CHAR(cur)) { ++ if (!(ctxt->input->end - ctxt->input->cur) || !IS_CHAR(cur)) { + htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, + "Comment not terminated \n<!--%.50s\n", buf, NULL); + xmlFree(buf); +@@ -4465,6 +4472,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { + depth = ctxt->nameNr; + while (1) { + long cons = ctxt->nbChars; ++ long rem = ctxt->input->end - ctxt->input->cur; + + GROW; + +@@ -4540,7 +4548,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { + /* + * Sometimes DOCTYPE arrives in the middle of the document + */ +- if ((CUR == '<') && (NXT(1) == '!') && ++ if ((rem >= 9) && (CUR == '<') && (NXT(1) == '!') && + (UPP(2) == 'D') && (UPP(3) == 'O') && + (UPP(4) == 'C') && (UPP(5) == 'T') && + (UPP(6) == 'Y') && (UPP(7) == 'P') && +@@ -4554,7 +4562,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { + /* + * First case : a comment + */ +- if ((CUR == '<') && (NXT(1) == '!') && ++ if ((rem >= 4) && (CUR == '<') && (NXT(1) == '!') && + (NXT(2) == '-') && (NXT(3) == '-')) { + htmlParseComment(ctxt); + } +@@ -4562,14 +4570,14 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { + /* + * Second case : a Processing Instruction. + */ +- else if ((CUR == '<') && (NXT(1) == '?')) { ++ else if ((rem >= 2) && (CUR == '<') && (NXT(1) == '?')) { + htmlParsePI(ctxt); + } + + /* + * Third case : a sub-element. + */ +- else if (CUR == '<') { ++ else if ((rem >= 1) && (CUR == '<')) { + htmlParseElementInternal(ctxt); + if (currentNode != NULL) xmlFree(currentNode); + +@@ -4581,7 +4589,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { + * Fourth case : a reference. If if has not been resolved, + * parsing returns it's Name, create the node + */ +- else if (CUR == '&') { ++ else if ((rem >= 1) && (CUR == '&')) { + htmlParseReference(ctxt); + } + diff --git a/debian/patches/0059-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch b/debian/patches/0059-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch new file mode 100644 index 0000000..0f1bd51 --- /dev/null +++ b/debian/patches/0059-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch @@ -0,0 +1,172 @@ +From: Daniel Veillard <veillard@redhat.com> +Date: Tue, 14 Apr 2015 17:41:48 +0800 +Subject: CVE-2015-1819 Enforce the reader to run in constant memory + +One of the operation on the reader could resolve entities +leading to the classic expansion issue. Make sure the +buffer used for xmlreader operation is bounded. +Introduce a new allocation type for the buffers for this effect. +--- + buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++- + include/libxml/tree.h | 3 ++- + xmlreader.c | 20 +++++++++++++++++++- + 3 files changed, 63 insertions(+), 3 deletions(-) + +diff --git a/buf.c b/buf.c +index d1756c4..b52e41d 100644 +--- a/buf.c ++++ b/buf.c +@@ -27,6 +27,7 @@ + #include <libxml/tree.h> + #include <libxml/globals.h> + #include <libxml/tree.h> ++#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */ + #include "buf.h" + + #define WITH_BUFFER_COMPAT +@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf, + if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) || + (scheme == XML_BUFFER_ALLOC_EXACT) || + (scheme == XML_BUFFER_ALLOC_HYBRID) || +- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) { ++ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) || ++ (scheme == XML_BUFFER_ALLOC_BOUNDED)) { + buf->alloc = scheme; + if (buf->buffer) + buf->buffer->alloc = scheme; +@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { + size = buf->use + len + 100; + #endif + ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || ++ (buf->size >= XML_MAX_TEXT_LENGTH)) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(0); ++ } ++ if (size >= XML_MAX_TEXT_LENGTH) ++ size = XML_MAX_TEXT_LENGTH; ++ } + if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { + size_t start_buf = buf->content - buf->contentIO; + +@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size) + CHECK_COMPAT(buf) + + if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (size >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(0); ++ } ++ } + + /* Don't resize if we don't have to */ + if (size < buf->size) +@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { + + needSize = buf->use + len + 2; + if (needSize > buf->size){ ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (needSize >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(-1); ++ } ++ } + if (!xmlBufResize(buf, needSize)){ + xmlBufMemoryError(buf, "growing buffer"); + return XML_ERR_NO_MEMORY; +@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) { + } + needSize = buf->use + len + 2; + if (needSize > buf->size){ ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (needSize >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(-1); ++ } ++ } + if (!xmlBufResize(buf, needSize)){ + xmlBufMemoryError(buf, "growing buffer"); + return XML_ERR_NO_MEMORY; +diff --git a/include/libxml/tree.h b/include/libxml/tree.h +index 7e06686..d904a44 100644 +--- a/include/libxml/tree.h ++++ b/include/libxml/tree.h +@@ -76,7 +76,8 @@ typedef enum { + XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */ + XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */ + XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */ +- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */ ++ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */ ++ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */ + } xmlBufferAllocationScheme; + + /** +diff --git a/xmlreader.c b/xmlreader.c +index 8834f50..04c9a3d 100644 +--- a/xmlreader.c ++++ b/xmlreader.c +@@ -2087,6 +2087,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) { + "xmlNewTextReader : malloc failed\n"); + return(NULL); + } ++ /* no operation on a reader should require a huge buffer */ ++ xmlBufSetAllocationScheme(ret->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); + if (ret->sax == NULL) { + xmlBufFree(ret->buffer); +@@ -3612,6 +3615,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { + return(((xmlNsPtr) node)->href); + case XML_ATTRIBUTE_NODE:{ + xmlAttrPtr attr = (xmlAttrPtr) node; ++ const xmlChar *ret; + + if ((attr->children != NULL) && + (attr->children->type == XML_TEXT_NODE) && +@@ -3625,10 +3629,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { + "xmlTextReaderSetup : malloc failed\n"); + return (NULL); + } ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + } else + xmlBufEmpty(reader->buffer); + xmlBufGetNodeContent(reader->buffer, node); +- return(xmlBufContent(reader->buffer)); ++ ret = xmlBufContent(reader->buffer); ++ if (ret == NULL) { ++ /* error on the buffer best to reallocate */ ++ xmlBufFree(reader->buffer); ++ reader->buffer = xmlBufCreateSize(100); ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); ++ ret = BAD_CAST ""; ++ } ++ return(ret); + } + break; + } +@@ -5127,6 +5142,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader, + "xmlTextReaderSetup : malloc failed\n"); + return (-1); + } ++ /* no operation on a reader should require a huge buffer */ ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + if (reader->sax == NULL) + reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); + if (reader->sax == NULL) { diff --git a/debian/patches/series b/debian/patches/series index 99fd190..5d07130 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -53,3 +53,7 @@ 0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch 0054-Fix-for-CVE-2014-3660.patch 0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch +0056-Stop-parsing-on-entities-boundaries-errors.patch +0057-Cleanup-conditional-section-error-handling.patch +0058-Fix-upstream-bug-299127.patch +0059-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch |