diff options
7 files changed, 27 insertions, 356 deletions
diff --git a/debian/changelog b/debian/changelog index 78e557c..dc762be 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,14 +5,6 @@ libxml2 (2.9.2+really2.9.1+dfsg1-0.1) unstable; urgency=medium again. Closes: #766884 * Restore all patches available in 2.9.1+dfsg1-5 in stretch, ensuring CVE-2014-3660 is fixed too. - * Fix 3 security issues by adding 4 patches: - - CVE-2015-1819: The xmlreader in libxml allows remote attackers to cause - a denial of service (memory consumption) via crafted XML data, related to - an XML Entity Expansion (XEE) attack. Closes: #782782 - - Out-of-bounds access when parsing unclosed HTML comment - https://bugzilla.gnome.org/show_bug.cgi?id=746048 Closes: #782985 - - Out-of-bounds memory access - https://bugzilla.gnome.org/show_bug.cgi?id=744980 Closes: #783010 -- Raphaƫl Hertzog <hertzog@debian.org> Tue, 25 Aug 2015 22:31:29 +0200 diff --git a/debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch b/debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch new file mode 100644 index 0000000..2afe1f0 --- /dev/null +++ b/debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch @@ -0,0 +1,27 @@ +From: Daniel Veillard <veillard@redhat.com> +Date: Thu, 23 Oct 2014 11:35:36 +0800 +Subject: Fix missing entities after CVE-2014-3660 fix + +For https://bugzilla.gnome.org/show_bug.cgi?id=738805 + +The fix for CVE-2014-3660 introduced a regression in some case +where entity substitution is required and the entity is used +first in anotther entity referenced from an attribute value +--- + parser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 1d93967..313ff28 100644 +--- a/parser.c ++++ b/parser.c +@@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + * far more secure as the parser will only process data coming from + * the document entity by default. + */ +- if ((ent->checked == 0) && ++ if (((ent->checked == 0) || ++ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) && + ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) || + (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) { + unsigned long oldnbent = ctxt->nbentities; diff --git a/debian/patches/0056-Stop-parsing-on-entities-boundaries-errors.patch b/debian/patches/0056-Stop-parsing-on-entities-boundaries-errors.patch deleted file mode 100644 index d0d9a79..0000000 --- a/debian/patches/0056-Stop-parsing-on-entities-boundaries-errors.patch +++ /dev/null @@ -1,28 +0,0 @@ -From: Daniel Veillard <veillard@redhat.com> -Date: Mon, 23 Feb 2015 11:17:35 +0800 -Subject: Stop parsing on entities boundaries errors - -For https://bugzilla.gnome.org/show_bug.cgi?id=744980 - -There are times, like on unterminated entities that it's preferable to -stop parsing, even if that means less error reporting. Entities are -feeding the parser on further processing, and if they are ill defined -then it's possible to get the parser to bug. Also do the same on -Conditional Sections if the input is broken, as the structure of -the document can't be guessed. ---- - parser.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/parser.c b/parser.c -index c187327..f96cd5f 100644 ---- a/parser.c -+++ b/parser.c -@@ -5653,6 +5653,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) { - if (RAW != '>') { - xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, - "xmlParseEntityDecl: entity %s not terminated\n", name); -+ xmlStopParser(ctxt); - } else { - if (input != ctxt->input) { - xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, diff --git a/debian/patches/0057-Cleanup-conditional-section-error-handling.patch b/debian/patches/0057-Cleanup-conditional-section-error-handling.patch deleted file mode 100644 index 27b5e2e..0000000 --- a/debian/patches/0057-Cleanup-conditional-section-error-handling.patch +++ /dev/null @@ -1,45 +0,0 @@ -From: Daniel Veillard <veillard@redhat.com> -Date: Mon, 23 Feb 2015 11:29:20 +0800 -Subject: Cleanup conditional section error handling - -For https://bugzilla.gnome.org/show_bug.cgi?id=744980 - -The error handling of Conditional Section also need to be -straightened as the structure of the document can't be -guessed on a failure there and it's better to stop parsing -as further errors are likely to be irrelevant. ---- - parser.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/parser.c b/parser.c -index f96cd5f..5342cdb 100644 ---- a/parser.c -+++ b/parser.c -@@ -6765,6 +6765,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { - SKIP_BLANKS; - if (RAW != '[') { - xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); -+ xmlStopParser(ctxt); -+ return; - } else { - if (ctxt->input->id != id) { - xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, -@@ -6825,6 +6827,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { - SKIP_BLANKS; - if (RAW != '[') { - xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); -+ xmlStopParser(ctxt); -+ return; - } else { - if (ctxt->input->id != id) { - xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, -@@ -6880,6 +6884,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { - - } else { - xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); -+ xmlStopParser(ctxt); -+ return; - } - - if (RAW == 0) diff --git a/debian/patches/0058-Fix-upstream-bug-299127.patch b/debian/patches/0058-Fix-upstream-bug-299127.patch deleted file mode 100644 index b42b8ee..0000000 --- a/debian/patches/0058-Fix-upstream-bug-299127.patch +++ /dev/null @@ -1,99 +0,0 @@ -From: =?utf-8?q?Rapha=C3=ABl_Hertzog?= <hertzog@debian.org> -Date: Tue, 25 Aug 2015 23:17:02 +0200 -Subject: Fix upstream bug 299127 - -Out of bound access when parsing unclosed comment - -Author: Francois Chagnon -Bug: https://bugzilla.gnome.org/show_bug.cgi?id=746048 ---- - HTMLparser.c | 22 +++++++++++++++------- - 1 file changed, 15 insertions(+), 7 deletions(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index 8d34fd1..69ccfd3 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -3245,13 +3245,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) { - ctxt->instate = state; - return; - } -+ if ((ctxt->input->end - ctxt->input->cur) < 3) { -+ ctxt->instate = XML_PARSER_EOF; -+ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, -+ "Comment not terminated\n", NULL, NULL); -+ xmlFree(buf); -+ return; -+ } - q = CUR_CHAR(ql); - NEXTL(ql); - r = CUR_CHAR(rl); - NEXTL(rl); - cur = CUR_CHAR(l); - len = 0; -- while (IS_CHAR(cur) && -+ while (((ctxt->input->end - ctxt->input->cur) > 0) && IS_CHAR(cur) && - ((cur != '>') || - (r != '-') || (q != '-'))) { - if (len + 5 >= size) { -@@ -3281,7 +3288,7 @@ htmlParseComment(htmlParserCtxtPtr ctxt) { - } - } - buf[len] = 0; -- if (!IS_CHAR(cur)) { -+ if (!(ctxt->input->end - ctxt->input->cur) || !IS_CHAR(cur)) { - htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, - "Comment not terminated \n<!--%.50s\n", buf, NULL); - xmlFree(buf); -@@ -4465,6 +4472,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { - depth = ctxt->nameNr; - while (1) { - long cons = ctxt->nbChars; -+ long rem = ctxt->input->end - ctxt->input->cur; - - GROW; - -@@ -4540,7 +4548,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { - /* - * Sometimes DOCTYPE arrives in the middle of the document - */ -- if ((CUR == '<') && (NXT(1) == '!') && -+ if ((rem >= 9) && (CUR == '<') && (NXT(1) == '!') && - (UPP(2) == 'D') && (UPP(3) == 'O') && - (UPP(4) == 'C') && (UPP(5) == 'T') && - (UPP(6) == 'Y') && (UPP(7) == 'P') && -@@ -4554,7 +4562,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { - /* - * First case : a comment - */ -- if ((CUR == '<') && (NXT(1) == '!') && -+ if ((rem >= 4) && (CUR == '<') && (NXT(1) == '!') && - (NXT(2) == '-') && (NXT(3) == '-')) { - htmlParseComment(ctxt); - } -@@ -4562,14 +4570,14 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { - /* - * Second case : a Processing Instruction. - */ -- else if ((CUR == '<') && (NXT(1) == '?')) { -+ else if ((rem >= 2) && (CUR == '<') && (NXT(1) == '?')) { - htmlParsePI(ctxt); - } - - /* - * Third case : a sub-element. - */ -- else if (CUR == '<') { -+ else if ((rem >= 1) && (CUR == '<')) { - htmlParseElementInternal(ctxt); - if (currentNode != NULL) xmlFree(currentNode); - -@@ -4581,7 +4589,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { - * Fourth case : a reference. If if has not been resolved, - * parsing returns it's Name, create the node - */ -- else if (CUR == '&') { -+ else if ((rem >= 1) && (CUR == '&')) { - htmlParseReference(ctxt); - } - diff --git a/debian/patches/0059-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch b/debian/patches/0059-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch deleted file mode 100644 index 0f1bd51..0000000 --- a/debian/patches/0059-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch +++ /dev/null @@ -1,172 +0,0 @@ -From: Daniel Veillard <veillard@redhat.com> -Date: Tue, 14 Apr 2015 17:41:48 +0800 -Subject: CVE-2015-1819 Enforce the reader to run in constant memory - -One of the operation on the reader could resolve entities -leading to the classic expansion issue. Make sure the -buffer used for xmlreader operation is bounded. -Introduce a new allocation type for the buffers for this effect. ---- - buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++- - include/libxml/tree.h | 3 ++- - xmlreader.c | 20 +++++++++++++++++++- - 3 files changed, 63 insertions(+), 3 deletions(-) - -diff --git a/buf.c b/buf.c -index d1756c4..b52e41d 100644 ---- a/buf.c -+++ b/buf.c -@@ -27,6 +27,7 @@ - #include <libxml/tree.h> - #include <libxml/globals.h> - #include <libxml/tree.h> -+#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */ - #include "buf.h" - - #define WITH_BUFFER_COMPAT -@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf, - if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) || - (scheme == XML_BUFFER_ALLOC_EXACT) || - (scheme == XML_BUFFER_ALLOC_HYBRID) || -- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) { -+ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) || -+ (scheme == XML_BUFFER_ALLOC_BOUNDED)) { - buf->alloc = scheme; - if (buf->buffer) - buf->buffer->alloc = scheme; -@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { - size = buf->use + len + 100; - #endif - -+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { -+ /* -+ * Used to provide parsing limits -+ */ -+ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || -+ (buf->size >= XML_MAX_TEXT_LENGTH)) { -+ xmlBufMemoryError(buf, "buffer error: text too long\n"); -+ return(0); -+ } -+ if (size >= XML_MAX_TEXT_LENGTH) -+ size = XML_MAX_TEXT_LENGTH; -+ } - if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { - size_t start_buf = buf->content - buf->contentIO; - -@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size) - CHECK_COMPAT(buf) - - if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); -+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { -+ /* -+ * Used to provide parsing limits -+ */ -+ if (size >= XML_MAX_TEXT_LENGTH) { -+ xmlBufMemoryError(buf, "buffer error: text too long\n"); -+ return(0); -+ } -+ } - - /* Don't resize if we don't have to */ - if (size < buf->size) -@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { - - needSize = buf->use + len + 2; - if (needSize > buf->size){ -+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { -+ /* -+ * Used to provide parsing limits -+ */ -+ if (needSize >= XML_MAX_TEXT_LENGTH) { -+ xmlBufMemoryError(buf, "buffer error: text too long\n"); -+ return(-1); -+ } -+ } - if (!xmlBufResize(buf, needSize)){ - xmlBufMemoryError(buf, "growing buffer"); - return XML_ERR_NO_MEMORY; -@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) { - } - needSize = buf->use + len + 2; - if (needSize > buf->size){ -+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { -+ /* -+ * Used to provide parsing limits -+ */ -+ if (needSize >= XML_MAX_TEXT_LENGTH) { -+ xmlBufMemoryError(buf, "buffer error: text too long\n"); -+ return(-1); -+ } -+ } - if (!xmlBufResize(buf, needSize)){ - xmlBufMemoryError(buf, "growing buffer"); - return XML_ERR_NO_MEMORY; -diff --git a/include/libxml/tree.h b/include/libxml/tree.h -index 7e06686..d904a44 100644 ---- a/include/libxml/tree.h -+++ b/include/libxml/tree.h -@@ -76,7 +76,8 @@ typedef enum { - XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */ - XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */ - XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */ -- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */ -+ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */ -+ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */ - } xmlBufferAllocationScheme; - - /** -diff --git a/xmlreader.c b/xmlreader.c -index 8834f50..04c9a3d 100644 ---- a/xmlreader.c -+++ b/xmlreader.c -@@ -2087,6 +2087,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) { - "xmlNewTextReader : malloc failed\n"); - return(NULL); - } -+ /* no operation on a reader should require a huge buffer */ -+ xmlBufSetAllocationScheme(ret->buffer, -+ XML_BUFFER_ALLOC_BOUNDED); - ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); - if (ret->sax == NULL) { - xmlBufFree(ret->buffer); -@@ -3612,6 +3615,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { - return(((xmlNsPtr) node)->href); - case XML_ATTRIBUTE_NODE:{ - xmlAttrPtr attr = (xmlAttrPtr) node; -+ const xmlChar *ret; - - if ((attr->children != NULL) && - (attr->children->type == XML_TEXT_NODE) && -@@ -3625,10 +3629,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { - "xmlTextReaderSetup : malloc failed\n"); - return (NULL); - } -+ xmlBufSetAllocationScheme(reader->buffer, -+ XML_BUFFER_ALLOC_BOUNDED); - } else - xmlBufEmpty(reader->buffer); - xmlBufGetNodeContent(reader->buffer, node); -- return(xmlBufContent(reader->buffer)); -+ ret = xmlBufContent(reader->buffer); -+ if (ret == NULL) { -+ /* error on the buffer best to reallocate */ -+ xmlBufFree(reader->buffer); -+ reader->buffer = xmlBufCreateSize(100); -+ xmlBufSetAllocationScheme(reader->buffer, -+ XML_BUFFER_ALLOC_BOUNDED); -+ ret = BAD_CAST ""; -+ } -+ return(ret); - } - break; - } -@@ -5127,6 +5142,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader, - "xmlTextReaderSetup : malloc failed\n"); - return (-1); - } -+ /* no operation on a reader should require a huge buffer */ -+ xmlBufSetAllocationScheme(reader->buffer, -+ XML_BUFFER_ALLOC_BOUNDED); - if (reader->sax == NULL) - reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); - if (reader->sax == NULL) { diff --git a/debian/patches/series b/debian/patches/series index 5d07130..99fd190 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -53,7 +53,3 @@ 0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch 0054-Fix-for-CVE-2014-3660.patch 0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch -0056-Stop-parsing-on-entities-boundaries-errors.patch -0057-Cleanup-conditional-section-error-handling.patch -0058-Fix-upstream-bug-299127.patch -0059-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch |