From c8bb544cf113e1231e9f1f391bd70a5c55480453 Mon Sep 17 00:00:00 2001
From: Raphaël Hertzog <hertzog@debian.org>
Date: Tue, 25 Aug 2015 23:25:29 +0200
Subject: Fix 3 security issues by adding 4 patches

- CVE-2015-1819: The xmlreader in libxml allows remote attackers to cause
  a denial of service (memory consumption) via crafted XML data, related to
  an XML Entity Expansion (XEE) attack. Closes: #782782
- Out-of-bounds access when parsing unclosed HTML comment
  https://bugzilla.gnome.org/show_bug.cgi?id=746048 Closes: #782985
- Out-of-bounds memory access
  https://bugzilla.gnome.org/show_bug.cgi?id=744980 Closes: #783010
---
 debian/changelog                                   |   8 +
 ...-missing-entities-after-CVE-2014-3660-fix.patch |  27 ----
 ...top-parsing-on-entities-boundaries-errors.patch |  28 ++++
 ...leanup-conditional-section-error-handling.patch |  45 ++++++
 debian/patches/0058-Fix-upstream-bug-299127.patch  |  99 ++++++++++++
 ...19-Enforce-the-reader-to-run-in-constant-.patch | 172 +++++++++++++++++++++
 debian/patches/series                              |   4 +
 7 files changed, 356 insertions(+), 27 deletions(-)
 delete mode 100644 debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch
 create mode 100644 debian/patches/0056-Stop-parsing-on-entities-boundaries-errors.patch
 create mode 100644 debian/patches/0057-Cleanup-conditional-section-error-handling.patch
 create mode 100644 debian/patches/0058-Fix-upstream-bug-299127.patch
 create mode 100644 debian/patches/0059-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch

(limited to 'debian')

diff --git a/debian/changelog b/debian/changelog
index dc762be..78e557c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,14 @@ libxml2 (2.9.2+really2.9.1+dfsg1-0.1) unstable; urgency=medium
     again. Closes: #766884
   * Restore all patches available in 2.9.1+dfsg1-5 in stretch, ensuring
     CVE-2014-3660 is fixed too.
+  * Fix 3 security issues by adding 4 patches:
+    - CVE-2015-1819: The xmlreader in libxml allows remote attackers to cause
+      a denial of service (memory consumption) via crafted XML data, related to
+      an XML Entity Expansion (XEE) attack. Closes: #782782
+    - Out-of-bounds access when parsing unclosed HTML comment
+      https://bugzilla.gnome.org/show_bug.cgi?id=746048 Closes: #782985
+    - Out-of-bounds memory access
+      https://bugzilla.gnome.org/show_bug.cgi?id=744980 Closes: #783010
 
  -- Raphaël Hertzog <hertzog@debian.org>  Tue, 25 Aug 2015 22:31:29 +0200
 
diff --git a/debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch b/debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch
deleted file mode 100644
index 2afe1f0..0000000
--- a/debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Daniel Veillard <veillard@redhat.com>
-Date: Thu, 23 Oct 2014 11:35:36 +0800
-Subject: Fix missing entities after CVE-2014-3660 fix
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=738805
-
-The fix for CVE-2014-3660 introduced a regression in some case
-where entity substitution is required and the entity is used
-first in anotther entity referenced from an attribute value
----
- parser.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/parser.c b/parser.c
-index 1d93967..313ff28 100644
---- a/parser.c
-+++ b/parser.c
-@@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
-      * far more secure as the parser will only process data coming from
-      * the document entity by default.
-      */
--    if ((ent->checked == 0) &&
-+    if (((ent->checked == 0) ||
-+         ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&
-         ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
-          (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
- 	unsigned long oldnbent = ctxt->nbentities;
diff --git a/debian/patches/0056-Stop-parsing-on-entities-boundaries-errors.patch b/debian/patches/0056-Stop-parsing-on-entities-boundaries-errors.patch
new file mode 100644
index 0000000..d0d9a79
--- /dev/null
+++ b/debian/patches/0056-Stop-parsing-on-entities-boundaries-errors.patch
@@ -0,0 +1,28 @@
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:17:35 +0800
+Subject: Stop parsing on entities boundaries errors
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+There are times, like on unterminated entities that it's preferable to
+stop parsing, even if that means less error reporting. Entities are
+feeding the parser on further processing, and if they are ill defined
+then it's possible to get the parser to bug. Also do the same on
+Conditional Sections if the input is broken, as the structure of
+the document can't be guessed.
+---
+ parser.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/parser.c b/parser.c
+index c187327..f96cd5f 100644
+--- a/parser.c
++++ b/parser.c
+@@ -5653,6 +5653,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+ 	if (RAW != '>') {
+ 	    xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
+ 	            "xmlParseEntityDecl: entity %s not terminated\n", name);
++	    xmlStopParser(ctxt);
+ 	} else {
+ 	    if (input != ctxt->input) {
+ 		xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
diff --git a/debian/patches/0057-Cleanup-conditional-section-error-handling.patch b/debian/patches/0057-Cleanup-conditional-section-error-handling.patch
new file mode 100644
index 0000000..27b5e2e
--- /dev/null
+++ b/debian/patches/0057-Cleanup-conditional-section-error-handling.patch
@@ -0,0 +1,45 @@
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:29:20 +0800
+Subject: Cleanup conditional section error handling
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+The error handling of Conditional Section also need to be
+straightened as the structure of the document can't be
+guessed on a failure there and it's better to stop parsing
+as further errors are likely to be irrelevant.
+---
+ parser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index f96cd5f..5342cdb 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6765,6 +6765,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	SKIP_BLANKS;
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++	    xmlStopParser(ctxt);
++	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+ 		xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6825,6 +6827,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	SKIP_BLANKS;
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++	    xmlStopParser(ctxt);
++	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+ 		xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6880,6 +6884,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 
+     } else {
+ 	xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
++	xmlStopParser(ctxt);
++	return;
+     }
+ 
+     if (RAW == 0)
diff --git a/debian/patches/0058-Fix-upstream-bug-299127.patch b/debian/patches/0058-Fix-upstream-bug-299127.patch
new file mode 100644
index 0000000..b42b8ee
--- /dev/null
+++ b/debian/patches/0058-Fix-upstream-bug-299127.patch
@@ -0,0 +1,99 @@
+From: =?utf-8?q?Rapha=C3=ABl_Hertzog?= <hertzog@debian.org>
+Date: Tue, 25 Aug 2015 23:17:02 +0200
+Subject: Fix upstream bug 299127
+
+Out of bound access when parsing unclosed comment
+
+Author: Francois Chagnon
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=746048
+---
+ HTMLparser.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 8d34fd1..69ccfd3 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -3245,13 +3245,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
+ 	ctxt->instate = state;
+ 	return;
+     }
++    if ((ctxt->input->end - ctxt->input->cur) < 3) {
++        ctxt->instate = XML_PARSER_EOF;
++        htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
++                     "Comment not terminated\n", NULL, NULL);
++        xmlFree(buf);
++        return;
++    }
+     q = CUR_CHAR(ql);
+     NEXTL(ql);
+     r = CUR_CHAR(rl);
+     NEXTL(rl);
+     cur = CUR_CHAR(l);
+     len = 0;
+-    while (IS_CHAR(cur) &&
++    while (((ctxt->input->end - ctxt->input->cur) > 0) && IS_CHAR(cur) &&
+            ((cur != '>') ||
+ 	    (r != '-') || (q != '-'))) {
+ 	if (len + 5 >= size) {
+@@ -3281,7 +3288,7 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
+ 	}
+     }
+     buf[len] = 0;
+-    if (!IS_CHAR(cur)) {
++    if (!(ctxt->input->end - ctxt->input->cur) || !IS_CHAR(cur)) {
+ 	htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+ 	             "Comment not terminated \n<!--%.50s\n", buf, NULL);
+ 	xmlFree(buf);
+@@ -4465,6 +4472,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
+     depth = ctxt->nameNr;
+     while (1) {
+ 	long cons = ctxt->nbChars;
++    long rem = ctxt->input->end - ctxt->input->cur;
+ 
+         GROW;
+ 
+@@ -4540,7 +4548,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
+ 	    /*
+ 	     * Sometimes DOCTYPE arrives in the middle of the document
+ 	     */
+-	    if ((CUR == '<') && (NXT(1) == '!') &&
++	    if ((rem >= 9) && (CUR == '<') && (NXT(1) == '!') &&
+ 		(UPP(2) == 'D') && (UPP(3) == 'O') &&
+ 		(UPP(4) == 'C') && (UPP(5) == 'T') &&
+ 		(UPP(6) == 'Y') && (UPP(7) == 'P') &&
+@@ -4554,7 +4562,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
+ 	    /*
+ 	     * First case :  a comment
+ 	     */
+-	    if ((CUR == '<') && (NXT(1) == '!') &&
++	    if ((rem >= 4) && (CUR == '<') && (NXT(1) == '!') &&
+ 		(NXT(2) == '-') && (NXT(3) == '-')) {
+ 		htmlParseComment(ctxt);
+ 	    }
+@@ -4562,14 +4570,14 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
+ 	    /*
+ 	     * Second case : a Processing Instruction.
+ 	     */
+-	    else if ((CUR == '<') && (NXT(1) == '?')) {
++	    else if ((rem >= 2) && (CUR == '<') && (NXT(1) == '?')) {
+ 		htmlParsePI(ctxt);
+ 	    }
+ 
+ 	    /*
+ 	     * Third case :  a sub-element.
+ 	     */
+-	    else if (CUR == '<') {
++	    else if ((rem >= 1) && (CUR == '<')) {
+ 		htmlParseElementInternal(ctxt);
+ 		if (currentNode != NULL) xmlFree(currentNode);
+ 
+@@ -4581,7 +4589,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
+ 	     * Fourth case : a reference. If if has not been resolved,
+ 	     *    parsing returns it's Name, create the node
+ 	     */
+-	    else if (CUR == '&') {
++	    else if ((rem >= 1) && (CUR == '&')) {
+ 		htmlParseReference(ctxt);
+ 	    }
+ 
diff --git a/debian/patches/0059-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch b/debian/patches/0059-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch
new file mode 100644
index 0000000..0f1bd51
--- /dev/null
+++ b/debian/patches/0059-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch
@@ -0,0 +1,172 @@
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 14 Apr 2015 17:41:48 +0800
+Subject: CVE-2015-1819 Enforce the reader to run in constant memory
+
+One of the operation on the reader could resolve entities
+leading to the classic expansion issue. Make sure the
+buffer used for xmlreader operation is bounded.
+Introduce a new allocation type for the buffers for this effect.
+---
+ buf.c                 | 43 ++++++++++++++++++++++++++++++++++++++++++-
+ include/libxml/tree.h |  3 ++-
+ xmlreader.c           | 20 +++++++++++++++++++-
+ 3 files changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/buf.c b/buf.c
+index d1756c4..b52e41d 100644
+--- a/buf.c
++++ b/buf.c
+@@ -27,6 +27,7 @@
+ #include <libxml/tree.h>
+ #include <libxml/globals.h>
+ #include <libxml/tree.h>
++#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
+ #include "buf.h"
+ 
+ #define WITH_BUFFER_COMPAT
+@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
+     if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
+         (scheme == XML_BUFFER_ALLOC_EXACT) ||
+         (scheme == XML_BUFFER_ALLOC_HYBRID) ||
+-        (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
++        (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
++	(scheme == XML_BUFFER_ALLOC_BOUNDED)) {
+ 	buf->alloc = scheme;
+         if (buf->buffer)
+             buf->buffer->alloc = scheme;
+@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
+     size = buf->use + len + 100;
+ #endif
+ 
++    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++        /*
++	 * Used to provide parsing limits
++	 */
++        if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
++	    (buf->size >= XML_MAX_TEXT_LENGTH)) {
++	    xmlBufMemoryError(buf, "buffer error: text too long\n");
++	    return(0);
++	}
++	if (size >= XML_MAX_TEXT_LENGTH)
++	    size = XML_MAX_TEXT_LENGTH;
++    }
+     if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
+         size_t start_buf = buf->content - buf->contentIO;
+ 
+@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+     CHECK_COMPAT(buf)
+ 
+     if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
++    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++        /*
++	 * Used to provide parsing limits
++	 */
++        if (size >= XML_MAX_TEXT_LENGTH) {
++	    xmlBufMemoryError(buf, "buffer error: text too long\n");
++	    return(0);
++	}
++    }
+ 
+     /* Don't resize if we don't have to */
+     if (size < buf->size)
+@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
+ 
+     needSize = buf->use + len + 2;
+     if (needSize > buf->size){
++	if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++	    /*
++	     * Used to provide parsing limits
++	     */
++	    if (needSize >= XML_MAX_TEXT_LENGTH) {
++		xmlBufMemoryError(buf, "buffer error: text too long\n");
++		return(-1);
++	    }
++	}
+         if (!xmlBufResize(buf, needSize)){
+ 	    xmlBufMemoryError(buf, "growing buffer");
+             return XML_ERR_NO_MEMORY;
+@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
+     }
+     needSize = buf->use + len + 2;
+     if (needSize > buf->size){
++	if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++	    /*
++	     * Used to provide parsing limits
++	     */
++	    if (needSize >= XML_MAX_TEXT_LENGTH) {
++		xmlBufMemoryError(buf, "buffer error: text too long\n");
++		return(-1);
++	    }
++	}
+         if (!xmlBufResize(buf, needSize)){
+ 	    xmlBufMemoryError(buf, "growing buffer");
+             return XML_ERR_NO_MEMORY;
+diff --git a/include/libxml/tree.h b/include/libxml/tree.h
+index 7e06686..d904a44 100644
+--- a/include/libxml/tree.h
++++ b/include/libxml/tree.h
+@@ -76,7 +76,8 @@ typedef enum {
+     XML_BUFFER_ALLOC_EXACT,	/* grow only to the minimal size */
+     XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
+     XML_BUFFER_ALLOC_IO,	/* special allocation scheme used for I/O */
+-    XML_BUFFER_ALLOC_HYBRID	/* exact up to a threshold, and doubleit thereafter */
++    XML_BUFFER_ALLOC_HYBRID,	/* exact up to a threshold, and doubleit thereafter */
++    XML_BUFFER_ALLOC_BOUNDED	/* limit the upper size of the buffer */
+ } xmlBufferAllocationScheme;
+ 
+ /**
+diff --git a/xmlreader.c b/xmlreader.c
+index 8834f50..04c9a3d 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -2087,6 +2087,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
+ 		"xmlNewTextReader : malloc failed\n");
+ 	return(NULL);
+     }
++    /* no operation on a reader should require a huge buffer */
++    xmlBufSetAllocationScheme(ret->buffer,
++			      XML_BUFFER_ALLOC_BOUNDED);
+     ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+     if (ret->sax == NULL) {
+ 	xmlBufFree(ret->buffer);
+@@ -3612,6 +3615,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+ 	    return(((xmlNsPtr) node)->href);
+         case XML_ATTRIBUTE_NODE:{
+ 	    xmlAttrPtr attr = (xmlAttrPtr) node;
++	    const xmlChar *ret;
+ 
+ 	    if ((attr->children != NULL) &&
+ 	        (attr->children->type == XML_TEXT_NODE) &&
+@@ -3625,10 +3629,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+                                         "xmlTextReaderSetup : malloc failed\n");
+                         return (NULL);
+                     }
++		    xmlBufSetAllocationScheme(reader->buffer,
++		                              XML_BUFFER_ALLOC_BOUNDED);
+                 } else
+                     xmlBufEmpty(reader->buffer);
+ 	        xmlBufGetNodeContent(reader->buffer, node);
+-		return(xmlBufContent(reader->buffer));
++		ret = xmlBufContent(reader->buffer);
++		if (ret == NULL) {
++		    /* error on the buffer best to reallocate */
++		    xmlBufFree(reader->buffer);
++		    reader->buffer = xmlBufCreateSize(100);
++		    xmlBufSetAllocationScheme(reader->buffer,
++		                              XML_BUFFER_ALLOC_BOUNDED);
++		    ret = BAD_CAST "";
++		}
++		return(ret);
+ 	    }
+ 	    break;
+ 	}
+@@ -5127,6 +5142,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
+                         "xmlTextReaderSetup : malloc failed\n");
+         return (-1);
+     }
++    /* no operation on a reader should require a huge buffer */
++    xmlBufSetAllocationScheme(reader->buffer,
++			      XML_BUFFER_ALLOC_BOUNDED);
+     if (reader->sax == NULL)
+ 	reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+     if (reader->sax == NULL) {
diff --git a/debian/patches/series b/debian/patches/series
index 99fd190..5d07130 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -53,3 +53,7 @@
 0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch
 0054-Fix-for-CVE-2014-3660.patch
 0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch
+0056-Stop-parsing-on-entities-boundaries-errors.patch
+0057-Cleanup-conditional-section-error-handling.patch
+0058-Fix-upstream-bug-299127.patch
+0059-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch
-- 
cgit v1.2.3