diffstat of debian/ for libxml2_2.9.4+dfsg1-6.1 libxml2_2.9.4+dfsg1-6.1ubuntu1.2 changelog | 57 +++++++++++++++++++++ control | 20 ++++++- patches/CVE-2016-9318.patch | 51 +++++++++++++++++++ patches/CVE-2017-16932.patch | 113 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2017-18258.patch | 25 +++++++++ patches/CVE-2018-14404.patch | 47 +++++++++++++++++ patches/CVE-2018-14567.patch | 43 ++++++++++++++++ patches/series | 5 + rules | 3 - 9 files changed, 358 insertions(+), 6 deletions(-) diff -Nru libxml2-2.9.4+dfsg1/debian/changelog libxml2-2.9.4+dfsg1/debian/changelog --- libxml2-2.9.4+dfsg1/debian/changelog 2018-01-02 07:59:03.000000000 +0000 +++ libxml2-2.9.4+dfsg1/debian/changelog 2018-08-10 18:30:23.000000000 +0000 @@ -1,3 +1,33 @@ +libxml2 (2.9.4+dfsg1-6.1ubuntu1.2) bionic-security; urgency=medium + + * SECURITY UPDATE: XXE attacks + - debian/patches/CVE-2016-9318.patch: fix in parser.c. + - CVE-2016-9318 + * SECURITY UPDATE: Denial of service + - debian/patches/CVE-2017-18258.patch: fix in xzlib.c. + - CVE-2017-18258 + * SECURITY UPDATE: Denial of service + - debian/patches/CVE-2018-14404.patch: fix in xpath.c. + - CVE-2018-14404 + * SECURITY UPDATE: Infinite loop in LZMA decompression + - debian/patches/CVE-2018-14567.patch: fix in xzlib.c. + - CVE-2018-14567 + * SECURITY UPDATE: Infinite recursion/Denial of service + - debian/patches/CVE-2017-16932.patch: fix in parser.c and + add some error check files result/errors/759579.xml, + result/errors/759579.xml.err, result/errors/759579.xml.str, + test/errors/759579.xml. + - CVE-2017-16932 + + -- Leonidas S. Barbosa Fri, 10 Aug 2018 15:30:23 -0300 + +libxml2 (2.9.4+dfsg1-6.1ubuntu1) bionic; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/{rules,control}: Drop dep on libicu-dbg, icu59 doesn't ship it. + + -- Gianfranco Costamagna Tue, 02 Jan 2018 10:35:09 +0100 + libxml2 (2.9.4+dfsg1-6.1) unstable; urgency=medium * Non-maintainer upload. 
@@ -32,6 +62,13 @@ -- Mattia Rizzolo Tue, 02 Jan 2018 00:54:05 +0100 +libxml2 (2.9.4+dfsg1-5.2ubuntu1) bionic; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/{rules,control}: Drop dep on libicu-dbg, icu59 doesn't ship it. + + -- Gianfranco Costamagna Mon, 18 Dec 2017 19:20:37 +0100 + libxml2 (2.9.4+dfsg1-5.2) unstable; urgency=medium * Non-maintainer upload. @@ -39,6 +76,13 @@ -- Salvatore Bonaccorso Thu, 14 Dec 2017 20:36:07 +0100 +libxml2 (2.9.4+dfsg1-5.1ubuntu1) bionic; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/{rules,control}: Drop dep on libicu-dbg, icu59 doesn't ship it. + + -- Gianfranco Costamagna Mon, 27 Nov 2017 10:26:16 +0100 + libxml2 (2.9.4+dfsg1-5.1) unstable; urgency=medium * Non-maintainer upload. @@ -51,6 +95,18 @@ -- Salvatore Bonaccorso Sat, 18 Nov 2017 16:39:04 +0100 +libxml2 (2.9.4+dfsg1-5ubuntu2) bionic; urgency=medium + + * No-change rebuild for icu soname change. + + -- Matthias Klose Tue, 07 Nov 2017 08:54:26 +0000 + +libxml2 (2.9.4+dfsg1-5ubuntu1) bionic; urgency=medium + + * debian/{rules,control}: Drop dep on libicu-dbg, icu59 doesn't ship it. + + -- Adam Conrad Thu, 26 Oct 2017 01:32:39 -0600 + libxml2 (2.9.4+dfsg1-5) unstable; urgency=medium * Team upload. @@ -1117,7 +1173,6 @@ -- Mike Hommey Thu, 28 Oct 2004 17:34:54 +0900 - libxml2 (2.6.14-1) experimental; urgency=low * New upstream release. Closes: #273961. diff -Nru libxml2-2.9.4+dfsg1/debian/control libxml2-2.9.4+dfsg1/debian/control --- libxml2-2.9.4+dfsg1/debian/control 2018-01-02 07:59:03.000000000 +0000 +++ libxml2-2.9.4+dfsg1/debian/control 2018-01-02 04:14:17.000000000 +0000 @@ -1,7 +1,8 @@ Source: libxml2 Priority: optional Section: libs -Maintainer: Debian XML/SGML Group +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian XML/SGML Group Uploaders: Aron Xu , YunQiang Su , 
@@ -91,7 +92,6 @@ Section: debug Depends: libxml2 (= ${binary:Version}), - ${dep:libicudbg}, ${misc:Depends}, Multi-Arch: same Description: Debugging symbols for the GNOME XML library @@ -202,3 +202,19 @@ . This package contains the files needed to use the GNOME XML library in Python3 programs for use with the Python3 debug interpreter. + +Package: libxml2-udeb +XC-Package-Type: udeb +Architecture: any +Section: debian-installer +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: GNOME XML library - minimal runtime + XML is a metalanguage to let you design your own markup language. + A regular markup language defines a way to describe information in + a certain class of documents (eg HTML). XML lets you define your + own customized markup languages for many classes of document. It + can do this because it's written in SGML, the international standard + metalanguage for markup languages. + . + This is a minimal package for use in debian-installer that yields a + library providing an extensive API to handle such XML data files. diff -Nru libxml2-2.9.4+dfsg1/debian/patches/CVE-2016-9318.patch libxml2-2.9.4+dfsg1/debian/patches/CVE-2016-9318.patch --- libxml2-2.9.4+dfsg1/debian/patches/CVE-2016-9318.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.4+dfsg1/debian/patches/CVE-2016-9318.patch 2018-08-10 18:29:35.000000000 +0000 
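Review bot: The new `libxml2-udeb` stanza added in the `@@ -202,3 +202,19 @@` hunk is not mentioned in any changelog entry of this upload, whose "Remaining changes" bullets list only the libicu-dbg dependency drop, so the delta against Debian is not traceable from the changelog. A bullet such as `- debian/control: add libxml2-udeb (minimal runtime for debian-installer).` under the ubuntu1 entry would close that gap. It is also worth confirming that the package is actually built, since the only `debian/rules` hunk in this diff is the `override_dh_gencontrol` removal and nothing visible here installs files into the udeb.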
@@ -0,0 +1,51 @@
+From ad88b54f1a28a8565964a370b5d387927b633c0d Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Fri, 8 Dec 2017 09:42:31 +0100
+Subject: [PATCH] Improve handling of context input_id
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=772726
+This was used in xmlsec to detect issues with accessing external entities
+and prevent them, but was unreliable, based on a patch from Aleksey Sanin
+
+* parser.c: make sure input_id is incremented when creating sub-entities
+ for parsing or when parsing out of context
+diff --git a/parser.c b/parser.c
+index a06c002..bb6d527 100644
+--- a/parser.c
++++ b/parser.c
+@@ -13631,6 +13631,7 @@ xmlParseBalancedChunkMemoryInternal(xmlParserCtxtPtr oldctxt,
+ ctxt->userData = ctxt;
+ if (ctxt->dict != NULL) xmlDictFree(ctxt->dict);
+ ctxt->dict = oldctxt->dict;
++ ctxt->input_id = oldctxt->input_id + 1;
+ ctxt->str_xml = xmlDictLookup(ctxt->dict, BAD_CAST "xml", 3);
+ ctxt->str_xmlns = xmlDictLookup(ctxt->dict, BAD_CAST "xmlns", 5);
+ ctxt->str_xml_ns = xmlDictLookup(ctxt->dict, XML_XML_NAMESPACE, 36);
+@@ -13884,6 +13885,7 @@ xmlParseInNodeContext(xmlNodePtr node, const char *data, int datalen,
+ xmlDetectSAX2(ctxt);
+ ctxt->myDoc = doc;
+ /* parsing in context, i.e. as within existing content */
++ ctxt->input_id = 2;
+ ctxt->instate = XML_PARSER_CONTENT;
+
+ fake = xmlNewComment(NULL);
+@@ -14096,6 +14098,7 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
+ newDoc->oldNs = doc->oldNs;
+ }
+ ctxt->instate = XML_PARSER_CONTENT;
++ ctxt->input_id = 2;
+ ctxt->depth = depth;
+
+ /*
+@@ -14256,6 +14259,11 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
+ if (pctx != NULL) {
+ ctxt->options = pctx->options;
+ ctxt->_private = pctx->_private;
++ /*
++ * this is a subparser of pctx, so the input_id should be
++ * incremented to distinguish from main entity
++ */
++ ctxt->input_id = pctx->input_id + 1;
+ }
+
+ uri = xmlBuildURI(URL, base);
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/CVE-2016-9318.patch libxml2-2.9.4+dfsg1/debian/patches/CVE-2016-9318.patch
--- libxml2-2.9.4+dfsg1/debian/patches/CVE-2017-16932.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.4+dfsg1/debian/patches/CVE-2017-16932.patch 2018-08-10 18:30:23.000000000 +0000
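Review bot: The two bare `ctxt->input_id = 2;` assignments (in xmlParseInNodeContext and xmlParseBalancedChunkMemoryRecover) carry no explanation of the value, whereas the xmlCreateEntityParserCtxtInternal hunk at least comments why it increments; a one-line comment such as `/* out-of-context parse: use a non-main input_id, as xmlCreateEntityParserCtxtInternal does for sub-entities */` would keep the convention discoverable. Presumably 1 is the main document's id, but that is not visible in this patch, so confirm it before documenting the constant. Note also that the patch header itself describes this as making `input_id` reliable for callers like xmlsec that use it to detect external-entity access, not as blocking XXE inside libxml2, so the changelog wording "XXE attacks" overstates what this hunk alone does.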
@@ -0,0 +1,113 @@ +From 899a5d9f0ed13b8e32449a08a361e0de127dd961 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 25 Jul 2017 14:59:49 +0200 +Subject: [PATCH] Detect infinite recursion in parameter entities + +When expanding a parameter entity in a DTD, infinite recursion could +lead to an infinite loop or memory exhaustion. + +Thanks to Wei Lei for the first of many reports. + +Fixes bug 759579. +--- + parser.c | 15 +++++++++++++-- + result/errors/759579.xml | 0 + result/errors/759579.xml.err | 6 ++++++ + result/errors/759579.xml.str | 7 +++++++ + test/errors/759579.xml | 11 +++++++++++ + 5 files changed, 37 insertions(+), 2 deletions(-) + create mode 100644 result/errors/759579.xml + create mode 100644 result/errors/759579.xml.err + create mode 100644 result/errors/759579.xml.str + create mode 100644 test/errors/759579.xml + +diff --git a/parser.c b/parser.c +index bb6d527..e79cadb 100644 +--- a/parser.c ++++ b/parser.c +@@ -2238,6 +2238,13 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) { + xmlGenericError(xmlGenericErrorContext, + "Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur); + } ++ if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) || ++ (ctxt->inputNr > 1024)) { ++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); ++ while (ctxt->inputNr > 1) ++ xmlFreeInputStream(inputPop(ctxt)); ++ return(-1); ++ } + ret = inputPush(ctxt, input); + if (ctxt->instate == XML_PARSER_EOF) + return(-1); +@@ -8122,8 +8129,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) + name, NULL); + } else if (ctxt->input->free != deallocblankswrapper) { + input = xmlNewBlanksWrapperInputStream(ctxt, entity); +- if (xmlPushInput(ctxt, input) < 0) ++ if (xmlPushInput(ctxt, input) < 0) { ++ xmlFreeInputStream(input); + return; ++ } + } else { + if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && + ((ctxt->options & XML_PARSE_NOENT) == 0) && +@@ -8140,8 +8149,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) + * c.f. 
http://www.w3.org/TR/REC-xml#as-PE + */ + input = xmlNewEntityInputStream(ctxt, entity); +- if (xmlPushInput(ctxt, input) < 0) ++ if (xmlPushInput(ctxt, input) < 0) { ++ xmlFreeInputStream(input); + return; ++ } + if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && + (CMP5(CUR_PTR, '<', '?', 'x', 'm', 'l')) && + (IS_BLANK_CH(NXT(5)))) { +diff --git a/result/errors/759579.xml b/result/errors/759579.xml +new file mode 100644 +index 0000000..e69de29 +diff --git a/result/errors/759579.xml.err b/result/errors/759579.xml.err +new file mode 100644 +index 0000000..288026e +--- /dev/null ++++ b/result/errors/759579.xml.err +@@ -0,0 +1,6 @@ ++Entity: line 2: parser error : Detected an entity reference loop ++ %z; %z; %z; %z; %z; ++ ^ ++Entity: line 2: ++ %z; %z; %z; %z; %z; ++ ^ +diff --git a/result/errors/759579.xml.str b/result/errors/759579.xml.str +new file mode 100644 +index 0000000..09408f5 +--- /dev/null ++++ b/result/errors/759579.xml.str +@@ -0,0 +1,7 @@ ++Entity: line 2: parser error : Detected an entity reference loop ++ %z; %z; %z; %z; %z; ++ ^ ++Entity: line 2: ++ %z; %z; %z; %z; %z; ++ ^ ++./test/errors/759579.xml : failed to parse +diff --git a/test/errors/759579.xml b/test/errors/759579.xml +new file mode 100644 +index 0000000..7fadd70 +--- /dev/null ++++ b/test/errors/759579.xml +@@ -0,0 +1,11 @@ ++ ++ %z; ++]> ++ +-- +2.7.4 + diff -Nru libxml2-2.9.4+dfsg1/debian/patches/CVE-2017-18258.patch libxml2-2.9.4+dfsg1/debian/patches/CVE-2017-18258.patch --- libxml2-2.9.4+dfsg1/debian/patches/CVE-2017-18258.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.4+dfsg1/debian/patches/CVE-2017-18258.patch 2018-08-10 18:29:49.000000000 +0000 
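Review bot: The depth bounds `40` and `1024` in the new xmlPushInput check are unexplained literals; a comment such as `/* bound the input stack: recursive PE expansion keeps pushing inputs (bug 759579); 40 normally, 1024 with XML_PARSE_HUGE */` would tie the numbers to the entity-loop error they produce, and named constants would be better still if the file has a place for them. The callers in xmlParsePEReference now free `input` on a negative return, which is consistent with xmlPushInput draining the stack itself before returning -1. As rendered here, the `test/errors/759579.xml` hunk shows only a few lines of the 11 its header declares (the DOCTYPE and entity markup appears to have been stripped by the page), so confirm the on-disk patch file is intact before trusting this page, since quilt would refuse a truncated hunk. The enclosing xmlParsePEReference body continues outside the hunks.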
@@ -0,0 +1,25 @@
+From e2a9122b8dde53d320750451e9907a7dcb2ca8bb Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Thu, 7 Sep 2017 18:36:01 +0200
+Subject: [PATCH] Set memory limit for LZMA decompression
+
+Otherwise malicious LZMA compressed files could consume large amounts
+of memory when decompressed.
+
+According to the xz man page, files compressed with `xz -9` currently
+require 65 MB to decompress, so set the limit to 100 MB.
+
+Should fix bug 786696.
+diff --git a/xzlib.c b/xzlib.c
+index 782957f..f43632b 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -408,7 +408,7 @@ xz_head(xz_statep state)
+ state->strm = init;
+ state->strm.avail_in = 0;
+ state->strm.next_in = NULL;
+- if (lzma_auto_decoder(&state->strm, UINT64_MAX, 0) != LZMA_OK) {
++ if (lzma_auto_decoder(&state->strm, 100000000, 0) != LZMA_OK) {
+ xmlFree(state->out);
+ xmlFree(state->in);
+ state->size = 0;
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/CVE-2018-14404.patch libxml2-2.9.4+dfsg1/debian/patches/CVE-2018-14404.patch
--- libxml2-2.9.4+dfsg1/debian/patches/CVE-2018-14404.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.4+dfsg1/debian/patches/CVE-2018-14404.patch 2018-08-10 18:30:01.000000000 +0000
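Review bot: The replacement of `UINT64_MAX` with the bare literal `100000000` in the lzma_auto_decoder call leaves the rationale only in the commit message; a comment at the call site such as `/* memlimit: xz -9 streams need ~65 MB to decode, so 100 MB bounds memory use from untrusted input (CVE-2017-18258) */` or a named constant would keep it with the code. If I read liblzma correctly the limit is enforced by lzma_code() during decompression rather than by this init call, so the resulting error surfaces in xz_decomp, not here; it is worth checking that xz_decomp reports it, and the CVE-2018-14567 patch later in this series is what adds a generic non-OK return check there. The enclosing xz_head body continues outside the hunk.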
@@ -0,0 +1,47 @@
+From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+diff --git a/xpath.c b/xpath.c
+index 1787be1..13e0812 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13320,9 +13320,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval &= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval &= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_OR:
+@@ -13346,9 +13345,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval |= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval |= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_EQUAL:
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/CVE-2018-14567.patch libxml2-2.9.4+dfsg1/debian/patches/CVE-2018-14567.patch
--- libxml2-2.9.4+dfsg1/debian/patches/CVE-2018-14567.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.4+dfsg1/debian/patches/CVE-2018-14567.patch 2018-08-10 18:30:14.000000000 +0000
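Review bot: The new `if (ctxt->value != NULL)` guard in the XPATH_OP_AND case silently skips the combine and still returns `total`, and nothing at the site says when a NULL top-of-stack is expected or who has already reported it; a comment such as `/* value is NULL only if the stack was corrupted (e.g. by an extension function); xmlXPathBooleanFunction is expected to have raised the error */` would make the non-crash path reviewable. The "expected to have raised" part is an inference from the commit message rather than from visible code, so verify it against xmlXPathBooleanFunction before committing to the wording. The XPATH_OP_OR hunk at 13346 has exactly the same shape and deserves the same comment. The enclosing xmlXPathCompOpEval body extends well beyond both hunks.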
@@ -0,0 +1,43 @@
+From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Mon, 30 Jul 2018 13:14:11 +0200
+Subject: [PATCH] Fix infinite loop in LZMA decompression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check the liblzma error code more thoroughly to avoid infinite loops.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
+Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
+
+This is CVE-2018-9251 and CVE-2018-14567.
+
+Thanks to Dongliang Mu and Simon Wörner for the reports.
+diff --git a/xzlib.c b/xzlib.c
+index f43632b..5df477e 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
+ "internal error: inflate stream corrupt");
+ return -1;
+ }
++ /*
++ * FIXME: Remapping a couple of error codes and falling through
++ * to the LZMA error handling looks fragile.
++ */
+ if (ret == Z_MEM_ERROR)
+ ret = LZMA_MEM_ERROR;
+ if (ret == Z_DATA_ERROR)
+@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
+ xz_error(state, LZMA_PROG_ERROR, "compression error");
+ return -1;
+ }
++ if ((state->how != GZIP) &&
++ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
++ xz_error(state, ret, "lzma error");
++ return -1;
++ }
+ } while (strm->avail_out && ret != LZMA_STREAM_END);
+
+ /* update available output and crc check value */
diff -Nru libxml2-2.9.4+dfsg1/debian/patches/series libxml2-2.9.4+dfsg1/debian/patches/series
--- libxml2-2.9.4+dfsg1/debian/patches/series 2018-01-02 07:59:03.000000000 +0000
+++ libxml2-2.9.4+dfsg1/debian/patches/series 2018-08-10 18:30:23.000000000 +0000
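Review bot: The upstream commit message in this patch states it fixes both CVE-2018-9251 and CVE-2018-14567, but the changelog bullet for this patch references only CVE-2018-14567, so the security tracker cross-reference is incomplete; add `- CVE-2018-9251` beneath the existing `- CVE-2018-14567` line in the changelog entry. The new catch-all check `(ret != LZMA_OK) && (ret != LZMA_STREAM_END)` is placed after the specific LZMA_PROG_ERROR check in the loop, so it only sees codes the earlier branches left alone, which is consistent with the intent of breaking the loop on any unhandled status. The `FIXME` comment about remapping Z_MEM_ERROR/Z_DATA_ERROR is carried over verbatim from upstream and is not a defect introduced by the packaging. The enclosing xz_decomp body continues outside both hunks.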
@@ -17,3 +17,8 @@ 0017-python-remove-single-use-of-_PyVerify_fd.patch 0018-Fix-XPath-stack-frame-logic.patch 0019-CVE-2017-8872.patch +CVE-2016-9318.patch +CVE-2017-18258.patch +CVE-2018-14404.patch +CVE-2018-14567.patch +CVE-2017-16932.patch diff -Nru libxml2-2.9.4+dfsg1/debian/rules libxml2-2.9.4+dfsg1/debian/rules --- libxml2-2.9.4+dfsg1/debian/rules 2018-01-02 07:59:03.000000000 +0000 +++ libxml2-2.9.4+dfsg1/debian/rules 2018-01-02 04:14:17.000000000 +0000 @@ -119,9 +119,6 @@ override_dh_makeshlibs: dh_makeshlibs -a -V 'libxml2 (>= 2.7.4)' -- -c4 -override_dh_gencontrol: - dh_gencontrol -- -Vdep:libicudbg="`dpkg-query -f '$${Depends}' -W libicu-dev | sed 's/.*\(libicu[0-9]*\).*/\1/'`-dbg" - %: dh $@ \ $(if $(filter python-libxml2 python-libxml2-dbg,$(DOPACKAGES)),--with python2) \