[xml/sgml-pkgs] Bug#782782: patch proposal for fixing CVE-2015-1819 in wheezy

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Fri May 29 13:51:19 UTC 2015 

Control: tags -1 patch

Hi,

under the umbrella of the LTS team, I worked out a patch for libxml2  
in squeeze(-lts).

The patch is very similar to the patch required for wheezy.

Please note: it hasn't been tested much, yet, it is more a request for  
feedback.

The patch has been derived from the content of the upstream commit  
that fixes CVE-2015-1819.

Please test well before uploading to wheezy-pu.

Greets,
Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
-------------- next part --------------
diff -Nru libxml2-2.8.0+dfsg1/debian/changelog libxml2-2.8.0+dfsg1/debian/changelog
--- libxml2-2.8.0+dfsg1/debian/changelog	2015-04-07 16:22:41.000000000 +0200
+++ libxml2-2.8.0+dfsg1/debian/changelog	2015-05-29 15:47:04.000000000 +0200
@@ -1,3 +1,12 @@
+libxml2 (2.8.0+dfsg1-7+wheezy4.1) wheezy-proposed-updates; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches:
+    + Add cve-2015-1819.patch. Fix CVE-2015-1819: Enforce the reader to run in
+      constant memory. (Closes: #782782).
+
+ -- Mike Gabriel <sunweaver at debian.org>  Fri, 29 May 2015 15:45:45 +0200
+
 libxml2 (2.8.0+dfsg1-7+wheezy4) wheezy-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru libxml2-2.8.0+dfsg1/debian/patches/cve-2015-1819.patch libxml2-2.8.0+dfsg1/debian/patches/cve-2015-1819.patch
--- libxml2-2.8.0+dfsg1/debian/patches/cve-2015-1819.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.8.0+dfsg1/debian/patches/cve-2015-1819.patch	2015-05-29 15:33:03.000000000 +0200
@@ -0,0 +1,139 @@
+From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard at redhat.com>
+Date: Tue, 14 Apr 2015 17:41:48 +0800
+Subject: CVE-2015-1819 Enforce the reader to run in constant memory
+
+One of the operation on the reader could resolve entities
+leading to the classic expansion issue. Make sure the
+buffer used for xmlreader operation is bounded.
+Introduce a new allocation type for the buffers for this effect.
+
+v2: rebased against libxml2 (<< 2.9)
+    Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
+--- a/include/libxml/tree.h
++++ b/include/libxml/tree.h
+@@ -75,7 +75,8 @@
+     XML_BUFFER_ALLOC_EXACT,	/* grow only to the minimal size */
+     XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
+     XML_BUFFER_ALLOC_IO,	/* special allocation scheme used for I/O */
+-    XML_BUFFER_ALLOC_HYBRID	/* exact up to a threshold, and doubleit thereafter */
++    XML_BUFFER_ALLOC_HYBRID,	/* exact up to a threshold, and doubleit thereafter */
++    XML_BUFFER_ALLOC_BOUNDED	/* limit the upper size of the buffer */
+ } xmlBufferAllocationScheme;
+ 
+ /**
+--- a/tree.c
++++ b/tree.c
+@@ -683,7 +683,8 @@
+ xmlSetBufferAllocationScheme(xmlBufferAllocationScheme scheme) {
+     if ((scheme == XML_BUFFER_ALLOC_EXACT) ||
+         (scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
+-        (scheme == XML_BUFFER_ALLOC_HYBRID))
++        (scheme == XML_BUFFER_ALLOC_HYBRID) ||
++        (scheme == XML_BUFFER_ALLOC_BOUNDED))
+ 	xmlBufferAllocScheme = scheme;
+ }
+ 
+@@ -7148,6 +7149,19 @@
+     size = buf->use + len + 100;
+ #endif
+ 
++    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++	/*
++	 * Used to provide parsing limits
++	 */
++	if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
++	    (buf->size >= XML_MAX_TEXT_LENGTH)) {
++	    xmlTreeErrMemory("buffer error: text too long");
++	    return(0);
++	}
++	if (size >= XML_MAX_TEXT_LENGTH)
++	    size = XML_MAX_TEXT_LENGTH;
++    }
++
+     if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
+         size_t start_buf = buf->content - buf->contentIO;
+ 
+@@ -7258,7 +7272,15 @@
+         return(0);
+ 
+     if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
+-
++    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++	/*
++	 * Used to provide parsing limits
++	 */
++	if (size >= XML_MAX_TEXT_LENGTH) {
++	    xmlTreeErrMemory("buffer error: text too long");
++	    return(0);
++	}
++    }
+     /* Don't resize if we don't have to */
+     if (size < buf->size)
+         return 1;
+@@ -7452,6 +7474,15 @@
+     }
+     needSize = buf->use + len + 2;
+     if (needSize > buf->size){
++	if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++	    /*
++	     * Used to provide parsing limits
++	     */
++	    if (needSize >= XML_MAX_TEXT_LENGTH) {
++		    xmlTreeErrMemory("buffer error: text too long");
++		    return(-1);
++	    }
++	}
+         if (!xmlBufferResize(buf, needSize)){
+ 	    xmlTreeErrMemory("growing buffer");
+             return XML_ERR_NO_MEMORY;
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -2072,6 +2072,8 @@
+ 		"xmlNewTextReader : malloc failed\n");
+ 	return(NULL);
+     }
++    /* no operation on a reader should require a huge buffer */
++    xmlSetBufferAllocationScheme(XML_BUFFER_ALLOC_BOUNDED);
+     ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+     if (ret->sax == NULL) {
+ 	xmlBufferFree(ret->buffer);
+@@ -3596,6 +3598,7 @@
+ 	    return(((xmlNsPtr) node)->href);
+         case XML_ATTRIBUTE_NODE:{
+ 	    xmlAttrPtr attr = (xmlAttrPtr) node;
++	    const xmlChar *ret;
+ 
+ 	    if ((attr->children != NULL) &&
+ 	        (attr->children->type == XML_TEXT_NODE) &&
+@@ -3610,8 +3613,20 @@
+ 		    return (NULL);
+ 		}
+ 	        reader->buffer->use = 0;
++		xmlSetBufferAllocationScheme(XML_BUFFER_ALLOC_BOUNDED);
+ 	        xmlNodeBufGetContent(reader->buffer, node);
+-		return(reader->buffer->content);
++		if (!reader->buffer)
++		    ret = NULL;
++		else
++		    ret = reader->buffer->content;
++		if (ret == NULL) {
++		    /* error on the buffer best to reallocate */
++		    xmlBufferFree(reader->buffer);
++		    reader->buffer = xmlBufferCreateSize(100);
++		    xmlSetBufferAllocationScheme(XML_BUFFER_ALLOC_BOUNDED);
++		    ret = BAD_CAST "";
++		}
++		return(ret);
+ 	    }
+ 	    break;
+ 	}
+@@ -5056,6 +5071,8 @@
+                         "xmlTextReaderSetup : malloc failed\n");
+         return (-1);
+     }
++    /* no operation on a reader should require a huge buffer */
++    xmlSetBufferAllocationScheme(XML_BUFFER_ALLOC_BOUNDED);
+     xmlSAXVersion(reader->sax, 2);
+     reader->startElement = reader->sax->startElement;
+     reader->sax->startElement = xmlTextReaderStartElement;
diff -Nru libxml2-2.8.0+dfsg1/debian/patches/series libxml2-2.8.0+dfsg1/debian/patches/series
--- libxml2-2.8.0+dfsg1/debian/patches/series	2015-04-07 16:22:41.000000000 +0200
+++ libxml2-2.8.0+dfsg1/debian/patches/series	2015-05-29 15:31:20.000000000 +0200
@@ -14,3 +14,4 @@
 0001-Cache-presence-of-in-entities-content.patch
 cve-2014-3660.patch
 cve-2014-3660-bis.patch
+cve-2015-1819.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: Digitale PGP-Signatur
URL: <http://lists.alioth.debian.org/pipermail/debian-xml-sgml-pkgs/attachments/20150529/314c3ac1/attachment-0001.sig>

More information about the debian-xml-sgml-pkgs mailing list