[xml/sgml-pkgs] Bug#994765: xmlParseEntityDecl: entity xhtml-qname-extra.mod not terminated

Mattia Rizzolo mattia at debian.org
Mon Sep 20 18:38:04 BST 2021


Control: forwarded -1 https://gitlab.gnome.org/GNOME/libxml2/-/issues/306
Control: tag -1 confirmed upstream

On Mon, Sep 20, 2021 at 04:08:15PM +0000, Torrance, Douglas wrote:
> A bit more information is given by running xmllint on one of the affected files:
> 
> $ xmllint --noout --loaddtd /usr/share/doc/Macaulay2/Macaulay2Doc/html/_ideal.html
> file:///usr/share/xml/w3c-sgml-lib/schema/dtd/WD-XHTMLplusMathMLplusSVG-20020809/xhtml-math-svg.dtd:338: parser error : xmlParseEntityDecl: entity xhtml-qname-extra.mod not terminated
>   %xhtml-qname-extra.decl;
>                           ^
> Entity: line 2:
> "http://www.w3.org/Math/DTD/mathml2/mathml2-qname-1.mod"
>                                                                   ^
> The problem appears to be that the latest release of libxml2 is more strict
> when parsing DTD files, xhtml-math-svg.dtd in this particular case.
> 
> See also [3], which involves a similar error related to the file
> xhtml1-strict.dtd.

As others pointed out, #993638 is a completely different matter.


Anyway, after another round of bisecting libxml2:

mattia at warren ..TEAM/xml-sgml/libxml2/upstream/libxml2 (git)-[CVE-2021-3541~189|bisect] % git bisect good
a28f7d8789e63f5e2ac63b42083754cba58f1a0e is the first bad commit
commit a28f7d8789e63f5e2ac63b42083754cba58f1a0e
Author: Nick Wellnhofer <wellnhofer at aevum.de>
Date:   Wed Jun 10 13:41:13 2020 +0200

    Never expand parameter entities in text declaration

    When parsing the text declaration of external DTDs or entities, make
    sure that parameter entities are not expanded. This also fixes a memory
    leak in certain error cases.

    The change to xmlSkipBlankChars assumes that the parser state is
    maintained correctly when parsing external DTDs or parameter entities,
    and might expose bugs in the code that were hidden previously.

    Found by OSS-Fuzz.

 parser.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)


https://gitlab.gnome.org/GNOME/libxml2/-/commit/a28f7d8789e63f5e2ac63b42083754cba58f1a0e


Not sure what to do about it for now, so I've reported it upstream.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
More about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
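Added example (not code from this thread, from Macaulay2 or from libxml2): a small Python model of the rule stated in the bisected commit's message, "Never expand parameter entities in text declaration". An external DTD or external parameter entity may start with a text declaration, <?xml version="1.0" encoding="..."?>; parameter entity references (%name;) belong to the declarations that follow it and must be left alone while the declaration itself is read. The parameter entity table, the two inputs and the lenient code path are all constructed for contrast; the lenient path is there only to make the rule visible and is not a claim about how the older libxml2 code actually behaved.

```python
# Constructed model of the text-declaration rule from libxml2 commit
# a28f7d87: parameter entity references are not expanded while the
# <?xml ... ?> text declaration of an external entity is being parsed.
# Not libxml2 code; names, values and inputs below are made up.
import re

# Constructed parameter-entity table (the second name mirrors the one in
# the xmllint error above; its replacement text is invented).
PES = {
    "enc": 'encoding="UTF-8"',
    "xhtml-qname-extra.decl":
        '<!ENTITY % xhtml-qname-extra.mod SYSTEM "mathml2-qname-1.mod">',
}

PE_REF = re.compile(r"%([A-Za-z_:][\w.:-]*);")
# TextDecl ::= '<?xml' VersionInfo? EncodingDecl S? '?>'  (XML 1.0, 4.3.1)
TEXT_DECL = re.compile(
    r"^<\?xml"
    r"(?:\s+version\s*=\s*(\"[^\"]*\"|'[^']*'))?"
    r"\s+encoding\s*=\s*(\"[^\"]*\"|'[^']*')"
    r"\s*\?>"
)


class ParseError(Exception):
    pass


def expand_pes(text, pes):
    """Replace every %name; with its replacement text; undeclared -> error."""
    def sub(m):
        name = m.group(1)
        if name not in pes:
            raise ParseError(f"undeclared parameter entity {name}")
        return pes[name]
    return PE_REF.sub(sub, text)


def read_text_decl(data, pes, expand_in_decl=False):
    """Return (encoding, rest) for an external entity's content.

    rest is the external subset after the declaration, with its PE
    references still unexpanded: expanding them is the DTD parser's job,
    not the text-declaration reader's.  expand_in_decl=True is the
    constructed lenient path that substitutes PE references inside the
    <?xml ...?> region first; the default is the strict rule.
    """
    if not data.startswith("<?xml"):
        return None, data  # no text declaration; the entity starts with markup
    end = data.find("?>")
    if end == -1:
        raise ParseError("text declaration not terminated")
    head, rest = data[:end + 2], data[end + 2:]
    if expand_in_decl:
        head = expand_pes(head, pes)
    elif PE_REF.search(head):
        raise ParseError("parameter entity reference inside text declaration")
    m = TEXT_DECL.match(head)
    if not m:
        raise ParseError(f"malformed text declaration: {head!r}")
    return m.group(2).strip("\"'"), rest


# Constructed external subset shaped like the failing DTD: a text
# declaration, then a PE reference that pulls in further declarations.
GOOD = '<?xml version="1.0" encoding="UTF-8"?>\n%xhtml-qname-extra.decl;\n'
# Constructed malformed input: a PE reference inside the text declaration.
BAD = '<?xml version="1.0" %enc;?>\n%xhtml-qname-extra.decl;\n'


def demo():
    """Run both inputs through both paths and collect the outcomes."""
    results = {"good": read_text_decl(GOOD, PES)[0]}
    results["lenient"] = read_text_decl(BAD, PES, expand_in_decl=True)[0]
    try:
        read_text_decl(BAD, PES)
        results["strict"] = "accepted"
    except ParseError as e:
        results["strict"] = str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The well-formed input yields encoding UTF-8 on either path and leaves %xhtml-qname-extra.decl; untouched for the DTD parser. The malformed input is silently "repaired" by the lenient path, because the PE value happens to complete the declaration, and is rejected by the strict path; that rejection is what a fuzzer-found parser fix like this one is meant to guarantee, and it is also the kind of behaviour change that surfaces latent problems in DTDs that previously parsed.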