[xml/sgml-pkgs] Bug#1012179: CVE-2021-46143: Integer overflow in expat can be found on libxmltok

Rodrigo Figueiredo Zaiden rodrigo.zaiden at canonical.com
Tue May 31 15:30:28 BST 2022


Package: libxmltok
Version: 1.2-4
Severity: normal
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu kinetic ubuntu-patch

Dear Maintainer,

While triaging CVE-2021-46143 for expat, it was found that one part of
the reported integer overflow, in doProlog() in xmlparse.c, is also
present in libxmltok.
So, I'm suggesting to apply this patch for libxmltok in Debian as well.

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2021-46143.patch: add an integer overflow check
      for groupSize variable at doProlog() in xmlparse/xmlparse.c.
    - CVE-2021-46143


Thanks for considering the patch.
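As an added illustration of the arithmetic the patch guards (this is not part of the report above and not libxmltok's own code), the following C model reproduces the groupSize doubling from the XML_ROLE_GROUP_OPEN branch: the unchecked `groupSize *= 2` wraps once groupSize exceeds UINT_MAX / 2, while the checked form applies the same test as the patch and refuses to grow. The names groupSize and groupConnector are taken from the patch; the functions grow_unchecked, grow_checked, ensure_group_capacity and simulate_levels are hypothetical helpers written for this example.

```c
#include <limits.h>
#include <stdlib.h>

/* Added model of the groupConnector growth in doProlog(); it is not libxmltok
 * code, only the arithmetic the CVE-2021-46143 patch guards. Names mirror the
 * patch (groupSize, groupConnector) but the functions here are hypothetical. */

/* Pre-patch doubling: `groupSize *= 2` on an unsigned value. Once groupSize
 * exceeds UINT_MAX / 2 the product wraps, so realloc() is asked for a buffer
 * far smaller than the parser believes it has. */
unsigned int grow_unchecked(unsigned int groupSize) {
    return groupSize * 2u;
}

/* Post-patch doubling: the same test as the patch's
 * `groupSize > (unsigned int)(-1) / 2u`. Returns 0 where the patch returns
 * XML_ERROR_NO_MEMORY; 0 is never a valid doubled size in that branch, since
 * the branch is only reached when groupSize is non-zero. */
unsigned int grow_checked(unsigned int groupSize) {
    if (groupSize > UINT_MAX / 2u)
        return 0u;
    return groupSize * 2u;
}

/* Minimal stand-in for the parser state touched by the hunk. */
typedef struct {
    char *groupConnector;
    unsigned int groupSize;
} group_state;

/* Mirrors the patched XML_ROLE_GROUP_OPEN branch: grow when `level` reaches
 * the current capacity, first allocation is 32 bytes, later ones double.
 * Returns 0 on overflow or allocation failure, 1 otherwise. Unlike the
 * original, the realloc() result is kept in a temporary so the old buffer
 * is not lost if realloc() fails. */
int ensure_group_capacity(group_state *st, unsigned int level) {
    while (level >= st->groupSize) {
        if (st->groupSize) {
            unsigned int newSize = grow_checked(st->groupSize);
            if (newSize == 0u)
                return 0;                      /* doubling would have wrapped */
            char *p = realloc(st->groupConnector, newSize);
            if (!p)
                return 0;
            st->groupConnector = p;
            st->groupSize = newSize;
        } else {
            st->groupConnector = malloc(32);
            if (!st->groupConnector)
                return 0;
            st->groupSize = 32;
        }
    }
    return 1;
}

/* Drive the growth for group levels 0..maxLevel and return the capacity
 * reached (0 on failure); frees the buffer before returning. */
unsigned int simulate_levels(unsigned int maxLevel) {
    group_state st = { NULL, 0u };
    unsigned int level;
    for (level = 0; level <= maxLevel; level++) {
        if (!ensure_group_capacity(&st, level)) {
            free(st.groupConnector);
            return 0u;
        }
    }
    unsigned int reached = st.groupSize;
    free(st.groupConnector);
    return reached;
}
```

With a 32-bit unsigned int, grow_unchecked(0x80000000u) yields 0, which is the size the pre-patch code would have handed to realloc(); grow_checked() returns the error marker for the same input and still doubles normally for anything up to 0x7FFFFFFF.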


-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-33-generic (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-------------- next part --------------
diff -Nru libxmltok-1.2/debian/patches/CVE-2021-46143.patch libxmltok-1.2/debian/patches/CVE-2021-46143.patch
--- libxmltok-1.2/debian/patches/CVE-2021-46143.patch	1969-12-31 21:00:00.000000000 -0300
+++ libxmltok-1.2/debian/patches/CVE-2021-46143.patch	2022-05-30 16:58:54.000000000 -0300
@@ -0,0 +1,29 @@
+Description: backport of libexpat upstream patch
+ Backport of libexpat patch that is included in libxmltok:
+ Prevent integer overflow on groupSize in function doProlog
+Author: Rodrigo Figueiredo Zaiden <rodrigo.zaiden at canonical.com>
+Origin: upstream, https://github.com/libexpat/libexpat/commit/82c11af9d3dafc1b086a15efecd6ec07b6e13613
+Bug: https://github.com/libexpat/libexpat/issues/532
+Forwarded: no
+Last-Update: 2022-05-27
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libxmltok-1.2.orig/xmlparse/xmlparse.c
++++ libxmltok-1.2/xmlparse/xmlparse.c
+@@ -2616,9 +2616,14 @@ doProlog(XML_Parser parser,
+ #endif /* XML_DTD */
+     case XML_ROLE_GROUP_OPEN:
+       if (prologState.level >= groupSize) {
+-	if (groupSize)
++	if (groupSize) {
++	  /* Detect and prevent integer overflow */
++	  if (groupSize > (unsigned int)(-1) / 2u) {
++	    return XML_ERROR_NO_MEMORY;
++	  }
++
+ 	  groupConnector = realloc(groupConnector, groupSize *= 2);
+-	else
++  } else
+ 	  groupConnector = malloc(groupSize = 32);
+ 	if (!groupConnector)
+ 	  return XML_ERROR_NO_MEMORY;
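Review bot: the guard `if (groupSize > (unsigned int)(-1) / 2u)` placed before `groupConnector = realloc(groupConnector, groupSize *= 2);` is a complete overflow check only if groupSize is an unsigned type in libxmltok's xmlparse.c; the declaration is not in this hunk, so the backport should confirm it, because with a signed groupSize the value would be converted for the comparison and the doubling itself could still overflow. Two smaller points: the `++  } else` line is indented with two spaces while the surrounding lines use a tab, so it will not line up with the `if (groupSize) {` it closes, and a tab would keep the block consistent; and the pre-existing `groupConnector = realloc(groupConnector, ...)` replaces the old pointer before the `if (!groupConnector)` check runs, so the original buffer is lost when realloc() fails. That last point is outside the scope of this CVE fix, but a sentence in the DEP-3 description would save the next reviewer from re-deriving it.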
diff -Nru libxmltok-1.2/debian/patches/series libxmltok-1.2/debian/patches/series
--- libxmltok-1.2/debian/patches/series	2017-08-10 08:53:42.000000000 -0300
+++ libxmltok-1.2/debian/patches/series	2022-05-30 16:58:54.000000000 -0300
@@ -1 +1,2 @@
 debian-changes.patch
+CVE-2021-46143.patch
