[xml/sgml-pkgs] Bug#1034617: unblock: libxml2/2.9.14+dfsg-1.2
Salvatore Bonaccorso
carnil at debian.org
Wed Apr 19 21:03:40 BST 2023
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libxml2 at packages.debian.org, carnil at debian.org
Control: affects -1 + src:libxml2
Dear release team,
Please unblock package libxml2
[ Reason ]
libxml2 in bookworm is affected by two CVEs CVE-2023-28484 (#1034436)
and CVE-2023-29469 (#1034437).
[ Impact ]
Issues remain open until a future update to cover those CVEs as well.
Though for bullseye an update has been prepared, which technically would
imply a regression from bullseye.
[ Tests ]
I explicitly manually tested the testcase for CVE-2023-28484 (and a
related issue without CVE, which is as well included in this update).
No explicit test for CVE-2023-29469 was done.
Additionally the autopkgtest did run, and there are no new failures.
[ Risks ]
Patches directly taken from upstream without need of backports.
Isolated in changes.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
DSA should go out in not too distant future. If unblocking please
consider as well aging for faster testing migration.
unblock libxml2/2.9.14+dfsg-1.2
Regards,
Salvatore
diff -Nru libxml2-2.9.14+dfsg/debian/changelog libxml2-2.9.14+dfsg/debian/changelog
--- libxml2-2.9.14+dfsg/debian/changelog 2022-10-30 11:18:06.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/changelog 2023-04-15 16:25:06.000000000 +0200
@@ -1,3 +1,14 @@
+libxml2 (2.9.14+dfsg-1.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
+ * Fix null deref in xmlSchemaFixupComplexType (CVE-2023-28484)
+ (Closes: #1034436)
+ * Hashing of empty dict strings isn't deterministic (CVE-2023-29469)
+ (Closes: #1034437)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Sat, 15 Apr 2023 16:25:06 +0200
+
libxml2 (2.9.14+dfsg-1.1) unstable; urgency=medium
* Non-maintainer upload.
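Review bot: the changelog entry for "schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK" does not say why a non-CVE upstream commit is being pulled into a targeted security update. The xmlschemas.c post-image of that patch (index ..152b7c3f521b) is the pre-image of the CVE-2023-28484 patch, so it is a prerequisite for the CVE fix to apply; a short "(prerequisite for the CVE-2023-28484 fix)" on that bullet would make the reason visible to the release team and to anyone auditing the debdiff later.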
diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch
--- libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch 2023-04-15 16:25:06.000000000 +0200
@@ -0,0 +1,76 @@
+From: Nick Wellnhofer <wellnhofer at aevum.de>
+Date: Fri, 7 Apr 2023 11:46:35 +0200
+Subject: [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f
+Bug-Debian: https://bugs.debian.org/1034436
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-28484
+
+Fix a null pointer dereference when parsing (invalid) XML schemas.
+
+Thanks to Robby Simpson for the report!
+
+Fixes #491.
+---
+ result/schemas/issue491_0_0.err | 1 +
+ test/schemas/issue491_0.xml | 1 +
+ test/schemas/issue491_0.xsd | 18 ++++++++++++++++++
+ xmlschemas.c | 2 +-
+ 4 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 result/schemas/issue491_0_0.err
+ create mode 100644 test/schemas/issue491_0.xml
+ create mode 100644 test/schemas/issue491_0.xsd
+
+diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
+new file mode 100644
+index 000000000000..9b2bb9691f55
+--- /dev/null
++++ b/result/schemas/issue491_0_0.err
+@@ -0,0 +1 @@
++./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
+diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
+new file mode 100644
+index 000000000000..e2b2fc2e359b
+--- /dev/null
++++ b/test/schemas/issue491_0.xml
+@@ -0,0 +1 @@
++<Child xmlns="http://www.test.com">5</Child>
+diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
+new file mode 100644
+index 000000000000..8170264987b7
+--- /dev/null
++++ b/test/schemas/issue491_0.xsd
+@@ -0,0 +1,18 @@
++<?xml version='1.0' encoding='UTF-8'?>
++<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
++ <xs:complexType name="BaseType">
++ <xs:simpleContent>
++ <xs:extension base="xs:int" />
++ </xs:simpleContent>
++ </xs:complexType>
++ <xs:complexType name="ChildType">
++ <xs:complexContent>
++ <xs:extension base="BaseType">
++ <xs:sequence>
++ <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
++ </xs:sequence>
++ </xs:extension>
++ </xs:complexContent>
++ </xs:complexType>
++ <xs:element name="Child" type="ChildType" />
++</xs:schema>
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 152b7c3f521b..eec24a95fca9 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -18619,7 +18619,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
+ "allowed to appear inside other model groups",
+ NULL, NULL);
+
+- } else if (! dummySequence) {
++ } else if ((!dummySequence) && (baseType->subtypes != NULL)) {
+ xmlSchemaTreeItemPtr effectiveContent =
+ (xmlSchemaTreeItemPtr) type->subtypes;
+ /*
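Review bot: the added `(baseType->subtypes != NULL)` guard makes the effective-content computation fall through silently when the base type has no particle, and nothing in this hunk reports the invalid derivation itself. The expected output in result/schemas/issue491_0_0.err shows the case is still diagnosed later ("The content type of both, the type and its base type, must either 'mixed' or 'element-only'"), so the behaviour is correct, but a one-line comment at the guard saying that the mismatch is reported by the content-type check would save the next reader from wondering whether a complexContent extension of a simpleContent base is now accepted without error.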
+--
+2.40.0
+
diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch
--- libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch 2023-04-15 16:25:06.000000000 +0200
@@ -0,0 +1,38 @@
+From: Nick Wellnhofer <wellnhofer at aevum.de>
+Date: Fri, 7 Apr 2023 11:49:27 +0200
+Subject: [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64
+Bug-Debian: https://bugs.debian.org/1034437
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-29469
+
+When hashing empty strings which aren't null-terminated,
+xmlDictComputeFastKey could produce inconsistent results. This could
+lead to various logic or memory errors, including double frees.
+
+For consistency the seed is also taken into account, but this shouldn't
+have an impact on security.
+
+Found by OSS-Fuzz.
+
+Fixes #510.
+---
+ dict.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index c29d2af77a77..12ba94fd51b5 100644
+--- a/dict.c
++++ b/dict.c
+@@ -453,7 +453,8 @@ static unsigned long
+ xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
+ unsigned long value = seed;
+
+- if (name == NULL) return(0);
++ if ((name == NULL) || (namelen <= 0))
++ return(value);
+ value += *name;
+ value <<= 5;
+ if (namelen > 10) {
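Review bot: the NULL-name path now returns `value` (the seed) where it previously returned 0, so this hunk changes the key for NULL names in addition to fixing the `namelen <= 0` case that the commit message is about. The message says the seed is taken into account for consistency, but the code carries no comment, so a reader comparing key values across versions will not know the change is intentional; a short comment above the early return would help. Also worth noting that `namelen` is a signed int, so the `<= 0` form rejects negative lengths as well as zero, where the old code would have gone on to read `*name` for them.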
+--
+2.40.0
+
diff -Nru libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
--- libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch 2023-04-15 16:25:06.000000000 +0200
@@ -0,0 +1,70 @@
+From: Nick Wellnhofer <wellnhofer at aevum.de>
+Date: Tue, 13 Sep 2022 16:40:31 +0200
+Subject: schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
+Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6
+
+Found by OSS-Fuzz.
+---
+ result/schemas/oss-fuzz-51295_0_0.err | 2 ++
+ test/schemas/oss-fuzz-51295_0.xml | 1 +
+ test/schemas/oss-fuzz-51295_0.xsd | 4 ++++
+ xmlschemas.c | 15 +++++++++++++--
+ 4 files changed, 20 insertions(+), 2 deletions(-)
+ create mode 100644 result/schemas/oss-fuzz-51295_0_0.err
+ create mode 100644 test/schemas/oss-fuzz-51295_0.xml
+ create mode 100644 test/schemas/oss-fuzz-51295_0.xsd
+
+diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err
+new file mode 100644
+index 000000000000..1e89524f63ea
+--- /dev/null
++++ b/result/schemas/oss-fuzz-51295_0_0.err
+@@ -0,0 +1,2 @@
++./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
++./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
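Review bot: the expected error output contains the identical circular-substitution-group diagnostic twice, for the same schema line and the same declaration 'e'. That is consistent with the check firing once per declaration that names 'e' as its head ('e' itself and 't' on the next line), but the duplicated message carries no detail that tells the user which declaration triggered it. This is upstream's behaviour and does not affect the fix, so the expected result is right as captured; it is a cosmetic diagnostics issue to take up separately rather than something to alter in this backport.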
+diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml
+new file mode 100644
+index 000000000000..10a7e703b2b1
+--- /dev/null
++++ b/test/schemas/oss-fuzz-51295_0.xml
+@@ -0,0 +1 @@
++<e/>
+diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd
+new file mode 100644
+index 000000000000..fde96af5c60b
+--- /dev/null
++++ b/test/schemas/oss-fuzz-51295_0.xsd
+@@ -0,0 +1,4 @@
++<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
++ <xs:element name="e" substitutionGroup="e"/>
++ <xs:element name="t" substitutionGroup="e" type='xs:decimal'/>
++</xs:schema>
+diff --git a/xmlschemas.c b/xmlschemas.c
+index f31d3d1f618f..152b7c3f521b 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -13345,8 +13345,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl,
+ * declaration `resolved` to by the `actual value`
+ * of the substitutionGroup [attribute], if present"
+ */
+- if (elemDecl->subtypes == NULL)
+- elemDecl->subtypes = substHead->subtypes;
++ if (elemDecl->subtypes == NULL) {
++ if (substHead->subtypes == NULL) {
++ /*
++ * This can happen with self-referencing substitution
++ * groups. The cycle will be detected later, but we have
++ * to set subtypes to avoid null-pointer dereferences.
++ */
++ elemDecl->subtypes = xmlSchemaGetBuiltInType(
++ XML_SCHEMAS_ANYTYPE);
++ } else {
++ elemDecl->subtypes = substHead->subtypes;
++ }
++ }
+ }
+ }
+ /*
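Review bot: the fallback to XML_SCHEMAS_ANYTYPE is taken whenever `substHead->subtypes` is NULL, while the comment only mentions self-referencing substitution groups. If a head's type can also be unresolved at this point for another reason (for instance because the head declaration is resolved later in the same pass), the member would keep anyType permanently and accept any content without a diagnostic. Worth confirming that heads are always resolved before their members when this code runs, or widening the comment to state that assumption; as a backport the hunk itself is a faithful copy of upstream 4c6922f763ad.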
+--
+2.40.0
+
diff -Nru libxml2-2.9.14+dfsg/debian/patches/series libxml2-2.9.14+dfsg/debian/patches/series
--- libxml2-2.9.14+dfsg/debian/patches/series 2022-10-30 11:18:06.000000000 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/series 2023-04-15 16:25:06.000000000 +0200
@@ -3,3 +3,6 @@
python3-unicode-errors.patch
CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch
CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch
+schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
+CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch
+CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch
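Review bot: the order of the three new entries matters. The xmlschemas.c hunk in CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch is based on index 152b7c3f521b, which is the post-image produced by schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch (f31d3d1f618f..152b7c3f521b), so the non-CVE patch must stay first or the CVE patch will only apply with offset, if at all. A comment in series (quilt accepts `#` comments) or a sentence in the changelog would make the dependency explicit for whoever next reorders or drops a patch here.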