Your message dated Tue, 18 Mar 2025 23:41:45 +0000
with message-id <[email protected]>
and subject line Bug#1012179: fixed in libxmltok 1.2-4.2
has caused the Debian Bug report #1012179,
regarding CVE-2021-46143: Integer overflow in expat can be found on libxmltok
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1012179: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012179
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libxmltok
Version: 1.2-4
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-ubuntu kinetic ubuntu-patch

Dear Maintainer,

While triaging CVE-2021-46143 for expat, it was found that one part of
the reported integer overflow, in doProlog() in xmlparse.c, is also
present in libxmltok.
So, I'm suggesting to apply this patch for libxmltok in Debian as well.

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2021-46143.patch: add an integer overflow check
      for groupSize variable at doProlog() in xmlparse/xmlparse.c.
    - CVE-2021-46143


Thanks for considering the patch.


-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), 
(100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-33-generic (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libxmltok-1.2/debian/patches/CVE-2021-46143.patch 
libxmltok-1.2/debian/patches/CVE-2021-46143.patch
--- libxmltok-1.2/debian/patches/CVE-2021-46143.patch   1969-12-31 
21:00:00.000000000 -0300
+++ libxmltok-1.2/debian/patches/CVE-2021-46143.patch   2022-05-30 
16:58:54.000000000 -0300
@@ -0,0 +1,29 @@
+Description: backport of libexpat upstream patch
+ Backport of libexpat patch that is included in libxmltok:
+ Prevent integer overflow on groupSize in function doProlog
+Author: Rodrigo Figueiredo Zaiden <[email protected]>
+Origin: upstream, 
https://github.com/libexpat/libexpat/commit/82c11af9d3dafc1b086a15efecd6ec07b6e13613
+Bug: https://github.com/libexpat/libexpat/issues/532
+Forwarded: no
+Last-Update: 2022-05-27
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libxmltok-1.2.orig/xmlparse/xmlparse.c
++++ libxmltok-1.2/xmlparse/xmlparse.c
+@@ -2616,9 +2616,14 @@ doProlog(XML_Parser parser,
+ #endif /* XML_DTD */
+     case XML_ROLE_GROUP_OPEN:
+       if (prologState.level >= groupSize) {
+-      if (groupSize)
++      if (groupSize) {
++        /* Detect and prevent integer overflow */
++        if (groupSize > (unsigned int)(-1) / 2u) {
++          return XML_ERROR_NO_MEMORY;
++        }
++
+         groupConnector = realloc(groupConnector, groupSize *= 2);
+-      else
++  } else
+         groupConnector = malloc(groupSize = 32);
+       if (!groupConnector)
+         return XML_ERROR_NO_MEMORY;
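Review bot: The retained context line `groupConnector = realloc(groupConnector, groupSize *= 2);` still doubles groupSize and overwrites groupConnector before the result of realloc is known, so on failure the only visible pointer to the old buffer is lost and groupSize no longer matches any allocation. Since the patch already restructures this branch, consider computing the new size in a local, calling realloc into a temporary pointer, and committing both only on success. The bound `(unsigned int)(-1) / 2u` is the right limit only if groupSize is declared as unsigned int, which is not visible in this hunk, so it is worth checking against the declaration. Minor: the `} else` line is indented differently from the `if (groupSize) {` it closes and the else branch is left without braces; in the DEP-3 header, `Forwarded: no` sits oddly next to an `Origin: upstream` entry, where `Forwarded: not-needed` would describe the situation better.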
diff -Nru libxmltok-1.2/debian/patches/series 
libxmltok-1.2/debian/patches/series
--- libxmltok-1.2/debian/patches/series 2017-08-10 08:53:42.000000000 -0300
+++ libxmltok-1.2/debian/patches/series 2022-05-30 16:58:54.000000000 -0300
@@ -1 +1,2 @@
 debian-changes.patch
+CVE-2021-46143.patch
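Review bot: CVE-2021-46143.patch is appended after debian-changes.patch, so it is applied on top of whatever that patch changes. Please confirm that the `@@ -2616,9 +2616,14 @@` hunk applies to xmlparse/xmlparse.c in that order without offset or fuzz, for example by unpacking and building the source package in a clean tree.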

--- End Message ---
--- Begin Message ---
Source: libxmltok
Source-Version: 1.2-4.2
Done: Bastian Germann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libxmltok, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Germann <[email protected]> (supplier of updated libxmltok package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 18 Mar 2025 23:03:07 +0100
Source: libxmltok
Architecture: source
Version: 1.2-4.2
Distribution: unstable
Urgency: medium
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Bastian Germann <[email protected]>
Closes: 1012179 1075221
Changes:
 libxmltok (1.2-4.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * debian/patches/include_unistd_header.patch: included <unistd.h> in
     xmlwf/unixfilemap.c to address -Wimplicit-function-declaration.
     Closes: #1075221
   * debian/patches/CVE-2021-46143.patch: add an integer overflow check
     for groupSize variable at doProlog() in xmlparse/xmlparse.c.
     Closes: #1012179, CVE-2021-46143
   * debian/copyright: Convert to machine-readable format.


-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---