Control: tags 949582 + patch
Control: tags 949582 + pending
Control: tags 949583 + patch
Control: tags 949583 + pending
Dear maintainer,

I've prepared an NMU for libxml2 (versioned as 2.9.10+dfsg-2.1) but not uploaded it; it is actually the merge request proposed here: https://salsa.debian.org/xml-sgml-team/libxml2/merge_requests/2

Attached as well is just the debdiff for the BTS bugs.

Regards,
Salvatore
diff -Nru libxml2-2.9.10+dfsg/debian/changelog libxml2-2.9.10+dfsg/debian/changelog --- libxml2-2.9.10+dfsg/debian/changelog 2020-02-21 14:45:03.000000000 +0100 +++ libxml2-2.9.10+dfsg/debian/changelog 2020-02-22 23:36:57.000000000 +0100 @@ -1,3 +1,13 @@ +libxml2 (2.9.10+dfsg-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix memory leak in xmlSchemaValidateStream (CVE-2019-20388) + (Closes: #949583) + * Fix infinite loop in xmlStringLenDecodeEntities (CVE-2020-7595) + (Closes: #949582) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 22 Feb 2020 23:36:57 +0100 + libxml2 (2.9.10+dfsg-2) unstable; urgency=medium * Team upload diff -Nru libxml2-2.9.10+dfsg/debian/patches/Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch libxml2-2.9.10+dfsg/debian/patches/Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch --- libxml2-2.9.10+dfsg/debian/patches/Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxml2-2.9.10+dfsg/debian/patches/Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch 2020-02-22 23:36:57.000000000 +0100 
@@ -0,0 +1,34 @@ +From: Zhipeng Xie <xiezhipe...@huawei.com> +Date: Thu, 12 Dec 2019 17:30:55 +0800 +Subject: Fix infinite loop in xmlStringLenDecodeEntities +Origin: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c8907645d2e155f0d89d4d9895ac5112b5 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-7595 +Bug-Debian: https://bugs.debian.org/949582 + +When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef +return NULL which cause a infinite loop in xmlStringLenDecodeEntities + +Found with libFuzzer. + +Signed-off-by: Zhipeng Xie <xiezhipe...@huawei.com> +--- + parser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index d1c319631fc9..a34bb6cdd81b 100644 +--- a/parser.c ++++ b/parser.c +@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + else + c = 0; + while ((c != 0) && (c != end) && /* non input consuming loop */ +- (c != end2) && (c != end3)) { ++ (c != end2) && (c != end3) && ++ (ctxt->instate != XML_PARSER_EOF)) { + + if (c == 0) break; + if ((c == '&') && (str[1] == '#')) { +-- +2.20.1 + diff -Nru libxml2-2.9.10+dfsg/debian/patches/Fix-memory-leak-in-xmlSchemaValidateStream.patch libxml2-2.9.10+dfsg/debian/patches/Fix-memory-leak-in-xmlSchemaValidateStream.patch --- libxml2-2.9.10+dfsg/debian/patches/Fix-memory-leak-in-xmlSchemaValidateStream.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxml2-2.9.10+dfsg/debian/patches/Fix-memory-leak-in-xmlSchemaValidateStream.patch 2020-02-22 23:36:57.000000000 +0100 
@@ -0,0 +1,35 @@ +From: Zhipeng Xie <xiezhipe...@huawei.com> +Date: Tue, 20 Aug 2019 16:33:06 +0800 +Subject: Fix memory leak in xmlSchemaValidateStream +Origin: https://gitlab.gnome.org/GNOME/libxml2/commit/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-20388 +Bug-Debian: https://bugs.debian.org/949583 + +When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun +alloc a new schema for ctxt->schema and set vctxt->xsiAssemble +to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize +vctxt->xsiAssemble to 0 again which cause the alloced schema +can not be freed anymore. + +Found with libFuzzer. + +Signed-off-by: Zhipeng Xie <xiezhipe...@huawei.com> +--- + xmlschemas.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 301c84499d41..39d92182f51f 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) { + vctxt->nberrors = 0; + vctxt->depth = -1; + vctxt->skipDepth = -1; +- vctxt->xsiAssemble = 0; + vctxt->hasKeyrefs = 0; + #ifdef ENABLE_IDC_NODE_TABLES_TEST + vctxt->createIDCNodeTables = 1; +-- +2.20.1 + diff -Nru libxml2-2.9.10+dfsg/debian/patches/series libxml2-2.9.10+dfsg/debian/patches/series --- libxml2-2.9.10+dfsg/debian/patches/series 2020-01-15 22:17:33.000000000 +0100 +++ libxml2-2.9.10+dfsg/debian/patches/series 2020-02-22 23:36:57.000000000 +0100 @@ -1 +1,3 @@ 0002-fix-python-multiarch-includes.patch +Fix-memory-leak-in-xmlSchemaValidateStream.patch +Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch
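Review bot: in the parser.c hunk of Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch, the new `(ctxt->instate != XML_PARSER_EOF)` guard only terminates the loop; nothing in the hunk raises an error at that point, so on EOF the function returns whatever had been decoded so far. That is fine as long as the code that set XML_PARSER_EOF (xmlParseStringEntityRef, per the description) has already reported the error, which is worth confirming so callers cannot mistake a truncated decode for a complete one. The pre-existing `if (c == 0) break;` just inside the loop remains redundant with the `(c != 0)` test in the while condition; harmless, but it could be dropped in a follow-up so all exit conditions live in one place.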
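Review bot: in the xmlschemas.c hunk of Fix-memory-leak-in-xmlSchemaValidateStream.patch, deleting `vctxt->xsiAssemble = 0;` from xmlSchemaPreRun stops the flag set by xmlSchemaSAXPlug from being clobbered, but it also means PreRun no longer initializes the flag at all. Neither the initialization at context creation nor the clearing after the assembled schema is freed is visible in this hunk, so please verify that a validation context reused for a second run does not carry a stale xsiAssemble=1 into it and try to free a schema it does not own. A one-line comment where the reset used to be, explaining why PreRun must not touch the flag, would stop the next reader from reinstating what looks like harmless initialization.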