Re: [xml] Release of libxml2 2.9.13

2022-02-21 Thread Mike Dalessio via xml
This is very helpful. Thanks as always, Nick.

On Mon, Feb 21, 2022 at 11:42 AM Nick Wellnhofer wrote:

> On 21/02/2022 14:57, Mike Dalessio wrote:
> > I'm not asking specifically for a CVSS score for this vulnerability, and I'm
> > certainly not asking you to create a CVE for every memory fix that's found.
> > I'm only asking for a more accessible explanation of the conditions under
> > which an application might be vulnerable to this already-published CVE.
>
> From my limited analysis, there are two scenarios:
>
> 1. When using the reader API (xmlreader.h, xmlTextReader)
>
>    Conditions:
>
>    - Create a reader with parser option XML_PARSE_DTDVALID (or "parser
>      property" XML_PARSER_VALIDATE) but without parser option XML_PARSE_NOENT
>      (XML_PARSER_SUBST_ENTITIES)
>    - Parse an untrusted document
>
>    Impact:
>
>    - Crash (DoS)
>    - Memory disclosure via error channel
>
> 2. When using another parser API
>
>    Conditions:
>
>    - Parse an untrusted document with XML_PARSE_DTDVALID but without
>      XML_PARSE_NOENT
>    - Delete a portion of the resulting document
>    - Call xmlGetID on the document
>
>    Potential impact:
>
>    - Crash (DoS)
>    - Arbitrary memory disclosure
>    - Arbitrary code execution
>
> > Would this be an appropriate explanation for me to include in my security
> > advisory?
> >
> > > An application may be vulnerable to a denial-of-service attack if it parses
> > > an untrusted document with parse options `DTDVALID` on, and `NOENT` off.
>
> No, that's understating the severity. As I tried to explain, it's impossible
> to assess the severity without auditing each and every downstream project.
> Since clever exploitation of use-after-free errors can result in code
> execution, I have to assume the worst case if you force me to make a general
> statement.
>
> DISCLAIMER: I make no guarantees regarding the accuracy and completeness of my
> statements above.
>
> Nick
>
___
xml mailing list, project page  http://xmlsoft.org/
xml@gnome.org
https://mail.gnome.org/mailman/listinfo/xml
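The two scenarios Nick lays out above are the checklist a downstream maintainer actually has to run against their own libxml2 call sites. The triage helper below is an added example, not code from libxml2, Nokogiri or anyone in this thread: it decodes a libxml2 xmlParserOption mask into flag names and applies Nick's conditions (XML_PARSE_DTDVALID set, XML_PARSE_NOENT clear, untrusted input, and for non-reader APIs the delete-then-xmlGetID step) to records of parse calls collected during an audit. The bit values are libxml2's public xmlParserOption values from parser.h; the CallSite fields, the SAMPLE_SITES records and the file locations inside them are constructed for illustration.

```python
"""Triage helper for CVE-2022-23308 exposure at libxml2 call sites.

Added example, not code from the libxml2 project or from the thread. It encodes
the two scenarios described in the thread: the use-after-free is reachable when
an untrusted document is parsed with XML_PARSE_DTDVALID set and XML_PARSE_NOENT
clear; with the reader API that alone suffices, with the tree API the document
must additionally have nodes deleted and xmlGetID called afterwards. Option bit
values are libxml2's public xmlParserOption values (parser.h); the CallSite
records fed in below are constructed for illustration.
"""
from dataclasses import dataclass

# xmlParserOption bit values, as declared in libxml2's parser.h.
XML_PARSE_OPTIONS = {
    "XML_PARSE_RECOVER": 1 << 0,    "XML_PARSE_NOENT": 1 << 1,
    "XML_PARSE_DTDLOAD": 1 << 2,    "XML_PARSE_DTDATTR": 1 << 3,
    "XML_PARSE_DTDVALID": 1 << 4,   "XML_PARSE_NOERROR": 1 << 5,
    "XML_PARSE_NOWARNING": 1 << 6,  "XML_PARSE_PEDANTIC": 1 << 7,
    "XML_PARSE_NOBLANKS": 1 << 8,   "XML_PARSE_SAX1": 1 << 9,
    "XML_PARSE_XINCLUDE": 1 << 10,  "XML_PARSE_NONET": 1 << 11,
    "XML_PARSE_NODICT": 1 << 12,    "XML_PARSE_NSCLEAN": 1 << 13,
    "XML_PARSE_NOCDATA": 1 << 14,   "XML_PARSE_NOXINCNODE": 1 << 15,
    "XML_PARSE_COMPACT": 1 << 16,   "XML_PARSE_OLD10": 1 << 17,
    "XML_PARSE_NOBASEFIX": 1 << 18, "XML_PARSE_HUGE": 1 << 19,
    "XML_PARSE_OLDSAX": 1 << 20,    "XML_PARSE_IGNORE_ENC": 1 << 21,
    "XML_PARSE_BIG_LINES": 1 << 22,
}
_NAME_BY_BIT = {v: k for k, v in XML_PARSE_OPTIONS.items()}
DTDVALID = XML_PARSE_OPTIONS["XML_PARSE_DTDVALID"]
NOENT = XML_PARSE_OPTIONS["XML_PARSE_NOENT"]


def decode_parse_options(mask: int) -> list:
    """Name every bit set in an option mask; unknown bits are reported as 'bit N'."""
    return [_NAME_BY_BIT.get(1 << b, f"bit {b}")
            for b in range(mask.bit_length()) if mask & (1 << b)]


@dataclass(frozen=True)
class CallSite:
    """One libxml2 parse call recorded during an application audit (constructed)."""
    location: str            # hypothetical file:line of the call
    api: str                 # "reader" (xmlTextReader) or "tree" (xmlRead*, SAX tree, ...)
    options: int             # xmlParserOption mask passed to the call
    untrusted_input: bool    # does attacker-controlled XML reach this call?
    frees_nodes_then_xmlGetID: bool = False  # tree API: part of the doc deleted, then xmlGetID


def assess_cve_2022_23308(site: CallSite) -> dict:
    """Apply the conditions from the thread to one call site.

    exposure is "yes", "no" or "review"; "review" means the option combination is
    present on a tree-API call but the delete-then-xmlGetID step could not be
    confirmed from the audit record and needs a manual look.
    """
    finding = {"location": site.location, "exposure": "no", "impact": [],
               "options": decode_parse_options(site.options)}
    validating = bool(site.options & DTDVALID)
    substituting = bool(site.options & NOENT)
    if not (site.untrusted_input and validating and not substituting):
        return finding
    if site.api == "reader":
        finding["exposure"] = "yes"
        finding["impact"] = ["Crash (DoS)", "Memory disclosure via error channel"]
    elif site.frees_nodes_then_xmlGetID:
        finding["exposure"] = "yes"
        finding["impact"] = ["Crash (DoS)", "Arbitrary memory disclosure",
                             "Arbitrary code execution"]
    else:
        finding["exposure"] = "review"
    finding["fix"] = ("Upgrade libxml2 to 2.9.13 or later; until then avoid "
                      "DTD validation of untrusted documents at this call site.")
    return finding


def triage(sites) -> list:
    """Assess every recorded call site, most urgent first."""
    order = {"yes": 0, "review": 1, "no": 2}
    return sorted((assess_cve_2022_23308(s) for s in sites),
                  key=lambda f: order[f["exposure"]])


# Constructed audit records, not from any real project.
SAMPLE_SITES = [
    CallSite("feed/import.c:88", "reader", DTDVALID, untrusted_input=True),
    CallSite("config/load.c:41", "tree", DTDVALID, untrusted_input=False),
    CallSite("api/upload.c:120", "tree", DTDVALID | NOENT, untrusted_input=True),
    CallSite("api/merge.c:203", "tree", DTDVALID, untrusted_input=True,
             frees_nodes_then_xmlGetID=True),
    CallSite("api/preview.c:57", "tree", DTDVALID, untrusted_input=True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SITES):
        print(f"{f['exposure']:6} {f['location']:20} {' | '.join(f['options'])}")
        for impact in f["impact"]:
            print(f"        - {impact}")
```

Run as a script it lists the sample sites sorted by exposure. The trusted-input site and the site that also sets XML_PARSE_NOENT come out as "no" per the thread's conditions; a tree-API site that validates untrusted input without NOENT but whose later node deletion and xmlGetID use are unknown is marked "review" rather than cleared, which is the conservative reading of Nick's second scenario.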


Re: [xml] Release of libxml2 2.9.13

2022-02-21 Thread Mike Dalessio via xml
Hi Nick,

I understand and appreciate the general difficulty of scoring severity
without some application-specific context. And I don't disagree with your
take on CVSS scores for libraries.

However, downstream maintainers may want to issue our own security
advisories so that our users can make an informed decision about
mitigation. When there is a published CVE (whether you created it or not),
expectations are usually higher with respect to information disclosure and
evaluation, and I'd like to be able to answer any questions that I get.

In some cases, like libxslt's CVE-2021-30560, this is easy: it's possible
to find a working exploit and CVSS score and I can confidently tell my
users to upgrade if they're using an untrusted stylesheet. However, in the
specific case of CVE-2022-23308 it's more challenging to determine how and
whether my users are impacted.

I'm not asking specifically for a CVSS score for this vulnerability, and
I'm certainly not asking you to create a CVE for every memory fix that's
found. I'm only asking for a more accessible explanation of the conditions
under which an application might be vulnerable to this already-published
CVE.

Would this be an appropriate explanation for me to include in my security
advisory?

> An application may be vulnerable to a denial-of-service attack if it
> parses an untrusted document with parse options `DTDVALID` on, and `NOENT`
> off.

Again, thanks for the work you're doing. I hope you understand I'm not
trying to be pedantic, I'm only trying to keep my users informed and give
them good advice.


On Sun, Feb 20, 2022 at 6:09 PM Nick Wellnhofer wrote:

> On 20/02/2022 20:50, Mike Dalessio wrote:
> > Is there any additional information about CVE-2022-23308 (other than the
> > commit log) that would help downstream projects triage? Was there a CVSS score
> > calculated or severity assigned?
>
> In this case, the CVE record is managed by a third party. It should be made
> public soon, but I have no influence on that. In my personal opinion, the
> whole CVE system is severely flawed with regard to OSS projects. Basically,
> anyone can request a CVE ID for arbitrary projects without having to
> coordinate with maintainers.
>
> It's often hard, if not impossible, to come up with meaningful CVSS scores for
> vulnerabilities in software libraries. If there's a flaw in a certain library
> function, it really depends on how this function is used by downstream projects.
> If you look at major Linux distros, there are 500+ projects with a direct
> dependency on libxml2, and thousands with an indirect dependency. Most of them
> don't call the vulnerable functions at all, some others are libraries
> themselves, so it all depends on their users.
>
> There are quite a few preconditions to be met to trigger a use-after-free in
> this particular case, so I'm not overly concerned. Even then, it seems
> anything but trivial to come up with a serious exploit. But I'm not really an
> expert and you never can tell without auditing tens or hundreds of downstream
> projects. Besides, I only have limited resources to assess the impact of
> security issues, and it's always possible that I missed something.
>
> Note that for some reason, GitLab truncates the commit message after ~1000
> characters with no obvious way to expand it, at least on gitlab.gnome.org. You
> can see the full commit message on the GitHub mirror:
>
> https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e
>
> Nick
>


Re: [xml] Release of libxml2 2.9.13

2022-02-20 Thread Mike Dalessio via xml
Nick, thank you for shipping this release!

Is there any additional information about CVE-2022-23308 (other than the
commit log) that would help downstream projects triage? Was there a CVSS
score calculated or severity assigned?

On Sun, Feb 20, 2022 at 7:53 AM Nick Wellnhofer via xml wrote:

> Version 2.9.13 of libxml2 is available at:
>
>  https://download.gnome.org/sources/libxml2/2.9/
>
> Note that starting with this release, libxml2 tarballs are published on
> download.gnome.org instead of ftp.xmlsoft.org.
>
> ### Security
>
> - [CVE-2022-23308] Use-after-free of ID and IDREF attributes
>   (Thanks to Shinji Sato for the report)
> - Use-after-free in xmlXIncludeCopyRange (David Kilzer)
> - Fix null deref in xmlSchemaGetComponentTargetNs (huangduirong)
> - Fix memory leak in xmlXPathCompNodeTest
> - Fix null pointer deref in xmlStringGetNodeList
> - Fix several memory leaks found by Coverity (David King)
>
> ### Fixed regressions
>
> - Fix regression in RelaxNG pattern matching
> - Properly handle nested documents in xmlFreeNode
> - Fix regression with PEs in external DTD
> - Fix random dropping of characters on dumping ASCII encoded XML (Mohammad
>   Razavi)
> - Revert "Make schema validation fail with multiple top-level elements"
> - Fix regression when parsing invalid HTML tags in push mode
> - Fix regression parsing public IDs literals in HTML
> - Fix buffering in xmlOutputBufferWrite
> - Fix whitespace when serializing empty HTML documents
> - Fix XPath recursion limit
> - Fix regression in xmlNodeDumpOutputInternal
> - Work around lxml API abuse
>
> ### Bug fixes
>
> - Fix xmlSetTreeDoc with entity references
> - Fix double counting of CRLF in comments
> - Make sure to grow input buffer in xmlParseMisc
> - Don't ignore xmllint options after "-"
> - Don't normalize namespace URIs in XPointer xmlns() scheme
> - Fix handling of XSD with empty namespace
> - Also register HTML document nodes
> - Make xmllint return an error if arguments are missing
> - Fix handling of ctxt->base in xmlXPtrEvalXPtrPart
> - Fix xmllint --maxmem
> - Fix htmlReadFd, which was using a mix of xml and html context functions
>   (Finn Barber)
> - Move current position before possible calling of ctxt->sax->characters
>   (Yulin Li)
> - Fix parse failure when 4-byte character in UTF-16 BE is split across a chunk
>   (David Kilzer)
> - Patch to forbid epsilon-reduction of final states (Arne Becker)
> - Avoid segfault at exit when using custom memory functions (Mike Dalessio)
>
> ### Tests, code quality, fuzzing
>
> - Remove .travis.yml
> - Make xmlFuzzReadString return a zero size in error case
> - Fix unused function warning in testapi.c
> - Update NewsML DTD in test suite
> - Add more checks for malloc failures in xmllint.c
> - Avoid potential integer overflow in xmlstring.c
> - Run CI tests with UBSan implicit-conversion checks
> - Fix casting of line numbers in SAX2.c
> - Fix integer conversion warnings in hash.c
> - Add explicit casts in runtest.c
> - Fix integer conversion warning in xmlIconvWrapper
> - Add suffix to unsigned constant in xmlmemory.c
> - Add explicit casts in testchar.c
> - Fix integer conversion warnings in xmlstring.c
> - Add explicit cast in xmlURIUnescapeString
> - Remove unused variable in xmlCharEncOutFunc (David King)
>
> ### Build system, portability
>
> - Remove xmlwin32version.h
> - Fix fuzzer test with VPATH build
> - Support custom prefix when installing Python module
> - Remove Makefile.win
> - Remove CVS and SVN-related code
> - Port python 3.x module to Windows and improve distutils (Chun-wei Fan)
> - Correctly install the HTML examples into their subdirectory (Mattia Rizzolo)
> - Refactor the settings of $docdir (Mattia Rizzolo)
> - Remove unused configure checks (Ben Boeckel)
> - python/Makefile.am: use *_LIBADD, not *_LDFLAGS for LIBS (Sam James)
> - Fix check for libtool in autogen.sh
> - Use version in configure.ac for CMake (Timothy Lyanguzov)
> - Add CMake alias targets for embedded projects (Markus Rickert)
>
> ### Documentation
>
> - Remove SVN keyword anchors
> - Rework README
> - Remove README.cvs-commits
> - Remove old ChangeLog
> - Update hyperlinks
> - Remove README.docs
> - Remove MAINTAINERS
> - Remove xmltutorial.pdf
> - Upload documentation to GitLab pages
> - Document how to escape XML_CATALOG_FILES
> - Fix libxml2.doap
> - Update URL for libxml++ C++ binding (Kjell Ahlstedt)
> - Generate devhelp2 index file (Emmanuele Bassi)
> - Mention XML_CATALOG_FILES is space-separated (Jan Tojnar)
> - Add documentation for xmllint exit code 10 (Rainer Canavan)
> - Fix some validation errors in the FAQ (David King)
> - Add instructions on how to use CMake to compile libxml (Markus Rickert)
>
> Thanks to all contributors!
>
> Nick
>

Re: [xml] Resuming maintenance

2022-01-10 Thread Mike Dalessio via xml
I'm so happy to hear that you'll be able to spend time on libxml2 this
year, Nick. Thank you and thanks to Google.

Although I'm relieved, the potential loss of maintainers from the project was
alarming. Perhaps another goal to consider for the year is to expand the
pool of contributors and maintainers. I (and others, I assume) am
interested in volunteering more time so that the burden isn't carried by
you alone, and so that if in the future you're unable to secure funding the
user community will be able to sustain that loss.

Thanks again, and please think about what work volunteers can pick up to
get more involved.

On Mon, Jan 10, 2022 at 9:20 AM Nick Wellnhofer via xml wrote:

> Hello,
>
> Thanks to a donation from Google, I'm able to resume maintenance of libxml2
> (and libxslt) for the remainder of 2022.
>
> My immediate plans are:
>
> - Make a bug fix release fixing many regressions.
> - Establish a new release schedule, possibly with multiple branches being
>   maintained.
> - Move releases from the old FTP server to GNOME's Gitlab infrastructure.
> - Move documentation to GNOME infrastructure.
> - Set up an official way to sponsor libxml2 maintainers.
>
> In the future I'll focus less on security improvements and more on typical
> maintenance duties like bug fixes and modernizing the code base in a few ways.
>
> Thanks (again) to Google for making this possible.
>
> Nick


Re: [xml] Stepping down

2021-07-25 Thread Mike Dalessio via xml
Nick,

I'm very sorry to hear that you're stepping away from the project. You've
done an enormous amount of work over the past few years, and you'll be
missed.

Thanks for everything, and I hope to get to work with you again at some
point in the future.

On Thu, Jul 22, 2021 at 7:23 AM Nick Wellnhofer via xml wrote:

> I never really asked for it but in the last years I became de-facto maintainer
> of both libxml2 and libxslt. Luckily, I was able to fund my involvement
> through Chrome VRP bug bounties and OSS-Fuzz integration rewards. Big thanks
> to Google for these outstanding programs.
>
> Unfortunately, returns from security research are diminishing quickly and I
> see no way to obtain a minimal level of funding anymore. So I'm stepping down
> as contributor and maintainer.
>
> Thanks to everyone who reported bugs and contributed patches!
>
> Nick
>


Re: [xml] Trouble figuring out xmlregexp regular expressions

2021-03-20 Thread Mike Dalessio via xml
Hi Tim,

I don't know much about the regular expression support, but there does
appear to be a test harness that exercises it. You may want to take a look
at https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/testRegexp.c.

-m


On Sat, Mar 20, 2021 at 12:05 AM Timothy Wrona via xml wrote:

> Hi,
>
> I am working on a library that will need to parse strings using regular
> expressions conformant to the XML Schema regular expression grammar (
> https://www.regular-expressions.info/xml.html). I ended up coming across
> libxml2 and it looks very promising, but I can't seem to figure out how the
> xmlregexp portion of the library works. I read through the autogenerated
> documentation http://xmlsoft.org/html/libxml-xmlregexp.html, but it isn't
> really clear exactly where to start. Is there anywhere I can find some
> examples of the regular expression portion of the library in use?
>
> Thanks,
> Tim


Re: [xml] Entering freeze for libxml2-2.9.10

2019-10-28 Thread Mike Dalessio via xml
Hi all,

Just FYI - the Nokogiri (Ruby gem wrapping libxml2) test pipelines are all
*green* with 2.9.10-rc1.

See https://ci.nokogiri.org/teams/nokogiri-core/pipelines/nokogiri-libxml-2.9.10
for details, but RC1 looks good from here.

-m


On Mon, Oct 28, 2019 at 10:12 AM Daniel Veillard via xml wrote:

> On Mon, Oct 28, 2019 at 02:35:06PM +0100, Christoph M. Becker wrote:
> > Hi,
> >
> > On 28.10.2019 at 10:06, Daniel Veillard via xml wrote:
> >
> > >   In the absence of feedback or changes since RC1, I am not pushing
> > > an RC2 for libxml2-2.9.10, assume a final release for Wed or Thursday,
> > >
> > >   in the meantime, please give it a try !
> >
> > I just ran the php-src test suite for all relevant PHP extensions using
> > libxml2, and I detected no regression compared to 2.9.9 (besides some
> > minor error reporting difference regarding a broken XML file [1]).
> >
> > So RC1 looks good to me.  Thanks!
> >
> > [1] <https://github.com/php/php-src/blob/php-7.3.11/ext/dom/tests/not_well_formed.xml>
> >
> > Regards,
> > Christoph
>
>   Cool, thanks for the report Christoph !
>
> Daniel
>
> --
> Daniel Veillard  | Red Hat Developers Tools  http://developer.redhat.com/
> veill...@redhat.com  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
> http://veillard.com/ | virtualization library  http://libvirt.org/
>


Re: [xml] Entering freeze for release of libxml2-2.9.9

2018-12-13 Thread Mike Dalessio via xml
Hi Daniel,

I'm curious if you have an updated release schedule for 2.9.9 final?

Thanks much for coordinating this release.

-m


On Thu, Nov 29, 2018 at 4:58 PM Daniel Veillard via xml wrote:

>   I pushed RC2 in git and pushed signed tarball and rpms to the usual place:
>
>    ftp://xmlsoft.org/libxml2
>
> we have a couple of issues which were raised against rc1 and not completely
> solved, depending on how we resolve those and if no new ones pop-up I
> will either push an rc3 around Monday or proceed to 2.9.9 release.
>
>   So please continue to give it some testing,
>
>    thanks everybody,
>
> Daniel
>
> --
> Daniel Veillard  | Red Hat Developers Tools  http://developer.redhat.com/
> veill...@redhat.com  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
> http://veillard.com/ | virtualization library  http://libvirt.org/


Re: [xml] Entering freeze for release of libxml2-2.9.9

2018-12-01 Thread Mike Dalessio via xml
Nokogiri (a Ruby wrapper around libxml2) went green with RC2. I'll keep
this github PR up to date as more RCs or the Final get released:
https://github.com/sparklemotion/nokogiri/pull/1824

On Thu, Nov 29, 2018 at 4:58 PM Daniel Veillard via xml wrote:

>   I pushed RC2 in git and pushed signed tarball and rpms to the usual place:
>
>    ftp://xmlsoft.org/libxml2
>
> we have a couple of issues which were raised against rc1 and not completely
> solved, depending on how we resolve those and if no new ones pop-up I
> will either push an rc3 around Monday or proceed to 2.9.9 release.
>
>   So please continue to give it some testing,
>
>    thanks everybody,
>
> Daniel
>
> --
> Daniel Veillard  | Red Hat Developers Tools  http://developer.redhat.com/
> veill...@redhat.com  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
> http://veillard.com/ | virtualization library  http://libvirt.org/