Re: [xml] Release of libxml2 2.9.13

2022-02-23 Thread Stefan Behnel

Nick Wellnhofer wrote on 23.02.22 at 11:36:
> I asked on GNOME infra if it is possible to offer .tar.gz downloads, but
> this would require changes to the upload script.


Thanks for asking.

Stefan
___
xml mailing list, project page  http://xmlsoft.org/
xml@gnome.org
https://mail.gnome.org/mailman/listinfo/xml


Re: [xml] Release of libxml2 2.9.13

2022-02-23 Thread Nick Wellnhofer via xml

On 23/02/2022 08:17, Stefan Behnel wrote:
> Could you make the archives available in a (second) format that matches all
> (previous) releases?


The archives are automatically converted to .tar.xz when uploaded to the GNOME 
download server. I have no influence on that. Personally, I'd prefer .tar.gz 
for compatibility reasons, but I don't have a strong opinion.


I asked on GNOME infra if it is possible to offer .tar.gz downloads, but this 
would require changes to the upload script.


https://gitlab.gnome.org/Infrastructure/Infrastructure/-/issues/768

Nick


Re: [xml] Release of libxml2 2.9.13

2022-02-22 Thread Stefan Behnel

Nick Wellnhofer via xml wrote on 20.02.22 at 13:53:

> Version 2.9.13 of libxml2 is available at:
>
>      https://download.gnome.org/sources/libxml2/2.9/


Thank you for the release, Nick!


> Note that starting with this release, libxml2 tarballs are published on
> download.gnome.org instead of ftp.xmlsoft.org.


I noticed that they now use xz compression, whereas they were simply gzip 
compressed before. libxslt also changed the compression. That makes it more 
difficult to download them automatically, because scripts that want to list 
the available files now have to search for different file names. Also, 
Python 2.7 does not have built-in lzma compression support and needs an 
external module in order to handle it. (Both gz and bz2 have been supported 
essentially forever, OTOH.)


And it seems that xz is not considered safe for long-term storage by everyone:

https://www.nongnu.org/lzip/xz_inadequate.html

Could you make the archives available in a (second) format that matches all 
(previous) releases? Apparently, both libxml2 and libxslt were made 
available with gz and bz2 compression before. Either of them would probably 
be fine. bz2 seems to compress equally well as xz here. (And compression 
speed, where bz2 suffers a bit, was never an issue for downloads anyway, 
just decompression speed, where all three are fine.)


Thanks,
Stefan


Re: [xml] Release of libxml2 2.9.13

2022-02-21 Thread Mike Dalessio via xml
This is very helpful. Thanks as always, Nick.



Re: [xml] Release of libxml2 2.9.13

2022-02-21 Thread Nick Wellnhofer via xml

On 21/02/2022 14:57, Mike Dalessio wrote:
> I'm not asking specifically for a CVSS score for this vulnerability, and I'm
> certainly not asking you to create a CVE for every memory fix that's found.
> I'm only asking for a more accessible explanation of the conditions under
> which an application might be vulnerable to this already-published CVE.


From my limited analysis, there are two scenarios:

1. When using the reader API (xmlreader.h, xmlTextReader)

  Conditions:

  - Create a reader with parser option XML_PARSE_DTDVALID (or "parser
    property" XML_PARSER_VALIDATE) but without parser option XML_PARSE_NOENT
    (XML_PARSER_SUBST_ENTITIES)
  - Parse an untrusted document

  Impact:

  - Crash (DoS)
  - Memory disclosure via error channel

2. When using another parser API

  Conditions:

  - Parse an untrusted document with XML_PARSE_DTDVALID but without
    XML_PARSE_NOENT
  - Delete a portion of the resulting document
  - Call xmlGetID on the document

  Potential impact:

  - Crash (DoS)
  - Arbitrary memory disclosure
  - Arbitrary code execution

> Would this be an appropriate explanation for me to include in my security
> advisory?
>
> > An application may be vulnerable to a denial-of-service attack if it parses
> > an untrusted document with parse options `DTDVALID` on, and `NOENT` off.


No, that's understating the severity. As I tried to explain, it's impossible 
to assess the severity without auditing each and every downstream project. 
Since clever exploitation of use-after-free errors can result in code 
execution, I have to assume the worst case if you force me to make a general 
statement.


DISCLAIMER: I make no guarantees regarding the accuracy and completeness of my 
statements above.


Nick
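
A source-level triage check for the two scenarios listed in the message above, as an added example that is not part of the original message or of libxml2: it scans C source text for a subset of libxml2 parser entry points and flags calls whose option argument contains XML_PARSE_DTDVALID without XML_PARSE_NOENT. The sample source, the verdict labels and the file-wide test for node deletion plus xmlGetID are assumptions of this example; options passed through variables are only marked for manual review, and the XML_PARSER_VALIDATE reader property is not tracked.

```python
import re

# Subset of libxml2 entry points whose last argument is the parser-option bitmask.
READER_API = {"xmlReaderForFile", "xmlReaderForMemory", "xmlReaderForDoc", "xmlReaderForFd"}
TREE_API = {"xmlReadFile", "xmlReadMemory", "xmlReadDoc", "xmlReadFd",
            "xmlCtxtReadFile", "xmlCtxtReadMemory", "xmlCtxtReadDoc"}
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(sorted(READER_API | TREE_API)))

# Verdict labels (wording chosen for this example).
S1 = "scenario 1: reader API, DTDVALID without NOENT"
S2 = "scenario 2: tree API, DTDVALID without NOENT, node deletion and xmlGetID present"
S2_PARTIAL = "DTDVALID without NOENT, other scenario 2 conditions not seen"
REVIEW = "manual review: options are not a literal flag expression"
NO_MATCH = "no match"

# Constructed sample source, not taken from any real project.
SAMPLE = r'''
#include <libxml/parser.h>
#include <libxml/xmlreader.h>
void a(const char *path) {
    xmlTextReaderPtr r = xmlReaderForFile(path, NULL,
        XML_PARSE_DTDVALID | XML_PARSE_NONET);
}
void b(const char *buf, int len) {
    xmlDocPtr d = xmlReadMemory(buf, len, "in.xml", NULL, XML_PARSE_DTDVALID);
    xmlNodePtr n = xmlDocGetRootElement(d)->children;
    xmlUnlinkNode(n); xmlFreeNode(n);
    xmlGetID(d, BAD_CAST "x");
}
void c(const char *path, int opts) {
    xmlDocPtr d1 = xmlReadFile(path, NULL, XML_PARSE_DTDVALID | XML_PARSE_NOENT);
    xmlDocPtr d2 = xmlReadFile(path, NULL, opts);
}
'''


def call_args(src, open_idx):
    """Split the call whose '(' is at open_idx into top-level arguments.
    Textual only: parentheses or commas inside string literals are not handled."""
    depth, start, args = 0, open_idx + 1, []
    for i in range(open_idx, len(src)):
        ch = src[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append(src[start:i].strip())
                return args
        elif ch == "," and depth == 1:
            args.append(src[start:i].strip())
            start = i + 1
    return args  # unbalanced call: return what was collected


def audit(src):
    """Return (line, function, verdict) for every parser call found in src."""
    # Scenario 2 also needs node deletion and an xmlGetID call; this example
    # only checks whether both appear anywhere in the same source text.
    deletes = re.search(r"\bxml(UnlinkNode|FreeNode)\s*\(", src) is not None
    get_id = re.search(r"\bxmlGetID\s*\(", src) is not None
    findings = []
    for m in CALL_RE.finditer(src):
        func = m.group(1)
        args = call_args(src, m.end() - 1)
        opts = args[-1] if args else ""
        line = src.count("\n", 0, m.start()) + 1
        # Exact token match, so XML_PARSE_NONET is not mistaken for XML_PARSE_NOENT.
        flags = set(re.findall(r"\bXML_PARSE_[A-Z0-9_]+\b", opts))
        if not flags:
            verdict = NO_MATCH if opts == "0" else REVIEW
        elif "XML_PARSE_DTDVALID" not in flags or "XML_PARSE_NOENT" in flags:
            verdict = NO_MATCH
        elif func in READER_API:
            verdict = S1
        else:
            verdict = S2 if deletes and get_id else S2_PARTIAL
        findings.append((line, func, verdict))
    return findings
```

A "no match" verdict only means the textual pattern was not found at that call site; it says nothing about options assembled elsewhere in the program.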


Re: [xml] Release of libxml2 2.9.13

2022-02-21 Thread Mike Dalessio via xml
Hi Nick,

I understand and appreciate the general difficulty of scoring severity
without some application-specific context. And I don't disagree with your
take on CVSS scores for libraries.

However, downstream maintainers may want to issue our own security
advisories so that our users can make an informed decision about
mitigation. When there is a published CVE (whether you created it or not),
expectations are usually higher with respect to information disclosure and
evaluation, and I'd like to be able to answer any questions that I get.

In some cases, like libxslt's CVE-2021-30560, this is easy: it's possible
to find a working exploit and CVSS score and I can confidently tell my
users to upgrade if they're using an untrusted stylesheet. However, in the
specific case of CVE-2022-23308 it's more challenging to determine how and
whether my users are impacted.

I'm not asking specifically for a CVSS score for this vulnerability, and
I'm certainly not asking you to create a CVE for every memory fix that's
found. I'm only asking for a more accessible explanation of the conditions
under which an application might be vulnerable to this already-published
CVE.

Would this be an appropriate explanation for me to include in my security
advisory?

> An application may be vulnerable to a denial-of-service attack if it
parses an untrusted document with parse options `DTDVALID` on, and `NOENT`
off.

Again, thanks for the work you're doing. I hope you understand I'm not
trying to be pedantic, I'm only trying to keep my users informed and give
them good advice.




Re: [xml] Release of libxml2 2.9.13

2022-02-20 Thread Nick Wellnhofer via xml

On 20/02/2022 20:50, Mike Dalessio wrote:
> Is there any additional information about CVE-2022-23308 (other than the
> commit log) that would help downstream projects triage? Was there a CVSS score
> calculated or severity assigned?


In this case, the CVE record is managed by a third party. It should be made 
public soon, but I have no influence on that. In my personal opinion, the 
whole CVE system is severely flawed with regard to OSS projects. Basically, 
anyone can request a CVE ID for arbitrary projects without having to 
coordinate with maintainers.


It's often hard, if not impossible, to come up with meaningful CVSS scores for 
vulnerabilities in software libraries. If there's a flaw in a certain library 
function, it really depends on how this function is used by downstream projects. 
If you look at major Linux distros, there are 500+ projects with a direct 
dependency on libxml2, and thousands with an indirect dependency. Most of them 
don't call the vulnerable functions at all, some others are libraries 
themselves, so it all depends on their users.


There are quite a few preconditions to be met to trigger a use-after-free in 
this particular case, so I'm not overly concerned. Even then, it seems 
anything but trivial to come up with a serious exploit. But I'm not really an 
expert and you never can tell without auditing tens or hundreds of downstream 
projects. Besides, I only have limited resources to assess the impact of 
security issues, and it's always possible that I missed something.


Note that for some reason, GitLab truncates the commit message after ~1000 
characters with no obvious way to expand it, at least on gitlab.gnome.org. You 
can see the full commit message on the GitHub mirror:



https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e

Nick





Re: [xml] Release of libxml2 2.9.13

2022-02-20 Thread Mike Dalessio via xml
Nick, thank you for shipping this release!

Is there any additional information about CVE-2022-23308 (other than the
commit log) that would help downstream projects triage? Was there a CVSS
score calculated or severity assigned?


Re: [xml] Release of libxml2 2.9.13

2022-02-20 Thread Jeffrey Walton via xml
Thank you very much for this, Nick.

Jeff


[xml] Release of libxml2 2.9.13

2022-02-20 Thread Nick Wellnhofer via xml

Version 2.9.13 of libxml2 is available at:

https://download.gnome.org/sources/libxml2/2.9/

Note that starting with this release, libxml2 tarballs are published on 
download.gnome.org instead of ftp.xmlsoft.org.


### Security

- [CVE-2022-23308] Use-after-free of ID and IDREF attributes
  (Thanks to Shinji Sato for the report)
- Use-after-free in xmlXIncludeCopyRange (David Kilzer)
- Fix null deref in xmlSchemaGetComponentTargetNs (huangduirong)
- Fix memory leak in xmlXPathCompNodeTest
- Fix null pointer deref in xmlStringGetNodeList
- Fix several memory leaks found by Coverity (David King)

### Fixed regressions

- Fix regression in RelaxNG pattern matching
- Properly handle nested documents in xmlFreeNode
- Fix regression with PEs in external DTD
- Fix random dropping of characters on dumping ASCII encoded XML (Mohammad
  Razavi)
- Revert "Make schema validation fail with multiple top-level elements"
- Fix regression when parsing invalid HTML tags in push mode
- Fix regression parsing public IDs literals in HTML
- Fix buffering in xmlOutputBufferWrite
- Fix whitespace when serializing empty HTML documents
- Fix XPath recursion limit
- Fix regression in xmlNodeDumpOutputInternal
- Work around lxml API abuse

### Bug fixes

- Fix xmlSetTreeDoc with entity references
- Fix double counting of CRLF in comments
- Make sure to grow input buffer in xmlParseMisc
- Don't ignore xmllint options after "-"
- Don't normalize namespace URIs in XPointer xmlns() scheme
- Fix handling of XSD with empty namespace
- Also register HTML document nodes
- Make xmllint return an error if arguments are missing
- Fix handling of ctxt->base in xmlXPtrEvalXPtrPart
- Fix xmllint --maxmem
- Fix htmlReadFd, which was using a mix of xml and html context functions
  (Finn Barber)
- Move current position before possible calling of ctxt->sax->characters
  (Yulin Li)
- Fix parse failure when 4-byte character in UTF-16 BE is split across a chunk
  (David Kilzer)
- Patch to forbid epsilon-reduction of final states (Arne Becker)
- Avoid segfault at exit when using custom memory functions (Mike Dalessio)

### Tests, code quality, fuzzing

- Remove .travis.yml
- Make xmlFuzzReadString return a zero size in error case
- Fix unused function warning in testapi.c
- Update NewsML DTD in test suite
- Add more checks for malloc failures in xmllint.c
- Avoid potential integer overflow in xmlstring.c
- Run CI tests with UBSan implicit-conversion checks
- Fix casting of line numbers in SAX2.c
- Fix integer conversion warnings in hash.c
- Add explicit casts in runtest.c
- Fix integer conversion warning in xmlIconvWrapper
- Add suffix to unsigned constant in xmlmemory.c
- Add explicit casts in testchar.c
- Fix integer conversion warnings in xmlstring.c
- Add explicit cast in xmlURIUnescapeString
- Remove unused variable in xmlCharEncOutFunc (David King)

### Build system, portability

- Remove xmlwin32version.h
- Fix fuzzer test with VPATH build
- Support custom prefix when installing Python module
- Remove Makefile.win
- Remove CVS and SVN-related code
- Port python 3.x module to Windows and improve distutils (Chun-wei Fan)
- Correctly install the HTML examples into their subdirectory (Mattia Rizzolo)
- Refactor the settings of $docdir (Mattia Rizzolo)
- Remove unused configure checks (Ben Boeckel)
- python/Makefile.am: use *_LIBADD, not *_LDFLAGS for LIBS (Sam James)
- Fix check for libtool in autogen.sh
- Use version in configure.ac for CMake (Timothy Lyanguzov)
- Add CMake alias targets for embedded projects (Markus Rickert)

### Documentation

- Remove SVN keyword anchors
- Rework README
- Remove README.cvs-commits
- Remove old ChangeLog
- Update hyperlinks
- Remove README.docs
- Remove MAINTAINERS
- Remove xmltutorial.pdf
- Upload documentation to GitLab pages
- Document how to escape XML_CATALOG_FILES
- Fix libxml2.doap
- Update URL for libxml++ C++ binding (Kjell Ahlstedt)
- Generate devhelp2 index file (Emmanuele Bassi)
- Mention XML_CATALOG_FILES is space-separated (Jan Tojnar)
- Add documentation for xmllint exit code 10 (Rainer Canavan)
- Fix some validation errors in the FAQ (David King)
- Add instructions on how to use CMake to compile libxml (Markus Rickert)

Thanks to all contributors!

Nick
