diff -Nru libxml2-2.9.1+dfsg1/debian/changelog libxml2-2.9.1+dfsg1/debian/changelog --- libxml2-2.9.1+dfsg1/debian/changelog 2014-10-16 19:30:49.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/changelog 2015-11-13 13:58:39.000000000 +0000 @@ -1,3 +1,22 @@ +libxml2 (2.9.1+dfsg1-3ubuntu4.5) trusty-security; urgency=medium + + * SECURITY UPDATE: denial of service via XEE attack + - debian/patches/CVE-2015-1819.patch: enforce the reader to run in + constant memory in buf.c, include/libxml/tree.h, xmlreader.c. + - CVE-2015-1819 + * SECURITY UPDATE: denial of service via out-of-bounds read + - debian/patches/CVE-2015-7941.patch: stop parsing on entities + boundaries errors in parser.c. + - CVE-2015-7941 + * SECURITY UPDATE: overflow in conditional sections + - debian/patches/CVE-2015-7942.patch: properly check input in parser.c. + - CVE-2015-7942 + * SECURITY UPDATE: denial of service via crafted document with xz + - debian/patches/CVE-2015-8035.patch: check for error in xzlib.c. + - CVE-2015-8035 + + -- Marc Deslauriers Fri, 13 Nov 2015 08:58:16 -0500 + libxml2 (2.9.1+dfsg1-3ubuntu4.4) trusty-security; urgency=medium * SECURITY UPDATE: denial of service via entity expansion diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-1819.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-1819.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-1819.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-1819.patch 2015-11-13 13:57:29.000000000 +0000 @@ -0,0 +1,173 @@ +From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 14 Apr 2015 17:41:48 +0800 +Subject: CVE-2015-1819 Enforce the reader to run in constant memory + +One of the operation on the reader could resolve entities +leading to the classic expansion issue. Make sure the +buffer used for xmlreader operation is bounded. +Introduce a new allocation type for the buffers for this effect. +--- + buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++- + include/libxml/tree.h | 3 ++- + xmlreader.c | 20 +++++++++++++++++++- + 3 files changed, 63 insertions(+), 3 deletions(-) + +Index: libxml2-2.9.1+dfsg1/buf.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/buf.c 2015-11-13 08:57:26.800279755 -0500 ++++ libxml2-2.9.1+dfsg1/buf.c 2015-11-13 08:57:26.796279703 -0500 +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include /* for XML_MAX_TEXT_LENGTH */ + #include "buf.h" + + #define WITH_BUFFER_COMPAT +@@ -299,7 +300,8 @@ + if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) || + (scheme == XML_BUFFER_ALLOC_EXACT) || + (scheme == XML_BUFFER_ALLOC_HYBRID) || +- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) { ++ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) || ++ (scheme == XML_BUFFER_ALLOC_BOUNDED)) { + buf->alloc = scheme; + if (buf->buffer) + buf->buffer->alloc = scheme; +@@ -458,6 +460,18 @@ + size = buf->use + len + 100; + #endif + ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || ++ (buf->size >= XML_MAX_TEXT_LENGTH)) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(0); ++ } ++ if (size >= XML_MAX_TEXT_LENGTH) ++ size = XML_MAX_TEXT_LENGTH; ++ } + if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { + size_t start_buf = buf->content - buf->contentIO; + +@@ -739,6 +753,15 @@ + CHECK_COMPAT(buf) + + if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (size >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(0); ++ } ++ } + + /* Don't resize if we don't have to */ + if (size < buf->size) +@@ -867,6 +890,15 @@ + + needSize = buf->use + len + 2; + if (needSize > buf->size){ ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (needSize >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(-1); ++ } ++ } + if (!xmlBufResize(buf, needSize)){ + xmlBufMemoryError(buf, "growing buffer"); + return XML_ERR_NO_MEMORY; +@@ -938,6 +970,15 @@ + } + needSize = buf->use + len + 2; + if (needSize > buf->size){ ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (needSize >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(-1); ++ } ++ } + if (!xmlBufResize(buf, needSize)){ + xmlBufMemoryError(buf, "growing buffer"); + return XML_ERR_NO_MEMORY; +Index: libxml2-2.9.1+dfsg1/include/libxml/tree.h +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/include/libxml/tree.h 2015-11-13 08:57:26.800279755 -0500 ++++ libxml2-2.9.1+dfsg1/include/libxml/tree.h 2015-11-13 08:57:26.800279755 -0500 +@@ -76,7 +76,8 @@ + XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */ + XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */ + XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */ +- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */ ++ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */ ++ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */ + } xmlBufferAllocationScheme; + + /** +Index: libxml2-2.9.1+dfsg1/xmlreader.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/xmlreader.c 2015-11-13 08:57:26.800279755 -0500 ++++ libxml2-2.9.1+dfsg1/xmlreader.c 2015-11-13 08:57:26.800279755 -0500 +@@ -2077,6 +2077,9 @@ + "xmlNewTextReader : malloc failed\n"); + return(NULL); + } ++ /* no operation on a reader should require a huge buffer */ ++ xmlBufSetAllocationScheme(ret->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); + if (ret->sax == NULL) { + xmlBufFree(ret->buffer); +@@ -3602,6 +3605,7 @@ + return(((xmlNsPtr) node)->href); + case XML_ATTRIBUTE_NODE:{ + xmlAttrPtr attr = (xmlAttrPtr) node; ++ const xmlChar *ret; + + if ((attr->children != NULL) && + (attr->children->type == XML_TEXT_NODE) && +@@ -3615,10 +3619,21 @@ + "xmlTextReaderSetup : malloc failed\n"); + return (NULL); + } ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + } else + xmlBufEmpty(reader->buffer); + xmlBufGetNodeContent(reader->buffer, node); +- return(xmlBufContent(reader->buffer)); ++ ret = xmlBufContent(reader->buffer); ++ if (ret == NULL) { ++ /* error on the buffer best to reallocate */ ++ xmlBufFree(reader->buffer); ++ reader->buffer = xmlBufCreateSize(100); ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); ++ ret = BAD_CAST ""; ++ } ++ return(ret); + } + break; + } +@@ -5117,6 +5132,9 @@ + "xmlTextReaderSetup : malloc failed\n"); + return (-1); + } ++ /* no operation on a reader should require a huge buffer */ ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + if (reader->sax == NULL) + reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); + if (reader->sax == NULL) { diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7941.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7941.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7941.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7941.patch 2015-11-13 13:57:41.000000000 +0000 @@ -0,0 +1,45 @@ +Description: fix denial of service via out-of-bounds read +Origin: upstream, https://git.gnome.org/browse/libxml2/commit/?id=a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 +Origin: upstream, https://git.gnome.org/browse/libxml2/commit/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489 +Bug: https://bugzilla.gnome.org/show_bug.cgi?id=744980 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783010 + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-11-13 08:57:39.460444801 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-11-13 08:57:39.460444801 -0500 +@@ -5653,6 +5653,7 @@ + if (RAW != '>') { + xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, + "xmlParseEntityDecl: entity %s not terminated\n", name); ++ xmlStopParser(ctxt); + } else { + if (input != ctxt->input) { + xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6764,6 +6765,8 @@ + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6824,6 +6827,8 @@ + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6879,6 +6884,8 @@ + + } else { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); ++ xmlStopParser(ctxt); ++ return; + } + + if (RAW == 0) diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7942.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7942.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7942.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-7942.patch 2015-11-13 13:57:49.000000000 +0000 @@ -0,0 +1,20 @@ +Description: fix overflow in conditional sections +Origin: upstream, https://git.gnome.org/browse/libxml2/commit/?id=bd0526e66a56e75a18da8c15c4750db8f801c52d +Origin: upstream, https://git.gnome.org/browse/libxml2/commit/?id=41ac9049a27f52e7a1f3b341f8714149fc88d450 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802827 + +Index: libxml2-2.9.1+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/parser.c 2015-11-13 08:57:47.808553350 -0500 ++++ libxml2-2.9.1+dfsg1/parser.c 2015-11-13 08:57:47.800553246 -0500 +@@ -6899,7 +6899,9 @@ + "All markup of the conditional section is not in the same entity\n", + NULL, NULL); + } +- SKIP(3); ++ if ((ctxt-> instate != XML_PARSER_EOF) && ++ ((ctxt->input->cur + 3) <= ctxt->input->end)) ++ SKIP(3); + } + } + diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8035.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8035.patch --- libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8035.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2015-8035.patch 2015-11-13 13:58:08.000000000 +0000 @@ -0,0 +1,28 @@ +From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 3 Nov 2015 15:31:25 +0800 +Subject: CVE-2015-8035 Fix XZ compression support loop + +For https://bugzilla.gnome.org/show_bug.cgi?id=757466 +DoS when parsing specially crafted XML document if XZ support +is compiled in (which wasn't the case for 2.9.2 and master since +Nov 2013, fixed in next commit !) +--- + xzlib.c | 4 ++++ + 1 file changed, 4 insertions(+) + +Index: libxml2-2.9.1+dfsg1/xzlib.c +=================================================================== +--- libxml2-2.9.1+dfsg1.orig/xzlib.c 2015-11-13 08:58:06.384794119 -0500 ++++ libxml2-2.9.1+dfsg1/xzlib.c 2015-11-13 08:58:06.380794067 -0500 +@@ -538,6 +538,10 @@ + xz_error(state, LZMA_DATA_ERROR, "compressed data error"); + return -1; + } ++ if (ret == LZMA_PROG_ERROR) { ++ xz_error(state, LZMA_PROG_ERROR, "compression error"); ++ return -1; ++ } + } while (strm->avail_out && ret != LZMA_STREAM_END); + + /* update available output and crc check value */ diff -Nru libxml2-2.9.1+dfsg1/debian/patches/series libxml2-2.9.1+dfsg1/debian/patches/series --- libxml2-2.9.1+dfsg1/debian/patches/series 2014-10-16 19:30:39.000000000 +0000 +++ libxml2-2.9.1+dfsg1/debian/patches/series 2015-11-13 13:58:04.000000000 +0000 @@ -10,3 +10,7 @@ CVE-2014-0191.patch lp1321869.patch CVE-2014-3660.patch +CVE-2015-1819.patch +CVE-2015-7941.patch +CVE-2015-7942.patch +CVE-2015-8035.patch