diff -Nru libxml2-2.9.1+dfsg1/debian/changelog libxml2-2.9.1+dfsg1/debian/changelog
--- libxml2-2.9.1+dfsg1/debian/changelog 2014-06-06 17:29:09.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/changelog 2014-10-16 19:30:49.000000000 +0000
@@ -1,3 +1,20 @@
+libxml2 (2.9.1+dfsg1-3ubuntu4.4) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service via entity expansion
+ - debian/patches/CVE-2014-3660.patch: added additional tests to
+ parser.c.
+ - CVE-2014-3660
+
+ -- Marc Deslauriers Thu, 16 Oct 2014 15:30:49 -0400
+
+libxml2 (2.9.1+dfsg1-3ubuntu4.3) trusty-security; urgency=medium
+
+ * SECURITY REGRESSION: more xmllint regressions (LP: #1321869)
+ - debian/patches/lp1321869.patch: use upstream commit which includes
+ additional regression fixes to parser.c.
+
+ -- Marc Deslauriers Fri, 13 Jun 2014 08:33:28 -0400
+
 libxml2 (2.9.1+dfsg1-3ubuntu4.2) trusty-security; urgency=medium
 * SECURITY REGRESSION: xmllint no longer loads entities with --postvalid
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2014-3660.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2014-3660.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2014-3660.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2014-3660.patch 2014-10-16 19:30:43.000000000 +0000
@@ -0,0 +1,139 @@
+From be2a7edaf289c5da74a4f9ed3a0b6c733e775230 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Thu, 16 Oct 2014 13:59:47 +0800
+Subject: Fix for CVE-2014-3660
+
+Issues related to the billion laugh entity expansion which happened to
+escape the initial set of fixes
+
+Index: libxml2-2.9.1+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/parser.c 2014-10-16 15:30:40.885274343 -0400
++++ libxml2-2.9.1+dfsg1/parser.c 2014-10-16 15:30:40.881274311 -0400
+@@ -130,6 +130,29 @@
+ return (0);
+ if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+ return (1);
++
++ /*
++ * This may look absurd but is needed to detect
++ * entities problems
++ */
++ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
++ (ent->content != NULL) && (ent->checked == 0)) {
++ unsigned long oldnbent = ctxt->nbentities;
++ xmlChar *rep;
++
++ ent->checked = 1;
++
++ rep = xmlStringDecodeEntities(ctxt, ent->content,
++ XML_SUBSTITUTE_REF, 0, 0, 0);
++
++ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
++ if (rep != NULL) {
++ if (xmlStrchr(rep, '<'))
++ ent->checked |= 1;
++ xmlFree(rep);
++ rep = NULL;
++ }
++ }
+ if (replacement != 0) {
+ if (replacement < XML_MAX_TEXT_LENGTH)
+ return(0);
+@@ -189,9 +212,12 @@
+ return (0);
+ } else {
+ /*
+- * strange we got no data for checking just return
+ * strange we got no data for checking
+ */
+- return (0);
++ if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) &&
++ (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) ||
++ (ctxt->nbentities <= 10000))
++ return (0);
+ }
+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+ return (1);
+@@ -2584,6 +2610,7 @@
+ name, NULL);
+ ctxt->valid = 0;
+ }
++ xmlParserEntityCheck(ctxt, 0, NULL, 0);
+ } else if (ctxt->input->free != deallocblankswrapper) {
+ input = xmlNewBlanksWrapperInputStream(ctxt, entity);
+ if (xmlPushInput(ctxt, input) < 0)
+@@ -2754,6 +2781,7 @@
+ if ((ctxt->lastError.code == 
XML_ERR_ENTITY_LOOP) ||
+ (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
+ goto int_error;
++ xmlParserEntityCheck(ctxt, 0, ent, 0);
+ if (ent != NULL)
+ ctxt->nbentities += ent->checked / 2;
+ if ((ent != NULL) &&
+@@ -2805,6 +2833,7 @@
+ ent = xmlParseStringPEReference(ctxt, &str);
+ if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+ goto int_error;
++ xmlParserEntityCheck(ctxt, 0, ent, 0);
+ if (ent != NULL)
+ ctxt->nbentities += ent->checked / 2;
+ if (ent != NULL) {
+@@ -7307,6 +7336,7 @@
+ (ret != XML_WAR_UNDECLARED_ENTITY)) {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,
+ "Entity '%s' failed to parse\n", ent->name);
++ xmlParserEntityCheck(ctxt, 0, ent, 0);
+ } else if (list != NULL) {
+ xmlFreeNodeList(list);
+ list = NULL;
+@@ -7413,7 +7443,7 @@
+ /*
+ * We are copying here, make sure there is no abuse
+ */
+- ctxt->sizeentcopy += ent->length;
++ ctxt->sizeentcopy += ent->length + 5;
+ if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
+ return;
+
+@@ -7461,7 +7491,7 @@
+ /*
+ * We are copying here, make sure there is no abuse
+ */
+- ctxt->sizeentcopy += ent->length;
++ ctxt->sizeentcopy += ent->length + 5;
+ if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
+ return;
+
+@@ -7647,6 +7677,7 @@
+ ctxt->sax->reference(ctxt->userData, name);
+ }
+ }
++ xmlParserEntityCheck(ctxt, 0, ent, 0);
+ ctxt->valid = 0;
+ }
+
+@@ -7840,6 +7871,7 @@
+ "Entity '%s' not defined\n",
+ name);
+ }
++ xmlParserEntityCheck(ctxt, 0, ent, 0);
+ /* TODO ? 
check regressions ctxt->valid = 0; */
+ }
+
+@@ -7999,6 +8031,7 @@
+ name, NULL);
+ ctxt->valid = 0;
+ }
++ xmlParserEntityCheck(ctxt, 0, NULL, 0);
+ } else {
+ /*
+ * Internal checking in case the entity quest barfed
+@@ -8238,6 +8271,7 @@
+ name, NULL);
+ ctxt->valid = 0;
+ }
++ xmlParserEntityCheck(ctxt, 0, NULL, 0);
+ } else {
+ /*
+ * Internal checking in case the entity quest barfed
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/lp1321869.patch libxml2-2.9.1+dfsg1/debian/patches/lp1321869.patch
--- libxml2-2.9.1+dfsg1/debian/patches/lp1321869.patch 2014-06-06 17:29:03.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/lp1321869.patch 2014-06-13 12:33:19.000000000 +0000
@@ -1,12 +1,18 @@
-Description: fix xmllint no longer loads entities with --postvalid
-Origin: other, https://mail.gnome.org/archives/xml/2014-May/msg00003.html
-Author: Alexey Neyman
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1321869
+From dd8367da17c2948981a51e52c8a6beb445edf825 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Wed, 11 Jun 2014 16:54:32 +0800
+Subject: Fix regressions introduced by CVE-2014-0191 patch
+
+A number of issues have been raised after the fix, and this patch
+tries to correct all of them, though most were related to
+postvalidation.
+https://bugzilla.gnome.org/show_bug.cgi?id=730290
+and other reports on list, off-list and on Red Hat bugzilla
 Index: libxml2-2.9.1+dfsg1/parser.c
 ===================================================================
---- libxml2-2.9.1+dfsg1.orig/parser.c 2014-06-06 12:48:59.000000000 -0400
-+++ libxml2-2.9.1+dfsg1/parser.c 2014-06-06 12:49:37.285598391 -0400
+--- libxml2-2.9.1+dfsg1.orig/parser.c 2014-06-13 07:26:26.378947533 -0400
++++ libxml2-2.9.1+dfsg1/parser.c 2014-06-13 07:26:26.370947533 -0400
 @@ -2595,8 +2595,8 @@
 xmlCharEncoding enc;
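Review bot: In the new probe block at the top of xmlParserEntityCheck (inner hunk `@@ -130,6 +130,29 @@`; the function's signature and any XML_PARSE_HUGE bypass sit above the hunk), a loop detected inside the trial `xmlStringDecodeEntities()` call is not acted on by this invocation: the `XML_ERR_ENTITY_LOOP` early return is evaluated before the probe runs, so control falls through to the `replacement`/size checks and can still return 0 even though `ctxt->lastError.code` was just set. Re-testing after the probe, `if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) return (1);`, would make the first caller see the failure instead of relying on the next check to catch it; this is belt-and-braces, since xmlFatalErr presumably already marks the document as not well-formed. Separately, the `10000` threshold in inner hunk `@@ -189,9 +212,12 @@` and the `+ 5` added to `ctxt->sizeentcopy` in two hunks are unexplained tuning constants, and the surviving comment `strange we got no data for checking` no longer describes a branch that now reports XML_ERR_ENTITY_LOOP; I would extend it with `/* no data to size: an undeclared entity hit after 10000+ references is treated as an expansion attack */` and add a one-line note on what the `+ 5` accounts for (presumably the `&name;` reference text around each copy, to be confirmed against the callers).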
@@ -14,24 +20,36 @@
 - * Note: external parsed entities will not be loaded, it is
 - * not required for a non-validating parser, unless the
 + * Note: external parameter entities will not be loaded, it
-+ * isnot required for a non-validating parser, unless the
++ * is not required for a non-validating parser, unless the
 * option of validating, or substituting entities were
 * given. Doing so is far more secure as the parser will
 * only process data coming from the document entity by
-@@ -2605,6 +2605,7 @@
+@@ -2605,6 +2605,9 @@
 if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
 ((ctxt->options & XML_PARSE_NOENT) == 0) &&
 ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
 + ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
++ (ctxt->replaceEntities == 0) &&
 (ctxt->validate == 0))
 return;
-@@ -12736,6 +12737,9 @@
+@@ -12609,6 +12612,9 @@
+ return(NULL);
+ }
+
++ /* We are loading a DTD */
++ ctxt->options |= XML_PARSE_DTDLOAD;
++
+ /*
+ * Set-up the SAX context
+ */
+@@ -12736,6 +12742,9 @@
 return(NULL);
 }
 + /* We are loading a DTD */
-+ ctxt->options = XML_PARSE_DTDLOAD;
++ ctxt->options |= XML_PARSE_DTDLOAD;
+ /*
+ * Set-up the SAX context
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/series libxml2-2.9.1+dfsg1/debian/patches/series
--- libxml2-2.9.1+dfsg1/debian/patches/series 2014-06-06 17:29:03.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/series 2014-10-16 19:30:39.000000000 +0000
@@ -9,3 +9,4 @@
 xmllint_pretty.patch
 CVE-2014-0191.patch
 lp1321869.patch
+CVE-2014-3660.patch
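Review bot: The comment above the early-return gate for external parameter entities (inner hunk `@@ -2605,6 +2605,9 @@`; the enclosing function starts and ends outside the hunk) says they are loaded only when "the option of validating, or substituting entities were given", but the condition now also loads them when `XML_PARSE_DTDLOAD` or `XML_PARSE_DTDATTR` is set and when `ctxt->replaceEntities` is non-zero, which is a security-relevant widening the comment should state, since each of these makes the parser fetch a resource named by the document. The separate `ctxt->replaceEntities` test next to the `XML_PARSE_NOENT` bit suggests that field can be set by a path that does not touch `ctxt->options` (presumably the legacy global substitution default); if that is the reason, say so, e.g. `* given, when the DTD itself is being loaded (XML_PARSE_DTDLOAD, XML_PARSE_DTDATTR), or when entity substitution was enabled through ctxt->replaceEntities without XML_PARSE_NOENT in ctxt->options.` The two DTD-loading sites that now do `ctxt->options |= XML_PARSE_DTDLOAD` rely on this gate to admit the external subset, so a one-line cross-reference from the gate to that flag would help the next reader connect the two changes.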