From ef0a5f66faa9483086c428858f68d7f4c28dbe17 Mon Sep 17 00:00:00 2001
From: yangkang <1515737100@qq.com>
Date: Wed, 26 May 2021 16:44:39 +0800
Subject: [PATCH 1/2] fix CVE-2021-3537
---
 backport-CVE-2021-3537.patch | 48 ++++++++++++++++++++++++++++++++++++
 libxml2.spec | 10 +++++++-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-3537.patch
diff --git a/backport-CVE-2021-3537.patch b/backport-CVE-2021-3537.patch
new file mode 100644
index 0000000..1da4354
--- /dev/null
+++ b/backport-CVE-2021-3537.patch
@@ -0,0 +1,48 @@
+From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Sat, 1 May 2021 16:53:33 +0200
+Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
+
+Check return value of recursive calls to
+xmlParseElementChildrenContentDeclPriv and return immediately in case
+of errors. Otherwise, struct xmlElementContent could contain unexpected
+null pointers, leading to a null deref when post-validating documents
+which aren't well-formed and parsed in recovery mode.
+
+Fixes #243.
+
+Reference:https://github.com/GNOME/libxml2/commit/babe75030c7f64a37826bb3342317134568bef61
+Conflict:NA
+
+---
+ parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index b42e604..73c27ed 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ SKIP_BLANKS;
+ cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+ depth + 1);
++ if (cur == NULL)
++ return(NULL);
+ SKIP_BLANKS;
+ GROW;
+ } else {
+@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ SKIP_BLANKS;
+ last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+ depth + 1);
++ if (last == NULL) {
++ if (ret != NULL)
++ xmlFreeDocElementContent(ctxt->myDoc, ret);
++ return(NULL);
++ }
+ SKIP_BLANKS;
+ } else {
+ elem = xmlParseName(ctxt);
+-- 
+1.8.3.1
+
diff --git a/libxml2.spec b/libxml2.spec
index a45f52b..8f046c2 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.10
-Release: 12
+Release: 13
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@@ -69,6 +69,8 @@ Patch58: backport-Fix-quadratic-runtime-in-HTML-push-parser-with-null-.patch
 Patch59: backport-Fix-infinite-loop-in-HTML-parser-introduced-with-rec.patch
 Patch60: backport-Fix-integer-overflow-in-xmlSchemaGetParticleTotalRan.patch
+Patch61: backport-CVE-2021-3537.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python2-devel
 BuildRequires: python3-devel
@@ -260,6 +262,12 @@ rm -fr %{buildroot}
 %changelog
+* Wed May 26 2021 yangkang - 2.9.10-13
+- Type:CVE
+- ID:CVE-2021-3537
+- SUG:NA
+- DESC:fix CVE-2021-3537
+
 * Tue Mar 2 2020 Lirui - 2.9.10-12
 - fix problems detected by oss-fuzz test
-- 
Gitee
From 0e25679957c43b9982acdc432cb9fc11bf1106dc Mon Sep 17 00:00:00 2001
From: guoxiaoqi
Date: Fri, 28 May 2021 11:40:32 +0800
Subject: [PATCH 2/2] fix CVE-2021-3517 and CVE-2021-3518
---
 CVE-2021-3517.patch | 51 +++++++++++++++++++++++++++++++++++++++++++++
 CVE-2021-3518.patch | 40 +++++++++++++++++++++++++++++++++++
 libxml2.spec | 10 ++++++++-
 3 files changed, 100 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-3517.patch
 create mode 100644 CVE-2021-3518.patch
diff --git a/CVE-2021-3517.patch b/CVE-2021-3517.patch
new file mode 100644
index 0000000..e790ed9
--- /dev/null
+++ b/CVE-2021-3517.patch
@@ -0,0 +1,51 @@
+From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001
+From: Joel Hockey
+Date: Sun, 16 Aug 2020 17:19:35 -0700
+Subject: [PATCH] Validate UTF8 in xmlEncodeEntities
+
+Code is currently assuming UTF-8 without validating. Truncated UTF-8
+input can cause out-of-bounds array access.
+
+Adds further checks to partial fix in 50f06b3e.
+
+Fixes #178
+
+Signed-off-by: guoxiaoqi
+---
+ entities.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/entities.c b/entities.c
+index 37b99a5..1a8f86f 100644
+--- a/entities.c
++++ b/entities.c
+@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
+ } else {
+ /*
+ * We assume we have UTF-8 input.
++ * It must match either:
++ * 110xxxxx 10xxxxxx
++ * 1110xxxx 10xxxxxx 10xxxxxx
++ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
++ * That is:
++ * cur[0] is 11xxxxxx
++ * cur[1] is 10xxxxxx
++ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx
++ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx
++ * cur[0] is not 11111xxx
+ */
+ char buf[11], *ptr;
+ int val = 0, l = 1;
+
+- if (*cur < 0xC0) {
++ if (((cur[0] & 0xC0) != 0xC0) ||
++ ((cur[1] & 0xC0) != 0x80) ||
++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF8) == 0xF8))) {
+ xmlEntitiesErr(XML_CHECK_NOT_UTF8,
+ "xmlEncodeEntities: input not UTF-8");
+ if (doc != NULL)
+-- 
+1.8.3.1
+
diff --git a/CVE-2021-3518.patch b/CVE-2021-3518.patch
new file mode 100644
index 0000000..54f272c
--- /dev/null
+++ b/CVE-2021-3518.patch
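Review bot: The lead-byte test added in the entities.c hunk is a structural check only: it rejects lead bytes of 0xF8 and above and non-continuation trailers, but it still accepts 0xC0/0xC1 (overlong encodings) and 0xF5–0xF7 (sequences beyond U+10FFFF) as leads, and it stops short of a truncated sequence only because the `||` chain short-circuits on the NUL terminator of an xmlChar string. Whether the decoded value is range-checked further down xmlEncodeEntitiesInternal on the 2.9.10 tree — that code is outside this hunk and the function continues past it — should be confirmed when applying the backport, since the validation comment above the test describes it as a full match. A one-line comment after the `cur[0] is not 11111xxx` line, `* (overlong/out-of-range leads are caught by the value check below)`, or its absence, would record that the maintainer verified it.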
@@ -0,0 +1,40 @@
+From 1098c30a040e72a4654968547f415be4e4c40fe7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: [PATCH] Fix user-after-free with `xmllint --xinclude --dropdtd`
+
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+
+Fixes #237.
+
+Signed-off-by: guoxiaoqi
+---
+ xinclude.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index 1636caf..b2e6ea1 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2430,9 +2430,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree,
+ ctxt->incTotal++;
+ xmlXIncludePreProcessNode(ctxt, cur);
+ } else if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
++ ((cur->type == XML_DOCUMENT_NODE) ||
++ (cur->type == XML_ELEMENT_NODE))) {
+ cur = cur->children;
+ continue;
+ }
+-- 
+1.8.3.1
+
diff --git a/libxml2.spec b/libxml2.spec
index 8f046c2..97f69d5 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.10
-Release: 13
+Release: 14
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@@ -70,6 +70,8 @@ Patch59: backport-Fix-infinite-loop-in-HTML-parser-introduced-with-rec.patch
 Patch60: backport-Fix-integer-overflow-in-xmlSchemaGetParticleTotalRan.patch
 Patch61: backport-CVE-2021-3537.patch
+Patch62: CVE-2021-3517.patch
+Patch63: CVE-2021-3518.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python2-devel
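Review bot: Patch62 and Patch63 break the naming convention every other backport in this spec follows (`backport-<topic>.patch`, cf. Patch61 `backport-CVE-2021-3537.patch` directly above them), and the two new patch files also omit the `Reference:` and `Conflict:` trailers that the Patch61 file carries, which is what lets a later maintainer verify which upstream commit a backport was taken from. Renaming the files to `backport-CVE-2021-3517.patch` and `backport-CVE-2021-3518.patch` and adding a `Reference:` line in each pointing at the upstream commit already named in that file's `From` header would keep the series consistent and auditable.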
@@ -262,6 +264,12 @@ rm -fr %{buildroot}
 %changelog
+* Fri May 28 2021 guoxiaoqi - 2.9.10-14
+- Type:CVE
+- ID:CVE-2021-3537, CVE-2021-3517
+- SUG:NA
+- DESC:fix CVE-2021-3517 and CVE-2021-3518
+
 * Wed May 26 2021 yangkang - 2.9.10-13
 - Type:CVE
 - ID:CVE-2021-3537
-- 
Gitee
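Review bot: The new changelog entry's ID line reads `- ID:CVE-2021-3537, CVE-2021-3517`, but this release adds Patch62 and Patch63 for CVE-2021-3517 and CVE-2021-3518, and CVE-2021-3537 is already recorded in the 2.9.10-13 entry just below, so the ID field misstates which vulnerabilities 2.9.10-14 fixes and disagrees with its own DESC line and the commit subject. Advisory and update tooling that reads the spec changelog will key on this field, so it should be `- ID:CVE-2021-3517, CVE-2021-3518`.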