Date: Sun, 23 May 2021 14:36:14 GMT
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
From: "Tobias C. Berner"
Subject: git: d1aa619eee6b - 2021Q2 - textproc/libxml2: add upstream fix for CVE-2021-3541
X-Git-Committer: tcberner
X-Git-Repository: ports
X-Git-Refname: refs/heads/2021Q2
X-Git-Reftype: branch
X-Git-Commit: d1aa619eee6b57face171474c3166f4112447f26
List-Id: Commits to the quarterly branches of the FreeBSD ports repository

The branch 2021Q2 has been updated by tcberner:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d1aa619eee6b57face171474c3166f4112447f26

commit d1aa619eee6b57face171474c3166f4112447f26
Author:     Yasuhiro Kimura
AuthorDate: 2021-05-23 14:27:31 +0000
Commit:     Tobias C. Berner
CommitDate: 2021-05-23 14:35:28 +0000

    textproc/libxml2: add upstream fix for CVE-2021-3541

    This is related to parameter entities expansion and following
    the line of the billion laugh attack. Somehow in that path the
    counting of parameters was missed and the normal algorithm based
    on entities "density" was useless.

    PR:             256094
    Obtained from:  https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
    Security:       CVE-2021-3541

    (cherry picked from commit 83889bd6875d128b44342dd3cd58fe6027b98542)
---
 textproc/libxml2/Makefile                  |  2 +-
 textproc/libxml2/files/patch-CVE-2021-3541 | 67 ++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 1 deletion(-)

diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile index 8feafcd98017..6efe166d3b7d 100644 --- a/textproc/libxml2/Makefile +++ b/textproc/libxml2/Makefile
@@ -2,7 +2,7 @@ PORTNAME= libxml2 DISTVERSION= 2.9.10 -PORTREVISION?= 3 +PORTREVISION?= 4 CATEGORIES?= textproc gnome MASTER_SITES= http://xmlsoft.org/sources/ DIST_SUBDIR= gnome2 diff --git a/textproc/libxml2/files/patch-CVE-2021-3541 b/textproc/libxml2/files/patch-CVE-2021-3541 new file mode 100644 index 000000000000..3ba64fa1d967 --- /dev/null +++ b/textproc/libxml2/files/patch-CVE-2021-3541 
@@ -0,0 +1,67 @@ +From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Thu, 13 May 2021 14:55:12 +0200 +Subject: [PATCH] Patch for security issue CVE-2021-3541 + +This is relapted to parameter entities expansion and following +the line of the billion laugh attack. Somehow in that path the +counting of parameters was missed and the normal algorithm based +on entities "density" was useless. +--- + parser.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git parser.c parser.c +index f5e5e169..c9312fa4 100644 +--- parser.c ++++ parser.c +@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + xmlEntityPtr ent, size_t replacement) + { + size_t consumed = 0; ++ int i; + + if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE)) + return (0); +@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + rep = NULL; + } + } ++ ++ /* ++ * Prevent entity exponential check, not just replacement while ++ * parsing the DTD ++ * The check is potentially costly so do that only once in a thousand ++ */ ++ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) && ++ (ctxt->nbentities % 1024 == 0)) { ++ for (i = 0;i < ctxt->inputNr;i++) { ++ consumed += ctxt->inputTab[i]->consumed + ++ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base); ++ } ++ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) { ++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); ++ ctxt->instate = XML_PARSER_EOF; ++ return (1); ++ } ++ consumed = 0; ++ } ++ ++ ++ + if (replacement != 0) { + if (replacement < XML_MAX_TEXT_LENGTH) + return(0); +@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) + xmlChar start[4]; + xmlCharEncoding enc; + ++ if (xmlParserEntityCheck(ctxt, 0, entity, 0)) ++ return; ++ + if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && + ((ctxt->options & XML_PARSE_NOENT) == 0) && + ((ctxt->options & XML_PARSE_DTDVALID) == 0) && +-- +2.31.1 +
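
Review bot: In the block added to xmlParserEntityCheck (parser.c hunk at -177,6 +178,28), the gate `(ctxt->nbentities % 1024 == 0)` only fires when the counter lands exactly on a multiple of 1024, so if nbentities can ever advance by more than one between calls the check can be stepped over repeatedly; comparing against the count at the last check, rather than testing for an exact multiple, would not depend on the step size. The comment says "once in a thousand" while the code uses 1024 plus a separate floor of 10000, and both numbers are unnamed; named constants beside XML_PARSER_NON_LINEAR and a comment that matches the condition would make the thresholds auditable. The block also sits below the existing `XML_PARSE_HUGE` early return shown in the previous hunk's context, so callers that set that option get no protection from it, which is worth saying in the comment. The three blank lines added after the closing brace can be dropped.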
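
Review bot: In xmlParsePEReference (parser.c hunk at -7963,6 +7986,9), the new call `xmlParserEntityCheck(ctxt, 0, entity, 0)` passes 0 for both size and replacement, so its purpose is not obvious at the call site; a one-line comment saying it is there to run the DTD-state entity count check would keep a later cleanup from removing it as a no-op. The failure path is a bare `return;`, so please confirm nothing set up earlier in this function needs to be undone before leaving, and that callers cope with the `XML_PARSER_EOF` state the check sets.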