git: d1aa619eee6b - 2021Q2 - textproc/libxml2: add upstream fix for CVE-2021-3541
Tobias C. Berner
tcberner at FreeBSD.org
Sun May 23 14:36:14 UTC 2021
The branch 2021Q2 has been updated by tcberner:
URL: https://cgit.FreeBSD.org/ports/commit/?id=d1aa619eee6b57face171474c3166f4112447f26
commit d1aa619eee6b57face171474c3166f4112447f26
Author: Yasuhiro Kimura <yasu at utahime.org>
AuthorDate: 2021-05-23 14:27:31 +0000
Commit: Tobias C. Berner <tcberner at FreeBSD.org>
CommitDate: 2021-05-23 14:35:28 +0000
textproc/libxml2: add upstream fix for CVE-2021-3541
This is relapted to parameter entities expansion and following
the line of the billion laugh attack. Somehow in that path the
counting of parameters was missed and the normal algorithm based
on entities "density" was useless.
PR: 256094
Obtained from: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
Security: CVE-2021-3541
(cherry picked from commit 83889bd6875d128b44342dd3cd58fe6027b98542)
---
textproc/libxml2/Makefile | 2 +-
textproc/libxml2/files/patch-CVE-2021-3541 | 67 ++++++++++++++++++++++++++++++
2 files changed, 68 insertions(+), 1 deletion(-)
diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile
index 8feafcd98017..6efe166d3b7d 100644
--- a/textproc/libxml2/Makefile
+++ b/textproc/libxml2/Makefile
@@ -2,7 +2,7 @@
PORTNAME= libxml2
DISTVERSION= 2.9.10
-PORTREVISION?= 3
+PORTREVISION?= 4
CATEGORIES?= textproc gnome
MASTER_SITES= http://xmlsoft.org/sources/
DIST_SUBDIR= gnome2
diff --git a/textproc/libxml2/files/patch-CVE-2021-3541 b/textproc/libxml2/files/patch-CVE-2021-3541
new file mode 100644
index 000000000000..3ba64fa1d967
--- /dev/null
+++ b/textproc/libxml2/files/patch-CVE-2021-3541
@@ -0,0 +1,67 @@
+From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard at redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: [PATCH] Patch for security issue CVE-2021-3541
+
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git parser.c parser.c
+index f5e5e169..c9312fa4 100644
+--- parser.c
++++ parser.c
+@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ xmlEntityPtr ent, size_t replacement)
+ {
+ size_t consumed = 0;
++ int i;
+
+ if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+ return (0);
+@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ rep = NULL;
+ }
+ }
++
++ /*
++ * Prevent entity exponential check, not just replacement while
++ * parsing the DTD
++ * The check is potentially costly so do that only once in a thousand
++ */
++ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
++ (ctxt->nbentities % 1024 == 0)) {
++ for (i = 0;i < ctxt->inputNr;i++) {
++ consumed += ctxt->inputTab[i]->consumed +
++ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
++ }
++ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++ ctxt->instate = XML_PARSER_EOF;
++ return (1);
++ }
++ consumed = 0;
++ }
++
++
++
+ if (replacement != 0) {
+ if (replacement < XML_MAX_TEXT_LENGTH)
+ return(0);
+@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ xmlChar start[4];
+ xmlCharEncoding enc;
+
++ if (xmlParserEntityCheck(ctxt, 0, entity, 0))
++ return;
++
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+--
+2.31.1
+
More information about the dev-commits-ports-all
mailing list