

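--- a/textproc/libxml2/Makefile
+++ b/textproc/libxml2/Makefile
@@ -2,7 +2,7 @@
 
 PORTNAME=	libxml2
 DISTVERSION=	2.9.10
-PORTREVISION?=	3
+PORTREVISION?=	4
 CATEGORIES?=	textproc gnome
 MASTER_SITES=	http://xmlsoft.org/sources/
 DIST_SUBDIR=	gnome2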
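--- a/textproc/libxml2/files/patch-CVE-2021-3541
+++ b/textproc/libxml2/files/patch-CVE-2021-3541
@@ -0,0 +1,67 @@
+From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: [PATCH] Patch for security issue CVE-2021-3541
+
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git parser.c parser.c
+index f5e5e169..c9312fa4 100644
+--- parser.c
++++ parser.c
+@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+                      xmlEntityPtr ent, size_t replacement)
+ {
+     size_t consumed = 0;
++    int i;
+ 
+     if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+         return (0);
+@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ 	    rep = NULL;
+ 	}
+     }
++
++    /*
++     * Prevent entity exponential check, not just replacement while
++     * parsing the DTD
++     * The check is potentially costly so do that only once in a thousand
++     */
++    if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
++        (ctxt->nbentities % 1024 == 0)) {
++	for (i = 0;i < ctxt->inputNr;i++) {
++	    consumed += ctxt->inputTab[i]->consumed +
++	               (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
++	}
++	if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
++	    xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++	    ctxt->instate = XML_PARSER_EOF;
++	    return (1);
++	}
++	consumed = 0;
++    }
++
++
++
+     if (replacement != 0) {
+ 	if (replacement < XML_MAX_TEXT_LENGTH)
+ 	    return(0);
+@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+             xmlChar start[4];
+             xmlCharEncoding enc;
+ 
++	    if (xmlParserEntityCheck(ctxt, 0, entity, 0))
++	        return;
++
+ 	    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ 	        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ 		((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+-- 
+2.31.1
+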
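Review bot: In the block the embedded patch adds to xmlParserEntityCheck (second hunk, the `if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR)` line), the product is computed in size_t with no overflow guard, so on a platform with a 32-bit size_t a DTD that has already consumed a very large amount of input could wrap the product and trip the XML_ERR_ENTITY_LOOP fatal error on a legitimate document; this is upstream's code carried verbatim by the port, and whether that input size is reachable under the parser's other limits is not visible here. If the port wanted to harden it locally, a guard such as `if (consumed <= SIZE_MAX / XML_PARSER_NON_LINEAR && ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR)` would skip the comparison only when it cannot be evaluated safely. Both xmlParserEntityCheck and the xmlParsePEReference branch that gains the early `xmlParserEntityCheck(ctxt, 0, entity, 0)` call start and end outside the hunks shown, so the effect of the early `return` on the rest of that branch cannot be confirmed from this page. The "relapted" typo in the commit message is upstream's and is best left untouched since the file reproduces the upstream commit, which keeps the patch traceable to its origin.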