File libxml2-CVE-2021-3541.patch of Package libxml2

Overview Repositories Revisions Requests Users Attributes Meta

File libxml2-CVE-2021-3541.patch of Package libxml2 (Revision 54a83e08e2a9836da5002d16adc26349)

Currently displaying revision 54a83e08e2a9836da5002d16adc26349 , Show latest

From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Thu, 13 May 2021 14:55:12 +0200
Subject: [PATCH] Patch for security issue CVE-2021-3541

This is relapted to parameter entities expansion and following
the line of the billion laugh attack. Somehow in that path the
counting of parameters was missed and the normal algorithm based
on entities "density" was useless.
---
 parser.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

Index: libxml2-2.9.4/parser.c
===================================================================
--- libxml2-2.9.4.orig/parser.c
+++ libxml2-2.9.4/parser.c
@@ -127,6 +127,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
                      xmlEntityPtr ent, size_t replacement)
 {
     size_t consumed = 0;
+    int i;
 
     if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
         return (0);
@@ -167,6 +168,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
 	    rep = NULL;
 	}
     }
+
+    /*
+     * Prevent entity exponential check, not just replacement while
+     * parsing the DTD
+     * The check is potentially costly so do that only once in a thousand
+     */
+    if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
+        (ctxt->nbentities % 1024 == 0)) {
+	for (i = 0;i < ctxt->inputNr;i++) {
+	    consumed += ctxt->inputTab[i]->consumed +
+	               (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
+	}
+	if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
+	    xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+	    ctxt->instate = XML_PARSER_EOF;
+	    return (1);
+	}
+	consumed = 0;
+    }
+
+
+
     if (replacement != 0) {
 	if (replacement < XML_MAX_TEXT_LENGTH)
 	    return(0);
@@ -8158,6 +8181,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctx
 	    if (xmlPushInput(ctxt, input) < 0)
 		return;
 	} else {
+       if (xmlParserEntityCheck(ctxt, 0, entity, 0))
+           return;
+
 	    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
 	        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
 		((ctxt->options & XML_PARSE_DTDVALID) == 0) &&

Places

File libxml2-CVE-2021-3541.patch of Package libxml2 (Revision 54a83e08e2a9836da5002d16adc26349)

Places