fix CVE-2021-3541

2021-06-02 10:50:10 +08:00 · 2021-06-02 10:50:10 +08:00 · a66e512517
commit a66e512517
parent 528f67c714
2 changed files with 76 additions and 2 deletions
--- a/CVE-2021-3541.patch
+++ b/CVE-2021-3541.patch
@ -0,0 +1,67 @@
+From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: [PATCH] Patch for security issue CVE-2021-3541
+
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index f5e5e169..c9312fa4 100644
+--- a/parser.c
+++ b/parser.c
+@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+                      xmlEntityPtr ent, size_t replacement)
+ {
+     size_t consumed = 0;
+    int i;
+ 
+     if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+         return (0);
+@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ 	    rep = NULL;
+ 	}
+     }
+
+    /*
+     * Prevent entity exponential check, not just replacement while
+     * parsing the DTD
+     * The check is potentially costly so do that only once in a thousand
+     */
+    if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
+        (ctxt->nbentities % 1024 == 0)) {
+	for (i = 0;i < ctxt->inputNr;i++) {
+	    consumed += ctxt->inputTab[i]->consumed +
+	               (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
+	}
+	if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
+	    xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+	    ctxt->instate = XML_PARSER_EOF;
+	    return (1);
+	}
+	consumed = 0;
+    }
+
+
+
+     if (replacement != 0) {
+ 	if (replacement < XML_MAX_TEXT_LENGTH)
+ 	    return(0);
+@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+             xmlChar start[4];
+             xmlCharEncoding enc;
+ 
+	    if (xmlParserEntityCheck(ctxt, 0, entity, 0))
+	        return;
+
+ 	    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ 	        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ 		((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+-- 
+GitLab
+
--- a/libxml2.spec
+++ b/libxml2.spec
@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.10
-Release: 14
+Release: 15
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@ -83,6 +83,7 @@ Patch71: Fix-quadratic-behavior-when-looking-up-xml-attribute.patch
 Patch72: Fix-use-after-free-with-xmllint-html-push.patch
 Patch73: Fix-xmlGetNodePath-with-invalid-node-types.patch
 Patch74: Stop-checking-attributes-for-UTF-8-validity.patch
+Patch75: CVE-2021-3541.patch

 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python3-devel
@ -243,6 +244,12 @@ rm -fr %{buildroot}


 %changelog
+* Wed Jun 2 2021 guoxiaoqi <guoxiaoqi2@huawei.com> - 2.9.10-15
+- Type:CVE
+- ID:CVE-2021-3541
+- SUG:NA
+- DESC:fix CVE-2021-3541
+
 * Sat May 29 2021 zoulin <zoulin13@huawei.com> - 2.9.10-14
 - Type:bugfix
 - ID:NA
@ -262,7 +269,7 @@ rm -fr %{buildroot}

 * Fri May 28 2021 guoxiaoqi <guoxiaoqi2@huawei.com> - 2.9.10-13
 - Type:CVE
- ID:CVE-2021-3537, CVE-2021-3517
+- ID:CVE-2021-3517, CVE-2021-3518
 - SUG:NA
 - DESC:fix CVE-2021-3517 and CVE-2021-3518