!58 fix CVE-2021-3541

From: @angela7 Reviewed-by: @openeuler-basic Signed-off-by: @openeuler-basic
2021-06-04 10:26:31 +08:00 · 2021-06-04 10:26:31 +08:00 · fd5f98f48e
commit fd5f98f48e
parent 528f67c714 a66e512517
2 changed files with 76 additions and 2 deletions
--- a/CVE-2021-3541.patch
+++ b/CVE-2021-3541.patch
@ -0,0 +1,67 @@
 From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
 From: Daniel Veillard <veillard@redhat.com>
 Date: Thu, 13 May 2021 14:55:12 +0200
 Subject: [PATCH] Patch for security issue CVE-2021-3541
 This is relapted to parameter entities expansion and following
 the line of the billion laugh attack. Somehow in that path the
 counting of parameters was missed and the normal algorithm based
 on entities "density" was useless.
 ---
 parser.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 diff --git a/parser.c b/parser.c
 index f5e5e169..c9312fa4 100644
 --- a/parser.c
 +++ b/parser.c
@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
                      xmlEntityPtr ent, size_t replacement)
 {
     size_t consumed = 0;
 +    int i;
     if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
         return (0);
@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
 	    rep = NULL;
 	}
     }
 +
 +    /*
 +     * Prevent entity exponential check, not just replacement while
 +     * parsing the DTD
 +     * The check is potentially costly so do that only once in a thousand
 +     */
 +    if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
 +        (ctxt->nbentities % 1024 == 0)) {
 +	for (i = 0;i < ctxt->inputNr;i++) {
 +	    consumed += ctxt->inputTab[i]->consumed +
 +	               (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
 +	}
 +	if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
 +	    xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
 +	    ctxt->instate = XML_PARSER_EOF;
 +	    return (1);
 +	}
 +	consumed = 0;
 +    }
 +
 +
 +
     if (replacement != 0) {
 	if (replacement < XML_MAX_TEXT_LENGTH)
 	    return(0);
@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
             xmlChar start[4];
             xmlCharEncoding enc;
 +	    if (xmlParserEntityCheck(ctxt, 0, entity, 0))
 +	        return;
 +
 	    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
 	        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
 		((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
 -- 
 GitLab
--- a/libxml2.spec
+++ b/libxml2.spec
@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.10
-Release: 14
+Release: 15
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@ -83,6 +83,7 @@ Patch71: Fix-quadratic-behavior-when-looking-up-xml-attribute.patch
 Patch72: Fix-use-after-free-with-xmllint-html-push.patch
 Patch73: Fix-xmlGetNodePath-with-invalid-node-types.patch
 Patch74: Stop-checking-attributes-for-UTF-8-validity.patch
 Patch75: CVE-2021-3541.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python3-devel
@ -243,6 +244,12 @@ rm -fr %{buildroot}
 %changelog
 * Wed Jun 2 2021 guoxiaoqi <guoxiaoqi2@huawei.com> - 2.9.10-15
 - Type:CVE
 - ID:CVE-2021-3541
 - SUG:NA
 - DESC:fix CVE-2021-3541
 * Sat May 29 2021 zoulin <zoulin13@huawei.com> - 2.9.10-14
 - Type:bugfix
 - ID:NA
@ -262,7 +269,7 @@ rm -fr %{buildroot}
 * Fri May 28 2021 guoxiaoqi <guoxiaoqi2@huawei.com> - 2.9.10-13
 - Type:CVE
- ID:CVE-2021-3537, CVE-2021-3517
+- ID:CVE-2021-3517, CVE-2021-3518
 - SUG:NA
 - DESC:fix CVE-2021-3517 and CVE-2021-3518