diff -pruN 1.2-4/debian/changelog 1.2-4ubuntu1/debian/changelog
--- 1.2-4/debian/changelog	2017-08-10 12:06:20.000000000 +0000
+++ 1.2-4ubuntu1/debian/changelog	2022-07-15 13:32:03.000000000 +0000
@@ -1,3 +1,24 @@
+libxmltok (1.2-4ubuntu1) kinetic; urgency=medium
+
+  * SECURITY UPDATE: Incomplete validation of encoding
+    - debian/patches/CVE-2022-25235-1.patch: remove the unused macro
+      UTF8_GET_NAMING from xmltok/xmltok.c.
+    - debian/patches/CVE-2022-25235-2.patch: add verification calls to
+      IS_INVALID_CHAR() in CHECK_NAME_CASE, CHECK_NMSTRT_CASE and
+      prologTok methods.
+    - debian/patches/CVE-2022-25235-3.patch: add comments to BT_LEAD
+      cases in xmltok/xmltok_impl.c.
+    - CVE-2022-25235
+  * SECURITY UPDATE: Namespace-separator insertions
+    - debian/patches/CVE-2022-25236-1.patch: add a validation for
+      nameSpaceSeparator in addBinding() in xmlparse/xmlparse.c.
+    - debian/patches/CVE-2022-25236-2.patch: add a new method
+      is_rfc3986_uri_char() to the previous validation in addBinding()
+      in xmlparse/xmlparse.c.
+    - CVE-2022-25236
+
+ -- Rodrigo Figueiredo Zaiden <rodrigo.zaiden@canonical.com>  Fri, 15 Jul 2022 10:32:03 -0300
+
 libxmltok (1.2-4) unstable; urgency=medium
 
   * Team upload.
diff -pruN 1.2-4/debian/control 1.2-4ubuntu1/debian/control
--- 1.2-4/debian/control	2017-08-10 12:02:58.000000000 +0000
+++ 1.2-4ubuntu1/debian/control	2022-07-15 13:32:03.000000000 +0000
@@ -1,7 +1,8 @@
 Source: libxmltok
 Section: libs
 Priority: optional
-Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
 Uploaders: Ardo van Rangelrooij <ardo@debian.org>
 Homepage: http://www.jclark.com/xml/expat.html
 Standards-Version: 4.0.1
diff -pruN 1.2-4/debian/patches/CVE-2022-25235-1.patch 1.2-4ubuntu1/debian/patches/CVE-2022-25235-1.patch
--- 1.2-4/debian/patches/CVE-2022-25235-1.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1.2-4ubuntu1/debian/patches/CVE-2022-25235-1.patch	2022-07-15 13:32:03.000000000 +0000
@@ -0,0 +1,30 @@
+[Ubuntu note: Backport of the following patch from upstream, with a change
+in the file path from expat/lib/xmltok.c to xmltok/xmltok.c, and in the
+code style of the code changed, to match the current code baseline.
+-- Rodrigo Figueiredo Zaiden]
+
+From ee2a5b50e7d1940ba8745715b62ceb9efd3a96da Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Tue, 8 Feb 2022 17:37:14 +0100
+Subject: [PATCH 1/5] lib: Drop unused macro UTF8_GET_NAMING
+
+---
+ expat/lib/xmltok.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- libxmltok-1.2.orig/xmltok/xmltok.c
++++ libxmltok-1.2/xmltok/xmltok.c
+@@ -54,13 +54,6 @@ We need 8 bits to index into pages, 3 bi
+                       + ((((byte)[2]) >> 5) & 1)] \
+          & (1 << (((byte)[2]) & 0x1F)))
+ 
+-#define UTF8_GET_NAMING(pages, p, n) \
+-  ((n) == 2 \
+-  ? UTF8_GET_NAMING2(pages, (const unsigned char *)(p)) \
+-  : ((n) == 3 \
+-     ? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) \
+-     : 0))
+-
+ #define UTF8_INVALID3(p) \
+   ((*p) == 0xED \
+   ? (((p)[1] & 0x20) != 0) \
diff -pruN 1.2-4/debian/patches/CVE-2022-25235-2.patch 1.2-4ubuntu1/debian/patches/CVE-2022-25235-2.patch
--- 1.2-4/debian/patches/CVE-2022-25235-2.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1.2-4ubuntu1/debian/patches/CVE-2022-25235-2.patch	2022-07-15 13:32:03.000000000 +0000
@@ -0,0 +1,45 @@
+[Ubuntu note: Backport of the following patch from upstream, with a change
+in the file path from expat/lib/xmltok_impl.c to xmltok/xmltok_impl.c, and
+in the code style of the code changed, to match the current code baseline.
+-- Rodrigo Figueiredo Zaiden]
+
+From 3f0a0cb644438d4d8e3294cd0b1245d0edb0c6c6 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Tue, 8 Feb 2022 04:32:20 +0100
+Subject: [PATCH 2/5] lib: Add missing validation of encoding (CVE-2022-25235)
+
+---
+ expat/lib/xmltok_impl.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- libxmltok-1.2.orig/xmltok/xmltok_impl.c
++++ libxmltok-1.2/xmltok/xmltok_impl.c
+@@ -32,7 +32,7 @@ See the file copying.txt for copying per
+    case BT_LEAD ## n: \
+      if (end - ptr < n) \
+        return XML_TOK_PARTIAL_CHAR; \
+-     if (!IS_NAME_CHAR(enc, ptr, n)) { \
++     if (IS_INVALID_CHAR(enc, ptr, n) || !IS_NAME_CHAR(enc, ptr, n)) { \
+        *nextTokPtr = ptr; \
+        return XML_TOK_INVALID; \
+      } \
+@@ -60,7 +60,7 @@ See the file copying.txt for copying per
+    case BT_LEAD ## n: \
+      if (end - ptr < n) \
+        return XML_TOK_PARTIAL_CHAR; \
+-     if (!IS_NMSTRT_CHAR(enc, ptr, n)) { \
++     if (IS_INVALID_CHAR(enc, ptr, n) || !IS_NMSTRT_CHAR(enc, ptr, n)) { \
+        *nextTokPtr = ptr; \
+        return XML_TOK_INVALID; \
+      } \
+@@ -1090,6 +1090,10 @@ int PREFIX(prologTok)(const ENCODING *en
+   case BT_LEAD ## n: \
+     if (end - ptr < n) \
+       return XML_TOK_PARTIAL_CHAR; \
++    if (IS_INVALID_CHAR(enc, ptr, n)) { \
++      *nextTokPtr = ptr; \
++      return XML_TOK_INVALID; \
++    } \
+     if (IS_NMSTRT_CHAR(enc, ptr, n)) { \
+       ptr += n; \
+       tok = XML_TOK_NAME; \
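Review bot: The new `IS_INVALID_CHAR(enc, ptr, n)` guards at L101, L110 and L118 are only as strong as the `isInvalid2/3/4` callbacks that macro resolves to in this 1.2 baseline, and upstream's fix was written against a tree where every encoding vtable populates those slots; before shipping, confirm that each encoding table in xmltok/xmltok.c (UTF-8, Latin-1, ASCII, both UTF-16 byte orders and the unknown-encoding path) supplies non-NULL `isInvalidN` entries, since a BT_LEAD byte in a name would otherwise reach a null function pointer instead of returning XML_TOK_INVALID. Upstream's series also carried a regression-test commit that this backport omits (the changelog lists only patches 1-3 of 5); if the package has no harness, a one-off check that a start tag containing a malformed multi-byte sequence at a name-character position tokenizes to XML_TOK_INVALID would pin the behaviour. The CHECK_NAME_CASE/CHECK_NMSTRT_CASE macros and prologTok all continue outside the hunk.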
diff -pruN 1.2-4/debian/patches/CVE-2022-25235-3.patch 1.2-4ubuntu1/debian/patches/CVE-2022-25235-3.patch
--- 1.2-4/debian/patches/CVE-2022-25235-3.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1.2-4ubuntu1/debian/patches/CVE-2022-25235-3.patch	2022-07-15 13:32:03.000000000 +0000
@@ -0,0 +1,62 @@
+[Ubuntu note: Backport of the following patch from upstream, with a change
+in the file path from expat/lib/xmltok_impl.c to xmltok/xmltok_impl.c, and
+in the code style of the code changed, to match the current code baseline.
+-- Rodrigo Figueiredo Zaiden]
+
+From c85a3025e7a1be086dc34e7559fbc543914d047f Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 9 Feb 2022 01:00:38 +0100
+Subject: [PATCH 3/5] lib: Add comments to BT_LEAD* cases where encoding has
+ already been validated
+
+---
+ expat/lib/xmltok_impl.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- libxmltok-1.2.orig/xmltok/xmltok_impl.c
++++ libxmltok-1.2/xmltok/xmltok_impl.c
+@@ -1207,7 +1207,7 @@ int PREFIX(attributeValueTok)(const ENCO
+   while (ptr != end) {
+     switch (BYTE_TYPE(enc, ptr)) {
+ #define LEAD_CASE(n) \
+-    case BT_LEAD ## n: ptr += n; break;
++    case BT_LEAD ## n: ptr += n; break; /* NOTE: The encoding has already been validated. */
+     LEAD_CASE(2) LEAD_CASE(3) LEAD_CASE(4)
+ #undef LEAD_CASE
+     case BT_AMP:
+@@ -1265,7 +1265,7 @@ int PREFIX(entityValueTok)(const ENCODIN
+   while (ptr != end) {
+     switch (BYTE_TYPE(enc, ptr)) {
+ #define LEAD_CASE(n) \
+-    case BT_LEAD ## n: ptr += n; break;
++    case BT_LEAD ## n: ptr += n; break; /* NOTE: The encoding has already been validated. */
+     LEAD_CASE(2) LEAD_CASE(3) LEAD_CASE(4)
+ #undef LEAD_CASE
+     case BT_AMP:
+@@ -1440,7 +1440,7 @@ int PREFIX(getAtts)(const ENCODING *enc,
+ 	state = inName; \
+       }
+ #define LEAD_CASE(n) \
+-    case BT_LEAD ## n: START_NAME ptr += (n - MINBPC(enc)); break;
++    case BT_LEAD ## n: START_NAME ptr += (n - MINBPC(enc)); break; /* NOTE: The encoding has already been validated. */
+     LEAD_CASE(2) LEAD_CASE(3) LEAD_CASE(4)
+ #undef LEAD_CASE
+     case BT_NONASCII:
+@@ -1690,7 +1690,7 @@ int PREFIX(nameLength)(const ENCODING *e
+   for (;;) {
+     switch (BYTE_TYPE(enc, ptr)) {
+ #define LEAD_CASE(n) \
+-    case BT_LEAD ## n: ptr += n; break;
++    case BT_LEAD ## n: ptr += n; break; /* NOTE: The encoding has already been validated. */
+     LEAD_CASE(2) LEAD_CASE(3) LEAD_CASE(4)
+ #undef LEAD_CASE
+     case BT_NONASCII:
+@@ -1736,7 +1736,7 @@ void PREFIX(updatePosition)(const ENCODI
+     switch (BYTE_TYPE(enc, ptr)) {
+ #define LEAD_CASE(n) \
+     case BT_LEAD ## n: \
+-      ptr += n; \
++      ptr += n; /* NOTE: The encoding has already been validated. */ \
+       break;
+     LEAD_CASE(2) LEAD_CASE(3) LEAD_CASE(4)
+ #undef LEAD_CASE
diff -pruN 1.2-4/debian/patches/CVE-2022-25236-1.patch 1.2-4ubuntu1/debian/patches/CVE-2022-25236-1.patch
--- 1.2-4/debian/patches/CVE-2022-25236-1.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1.2-4ubuntu1/debian/patches/CVE-2022-25236-1.patch	2022-07-15 13:32:03.000000000 +0000
@@ -0,0 +1,39 @@
+[Ubuntu note: Backport of the following patch from upstream, with a change
+in the file path from expat/lib/xmlparse.c to xmlparse/xmlparse.c, and in
+the code style/variables of the code changed, to match the current code
+baseline.
+-- Rodrigo Figueiredo Zaiden]
+
+From a2fe525e660badd64b6c557c2b1ec26ddc07f6e4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 12 Feb 2022 01:09:29 +0100
+Subject: [PATCH 2/4] lib: Protect against malicious namespace declarations
+ (CVE-2022-25236)
+
+---
+ expat/lib/xmlparse.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- libxmltok-1.2.orig/xmlparse/xmlparse.c
++++ libxmltok-1.2/xmlparse/xmlparse.c
+@@ -1830,8 +1830,18 @@ int addBinding(XML_Parser parser, PREFIX
+ {
+   BINDING *b;
+   int len;
+-  for (len = 0; uri[len]; len++)
+-    ;
++  for (len = 0; uri[len]; len++) {
++    // NOTE: While Expat does not validate namespace URIs against RFC 3986,
++    //       we have to at least make sure that the XML processor on top of
++    //       Expat (that is splitting tag names by namespace separator into
++    //       2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
++    //       by an attacker putting additional namespace separator characters
++    //       into namespace declarations.  That would be ambiguous and not to
++    //       be expected.
++    if (ns && (uri[len] == namespaceSeparator)) {
++      return XML_ERROR_SYNTAX;
++    }
++  }
+   if (namespaceSeparator)
+     len++;
+   if (freeBindingList) {
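Review bot: `return XML_ERROR_SYNTAX;` at L228 is returned from a function still declared `int addBinding(...)` (L213-L214), whereas the upstream commit being backported targets a version where addBinding returns `enum XML_Error`; if this 1.2 baseline keeps the older convention in which callers test `if (!addBinding(...)) return XML_ERROR_NO_MEMORY;`, a non-zero XML_ERROR_SYNTAX reads as success, the binding is silently never installed and the document is not rejected, which defeats the fix. The call sites are outside the hunk, so this needs checking there; the robust fix is to change the return type to `enum XML_Error`, return `XML_ERROR_NONE` on the success path and `XML_ERROR_NO_MEMORY` on the existing allocation-failure paths, and have each caller propagate a non-zero result (`enum XML_Error r = addBinding(...); if (r) return r;`). The rest of addBinding's body, including those return paths, runs past the end of the hunk.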
diff -pruN 1.2-4/debian/patches/CVE-2022-25236-2.patch 1.2-4ubuntu1/debian/patches/CVE-2022-25236-2.patch
--- 1.2-4/debian/patches/CVE-2022-25236-2.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1.2-4ubuntu1/debian/patches/CVE-2022-25236-2.patch	2022-07-15 13:32:03.000000000 +0000
@@ -0,0 +1,171 @@
+[Ubuntu note: Backport of the following patch from upstream, with a change
+in the file path from expat/lib/xmlparse.c to xmlparse/xmlparse.c, and in
+the code style/variables of the code changed, to match the current code
+baseline.
+-- Rodrigo Figueiredo Zaiden]
+
+From 2ba6c76fca21397959145e18c5ef376201209020 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 27 Feb 2022 16:58:08 +0100
+Subject: [PATCH] lib: Relax fix to CVE-2022-25236 with regard to RFC 3986 URI
+ characters
+
+---
+ expat/lib/xmlparse.c | 139 ++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 131 insertions(+), 8 deletions(-)
+
+--- libxmltok-1.2.orig/xmlparse/xmlparse.c
++++ libxmltok-1.2/xmlparse/xmlparse.c
+@@ -1826,20 +1826,143 @@ static enum XML_Error storeAtts(XML_Pars
+ }
+ 
+ static
++int is_rfc3986_uri_char(XML_Char candidate) {
++  // For the RFC 3986 ANBF grammar see
++  // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A
++
++  switch (candidate) {
++  // From rule "ALPHA" (uppercase half)
++  case 'A':
++  case 'B':
++  case 'C':
++  case 'D':
++  case 'E':
++  case 'F':
++  case 'G':
++  case 'H':
++  case 'I':
++  case 'J':
++  case 'K':
++  case 'L':
++  case 'M':
++  case 'N':
++  case 'O':
++  case 'P':
++  case 'Q':
++  case 'R':
++  case 'S':
++  case 'T':
++  case 'U':
++  case 'V':
++  case 'W':
++  case 'X':
++  case 'Y':
++  case 'Z':
++
++  // From rule "ALPHA" (lowercase half)
++  case 'a':
++  case 'b':
++  case 'c':
++  case 'd':
++  case 'e':
++  case 'f':
++  case 'g':
++  case 'h':
++  case 'i':
++  case 'j':
++  case 'k':
++  case 'l':
++  case 'm':
++  case 'n':
++  case 'o':
++  case 'p':
++  case 'q':
++  case 'r':
++  case 's':
++  case 't':
++  case 'u':
++  case 'v':
++  case 'w':
++  case 'x':
++  case 'y':
++  case 'z':
++
++  // From rule "DIGIT"
++  case '0':
++  case '1':
++  case '2':
++  case '3':
++  case '4':
++  case '5':
++  case '6':
++  case '7':
++  case '8':
++  case '9':
++
++  // From rule "pct-encoded"
++  case '%':
++
++  // From rule "unreserved"
++  case '-':
++  case '.':
++  case '_':
++  case '~':
++
++  // From rule "gen-delims"
++  case ':':
++  case '/':
++  case '?':
++  case '#':
++  case '[':
++  case ']':
++  case '@':
++
++  // From rule "sub-delims"
++  case '!':
++  case '$':
++  case '&':
++  case '\'':
++  case '(':
++  case ')':
++  case '*':
++  case '+':
++  case ',':
++  case ';':
++  case '=':
++    return 1;
++
++  default:
++    return 0;
++  }
++}
++
++static
+ int addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, const XML_Char *uri, BINDING **bindingsPtr)
+ {
+   BINDING *b;
+   int len;
+   for (len = 0; uri[len]; len++) {
+-    // NOTE: While Expat does not validate namespace URIs against RFC 3986,
+-    //       we have to at least make sure that the XML processor on top of
+-    //       Expat (that is splitting tag names by namespace separator into
+-    //       2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
+-    //       by an attacker putting additional namespace separator characters
+-    //       into namespace declarations.  That would be ambiguous and not to
+-    //       be expected.
+-    if (ns && (uri[len] == namespaceSeparator)) {
+-      return XML_ERROR_SYNTAX;
++    // NOTE: While Expat does not validate namespace URIs against RFC 3986
++    //       today (and is not REQUIRED to do so with regard to the XML 1.0
++    //       namespaces specification) we have to at least make sure, that
++    //       the application on top of Expat (that is likely splitting expanded
++    //       element names ("qualified names") of form
++    //       "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces
++    //       in its element handler code) cannot be confused by an attacker
++    //       putting additional namespace separator characters into namespace
++    //       declarations.  That would be ambiguous and not to be expected.
++    //
++    //       While the HTML API docs of function XML_ParserCreateNS have been
++    //       advising against use of a namespace separator character that can
++    //       appear in a URI for >20 years now, some widespread applications
++    //       are using URI characters (':' (colon) in particular) for a
++    //       namespace separator, in practice.  To keep these applications
++    //       functional, we only reject namespaces URIs containing the
++    //       application-chosen namespace separator if the chosen separator
++    //       is a non-URI character with regard to RFC 3986.
++    if (ns && (uri[len] == namespaceSeparator)
++        && ! is_rfc3986_uri_char(uri[len])) {
++       return XML_ERROR_SYNTAX;
+     }
+   }
+   if (namespaceSeparator)
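Review bot: The relaxation at L403-L404 makes the CVE-2022-25236 check a no-op for any application that chose a URI-legal separator, ':' in particular, as the comment at L397-L402 itself acknowledges, yet neither the Ubuntu note at L238-L242 nor the changelog entry says so, so a consumer reading "SECURITY UPDATE: Namespace-separator insertions" may assume they are covered when they are not. I'd extend the Ubuntu note with: `Note: following upstream, a separator that is itself an RFC 3986 URI character (e.g. ':') is still accepted inside namespace URIs; applications using such a separator remain responsible for their own disambiguation.` Separately, the rejection is still delivered as `return XML_ERROR_SYNTAX;` (L405) from an `int`-returning addBinding (L371); confirm the callers in this baseline treat a non-zero return as an error and not as the legacy success value. addBinding's body continues past the hunk.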
diff -pruN 1.2-4/debian/patches/series 1.2-4ubuntu1/debian/patches/series
--- 1.2-4/debian/patches/series	2017-08-10 11:53:42.000000000 +0000
+++ 1.2-4ubuntu1/debian/patches/series	2022-07-15 13:32:03.000000000 +0000
@@ -1 +1,6 @@
 debian-changes.patch
+CVE-2022-25235-1.patch
+CVE-2022-25235-2.patch
+CVE-2022-25235-3.patch
+CVE-2022-25236-1.patch
+CVE-2022-25236-2.patch
