Bug#1061472: marked as done (bullseye-pu: package tinyxml/2.6.2-4+deb11u2)

To: Jonathan Wiltshire <jmw@coccia.debian.org>
Subject: Bug#1061472: marked as done (bullseye-pu: package tinyxml/2.6.2-4+deb11u2)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 10 Feb 2024 13:07:50 +0000
Message-id: <[🔎] handler.1061472.D1061472.1707570180676630.ackdone@bugs.debian.org>
Reply-to: 1061472@bugs.debian.org
References: <E1rYn0U-002xtB-Pv@coccia.debian.org> <ZbHZDGVANduiCwyM@debian.org>

Your message dated Sat, 10 Feb 2024 13:02:58 +0000
with message-id <E1rYn0U-002xtB-Pv@coccia.debian.org>
and subject line Released with 11.9
has caused the Debian Bug report #1061472,
regarding bullseye-pu: package tinyxml/2.6.2-4+deb11u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1061472: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061472
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bullseye-pu: package tinyxml/2.6.2-4+deb11u2
From: Guilhem Moulin <guilhem@debian.org>
Date: Thu, 25 Jan 2024 04:44:12 +0100
Message-id: <ZbHZDGVANduiCwyM@debian.org>

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: tinyxml@packages.debian.org
Control: affects -1 + src:tinyxml

[ Reason ]

Fix CVE-2023-34194: Reachable assertion (and application exit) via a
crafted XML document with a '\0' located after whitespace.

The issue has been fixed in buster LTS as well as sid (via NMU).  The
security team argued it didn't warrant a DSA, and suggested to go via
s-pu instead.

[ Impact ]

Buster users will regress when upgrading to bullseye.

[ Tests ]

The vulnerability report came with POCs which was checked against.

[ Risks ]

The patch is trivial but tinyxml appears to be abandoned upstream so I
wrote it myself.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

[ Changes ]

Fix CVE-2023-34194: Reachable assertion (and application exit) via a
crafted XML document with a '\0' located after whitespace.

-- 
Guilhem.

diffstat for tinyxml-2.6.2 tinyxml-2.6.2

 changelog                    |    9 +++++++++
 patches/CVE-2023-34194.patch |   27 +++++++++++++++++++++++++++
 patches/series               |    1 +
 3 files changed, 37 insertions(+)

diff -Nru tinyxml-2.6.2/debian/changelog tinyxml-2.6.2/debian/changelog
--- tinyxml-2.6.2/debian/changelog	2022-10-20 16:32:51.000000000 +0200
+++ tinyxml-2.6.2/debian/changelog	2024-01-25 04:12:05.000000000 +0100
@@ -1,3 +1,12 @@
+tinyxml (2.6.2-4+deb11u2) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2023-34194 / CVE-2023-40462: Reachable assertion (and application
+    exit) via a crafted XML document with a '\0' located after whitespace.
+    (Closes: #1059315)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Thu, 25 Jan 2024 04:12:05 +0100
+
 tinyxml (2.6.2-4+deb11u1) bullseye; urgency=medium
 
   * Import fix for CVE-2021-42260.
diff -Nru tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch
--- tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch	1970-01-01 01:00:00.000000000 +0100
+++ tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch	2024-01-25 04:12:05.000000000 +0100
@@ -0,0 +1,27 @@
+From: Guilhem Moulin <guilhem@debian.org>
+Date: Sat, 30 Dec 2023 14:15:54 +0100
+Subject: Avoid reachable assertion via crafted XML document with a '\0'
+ located after whitespace
+
+Bug: https://www.forescout.com/resources/sierra21-vulnerabilities
+Bug-Debian: https://bugs.debian.org/1059315
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-34194
+---
+ tinyxmlparser.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tinyxmlparser.cpp b/tinyxmlparser.cpp
+index 8aa0dfa..1601962 100644
+--- a/tinyxmlparser.cpp
++++ b/tinyxmlparser.cpp
+@@ -1606,6 +1606,10 @@ const char* TiXmlDeclaration::Parse( const char* p, TiXmlParsingData* data, TiXm
+ 		}
+ 
+ 		p = SkipWhiteSpace( p, _encoding );
++		if ( !p || !*p )
++		{
++			break;
++		}
+ 		if ( StringEqual( p, "version", true, _encoding ) )
+ 		{
+ 			TiXmlAttribute attrib;
diff -Nru tinyxml-2.6.2/debian/patches/series tinyxml-2.6.2/debian/patches/series
--- tinyxml-2.6.2/debian/patches/series	2022-10-20 16:32:49.000000000 +0200
+++ tinyxml-2.6.2/debian/patches/series	2024-01-25 04:12:05.000000000 +0100
@@ -1,3 +1,4 @@
 enforce-use-stl.patch
 entity-encoding.patch
 CVE-2021-42260.patch
+CVE-2023-34194.patch

Attachment: signature.asc
Description: PGP signature

--- End Message ---

--- Begin Message ---

To: 1061472-done@bugs.debian.org

Subject: Released with 11.9

From: Jonathan Wiltshire <jmw@coccia.debian.org>

Date: Sat, 10 Feb 2024 13:02:58 +0000

Message-id: <E1rYn0U-002xtB-Pv@coccia.debian.org>
Version: 11.9

The upload requested in this bug has been released as part of 11.9.
--- End Message ---

Reply to:

Prev by Date: Bug#1061471: marked as done (bullseye-pu: package xerces-c/3.2.3+debian-3+deb11u1)
Next by Date: Bug#1061556: marked as done (bullseye-pu: package dropbear/2020.81-3+deb11u1)
Previous by thread: Bug#1061471: marked as done (bullseye-pu: package xerces-c/3.2.3+debian-3+deb11u1)
Next by thread: Bug#1061556: marked as done (bullseye-pu: package dropbear/2020.81-3+deb11u1)
Index(es):
- Date
- Thread