
Re: freeze exception for xerces-c2 to fix security bug

Adeodato Simó <dato@net.com.org.es> wrote:

> * Jay Berkenbilt [Thu, 16 Oct 2008 14:47:37 -0400]:
>
>> I plan to upload a fix to RC security bug 502102 against xerces-c2 on
>> Sunday or earlier.  It will be xerces-c2 version 2.8.0-4.  This is
>> just a heads-up....
>
> Ok. (Hopefully the fix is not very invasive?)

The changes turn out to be very invasive.  I'm recommending to the
security team that we not attempt to backport them.  The upstream
change, made between the 2.8.0 and 3.0.0 releases, changes 29 source
and header files, a Makefile.am, and 20 other files.  It introduces
incompatible API changes (explicitly allowed between 2.x and 3.x).
I'm not sure how one would be able to backport this change while
keeping the API stable, let alone not introducing forbidden ABI
changes.  It is a big, non-localized change that I would feel
uncomfortable trying to backport in spite of my extensive C and C++
experience.  Even upstream took four iterations to fully implement a
proper fix.  To cause a denial of service attack with this problem,
you'd have to force someone to parse a file against a schema with
particular characteristics.  In my judgment, it's not worth trying to
address this problem.  We'll see what the security team thinks.

In other words, you can consider this withdrawal of my request for an
upcoming freeze exception.  I will contact the release team again if
the situation changes, but otherwise, you can disregard my previous
message.

If we do decide not to address this problem, what should I do about
the RC bug in the BTS?  My inclination would be to post my analysis (a
more thorough version of which I sent to the security team), mark it
as "wontfix" and then close it.

--Jay