
Bug#780986: unblock: xerces-c/3.1.1-5.1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

Please unblock package xerces-c, it fixes CVE-2015-0252, reported as
#780827 in the BTS:

> xerces-c (3.1.1-5.1) unstable; urgency=high
> 
>   * Non-maintainer upload.
>   * Add CVE-2015-0252.patch patch.
>     CVE-2015-0252: Apache Xerces-C XML parser crashes on malformed input.
>     (Closes: #780827)
> 
>  -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 20 Mar 2015 19:40:31 +0100

We have also already released a DSA for it, as 3.1.1-3+deb7u1.

unblock xerces-c/3.1.1-5.1

Regards,
Salvatore
diff -Nru xerces-c-3.1.1/debian/changelog xerces-c-3.1.1/debian/changelog
--- xerces-c-3.1.1/debian/changelog	2014-01-08 21:48:52.000000000 +0100
+++ xerces-c-3.1.1/debian/changelog	2015-03-20 19:43:44.000000000 +0100
@@ -1,3 +1,12 @@
+xerces-c (3.1.1-5.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add CVE-2015-0252.patch patch.
+    CVE-2015-0252: Apache Xerces-C XML parser crashes on malformed input.
+    (Closes: #780827)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 20 Mar 2015 19:40:31 +0100
+
 xerces-c (3.1.1-5) unstable; urgency=medium
 
   * Apply upstream patch for PATH_MAX to enable compilation on GNU hurd.
diff -Nru xerces-c-3.1.1/debian/patches/CVE-2015-0252.patch xerces-c-3.1.1/debian/patches/CVE-2015-0252.patch
--- xerces-c-3.1.1/debian/patches/CVE-2015-0252.patch	1970-01-01 01:00:00.000000000 +0100
+++ xerces-c-3.1.1/debian/patches/CVE-2015-0252.patch	2015-03-20 19:43:44.000000000 +0100
@@ -0,0 +1,66 @@
+Description: CVE-2015-0252: Apache Xerces-C XML Parser Crashes on Malformed Input
+ The Xerces-C XML parser mishandles certain kinds of malformed input
+ documents, resulting in a segmentation fault during a parse operation.
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1667870
+Bug-Debian: https://bugs.debian.org/780827
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2015-03-12
+Applied-Upstream: 3.1.2
+
+--- a/src/xercesc/internal/XMLReader.cpp
++++ b/src/xercesc/internal/XMLReader.cpp
+@@ -1460,6 +1460,17 @@ void XMLReader::doInitDecode()
+ 
+             while (fRawBufIndex < fRawBytesAvail)
+             {
++                // Security fix: make sure there are at least sizeof(UCS4Ch) bytes to consume.
++                if (fRawBufIndex + sizeof(UCS4Ch) > fRawBytesAvail) {
++                    ThrowXMLwithMemMgr1
++                    (
++                        TranscodingException
++                        , XMLExcepts::Reader_CouldNotDecodeFirstLine
++                        , fSystemId
++                        , fMemoryManager
++                    );
++                }
++
+                 // Get out the current 4 byte value and inc our raw buf index
+                 UCS4Ch curVal = *asUCS++;
+                 fRawBufIndex += sizeof(UCS4Ch);
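Review bot: in the new UCS-4 guard, `fRawBufIndex + sizeof(UCS4Ch) > fRawBytesAvail` does its arithmetic on the index side. The enclosing `while (fRawBufIndex < fRawBytesAvail)` already guarantees the index is below the available count, so `fRawBytesAvail - fRawBufIndex < sizeof(UCS4Ch)` expresses the same test without an addition that could wrap if these members are unsigned size types. Their declarations are not visible in this hunk, so this is a robustness suggestion rather than a defect in the check.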
+@@ -1619,6 +1630,17 @@ void XMLReader::doInitDecode()
+ 
+             while (fRawBufIndex < fRawBytesAvail)
+             {
++                // Security fix: make sure there are at least sizeof(UTF16Ch) bytes to consume.
++                if (fRawBufIndex + sizeof(UTF16Ch) > fRawBytesAvail) {
++                    ThrowXMLwithMemMgr1
++                    (
++                        TranscodingException
++                        , XMLExcepts::Reader_CouldNotDecodeFirstLine
++                        , fSystemId
++                        , fMemoryManager
++                    );
++                }
++
+                 // Get out the current 2 byte value
+                 UTF16Ch curVal = *asUTF16++;
+                 fRawBufIndex += sizeof(UTF16Ch);
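Review bot: the UTF-16 guard repeats the throw block from the UCS-4 branch line for line, differing only in the `sizeof` operand. A small private helper that takes the code unit size and throws `Reader_CouldNotDecodeFirstLine` would keep the two branches from drifting apart if one of them is changed later.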
+@@ -1708,6 +1730,17 @@ void XMLReader::doInitDecode()
+ //
+ void XMLReader::refreshRawBuffer()
+ {
++    // Security fix: make sure we don't underflow on the subtraction.
++    if (fRawBufIndex > fRawBytesAvail) {
++        ThrowXMLwithMemMgr1
++        (
++            RuntimeException
++            , XMLExcepts::Str_StartIndexPastEnd
++            , fSystemId
++            , fMemoryManager
++        );
++    }
++
+     //
+     //  If there are any bytes left, move them down to the start. There
+     //  should only ever be (max bytes per char - 1) at the most.
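Review bot: the comment on the new check in `refreshRawBuffer()` refers to "the subtraction", but no subtraction appears in this hunk, so a reader of the patched function has to look further down to find it. Naming the expression being protected and stating the expected invariant (`fRawBufIndex <= fRawBytesAvail` on entry) would make the guard self-explanatory. Note also that `fRawBufIndex > fRawBytesAvail` can only be true once something has already advanced the index past the available bytes, so this check reports the condition after the fact. For the two decode loops it is the per-read guards added in `doInitDecode()` that prevent it.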
diff -Nru xerces-c-3.1.1/debian/patches/series xerces-c-3.1.1/debian/patches/series
--- xerces-c-3.1.1/debian/patches/series	2014-01-08 21:48:52.000000000 +0100
+++ xerces-c-3.1.1/debian/patches/series	2015-03-20 19:43:44.000000000 +0100
@@ -1 +1,2 @@
 hurd-path-max.patch
+CVE-2015-0252.patch
