Bug#780986: marked as done (unblock: xerces-c/3.1.1-5.1)

To: Niels Thykier <niels@thykier.net>
Subject: Bug#780986: marked as done (unblock: xerces-c/3.1.1-5.1)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sun, 22 Mar 2015 21:12:09 +0000
Message-id: <[🔎] handler.780986.D780986.142705857624748.ackdone@bugs.debian.org>
References: <550F2F86.5060903@thykier.net> <[🔎] 20150322202742.16570.82741.reportbug@eldamar.local>

Your message dated Sun, 22 Mar 2015 22:09:26 +0100
with message-id <550F2F86.5060903@thykier.net>
and subject line Re: Bug#780986: unblock: xerces-c/3.1.1-5.1
has caused the Debian Bug report #780986,
regarding unblock: xerces-c/3.1.1-5.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
780986: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780986
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: xerces-c/3.1.1-5.1
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 22 Mar 2015 21:27:42 +0100
Message-id: <[🔎] 20150322202742.16570.82741.reportbug@eldamar.local>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

Please unblock package xerces-c, it fixes CVE-2015-0252, reported as
#780827 in the BTS:

> xerces-c (3.1.1-5.1) unstable; urgency=high
> 
>   * Non-maintainer upload.
>   * Add CVE-2015-0252.patch patch.
>     CVE-2015-0252: Apache Xerces-C XML parser crashes on malformed input.
>     (Closes: #780827)
> 
>  -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 20 Mar 2015 19:40:31 +0100

We have already released as well a DSA for it as 3.1.1-3+deb7u1.

unblock xerces-c/3.1.1-5.1

Regards,
Salvatore

diff -Nru xerces-c-3.1.1/debian/changelog xerces-c-3.1.1/debian/changelog
--- xerces-c-3.1.1/debian/changelog	2014-01-08 21:48:52.000000000 +0100
+++ xerces-c-3.1.1/debian/changelog	2015-03-20 19:43:44.000000000 +0100
@@ -1,3 +1,12 @@
+xerces-c (3.1.1-5.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add CVE-2015-0252.patch patch.
+    CVE-2015-0252: Apache Xerces-C XML parser crashes on malformed input.
+    (Closes: #780827)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 20 Mar 2015 19:40:31 +0100
+
 xerces-c (3.1.1-5) unstable; urgency=medium
 
   * Apply upstream patch for PATH_MAX to enable compilation on GNU hurd.
diff -Nru xerces-c-3.1.1/debian/patches/CVE-2015-0252.patch xerces-c-3.1.1/debian/patches/CVE-2015-0252.patch
--- xerces-c-3.1.1/debian/patches/CVE-2015-0252.patch	1970-01-01 01:00:00.000000000 +0100
+++ xerces-c-3.1.1/debian/patches/CVE-2015-0252.patch	2015-03-20 19:43:44.000000000 +0100
@@ -0,0 +1,66 @@
+Description: CVE-2015-0252: Apache Xerces-C XML Parser Crashes on Malformed Input
+ The Xerces-C XML parser mishandles certain kinds of malformed input
+ documents, resulting in a segmentation fault during a parse operation.
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1667870
+Bug-Debian: https://bugs.debian.org/780827
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2015-03-12
+Applied-Upstream: 3.1.2
+
+--- a/src/xercesc/internal/XMLReader.cpp
++++ b/src/xercesc/internal/XMLReader.cpp
+@@ -1460,6 +1460,17 @@ void XMLReader::doInitDecode()
+ 
+             while (fRawBufIndex < fRawBytesAvail)
+             {
++                // Security fix: make sure there are at least sizeof(UCS4Ch) bytes to consume.
++                if (fRawBufIndex + sizeof(UCS4Ch) > fRawBytesAvail) {
++                    ThrowXMLwithMemMgr1
++                    (
++                        TranscodingException
++                        , XMLExcepts::Reader_CouldNotDecodeFirstLine
++                        , fSystemId
++                        , fMemoryManager
++                    );
++                }
++
+                 // Get out the current 4 byte value and inc our raw buf index
+                 UCS4Ch curVal = *asUCS++;
+                 fRawBufIndex += sizeof(UCS4Ch);
+@@ -1619,6 +1630,17 @@ void XMLReader::doInitDecode()
+ 
+             while (fRawBufIndex < fRawBytesAvail)
+             {
++                // Security fix: make sure there are at least sizeof(UTF16Ch) bytes to consume.
++                if (fRawBufIndex + sizeof(UTF16Ch) > fRawBytesAvail) {
++                    ThrowXMLwithMemMgr1
++                    (
++                        TranscodingException
++                        , XMLExcepts::Reader_CouldNotDecodeFirstLine
++                        , fSystemId
++                        , fMemoryManager
++                    );
++                }
++
+                 // Get out the current 2 byte value
+                 UTF16Ch curVal = *asUTF16++;
+                 fRawBufIndex += sizeof(UTF16Ch);
+@@ -1708,6 +1730,17 @@ void XMLReader::doInitDecode()
+ //
+ void XMLReader::refreshRawBuffer()
+ {
++    // Security fix: make sure we don't underflow on the subtraction.
++    if (fRawBufIndex > fRawBytesAvail) {
++        ThrowXMLwithMemMgr1
++        (
++            RuntimeException
++            , XMLExcepts::Str_StartIndexPastEnd
++            , fSystemId
++            , fMemoryManager
++        );
++    }
++
+     //
+     //  If there are any bytes left, move them down to the start. There
+     //  should only ever be (max bytes per char - 1) at the most.
diff -Nru xerces-c-3.1.1/debian/patches/series xerces-c-3.1.1/debian/patches/series
--- xerces-c-3.1.1/debian/patches/series	2014-01-08 21:48:52.000000000 +0100
+++ xerces-c-3.1.1/debian/patches/series	2015-03-20 19:43:44.000000000 +0100
@@ -1 +1,2 @@
 hurd-path-max.patch
+CVE-2015-0252.patch

--- End Message ---

--- Begin Message ---

To: Salvatore Bonaccorso <carnil@debian.org>, 780986-done@bugs.debian.org

Subject: Re: Bug#780986: unblock: xerces-c/3.1.1-5.1

From: Niels Thykier <niels@thykier.net>

Date: Sun, 22 Mar 2015 22:09:26 +0100

Message-id: <550F2F86.5060903@thykier.net>

In-reply-to: <[🔎] 20150322202742.16570.82741.reportbug@eldamar.local>

References: <[🔎] 20150322202742.16570.82741.reportbug@eldamar.local>
On 2015-03-22 21:27, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hi,
> 
> Please unblock package xerces-c, it fixes CVE-2015-0252, reported as
> #780827 in the BTS:
> 
>> xerces-c (3.1.1-5.1) unstable; urgency=high
>>
>>   * Non-maintainer upload.
>>   * Add CVE-2015-0252.patch patch.
>>     CVE-2015-0252: Apache Xerces-C XML parser crashes on malformed input.
>>     (Closes: #780827)
>>
>>  -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 20 Mar 2015 19:40:31 +0100
> 
> We have already released as well a DSA for it as 3.1.1-3+deb7u1.
> 
> unblock xerces-c/3.1.1-5.1
> 
> Regards,
> Salvatore
> 

Unblocked, thanks.

~Niels
--- End Message ---

Reply to:

References:
- Bug#780986: unblock: xerces-c/3.1.1-5.1
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Removal of docker.io from jessie
Next by Date: NEW changes in stable-new
Previous by thread: Bug#780986: unblock: xerces-c/3.1.1-5.1
Next by thread: Removal of docker.io from jessie
Index(es):
- Date
- Thread