Bug#896940: stretch-pu: package xerces-c/3.1.4+debian-2
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
I would like to update xerces-c in a future point release. This update
will fix two issues:
* Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
Offensive Research discovered that the Xerces-C XML parser mishandles
certain kinds of external DTD references, resulting in dereference of a
NULL pointer while processing the path to the DTD. The bug allows for a
denial of service attack in applications that allow DTD processing and do
not prevent external DTD usage, and could conceivably result in remote code
execution.
* Fix a regression that forced gcc to use SSE2, even on platforms that do not
support it (e.g., i386). This caused program crashes due to invalid CPU
instructions.
The CVE was deemed by the security team to not be critical enough for a
DSA, but they suggested that it might be included in a point release.
Both of these issues have been fixed in unstable, and I have attached a
debdiff that reflects the desired changes.
Regards,
Bill
-- System Information:
Debian Release: 9.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru xerces-c-3.1.4+debian/debian/changelog xerces-c-3.1.4+debian/debian/changelog
--- xerces-c-3.1.4+debian/debian/changelog 2016-12-16 06:52:57.000000000 -0500
+++ xerces-c-3.1.4+debian/debian/changelog 2018-04-26 00:35:59.000000000 -0400
@@ -1,3 +1,18 @@
+xerces-c (3.1.4+debian-2+deb9u1) stretch; urgency=medium
+
+ * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
+ Offensive Research discovered that the Xerces-C XML parser mishandles
+ certain kinds of external DTD references, resulting in dereference of a
+ NULL pointer while processing the path to the DTD. The bug allows for a
+ denial of service attack in applications that allow DTD processing and do
+ not prevent external DTD usage, and could conceivably result in remote code
+ execution.
+ * Fix a regression that forced gcc to use SSE2, even on platforms that do not
+ support it (e.g., i386). This caused program crashes due to invalid CPU
+ instructions.
+
+ -- William Blough <devel@blough.us> Thu, 26 Apr 2018 00:35:59 -0400
+
xerces-c (3.1.4+debian-2) unstable; urgency=medium
* Fix AC_LANG_SOURCE warnings.
diff -Nru xerces-c-3.1.4+debian/debian/patches/CVE-2017-12627.patch xerces-c-3.1.4+debian/debian/patches/CVE-2017-12627.patch
--- xerces-c-3.1.4+debian/debian/patches/CVE-2017-12627.patch 1969-12-31 19:00:00.000000000 -0500
+++ xerces-c-3.1.4+debian/debian/patches/CVE-2017-12627.patch 2018-04-26 00:35:59.000000000 -0400
@@ -0,0 +1,26 @@
+From: Markus Koschany <apo@debian.org>
+Date: Thu, 29 Mar 2018 20:58:48 +0200
+Subject: CVE-2017-12627
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1819998
+Upstream-Advisory: https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt
+---
+ src/xercesc/util/PlatformUtils.cpp | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/xercesc/util/PlatformUtils.cpp b/src/xercesc/util/PlatformUtils.cpp
+index eee1dc5..39c71ac 100644
+--- a/src/xercesc/util/PlatformUtils.cpp
++++ b/src/xercesc/util/PlatformUtils.cpp
+@@ -920,7 +920,10 @@ XMLCh* XMLPlatformUtils::weavePaths(const XMLCh* const basePath
+
+ XMLString::subString(tmpBuf, basePath, 0, (basePtr - basePath + 1), manager);
+ tmpBuf[basePtr - basePath + 1] = 0;
+- XMLString::catString(tmpBuf, relativePath);
++ if (relativePath)
++ {
++ XMLString::catString(tmpBuf, relativePath);
++ }
+
+ removeDotSlash(tmpBuf, manager);
+
diff -Nru xerces-c-3.1.4+debian/debian/patches/series xerces-c-3.1.4+debian/debian/patches/series
--- xerces-c-3.1.4+debian/debian/patches/series 2016-12-16 06:52:57.000000000 -0500
+++ xerces-c-3.1.4+debian/debian/patches/series 2018-04-26 00:35:59.000000000 -0400
@@ -1,3 +1,4 @@
psviwriter_strrchr_fix
fix_fprintf_warnings.diff
fix_ac_lang_source_warnings
+CVE-2017-12627.patch
diff -Nru xerces-c-3.1.4+debian/debian/rules xerces-c-3.1.4+debian/debian/rules
--- xerces-c-3.1.4+debian/debian/rules 2016-12-16 06:52:57.000000000 -0500
+++ xerces-c-3.1.4+debian/debian/rules 2018-04-26 00:35:59.000000000 -0400
@@ -15,7 +15,10 @@
dh $@ --with autoreconf
override_dh_auto_configure:
- dh_auto_configure -- --disable-pretty-make --enable-netaccessor-curl
+ dh_auto_configure -- --disable-pretty-make --enable-netaccessor-curl --disable-sse2
+ # Note: This disables explicit passing of -msse2 to gcc. It does not
+ # actually disable sse2 extensions for platforms such as x86_64
+ # (amd64) which enable sse2 extensions by default.
override_dh_compress:
dh_compress -plibxerces-c-dev -Xexamples
Reply to: