
Bug#896942: jessie-pu: package xerces-c/3.1.1-5.1+deb8u3
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

I would like to update xerces-c in a future point release.  This update
will fix one issue:

  * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
    Offensive Research discovered that the Xerces-C XML parser mishandles
    certain kinds of external DTD references, resulting in dereference of a
    NULL pointer while processing the path to the DTD. The bug allows for a
    denial of service attack in applications that allow DTD processing and do
    not prevent external DTD usage, and could conceivably result in remote code
    execution.

The CVE was deemed by the security team to not be critical enough for a
DSA, but they suggested that it might be included in a point release.

This issue has been fixed in unstable, and I have attached a debdiff
that reflects the desired changes.

Regards,
Bill


-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru xerces-c-3.1.1/debian/changelog xerces-c-3.1.1/debian/changelog
--- xerces-c-3.1.1/debian/changelog	2016-06-29 10:47:44.000000000 -0400
+++ xerces-c-3.1.1/debian/changelog	2018-04-26 00:28:32.000000000 -0400
@@ -1,3 +1,15 @@
+xerces-c (3.1.1-5.1+deb8u4) jessie; urgency=medium
+
+  * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
+    Offensive Research discovered that the Xerces-C XML parser mishandles
+    certain kinds of external DTD references, resulting in dereference of a
+    NULL pointer while processing the path to the DTD. The bug allows for a
+    denial of service attack in applications that allow DTD processing and do
+    not prevent external DTD usage, and could conceivably result in remote code
+    execution.
+
+ -- William Blough <devel@blough.us>  Thu, 26 Apr 2018 00:28:32 -0400
+
 xerces-c (3.1.1-5.1+deb8u3) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
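Review bot: the new 3.1.1-5.1+deb8u4 changelog entry carries no bug reference, so the BTS will not be updated when this is accepted; if a Debian bug exists for CVE-2017-12627 in jessie, append `(Closes: #NNNNNN)` (placeholder, number not in this report) to the bullet. It would also help a later reader to name the upstream fix in the entry (the patch header below cites svn revision 1819998) rather than only the CVE, since the text is otherwise an exact copy of the report description.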
diff -Nru xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch
--- xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch	1969-12-31 19:00:00.000000000 -0500
+++ xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch	2018-04-26 00:28:32.000000000 -0400
@@ -0,0 +1,26 @@
+From: Markus Koschany <apo@debian.org>
+Date: Thu, 29 Mar 2018 20:58:48 +0200
+Subject: CVE-2017-12627
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1819998
+Upstream-Advisory: https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt
+---
+ src/xercesc/util/PlatformUtils.cpp | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/xercesc/util/PlatformUtils.cpp b/src/xercesc/util/PlatformUtils.cpp
+index eee1dc5..39c71ac 100644
+--- a/src/xercesc/util/PlatformUtils.cpp
++++ b/src/xercesc/util/PlatformUtils.cpp
+@@ -920,7 +920,10 @@ XMLCh* XMLPlatformUtils::weavePaths(const XMLCh* const    basePath
+ 
+     XMLString::subString(tmpBuf, basePath, 0, (basePtr - basePath + 1), manager);
+     tmpBuf[basePtr - basePath + 1] = 0;
+-    XMLString::catString(tmpBuf, relativePath);
++    if (relativePath)
++    {
++        XMLString::catString(tmpBuf, relativePath);
++    }
+ 
+     removeDotSlash(tmpBuf, manager);
+ 
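Review bot: the guard only skips `XMLString::catString(tmpBuf, relativePath)` when `relativePath` is NULL, so `weavePaths` now silently returns the directory portion of `basePath` (after `removeDotSlash`) as the resolved DTD location instead of crashing; confirm against the Origin revision that returning a base-only path, rather than reporting an error to the caller, is the intended upstream behaviour, because nothing in this patch or its header explains why a NULL relative path is acceptable here. The DEP-3 header is also missing a `Description:`/`Bug:` line and an `Applied-Upstream:` marker, which would tell whoever rebases the package later that this hunk can be dropped once a fixed upstream release is imported.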
diff -Nru xerces-c-3.1.1/debian/patches/series xerces-c-3.1.1/debian/patches/series
--- xerces-c-3.1.1/debian/patches/series	2016-06-29 10:47:44.000000000 -0400
+++ xerces-c-3.1.1/debian/patches/series	2018-04-26 00:28:32.000000000 -0400
@@ -4,3 +4,4 @@
 CVE-2016-2099.patch
 CVE-2016-4463.patch
 disable-DTD-processing-through-envvariable.patch
+CVE-2017-12627.patch