[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#896942: marked as done (jessie-pu: package xerces-c/3.1.1-5.1+deb8u3)

Your message dated Sat, 23 Jun 2018 12:32:13 +0100
with message-id <1529753533.11744.69.camel@adam-barratt.org.uk>
and subject line Closing bugs for requests included in the EoL jessie point release
has caused the Debian Bug report #896942,
regarding jessie-pu: package xerces-c/3.1.1-5.1+deb8u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
896942: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896942
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

I would like to update xerces-c in a future point release.  This update
will fix one issue:

  * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
    Offensive Research discovered that the Xerces-C XML parser mishandles
    certain kinds of external DTD references, resulting in dereference of a
    NULL pointer while processing the path to the DTD. The bug allows for a
    denial of service attack in applications that allow DTD processing and do
    not prevent external DTD usage, and could conceivably result in remote code
    execution.

The CVE was deemed by the security team to not be critical enough for a
DSA, but they suggested that it might be included in a point release.

This issue has been fixed in unstable, and I have attached a debdiff
that reflects the desired changes.

Regards,
Bill


-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru xerces-c-3.1.1/debian/changelog xerces-c-3.1.1/debian/changelog
--- xerces-c-3.1.1/debian/changelog	2016-06-29 10:47:44.000000000 -0400
+++ xerces-c-3.1.1/debian/changelog	2018-04-26 00:28:32.000000000 -0400
@@ -1,3 +1,15 @@
+xerces-c (3.1.1-5.1+deb8u4) jessie; urgency=medium
+
+  * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
+    Offensive Research discovered that the Xerces-C XML parser mishandles
+    certain kinds of external DTD references, resulting in dereference of a
+    NULL pointer while processing the path to the DTD. The bug allows for a
+    denial of service attack in applications that allow DTD processing and do
+    not prevent external DTD usage, and could conceivably result in remote code
+    execution.
+
+ -- William Blough <devel@blough.us>  Thu, 26 Apr 2018 00:28:32 -0400
+
 xerces-c (3.1.1-5.1+deb8u3) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch
--- xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch	1969-12-31 19:00:00.000000000 -0500
+++ xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch	2018-04-26 00:28:32.000000000 -0400
@@ -0,0 +1,26 @@
+From: Markus Koschany <apo@debian.org>
+Date: Thu, 29 Mar 2018 20:58:48 +0200
+Subject: CVE-2017-12627
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1819998
+Upstream-Advisory: https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt
+---
+ src/xercesc/util/PlatformUtils.cpp | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/xercesc/util/PlatformUtils.cpp b/src/xercesc/util/PlatformUtils.cpp
+index eee1dc5..39c71ac 100644
+--- a/src/xercesc/util/PlatformUtils.cpp
++++ b/src/xercesc/util/PlatformUtils.cpp
+@@ -920,7 +920,10 @@ XMLCh* XMLPlatformUtils::weavePaths(const XMLCh* const    basePath
+ 
+     XMLString::subString(tmpBuf, basePath, 0, (basePtr - basePath + 1), manager);
+     tmpBuf[basePtr - basePath + 1] = 0;
+-    XMLString::catString(tmpBuf, relativePath);
++    if (relativePath)
++    {
++        XMLString::catString(tmpBuf, relativePath);
++    }
+ 
+     removeDotSlash(tmpBuf, manager);
+ 
diff -Nru xerces-c-3.1.1/debian/patches/series xerces-c-3.1.1/debian/patches/series
--- xerces-c-3.1.1/debian/patches/series	2016-06-29 10:47:44.000000000 -0400
+++ xerces-c-3.1.1/debian/patches/series	2018-04-26 00:28:32.000000000 -0400
@@ -4,3 +4,4 @@
 CVE-2016-2099.patch
 CVE-2016-4463.patch
 disable-DTD-processing-through-envvariable.patch
+CVE-2017-12627.patch

--- End Message ---
--- Begin Message --- 
Version: 8.11

Hi,

The updates referenced by these bugs were included in today's EoL point
release for jessie (8.11).

Regards,

Adam

--- End Message ---
Reply to: