Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
This proposed update fixes CVE-2018-0499, an incomplete HTML escaping
bug in xapian-core.
I've discussed with the security-team and they proposed fixing this via
the imminent stretch point release.
The Debian bug is https://bugs.debian.org/902886 which has severity
important and is already fixed in unstable by version 1.4.6-1.
The patch was in an upstream release and vulnerability disclosure 4 days
ago and has been in unstable for 3 days now, without any problems
reported to the BTS or to upstream.
A source debdiff of the proposed update xapian-core 1.4.3-2+deb9u1 is
attached. I've already uploaded this (in line with the updated SPU
workflow).
Cheers,
Olly
diff -Nru xapian-core-1.4.3/debian/changelog xapian-core-1.4.3/debian/changelog
--- xapian-core-1.4.3/debian/changelog 2017-04-06 06:48:18.000000000 +1200
+++ xapian-core-1.4.3/debian/changelog 2018-07-06 09:52:48.000000000 +1200
@@ -1,3 +1,10 @@
+xapian-core (1.4.3-2+deb9u1) stretch; urgency=medium
+
+ * Fix MSet::snippet() to escape HTML in all cases (CVE-2018-499).
+ New patch: cve-2018-0499-mset-snippet-escaping.patch (Closes: #902886)
+
+ -- Olly Betts <olly@survex.com> Fri, 06 Jul 2018 09:52:48 +1200
+
xapian-core (1.4.3-2) unstable; urgency=medium
* Fix incorrect results for unweighted AND with certain subqueries (new
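Review bot: the CVE identifier in the new changelog entry is mistyped: `* Fix MSet::snippet() to escape HTML in all cases (CVE-2018-499).` drops the leading zero, whereas the patch file name, its Description header and the bug report all use CVE-2018-0499. The security tracker and the point-release announcement cross-reference the exact string in debian/changelog, so this should read `CVE-2018-0499` before the upload is accepted.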
diff -Nru xapian-core-1.4.3/debian/patches/cve-2018-0499-mset-snippet-escaping.patch xapian-core-1.4.3/debian/patches/cve-2018-0499-mset-snippet-escaping.patch
--- xapian-core-1.4.3/debian/patches/cve-2018-0499-mset-snippet-escaping.patch 1970-01-01 12:00:00.000000000 +1200
+++ xapian-core-1.4.3/debian/patches/cve-2018-0499-mset-snippet-escaping.patch 2018-07-06 09:52:24.000000000 +1200
@@ -0,0 +1,110 @@
+Description: Fix incomplete HTML escaping in MSet::snippet()
+ Characters <, > and & were escaped in some cases, but not all - this patch
+ adds escaping in the missing cases. This issue has been allocated
+ CVE-2018-0499.
+Author: Olly Betts <olly@survex.com>
+Bug-Debian: https://bugs.debian.org/902886
+Origin: upstream
+Last-Update: 2018-07-06
+
+--- a/queryparser/termgenerator_internal.cc
++++ b/queryparser/termgenerator_internal.cc
+@@ -432,6 +432,27 @@ SnipPipe::done()
+ }
+ }
+
++inline void
++append_escaping_xml(const char* p, const char* end, string& output)
++{
++ while (p != end) {
++ char ch = *p++;
++ switch (ch) {
++ case '&':
++ output += "&";
++ break;
++ case '<':
++ output += "<";
++ break;
++ case '>':
++ output += ">";
++ break;
++ default:
++ output += ch;
++ }
++ }
++}
++
+ inline bool
+ SnipPipe::drain(const string & input,
+ const string & hi_start,
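Review bot: as displayed, the three case arms of `append_escaping_xml()` append the very character they match (`output += "&";` for `'&'`, and likewise `"<"` and `">"`), which is indistinguishable from the `default:` arm and would make the helper a no-op, i.e. the vulnerable behaviour. Almost certainly the entity references (`&amp;`, `&lt;`, `&gt;`) were rendered back to bare characters by the list archive rather than being wrong in the patch, but since the whole fix rests on this helper it is worth confirming in the uploaded source that the string literals are the entity references. A one-line comment above the function saying that it escapes only `&`, `<` and `>` (sufficient for element text content, not for attribute values) would also help future readers.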
+@@ -465,7 +486,7 @@ SnipPipe::drain(const string & input,
+
+ if (punc) {
+ // Include end of sentence punctuation.
+- output.append(input.data() + best_end, i.raw());
++ append_escaping_xml(input.data() + best_end, i.raw(), output);
+ } else {
+ // Append "..." or equivalent if this doesn't seem to be the start
+ // of a sentence.
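Review bot: this `punc` branch is one of the two previously unescaped paths, but it is not obvious from the two inputs in the api_snippets.cc hunk that either snippet ends at sentence punctuation adjacent to `<`, `>` or `&`, so this branch may remain unexercised by the new test. Adding a case whose snippet is cut at end-of-sentence punctuation immediately preceded by one of those characters would pin the fix down.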
+@@ -523,8 +544,7 @@ SnipPipe::drain(const string & input,
+ while (i != Utf8Iterator()) {
+ unsigned ch = *i;
+ if (Unicode::is_wordchar(ch)) {
+- const char * p = input.data() + best_begin;
+- output.append(p, i.raw() - p);
++ append_escaping_xml(input.data() + best_begin, i.raw(), output);
+ best_begin = i.raw() - input.data();
+ break;
+ }
+@@ -537,22 +557,9 @@ SnipPipe::drain(const string & input,
+ if (phrase_len) output += hi_start;
+ }
+
+- while (best_begin != word.term_end) {
+- char ch = input[best_begin++];
+- switch (ch) {
+- case '&':
+- output += "&";
+- break;
+- case '<':
+- output += "<";
+- break;
+- case '>':
+- output += ">";
+- break;
+- default:
+- output += ch;
+- }
+- }
++ const char* p = input.data();
++ append_escaping_xml(p + best_begin, p + word.term_end, output);
++ best_begin = word.term_end;
+
+ if (phrase_len && --phrase_len == 0) output += hi_end;
+
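Review bot: no behavioural change in this hunk, it only replaces the existing inline loop with the shared helper; the trailing `best_begin = word.term_end;` re-establishes the state the removed loop left behind, so the net change of the patch is confined to the two earlier sites that previously used `output.append()` unescaped.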
+--- a/tests/api_snippets.cc
++++ b/tests/api_snippets.cc
+@@ -313,3 +313,23 @@ DEFINE_TESTCASE(snippet_empty, backend) {
+
+ return true;
+ }
++
++/// Check snippets escape HTML/XML suitably.
++DEFINE_TESTCASE(snippet_html_escape, backend) {
++ Xapian::Enquire enquire(get_database("apitest_simpledata"));
++ enquire.set_query(Xapian::Query("foo"));
++
++ Xapian::MSet mset = enquire.get_mset(0, 0);
++
++ Xapian::Stem stem;
++
++ const char *input = "#include <foo.h> to use libfoo";
++ TEST_STRINGS_EQUAL(mset.snippet(input, 12, stem),
++ "...<<b>foo</b>.h> to...");
++
++ input = "&foo takes the address of foo";
++ TEST_STRINGS_EQUAL(mset.snippet(input, strlen(input), stem),
++ "&<b>foo</b> takes the address of <b>foo</b>");
++
++ return true;
++}
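Review bot: the expected strings as displayed (`"...<<b>foo</b>.h> to..."` and `"&<b>foo</b> takes ..."`) contain bare `<` and `&`, which would assert the unescaped, i.e. vulnerable, output; like the helper above, this is presumably archive rendering of `&lt;`/`&gt;`/`&amp;`, but please double-check the literals in the uploaded patch, otherwise the test would pass against the old code. Two smaller points: `strlen(input)` needs `<cstring>` to be included in api_snippets.cc, which this hunk does not show, and the cases cover `<`/`>` around the highlighted term and `&` at the start of the snippet, but not an escaped character in the end-of-sentence punctuation path changed in the first termgenerator_internal.cc hunk.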
diff -Nru xapian-core-1.4.3/debian/patches/series xapian-core-1.4.3/debian/patches/series
--- xapian-core-1.4.3/debian/patches/series 2017-04-06 06:48:13.000000000 +1200
+++ xapian-core-1.4.3/debian/patches/series 2018-07-06 09:47:57.000000000 +1200
@@ -1 +1,2 @@
fix-unweighted-and.patch
+cve-2018-0499-mset-snippet-escaping.patch