
Bug#924577: marked as done (unblock: xmltooling/3.0.4-1)



Your message dated Thu, 14 Mar 2019 16:07:59 +0000
with message-id <E1h4Stj-0005mN-5j@respighi.debian.org>
and subject line unblock xmltooling
has caused the Debian Bug report #924577,
regarding unblock: xmltooling/3.0.4-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
924577: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924577
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package xmltooling

Dear Release Team,

The #924346 security issue was fixed in stretch a couple of days ago by
backporting the fix from the new upstream security release: 3.0.4.
Beyond the unauthenticated remote DoS patch, this new upstream release
consists of two other bugfixes: an interoperability issue with the
Expect header (https://issues.shibboleth.net/jira/browse/CPPXT-144) and
an incorrect C++ code usage pattern invoking undefined behavior via
boost::bind (https://issues.shibboleth.net/jira/browse/SSPCPP-847).
I think buster would be better with these included, so I ask for your
permission to upload 3.0.4-1 to unstable with a future unblock.
Urgency is set to high below because of the security issue, but I'm not
sure about that, please advise.  If this isn't acceptable at all, I'll
cherry pick the security fix, upload 3.0.3-2 and open an unblock request
for that.

Thanks,
Feri.

diff -Nru xmltooling-3.0.3/configure xmltooling-3.0.4/configure
--- xmltooling-3.0.3/configure	2018-10-12 20:28:11.000000000 +0200
+++ xmltooling-3.0.4/configure	2019-03-08 15:45:41.000000000 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for xmltooling 3.0.3.
+# Generated by GNU Autoconf 2.69 for xmltooling 3.0.4.
 #
 # Report bugs to <https://issues.shibboleth.net/>.
 #
@@ -590,8 +590,8 @@
 # Identity of this package.
 PACKAGE_NAME='xmltooling'
 PACKAGE_TARNAME='xmltooling'
-PACKAGE_VERSION='3.0.3'
-PACKAGE_STRING='xmltooling 3.0.3'
+PACKAGE_VERSION='3.0.4'
+PACKAGE_STRING='xmltooling 3.0.4'
 PACKAGE_BUGREPORT='https://issues.shibboleth.net/'
 PACKAGE_URL=''
 
@@ -1449,7 +1449,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures xmltooling 3.0.3 to adapt to many kinds of systems.
+\`configure' configures xmltooling 3.0.4 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1519,7 +1519,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of xmltooling 3.0.3:";;
+     short | recursive ) echo "Configuration of xmltooling 3.0.4:";;
    esac
   cat <<\_ACEOF
 
@@ -1687,7 +1687,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-xmltooling configure 3.0.3
+xmltooling configure 3.0.4
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2422,7 +2422,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by xmltooling $as_me 3.0.3, which was
+It was created by xmltooling $as_me 3.0.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3287,7 +3287,7 @@
 
 # Define the identity of the package.
  PACKAGE='xmltooling'
- VERSION='3.0.3'
+ VERSION='3.0.4'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -21853,7 +21853,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by xmltooling $as_me 3.0.3, which was
+This file was extended by xmltooling $as_me 3.0.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -21919,7 +21919,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-xmltooling config.status 3.0.3
+xmltooling config.status 3.0.4
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru xmltooling-3.0.3/configure.ac xmltooling-3.0.4/configure.ac
--- xmltooling-3.0.3/configure.ac	2018-10-12 20:23:43.000000000 +0200
+++ xmltooling-3.0.4/configure.ac	2019-03-08 15:44:44.000000000 +0100
@@ -1,6 +1,6 @@
 # Process this file with autoreconf
 AC_PREREQ([2.50])
-AC_INIT([xmltooling],[3.0.3],[https://issues.shibboleth.net/],[xmltooling])
+AC_INIT([xmltooling],[3.0.4],[https://issues.shibboleth.net/],[xmltooling])
 AC_CONFIG_SRCDIR(xmltooling)
 AC_CONFIG_AUX_DIR(build-aux)
 AC_CONFIG_MACRO_DIR(m4)
diff -Nru xmltooling-3.0.3/config_win32.h xmltooling-3.0.4/config_win32.h
--- xmltooling-3.0.3/config_win32.h	2018-10-11 22:32:28.000000000 +0200
+++ xmltooling-3.0.4/config_win32.h	2019-03-08 15:44:44.000000000 +0100
@@ -106,13 +106,13 @@
 #define PACKAGE_NAME "xmltooling"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "xmltooling 3.0.3"
+#define PACKAGE_STRING "xmltooling 3.0.4"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "xmltooling"
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "3.0.3"
+#define PACKAGE_VERSION "3.0.4"
 
 /* Define to the necessary symbol if this constant uses a non-standard name on
    your system. */
@@ -125,7 +125,7 @@
 /* #undef TM_IN_SYS_TIME */
 
 /* Version number of package */
-#define VERSION "3.0.3"
+#define VERSION "3.0.4"
 
 /* Define if you wish to disable XML-Security-dependent features. */
 /* #undef XMLTOOLING_NO_XMLSEC */
diff -Nru xmltooling-3.0.3/debian/changelog xmltooling-3.0.4/debian/changelog
--- xmltooling-3.0.3/debian/changelog	2018-12-24 10:51:09.000000000 +0100
+++ xmltooling-3.0.4/debian/changelog	2019-03-14 14:58:36.000000000 +0100
@@ -1,3 +1,22 @@
+xmltooling (3.0.4-1) unstable; urgency=high
+
+  * [f185b26] New upstream security release: 3.0.4
+    DSA-4407-1, CVE-2019-9628: uncaught exception on malformed XML
+    declaration.
+    Invalid data in the XML declaration causes an exception of a type
+    that was not handled properly in the parser class and propagates an
+    unexpected exception type.
+    This generally manifests as a crash in the calling code, which in the
+    Service Provider software's case is usually the shibd daemon process,
+    but can be Apache in some cases. Note that the crash occurs prior to
+    evaluation of a message's authenticity, so can be exploited by an
+    untrusted attacker.
+    https://shibboleth.net/community/advisories/secadv_20190311.txt
+    https://issues.shibboleth.net/jira/browse/CPPXT-143
+    Thanks to Scott Cantor (Closes: #924346)
+
+ -- Ferenc Wágner <wferi@debian.org>  Thu, 14 Mar 2019 14:58:36 +0100
+
 xmltooling (3.0.3-1) unstable; urgency=medium
 
   [ Ferenc Wágner ]
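Review bot: the changelog entry records only the CVE-2019-9628 fix, but this upload also carries the two non-security upstream changes named in the request (the `Expect:` header suppression for CPPXT-144 and the boost::bind replacement for SSPCPP-847, both visible further down in this diff); for a freeze-exception review those belong in the entry too, as a second bullet under the 3.0.4 item, so the release team can see everything that changes without reading the code diff.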
diff -Nru xmltooling-3.0.3/xmltooling/Makefile.am xmltooling-3.0.4/xmltooling/Makefile.am
--- xmltooling-3.0.3/xmltooling/Makefile.am	2018-11-09 16:42:30.000000000 +0100
+++ xmltooling-3.0.4/xmltooling/Makefile.am	2019-03-08 15:44:44.000000000 +0100
@@ -229,7 +229,7 @@
 	$(PTHREAD_LIBS) \
 	$(dlopen_LIBS)
 
-AM_LDFLAGS = -version-info 8:3:0
+AM_LDFLAGS = -version-info 8:4:0
 
 libxmltooling_lite_la_SOURCES = \
 	${common_sources}
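Review bot: `-version-info 8:3:0` to `8:4:0` bumps only the libtool revision, so the SONAME (current 8, age 0) is unchanged and no binary package rename or transition is needed; that is consistent with a release that only adds catch clauses and a request header. The identical hunk in Makefile.in is generated output and should come from regenerating with automake rather than a hand edit.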
diff -Nru xmltooling-3.0.3/xmltooling/Makefile.in xmltooling-3.0.4/xmltooling/Makefile.in
--- xmltooling-3.0.3/xmltooling/Makefile.in	2018-11-09 16:42:35.000000000 +0100
+++ xmltooling-3.0.4/xmltooling/Makefile.in	2019-03-08 15:45:41.000000000 +0100
@@ -913,7 +913,7 @@
 	$(PTHREAD_LIBS) \
 	$(dlopen_LIBS)
 
-AM_LDFLAGS = -version-info 8:3:0
+AM_LDFLAGS = -version-info 8:4:0
 libxmltooling_lite_la_SOURCES = \
 	${common_sources}
 
diff -Nru xmltooling-3.0.3/xmltooling/soap/impl/CURLSOAPTransport.cpp xmltooling-3.0.4/xmltooling/soap/impl/CURLSOAPTransport.cpp
--- xmltooling-3.0.3/xmltooling/soap/impl/CURLSOAPTransport.cpp	2018-10-12 19:33:58.000000000 +0200
+++ xmltooling-3.0.4/xmltooling/soap/impl/CURLSOAPTransport.cpp	2019-03-08 15:44:44.000000000 +0100
@@ -90,7 +90,8 @@
             curl_easy_setopt(m_handle,CURLOPT_USERPWD,0);
             curl_easy_setopt(m_handle,CURLOPT_SSL_VERIFYHOST,2);
             curl_easy_setopt(m_handle,CURLOPT_HEADERDATA,this);
-            m_headers=curl_slist_append(m_headers,"Content-Type: text/xml");
+            m_headers = curl_slist_append(m_headers, "Content-Type: text/xml");
+            m_headers = curl_slist_append(m_headers, "Expect:");
         }
 
         virtual ~CURLSOAPTransport() {
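Review bot: the return value of `curl_slist_append` is unchecked on both appends; it returns NULL on allocation failure, and assigning that straight back to `m_headers` drops the pointer to the list already built (the Content-Type entry), which then leaks. The pre-existing line had the same problem, but since it is being rewritten for whitespace anyway, a null check that throws would cost one line. Appending an empty `Expect:` is the libcurl idiom for suppressing its automatic `Expect: 100-continue` on larger POST bodies, which is the CPPXT-144 interoperability fix the request mentions.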
diff -Nru xmltooling-3.0.3/xmltooling/util/CurlURLInputStream.cpp xmltooling-3.0.4/xmltooling/util/CurlURLInputStream.cpp
--- xmltooling-3.0.3/xmltooling/util/CurlURLInputStream.cpp	2018-07-10 03:00:14.000000000 +0200
+++ xmltooling-3.0.4/xmltooling/util/CurlURLInputStream.cpp	2019-03-08 15:44:44.000000000 +0100
@@ -305,6 +305,8 @@
         " libcurl/" + LIBCURL_VERSION + ' ' + OPENSSL_VERSION_TEXT;
     fHeaders = curl_slist_append(fHeaders, ua.c_str());
 
+    fHeaders = curl_slist_append(fHeaders, "Expect:");
+
     // Add User-Agent and cache headers.
     curl_easy_setopt(fEasy, CURLOPT_HTTPHEADER, fHeaders);
 
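Review bot: the comment `// Add User-Agent and cache headers.` now sits below the new `Expect:` append and no longer describes what precedes it; either move the new line above the User-Agent append or amend the comment to say that `Expect` is being suppressed as well. Same unchecked `curl_slist_append` return as in CURLSOAPTransport.cpp, with `fHeaders` overwritten by NULL on failure.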
diff -Nru xmltooling-3.0.3/xmltooling/util/ParserPool.cpp xmltooling-3.0.4/xmltooling/util/ParserPool.cpp
--- xmltooling-3.0.3/xmltooling/util/ParserPool.cpp	2018-07-10 03:00:14.000000000 +0200
+++ xmltooling-3.0.4/xmltooling/util/ParserPool.cpp	2019-03-08 15:44:44.000000000 +0100
@@ -148,14 +148,28 @@
         checkinBuilder(janitor.release());
         return doc;
     }
-    catch (XMLException& ex) {
+    catch (const DOMException& ex) {
+        parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, (void*)nullptr);
+        parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, true);
+        checkinBuilder(janitor.release());
+        auto_ptr_char temp(ex.getMessage());
+        throw XMLParserException(string("DOM error during parsing: ") + (temp.get() ? temp.get() : "no message"));
+    }
+    catch (const SAXException& ex) {
+        parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, (void*)nullptr);
+        parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, true);
+        checkinBuilder(janitor.release());
+        auto_ptr_char temp(ex.getMessage());
+        throw XMLParserException(string("SAX error during parsing: ") + (temp.get() ? temp.get() : "no message"));
+    }
+    catch (const XMLException& ex) {
         parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, (void*)nullptr);
         parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, true);
         checkinBuilder(janitor.release());
         auto_ptr_char temp(ex.getMessage());
         throw XMLParserException(string("Xerces error during parsing: ") + (temp.get() ? temp.get() : "no message"));
     }
-    catch (XMLToolingException&) {
+    catch (const XMLToolingException&) {
         parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, (void*)nullptr);
         parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, true);
         checkinBuilder(janitor.release());
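Review bot: the same four cleanup lines (reset the error handler, set fgXercesUserAdoptsDOMDocument, check the builder back in, convert the message) are now copied into four catch blocks; a small helper, or a scope guard that performs the three parser-pool steps on any exit, would remove the duplication and, more importantly, guarantee the builder is returned for exception types nobody has listed yet. The fix works because Xerces-C's DOMException and SAXException are not derived from XMLException, so the old single `catch (XMLException&)` let them escape with the builder still checked out; a final `catch (...)` that runs the same cleanup and rethrows would close that class of bug rather than this instance. The added `const` on the catch clauses is a welcome cleanup.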
@@ -220,8 +234,11 @@
     trim(temp);
     vector<string> catpaths;
     split(catpaths, temp, is_any_of(PATH_SEPARATOR_STR), algorithm::token_compress_on);
-    static bool (ParserPool::* lc)(const char*) = &ParserPool::loadCatalog;
-    for_each(catpaths.begin(), catpaths.end(), boost::bind(lc, this, boost::bind(&string::c_str, _1)));
+
+    for (vector<string>::const_iterator i = catpaths.begin(); i != catpaths.end(); ++i) {
+        loadCatalog(i->c_str());
+    }
+
     return !catpaths.empty();
 }
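Review bot: the removed `static bool (ParserPool::* lc)` line shows that `loadCatalog` returns a bool, and both the old boost::bind form and the new loop discard it while the function returns `!catpaths.empty()`, so a catalog path that fails to load is indistinguishable from one that loaded; consider `bool ok = true;` and `ok = loadCatalog(i->c_str()) && ok;` in the loop, returning `ok && !catpaths.empty()`, or at least logging the path that failed. The explicit loop is clearer than binding a member-function pointer through two nested `boost::bind` calls and is the SSPCPP-847 undefined-behaviour fix the request refers to.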
 
diff -Nru xmltooling-3.0.3/xmltooling/version.h xmltooling-3.0.4/xmltooling/version.h
--- xmltooling-3.0.3/xmltooling/version.h	2018-10-11 22:31:05.000000000 +0200
+++ xmltooling-3.0.4/xmltooling/version.h	2019-03-08 15:44:44.000000000 +0100
@@ -44,7 +44,7 @@
 
 #define XMLTOOLING_VERSION_MAJOR 3
 #define XMLTOOLING_VERSION_MINOR 0
-#define XMLTOOLING_VERSION_REVISION 3
+#define XMLTOOLING_VERSION_REVISION 4
 
 /** DO NOT MODIFY BELOW THIS LINE */
 
diff -Nru xmltooling-3.0.3/xmltooling/xmltooling.rc xmltooling-3.0.4/xmltooling/xmltooling.rc
--- xmltooling-3.0.3/xmltooling/xmltooling.rc	2018-10-11 22:31:36.000000000 +0200
+++ xmltooling-3.0.4/xmltooling/xmltooling.rc	2019-03-08 15:44:44.000000000 +0100
@@ -28,8 +28,8 @@
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 3,0,3,0
- PRODUCTVERSION 3,0,0,0
+ FILEVERSION 3,0,4,0
+ PRODUCTVERSION 3,0,1,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -51,7 +51,7 @@
 #else
             VALUE "FileDescription", "OpenSAML XMLTooling Library\0"
 #endif
-            VALUE "FileVersion", "3, 0, 3, 0\0"
+            VALUE "FileVersion", "3, 0, 4, 0\0"
 #ifdef XMLTOOLING_LITE
 #ifdef _DEBUG
             VALUE "InternalName", "xmltooling-lite3_0D\0"
@@ -65,7 +65,7 @@
             VALUE "InternalName", "xmltooling3_0\0"
 #endif
 #endif
-            VALUE "LegalCopyright", "Copyright � 2018 UCAID\0"
+            VALUE "LegalCopyright", "Copyright 2019 UCAID\0"
             VALUE "LegalTrademarks", "\0"
 #ifdef XMLTOOLING_LITE
 #ifdef _DEBUG
@@ -81,8 +81,8 @@
 #endif
 #endif
             VALUE "PrivateBuild", "\0"
-            VALUE "ProductName", "OpenSAML 3.0.0\0"
-            VALUE "ProductVersion", "3, 0, 0, 0\0"
+            VALUE "ProductName", "OpenSAML 3.0.1\0"
+            VALUE "ProductVersion", "3, 0, 1, 0\0"
             VALUE "SpecialBuild", "\0"
         END
     END

unblock xmltooling/3.0.4-1

--- End Message ---
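The failure the 3.0.4 changelog describes, as an added illustration that is not part of this message, of xmltooling or of Xerces-C: the three exception structs are stand-ins that share only the property the bug hinges on (Xerces-C's DOM and SAX exception classes are not derived from XMLException), and FakeBuilder, FakeParserPool, parse_3_0_3, parse_3_0_4 and run_once are hypothetical models of ParserPool's builder checkout/checkin with the 3.0.3-style catch clause beside the 3.0.4-style one. The inputs are constructed; nothing here parses real XML.

```cpp
// Added illustration; not xmltooling or Xerces-C code. The exception structs
// are stand-ins with one relevant property: DOMException and SAXException are
// unrelated to XMLException, so a catch on XMLException alone misses them.
#include <cstddef>
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

struct XMLException { std::string msg; };   // stand-in, not Xerces-C's class
struct DOMException { std::string msg; };   // stand-in, not Xerces-C's class
struct SAXException { std::string msg; };   // stand-in, not Xerces-C's class

// The one exception type callers of the parser are written to expect.
struct XMLParserException : std::runtime_error {
    explicit XMLParserException(const std::string& m) : std::runtime_error(m) {}
};

// Hypothetical builder: maps a few constructed inputs to exception classes.
struct FakeBuilder {
    void parse(const std::string& doc) const {
        if (doc.compare(0, 5, "<?xml") == 0 && doc.find("?>") == std::string::npos)
            throw DOMException{"unterminated XML declaration"};  // CVE-2019-9628 shape
        if (doc.find("<bad") != std::string::npos)
            throw SAXException{"fatal error in element"};
        if (doc.empty())
            throw XMLException{"empty input"};
    }
};

// Hypothetical pool: a builder never checked back in is gone for good, which
// is what a leaked builder costs a long-running daemon such as shibd.
class FakeParserPool {
public:
    explicit FakeParserPool(std::size_t n) {
        for (std::size_t i = 0; i < n; ++i) pool_.emplace_back(new FakeBuilder);
    }
    std::unique_ptr<FakeBuilder> checkout() {
        if (pool_.empty()) throw XMLParserException("parser pool exhausted");
        std::unique_ptr<FakeBuilder> b = std::move(pool_.back());
        pool_.pop_back();
        return b;
    }
    void checkin(std::unique_ptr<FakeBuilder> b) { pool_.push_back(std::move(b)); }
    std::size_t available() const { return pool_.size(); }
private:
    std::vector<std::unique_ptr<FakeBuilder>> pool_;
};

// 3.0.3 shape: only XMLException is handled. A DOMException escapes with the
// builder still checked out and reaches a caller that expects only
// XMLParserException; with no handler for it, a daemon ends in terminate().
void parse_3_0_3(FakeParserPool& pool, const std::string& doc) {
    std::unique_ptr<FakeBuilder> janitor = pool.checkout();
    try {
        janitor->parse(doc);
        pool.checkin(std::move(janitor));
    }
    catch (const XMLException& ex) {
        pool.checkin(std::move(janitor));
        throw XMLParserException("Xerces error during parsing: " + ex.msg);
    }
}

// 3.0.4 shape: each unrelated exception root has its own clause, the builder
// always goes back to the pool, and the caller only sees XMLParserException.
void parse_3_0_4(FakeParserPool& pool, const std::string& doc) {
    std::unique_ptr<FakeBuilder> janitor = pool.checkout();
    try {
        janitor->parse(doc);
        pool.checkin(std::move(janitor));
    }
    catch (const DOMException& ex) {
        pool.checkin(std::move(janitor));
        throw XMLParserException("DOM error during parsing: " + ex.msg);
    }
    catch (const SAXException& ex) {
        pool.checkin(std::move(janitor));
        throw XMLParserException("SAX error during parsing: " + ex.msg);
    }
    catch (const XMLException& ex) {
        pool.checkin(std::move(janitor));
        throw XMLParserException("Xerces error during parsing: " + ex.msg);
    }
}

typedef void (*ParseFn)(FakeParserPool&, const std::string&);

// Run one wrapper against a fresh two-builder pool and report what the caller
// saw plus how many builders survived, e.g. "ok/2", "XMLParserException/2",
// "escaped:DOMException/1". The escaped cases are caught here only so the
// outcome can be returned; real 3.0.3 callers had no such handler.
std::string run_once(ParseFn fn, const std::string& doc) {
    FakeParserPool pool(2);
    std::string seen;
    try { fn(pool, doc); seen = "ok"; }
    catch (const XMLParserException&) { seen = "XMLParserException"; }
    catch (const DOMException&) { seen = "escaped:DOMException"; }
    catch (const SAXException&) { seen = "escaped:SAXException"; }
    catch (const XMLException&) { seen = "escaped:XMLException"; }
    return seen + "/" + std::to_string(pool.available());
}
```

Calling run_once(parse_3_0_3, "<?xml version=\"1.0\" ") reports the exception escaping and one builder lost from the pool, while run_once(parse_3_0_4, ...) on the same constructed input reports XMLParserException with both builders back in the pool; the point of the pool size is that the damage in a pooled-parser design is not just one crash but, in any build that survived the escape, a builder that never returns.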
--- Begin Message ---
Unblocked.

--- End Message ---
