
Bug#950139: buster-pu: package xmltooling/3.0.4-1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Stable Release Team,

I'm looking for guidance first: I'd like to fix #950135 (libxmltooling8:
Race condition bug in new session cookie feature leads to SP crash) in
buster.  The actual upstream fix touches four lines:

diff --git a/xmltooling/security/impl/DataSealer.cpp b/xmltooling/security/impl/DataSealer.cpp
index c7ec7f9..aef85b7 100644
--- a/xmltooling/security/impl/DataSealer.cpp
+++ b/xmltooling/security/impl/DataSealer.cpp
@@ -156,8 +156,10 @@ string DataSealer::wrap(const char* s, time_t exp) const
 
     safeBuffer ciphertext;
     try {
+        // Keys are not threadsafe, use a clone to encrypt.
+        scoped_ptr<XSECCryptoKey> clonedKey(defaultKey.second->clone());
         scoped_ptr<XENCEncryptionMethod> method(XENCEncryptionMethod::create(env.get(), algorithm));
-        if (!handler->encryptToSafeBuffer(&tx, method.get(), defaultKey.second, dummydoc, ciphertext))
 {
+        if (!handler->encryptToSafeBuffer(&tx, method.get(), clonedKey.get(), dummydoc, ciphertext)) {
             throw XMLSecurityException("Data encryption failed.");
         }
     }
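
Review bot: In wrap(), the added clone() call still reads the shared defaultKey.second from every thread without a lock, so the fix relies on clone() itself being safe to call concurrently on the same XSECCryptoKey. The new comment should state that assumption, because "Keys are not threadsafe" on its own reads as if any access to the shared key were unsafe. The result of clone() is also handed to encryptToSafeBuffer() through clonedKey.get() with no null check; if clone() can return null for any key type, throw XMLSecurityException before the encrypt call. Separately, the removed line is wrapped in this mail (the "{" sits on a line of its own), so the hunk as quoted will not apply; attaching the patch would avoid that.
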
@@ -235,8 +237,10 @@ string DataSealer::unwrap(const char* s) const
     unsigned int len = 0;
     safeBuffer plaintext;
     try {
+        // Keys are not threadsafe, use a clone to decrypt.
+        scoped_ptr<XSECCryptoKey> clonedKey(requiredKey.second->clone());
         scoped_ptr<XENCEncryptionMethod> method(XENCEncryptionMethod::create(env.get(), algorithm));
-        len = handler->decryptToSafeBuffer(&tx, method.get(), requiredKey.second, dummydoc, plaintext)
;
+        len = handler->decryptToSafeBuffer(&tx, method.get(), clonedKey.get(), dummydoc, plaintext);
     }
     catch (const XSECException& ex) {
         auto_ptr_char msg(ex.getMsg());
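
Review bot: In unwrap(), clone() now runs inside the try block, and the only handler visible in this hunk is catch (const XSECException& ex). Please confirm that a failure in requiredKey.second->clone() is reported through that exception type or caught by a later handler, so it ends up on the same error path as a failed decryption instead of propagating out of unwrap(). This is the same clone-then-use pattern as in wrap(); a small shared helper would keep the two call sites and their comments from drifting apart.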

Upstream cut a new release (3.0.5) for this fix specifically, but the
full diff between 3.0.4 and 3.0.5 is much longer due to changes in the
version number in several files, VC project files, generated Autotools
files, RPM spec file and Windows resource file.  Still not huge, and
most of that is entirely irrelevant for Debian.  But in the 3.0.5-1
upload I included some packaging changes (mainly autopkgtest and Salsa
CI, but also a no-effect upgrade to debhelper compat 12).  I guess you'd
rather not review all this in a stable update, right?  Then I'll add a
quilt patch and submit that, as you prefer.
-- 
Thanks,
Feri.

