[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#950139: marked as done (buster-pu: package xmltooling/3.0.4-1)

Your message dated Sat, 08 Feb 2020 14:21:36 +0000
with message-id <cf1cb2f35981916a86b98b83609df15c95aa378b.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.3 point release
has caused the Debian Bug report #950139,
regarding buster-pu: package xmltooling/3.0.4-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
950139: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950139
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Stable Release Team,

I'm looking for guidance first: I'd like to fix #950135 (libxmltooling8:
Race condition bug in new session cookie feature leads to SP crash) in
buster.  The actual upstream fix touches four lines:

diff --git a/xmltooling/security/impl/DataSealer.cpp b/xmltooling/security/impl/DataSealer.cpp
index c7ec7f9..aef85b7 100644
--- a/xmltooling/security/impl/DataSealer.cpp
+++ b/xmltooling/security/impl/DataSealer.cpp
@@ -156,8 +156,10 @@ string DataSealer::wrap(const char* s, time_t exp) const
 
     safeBuffer ciphertext;
     try {
+        // Keys are not threadsafe, use a clone to encrypt.
+        scoped_ptr<XSECCryptoKey> clonedKey(defaultKey.second->clone());
         scoped_ptr<XENCEncryptionMethod> method(XENCEncryptionMethod::create(env.get(), algorithm));
-        if (!handler->encryptToSafeBuffer(&tx, method.get(), defaultKey.second, dummydoc, ciphertext))
 {
+        if (!handler->encryptToSafeBuffer(&tx, method.get(), clonedKey.get(), dummydoc, ciphertext)) {
             throw XMLSecurityException("Data encryption failed.");
         }
     }
@@ -235,8 +237,10 @@ string DataSealer::unwrap(const char* s) const
     unsigned int len = 0;
     safeBuffer plaintext;
     try {
+        // Keys are not threadsafe, use a clone to decrypt.
+        scoped_ptr<XSECCryptoKey> clonedKey(requiredKey.second->clone());
         scoped_ptr<XENCEncryptionMethod> method(XENCEncryptionMethod::create(env.get(), algorithm));
-        len = handler->decryptToSafeBuffer(&tx, method.get(), requiredKey.second, dummydoc, plaintext)
;
+        len = handler->decryptToSafeBuffer(&tx, method.get(), clonedKey.get(), dummydoc, plaintext);
     }
     catch (const XSECException& ex) {
         auto_ptr_char msg(ex.getMsg());

Upstream cut a new release (3.0.5) for this fix specifically, but the
full diff between 3.0.4 and 3.0.5 is much longer due to changes in the
version number in several files, VC project files, generated Autotools
files, RPM spec file and Windows resource file.  Still not huge, and
most of that is entirely irrelevant for Debian.  But in the 3.0.5-1
upload I included some packaging changes (mainly autopkgtest and Salsa
CI, but also a no-effect upgrade to debhelper compat 12).  I guess you'd
rather not review all this in a stable update, right?  Then I'll add a
quilt patch and submit that, as you prefer.
-- 
Thanks,
Feri.

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 10.3

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---
Reply to: