Your message dated Sat, 08 Feb 2020 14:21:36 +0000 with message-id <cf1cb2f35981916a86b98b83609df15c95aa378b.camel@adam-barratt.org.uk> and subject line "Closing requests included in 10.3 point release" has caused the Debian Bug report #950139, regarding buster-pu: package xmltooling/3.0.4-1, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
950139: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950139
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package xmltooling/3.0.4-1
- From: Ferenc Wágner <wferi@debian.org>
- Date: Wed, 29 Jan 2020 12:24:36 +0100
- Message-id: <158029707684.20362.1079704718904604253.reportbug@lant.ki.iif.hu>
Package: release.debian.org Severity: normal Tags: buster User: release.debian.org@packages.debian.org Usertags: pu Dear Stable Release Team, I'm looking for guidance first: I'd like to fix #950135 (libxmltooling8: Race condition bug in new session cookie feature leads to SP crash) in buster. The actual upstream fix touches four lines: diff --git a/xmltooling/security/impl/DataSealer.cpp b/xmltooling/security/impl/DataSealer.cpp index c7ec7f9..aef85b7 100644 --- a/xmltooling/security/impl/DataSealer.cpp +++ b/xmltooling/security/impl/DataSealer.cpp @@ -156,8 +156,10 @@ string DataSealer::wrap(const char* s, time_t exp) const safeBuffer ciphertext; try { + // Keys are not threadsafe, use a clone to encrypt. + scoped_ptr<XSECCryptoKey> clonedKey(defaultKey.second->clone()); scoped_ptr<XENCEncryptionMethod> method(XENCEncryptionMethod::create(env.get(), algorithm)); - if (!handler->encryptToSafeBuffer(&tx, method.get(), defaultKey.second, dummydoc, ciphertext)) { + if (!handler->encryptToSafeBuffer(&tx, method.get(), clonedKey.get(), dummydoc, ciphertext)) { throw XMLSecurityException("Data encryption failed."); } } 
@@ -235,8 +237,10 @@ string DataSealer::unwrap(const char* s) const unsigned int len = 0; safeBuffer plaintext; try { + // Keys are not threadsafe, use a clone to decrypt. + scoped_ptr<XSECCryptoKey> clonedKey(requiredKey.second->clone()); scoped_ptr<XENCEncryptionMethod> method(XENCEncryptionMethod::create(env.get(), algorithm)); - len = handler->decryptToSafeBuffer(&tx, method.get(), requiredKey.second, dummydoc, plaintext) ; + len = handler->decryptToSafeBuffer(&tx, method.get(), clonedKey.get(), dummydoc, plaintext); } catch (const XSECException& ex) { auto_ptr_char msg(ex.getMsg()); Upstream cut a new release (3.0.5) for this fix specifically, but the full diff between 3.0.4 and 3.0.5 is much longer due to changes in the version number in several files, VC project files, generated Autotools files, RPM spec file and Windows resource file. Still not huge, and most of that is entirely irrelevant for Debian. But in the 3.0.5-1 upload I included some packaging changes (mainly autopkgtest and Salsa CI, but also a no-effect upgrade to debhelper compat 12). I guess you'd rather not review all this in a stable update, right? Then I'll add a quilt patch and submit that, as you prefer. -- Thanks, Feri.
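Review bot: in the wrap() hunk nothing checks that defaultKey.second->clone() returned a non-null key before clonedKey.get() is handed to encryptToSafeBuffer; the existing `throw XMLSecurityException("Data encryption failed.");` only fires when encryptToSafeBuffer returns false, so a null clone would be dereferenced inside the handler instead of being reported. Consider adding `if (!clonedKey.get()) throw XMLSecurityException("Key clone failed.");` directly after the `scoped_ptr<XSECCryptoKey> clonedKey(...)` line. Taking the clone inside the try block is the right placement, since anything clone() itself throws reaches the existing handler. The added comment could also say which state in the shared key object is not thread-safe, which is the justification a stable-update reviewer will want for allocating a fresh key on every call.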
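Review bot: the unwrap() hunk has the same gap as wrap(): requiredKey.second->clone() is not checked for a null result before clonedKey.get() goes into decryptToSafeBuffer, and the following `catch (const XSECException& ex)` only covers exceptions, not a null key, so the same null check belongs after the clone here too. The replaced call line also quietly fixes the stray space in `plaintext) ;`; harmless, but when this lands as a quilt patch for buster it is worth noting in the patch header that the whitespace change is cosmetic and the two clone lines per function are the whole fix.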
--- End Message ---
--- Begin Message ---
- To: 939036-done@bugs.debian.org, 939802-done@bugs.debian.org, 940647-done@bugs.debian.org, 941365-done@bugs.debian.org, 941713-done@bugs.debian.org, 942575-done@bugs.debian.org, 944294-done@bugs.debian.org, 944348-done@bugs.debian.org, 944856-done@bugs.debian.org, 944865-done@bugs.debian.org, 945518-done@bugs.debian.org, 945845-done@bugs.debian.org, 945896-done@bugs.debian.org, 945925-done@bugs.debian.org, 945965-done@bugs.debian.org, 946032-done@bugs.debian.org, 946033-done@bugs.debian.org, 946083-done@bugs.debian.org, 946175-done@bugs.debian.org, 946184-done@bugs.debian.org, 946402-done@bugs.debian.org, 946557-done@bugs.debian.org, 946559-done@bugs.debian.org, 946651-done@bugs.debian.org, 946705-done@bugs.debian.org, 946819-done@bugs.debian.org, 946822-done@bugs.debian.org, 946831-done@bugs.debian.org, 946841-done@bugs.debian.org, 946864-done@bugs.debian.org, 946901-done@bugs.debian.org, 946960-done@bugs.debian.org, 947038-done@bugs.debian.org, 947125-done@bugs.debian.org, 947201-done@bugs.debian.org, 947254-done@bugs.debian.org, 947321-done@bugs.debian.org, 947331-done@bugs.debian.org, 947832-done@bugs.debian.org, 948104-done@bugs.debian.org, 948203-done@bugs.debian.org, 948205-done@bugs.debian.org, 948290-done@bugs.debian.org, 948363-done@bugs.debian.org, 948390-done@bugs.debian.org, 948400-done@bugs.debian.org, 948464-done@bugs.debian.org, 948472-done@bugs.debian.org, 948485-done@bugs.debian.org, 948544-done@bugs.debian.org, 948545-done@bugs.debian.org, 948550-done@bugs.debian.org, 948601-done@bugs.debian.org, 948609-done@bugs.debian.org, 948695-done@bugs.debian.org, 948796-done@bugs.debian.org, 948826-done@bugs.debian.org, 948850-done@bugs.debian.org, 948854-done@bugs.debian.org, 948857-done@bugs.debian.org, 948899-done@bugs.debian.org, 948904-done@bugs.debian.org, 948910-done@bugs.debian.org, 948979-done@bugs.debian.org, 948988-done@bugs.debian.org, 948991-done@bugs.debian.org, 949120-done@bugs.debian.org, 949121-done@bugs.debian.org, 949310-done@bugs.debian.org, 949541-done@bugs.debian.org, 949704-done@bugs.debian.org, 949728-done@bugs.debian.org, 949842-done@bugs.debian.org, 949852-done@bugs.debian.org, 949895-done@bugs.debian.org, 949898-done@bugs.debian.org, 949899-done@bugs.debian.org, 949904-done@bugs.debian.org, 949906-done@bugs.debian.org, 949908-done@bugs.debian.org, 949957-done@bugs.debian.org, 950018-done@bugs.debian.org, 950139-done@bugs.debian.org, 950166-done@bugs.debian.org, 950257-done@bugs.debian.org, 950272-done@bugs.debian.org, 950280-done@bugs.debian.org, 950369-done@bugs.debian.org, 950466-done@bugs.debian.org
- Subject: Closing requests included in 10.3 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 08 Feb 2020 14:21:36 +0000
- Message-id: <cf1cb2f35981916a86b98b83609df15c95aa378b.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.3

Hi,

Each of the uploads referred to by these bugs was included in today's stable point release.

Regards,

Adam
--- End Message ---