
Bug#964244: stretch-pu: package xml-security-c/1.7.3-4+deb9u2



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Stable Release Team,

There's an old bug reported against xml-security-c (#922984), which was fixed
in the 2.0 branch in buster but still lingers around in 1.7 in stretch.  I'm
ready to upload with the following debdiff:

$ debdiff xml-security-c_1.7.3-4+deb9u[23].dsc 
diff -Nru xml-security-c-1.7.3/debian/changelog xml-security-c-1.7.3/debian/changelog
--- xml-security-c-1.7.3/debian/changelog	2018-12-10 11:45:41.000000000 +0100
+++ xml-security-c-1.7.3/debian/changelog	2020-07-04 12:47:24.000000000 +0200
@@ -1,3 +1,10 @@
+xml-security-c (1.7.3-4+deb9u3) stretch; urgency=medium
+
+  * [02c3993] New patch: Fix a length bug in concat method.
+    Thanks to Scott Cantor (Closes: #922984 )
+
+ -- Ferenc Wágner <wferi@debian.org>  Sat, 04 Jul 2020 12:47:24 +0200
+
 xml-security-c (1.7.3-4+deb9u2) stretch; urgency=medium
 
   * [12dd825] New patches: DSA verification crashes OpenSSL on invalid
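Review bot: The new 1.7.3-4+deb9u3 entry has a stray space before the closing parenthesis in "(Closes: #922984 )"; write it as "(Closes: #922984)". The entry also says only "Fix a length bug in concat method", so consider naming the function (safeBuffer::sbXMLChCat) and the kind of miscalculation, since the changelog is the first thing a stable-update reviewer reads.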
diff -Nru xml-security-c-1.7.3/debian/patches/Fix-a-length-bug-in-concat-method.patch xml-security-c-1.7.3/debian/patches/Fix-a-length-bug-in-concat-method.patch
--- xml-security-c-1.7.3/debian/patches/Fix-a-length-bug-in-concat-method.patch	1970-01-01 01:00:00.000000000 +0100
+++ xml-security-c-1.7.3/debian/patches/Fix-a-length-bug-in-concat-method.patch	2020-07-04 12:47:01.000000000 +0200
@@ -0,0 +1,24 @@
+From: Scott Cantor <scantor@apache.org>
+Date: Mon, 4 Sep 2017 18:41:41 +0000
+Subject: Fix a length bug in concat method.
+
+git-svn-id: https://svn.apache.org/repos/asf/santuario/xml-security-cpp/trunk@1807280 13f79535-47bb-0310-9956-ffa450edef68
+
+Closes: #922984
+---
+ xsec/utils/XSECSafeBuffer.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xsec/utils/XSECSafeBuffer.cpp b/xsec/utils/XSECSafeBuffer.cpp
+index 71ae9a0..6d0798b 100644
+--- a/xsec/utils/XSECSafeBuffer.cpp
++++ b/xsec/utils/XSECSafeBuffer.cpp
+@@ -639,7 +639,7 @@ void safeBuffer::sbXMLChCat(const char * str) {
+ 
+ 	assert (t != NULL);
+ 
+-	len += XMLString::stringLen(t);
++	len += XMLString::stringLen(t) * size_XMLCh;
+ 	len += (xsecsize_t) (2 * size_XMLCh);
+ 
+ 	checkAndExpand(len);
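Review bot: The patch header gives no rationale beyond the subject line, and the one-line change in safeBuffer::sbXMLChCat needs a sentence of explanation. The removed line added XMLString::stringLen(t), a count of XMLCh characters, to len, while the following line adds 2 * size_XMLCh, so len is evidently a byte count and checkAndExpand(len) was being asked for too little space; state that in the description. Two smaller points: the new line omits the (xsecsize_t) cast that the next line applies to the same kind of product, and assert (t != NULL) is the only check on t, which disappears in builds compiled with NDEBUG.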
diff -Nru xml-security-c-1.7.3/debian/patches/series xml-security-c-1.7.3/debian/patches/series
--- xml-security-c-1.7.3/debian/patches/series	2018-12-10 11:45:41.000000000 +0100
+++ xml-security-c-1.7.3/debian/patches/series	2020-07-04 12:47:01.000000000 +0200
@@ -24,3 +24,4 @@
 Default-KeyInfo-resolver-doesn-t-check-for-empty-element-.patch
 SANTUARIO-496-DSA-verification-crashes-OpenSSL-on-invalid.patch
 SANTUARIO-496-Prevent-KeyInfoResolver-returning-NONE-keys.patch
+Fix-a-length-bug-in-concat-method.patch
