Bug#1023105: bullseye-pu: package tinyxml/2.6.2-4+deb11u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1023105: bullseye-pu: package tinyxml/2.6.2-4+deb11u1
From: Felix Geyer <fgeyer@debian.org>
Date: Sun, 30 Oct 2022 10:31:36 +0100
Message-id: <[🔎] 528ff77c-53e2-6fa1-b635-1a4e762b9210@debian.org>
Reply-to: Felix Geyer <fgeyer@debian.org>, 1023105@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Fixing the no-dsa tagged CVE-2021-42260

[ Impact ]
DoS vulnerability

[ Tests ]
General testing of a few reverse-dependencies.

[ Risks ]
Targeted fix that has been sitting in bookworm, stretch and buster
for a while without any bug reports.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Fixes potential infinite loop in parser code.

diff -Nru tinyxml-2.6.2/debian/changelog tinyxml-2.6.2/debian/changelog
--- tinyxml-2.6.2/debian/changelog	2016-10-20 20:36:11.000000000 +0200
+++ tinyxml-2.6.2/debian/changelog	2022-10-20 16:32:51.000000000 +0200
@@ -1,3 +1,10 @@
+tinyxml (2.6.2-4+deb11u1) bullseye; urgency=medium
+
+  * Import fix for CVE-2021-42260.
+    - Add CVE-2021-42260.patch
+
+ -- Felix Geyer <fgeyer@debian.org>  Thu, 20 Oct 2022 16:32:51 +0200
+
 tinyxml (2.6.2-4) unstable; urgency=medium
 
   [ Helmut Grohne ]
diff -Nru tinyxml-2.6.2/debian/patches/CVE-2021-42260.patch tinyxml-2.6.2/debian/patches/CVE-2021-42260.patch
--- tinyxml-2.6.2/debian/patches/CVE-2021-42260.patch	1970-01-01 01:00:00.000000000 +0100
+++ tinyxml-2.6.2/debian/patches/CVE-2021-42260.patch	2022-10-20 16:31:07.000000000 +0200
@@ -0,0 +1,23 @@
+Description: In stamp always advance the pointer if *p= 0xef
+ .
+ The current implementation only advanced if 0xef is followed
+ by two non-zero bytes. In case of malformed input (0xef should be
+ the start byte of a three byte character) this leads to an infinite
+ loop. (CVE-2021-42260)
+Origin: https://sourceforge.net/p/tinyxml/git/merge-requests/1/
+
+--- a/tinyxmlparser.cpp
++++ b/tinyxmlparser.cpp
+@@ -274,6 +274,12 @@ void TiXmlParsingData::Stamp( const char* now, TiXmlEncoding encoding )
+ 						else
+ 							{ p +=3; ++col; }	// A normal character.
+ 					}
++					else
++					{
++						// TIXML_UTF_LEAD_0 (239) is the start character of a 3 byte sequence, so
++						// there is something wrong here. Just advance the pointer to evade infinite loops
++						++p;
++					}
+ 				}
+ 				else
+ 				{
diff -Nru tinyxml-2.6.2/debian/patches/series tinyxml-2.6.2/debian/patches/series
--- tinyxml-2.6.2/debian/patches/series	2011-05-19 10:42:07.000000000 +0200
+++ tinyxml-2.6.2/debian/patches/series	2022-10-20 16:32:49.000000000 +0200
@@ -1,2 +1,3 @@
 enforce-use-stl.patch
 entity-encoding.patch
+CVE-2021-42260.patch

Reply to:

Prev by Date: Bug#1022003: transition: gssdp/gupnp 1.6: Status update + prepared to start
Next by Date: NEW changes in stable-new
Previous by thread: Processed: UPCOMING REMOVAL, also: New upstream release - new home, new repo layout
Next by thread: Bug#1023118: bullseye-pu: package distro-info-data/0.51+deb11u3
Index(es):
- Date
- Thread