Bug#1023105: bullseye-pu: package tinyxml/2.6.2-4+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
Fixing the no-dsa tagged CVE-2021-42260
[ Impact ]
DoS vulnerability
[ Tests ]
General testing of a few reverse-dependencies.
[ Risks ]
Targeted fix that has been sitting in bookworm, stretch and buster
for a while without any bug reports.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Fixes potential infinite loop in parser code.
diff -Nru tinyxml-2.6.2/debian/changelog tinyxml-2.6.2/debian/changelog
--- tinyxml-2.6.2/debian/changelog 2016-10-20 20:36:11.000000000 +0200
+++ tinyxml-2.6.2/debian/changelog 2022-10-20 16:32:51.000000000 +0200
@@ -1,3 +1,10 @@
+tinyxml (2.6.2-4+deb11u1) bullseye; urgency=medium
+
+ * Import fix for CVE-2021-42260.
+ - Add CVE-2021-42260.patch
+
+ -- Felix Geyer <fgeyer@debian.org> Thu, 20 Oct 2022 16:32:51 +0200
+
tinyxml (2.6.2-4) unstable; urgency=medium
[ Helmut Grohne ]
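Review bot: the new changelog entry at the top of this hunk identifies the change only by CVE number and patch file name, so d/changelog alone does not say what was fixed. Suggest wording the item after the patch header, for example "Fix infinite loop in TiXmlParsingData::Stamp on malformed UTF-8 input (CVE-2021-42260)".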
diff -Nru tinyxml-2.6.2/debian/patches/CVE-2021-42260.patch tinyxml-2.6.2/debian/patches/CVE-2021-42260.patch
--- tinyxml-2.6.2/debian/patches/CVE-2021-42260.patch 1970-01-01 01:00:00.000000000 +0100
+++ tinyxml-2.6.2/debian/patches/CVE-2021-42260.patch 2022-10-20 16:31:07.000000000 +0200
@@ -0,0 +1,23 @@
+Description: In stamp always advance the pointer if *p= 0xef
+ .
+ The current implementation only advanced if 0xef is followed
+ by two non-zero bytes. In case of malformed input (0xef should be
+ the start byte of a three byte character) this leads to an infinite
+ loop. (CVE-2021-42260)
+Origin: https://sourceforge.net/p/tinyxml/git/merge-requests/1/
+
+--- a/tinyxmlparser.cpp
++++ b/tinyxmlparser.cpp
+@@ -274,6 +274,12 @@ void TiXmlParsingData::Stamp( const char* now, TiXmlEncoding encoding )
+ else
+ { p +=3; ++col; } // A normal character.
+ }
++ else
++ {
++ // TIXML_UTF_LEAD_0 (239) is the start character of a 3 byte sequence, so
++ // there is something wrong here. Just advance the pointer to evade infinite loops
++ ++p;
++ }
+ }
+ else
+ {
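Review bot: the added else branch advances p but leaves col untouched, while the "normal character" branch directly above it does "{ p +=3; ++col; }". If not counting a column for a stray 0xef lead byte is intended, say so in the new comment; otherwise add "++col;" next to "++p;" so column positions stay consistent after malformed input. Separately, the Description line reads "In stamp always advance the pointer if *p= 0xef"; writing the function name as "Stamp" and the comparison as "*p == 0xef" would match the code.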
diff -Nru tinyxml-2.6.2/debian/patches/series tinyxml-2.6.2/debian/patches/series
--- tinyxml-2.6.2/debian/patches/series 2011-05-19 10:42:07.000000000 +0200
+++ tinyxml-2.6.2/debian/patches/series 2022-10-20 16:32:49.000000000 +0200
@@ -1,2 +1,3 @@
enforce-use-stl.patch
entity-encoding.patch
+CVE-2021-42260.patch