
Bug#1061473: bookworm-pu: package tinyxml/2.6.2-6+deb12u1



Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: tinyxml@packages.debian.org
Control: affects -1 + src:tinyxml

[ Reason ]

Fix CVE-2023-34194: Reachable assertion (and application exit) via a
crafted XML document with a '\0' located after whitespace.

The issue has been fixed in buster LTS as well as sid (via NMU).  The
security team argued it didn't warrant a DSA, and suggested to go via
s-pu instead.

[ Impact ]

Buster users will regress when upgrading to bookworm.

[ Tests ]

The vulnerability report came with POCs which were checked against.

[ Risks ]

The patch is trivial but tinyxml appears to be abandoned upstream so I
wrote it myself.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

Fix CVE-2023-34194: Reachable assertion (and application exit) via a
crafted XML document with a '\0' located after whitespace.

-- 
Guilhem.
diffstat for tinyxml-2.6.2 tinyxml-2.6.2

 changelog                    |    9 +++++++++
 patches/CVE-2023-34194.patch |   27 +++++++++++++++++++++++++++
 patches/series               |    1 +
 3 files changed, 37 insertions(+)

diff -Nru tinyxml-2.6.2/debian/changelog tinyxml-2.6.2/debian/changelog
--- tinyxml-2.6.2/debian/changelog	2021-12-12 23:53:05.000000000 +0100
+++ tinyxml-2.6.2/debian/changelog	2024-01-25 04:27:36.000000000 +0100
@@ -1,3 +1,12 @@
+tinyxml (2.6.2-6+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2023-34194 / CVE-2023-40462: Reachable assertion (and application
+    exit) via a crafted XML document with a '\0' located after whitespace.
+    (Closes: #1059315)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Thu, 25 Jan 2024 04:27:36 +0100
+
 tinyxml (2.6.2-6) unstable; urgency=medium
 
   * Import fix for CVE-2021-42260.
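Review bot: The new changelog entry names two identifiers, "CVE-2023-34194 / CVE-2023-40462", while the patch file name, the Bug-Debian links in the patch header and the request text above refer only to CVE-2023-34194. Either add CVE-2023-40462 to the patch header as well, or state in the changelog line how the two ids relate, so that a search for the second id leads to this fix.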
diff -Nru tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch
--- tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch	1970-01-01 01:00:00.000000000 +0100
+++ tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch	2024-01-25 04:27:36.000000000 +0100
@@ -0,0 +1,27 @@
+From: Guilhem Moulin <guilhem@debian.org>
+Date: Sat, 30 Dec 2023 14:15:54 +0100
+Subject: Avoid reachable assertion via crafted XML document with a '\0'
+ located after whitespace
+
+Bug: https://www.forescout.com/resources/sierra21-vulnerabilities
+Bug-Debian: https://bugs.debian.org/1059315
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-34194
+---
+ tinyxmlparser.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tinyxmlparser.cpp b/tinyxmlparser.cpp
+index 8aa0dfa..1601962 100644
+--- a/tinyxmlparser.cpp
++++ b/tinyxmlparser.cpp
+@@ -1606,6 +1606,10 @@ const char* TiXmlDeclaration::Parse( const char* p, TiXmlParsingData* data, TiXm
+ 		}
+ 
+ 		p = SkipWhiteSpace( p, _encoding );
++		if ( !p || !*p )
++		{
++			break;
++		}
+ 		if ( StringEqual( p, "version", true, _encoding ) )
+ 		{
+ 			TiXmlAttribute attrib;
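Review bot: In the TiXmlDeclaration::Parse hunk the new check `if ( !p || !*p )` leaves the loop with `break`, and the hunk does not show what runs after the loop, so the patch alone does not tell whether a declaration cut short by a '\0' is reported as a parse error or returned as if it had parsed cleanly. Please confirm the post-loop path and add a one-line comment above the check noting that, as the check implies, SkipWhiteSpace can return a null pointer or a pointer to the terminator. The patch header also has no Forwarded field; since the request says the fix was written locally because upstream appears abandoned, a "Forwarded: no" line would record that in the patch itself.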
diff -Nru tinyxml-2.6.2/debian/patches/series tinyxml-2.6.2/debian/patches/series
--- tinyxml-2.6.2/debian/patches/series	2021-12-12 23:48:07.000000000 +0100
+++ tinyxml-2.6.2/debian/patches/series	2024-01-25 04:27:36.000000000 +0100
@@ -1,3 +1,4 @@
 enforce-use-stl.patch
 entity-encoding.patch
 CVE-2021-42260.patch
+CVE-2023-34194.patch
