Control: tags -1 - moreinfo

On Mon, 29 Jan 2024 at 21:55:37 +0000, Adam D. Barratt wrote:
> On Thu, 2024-01-25 at 04:45 +0100, Guilhem Moulin wrote:
>> Fix CVE-2023-34194: Reachable assertion (and application exit) via a
>> crafted XML document with a '\0' located after whitespace.
>
> + * Fix CVE-2023-34194 / CVE-2023-40462: Reachable assertion (and
> application
>
> As far as I can tell from the Security Tracker, CVE-2023-40462
> specifically refers to TinyXML's use in software that isn't in Debian.
> Does it make sense to mention it in the changelog?

That CVE was assigned to TinyXML until
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e507c932b999df48f808969c00f07a638e3357b ,
see also https://bugs.debian.org/1059315 . But fair enough, new debdiff
attached :-)

-- 
Guilhem.

diffstat for tinyxml-2.6.2 tinyxml-2.6.2
changelog | 9 +++++++++
patches/CVE-2023-34194.patch | 27 +++++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 37 insertions(+)
diff -Nru tinyxml-2.6.2/debian/changelog tinyxml-2.6.2/debian/changelog
--- tinyxml-2.6.2/debian/changelog 2021-12-12 23:53:05.000000000 +0100
+++ tinyxml-2.6.2/debian/changelog 2024-01-25 04:27:36.000000000 +0100
@@ -1,3 +1,12 @@
+tinyxml (2.6.2-6+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2023-34194: Reachable assertion (and application exit) via a
+ crafted XML document with a '\0' located after whitespace.
+ (Closes: #1059315)
+
+ -- Guilhem Moulin <guilhem@debian.org> Thu, 25 Jan 2024 04:27:36 +0100
+
tinyxml (2.6.2-6) unstable; urgency=medium
* Import fix for CVE-2021-42260.
diff -Nru tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch
--- tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch 1970-01-01 01:00:00.000000000 +0100
+++ tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch 2024-01-25 04:27:36.000000000 +0100
@@ -0,0 +1,27 @@
+From: Guilhem Moulin <guilhem@debian.org>
+Date: Sat, 30 Dec 2023 14:15:54 +0100
+Subject: Avoid reachable assertion via crafted XML document with a '\0'
+ located after whitespace
+
+Bug: https://www.forescout.com/resources/sierra21-vulnerabilities
+Bug-Debian: https://bugs.debian.org/1059315
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-34194
+---
+ tinyxmlparser.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tinyxmlparser.cpp b/tinyxmlparser.cpp
+index 8aa0dfa..1601962 100644
+--- a/tinyxmlparser.cpp
++++ b/tinyxmlparser.cpp
+@@ -1606,6 +1606,10 @@ const char* TiXmlDeclaration::Parse( const char* p, TiXmlParsingData* data, TiXm
+ }
+
+ p = SkipWhiteSpace( p, _encoding );
++ if ( !p || !*p )
++ {
++ break;
++ }
+ if ( StringEqual( p, "version", true, _encoding ) )
+ {
+ TiXmlAttribute attrib;
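Review bot: The added `if ( !p || !*p )` guard after `p = SkipWhiteSpace( p, _encoding );` leaves through a bare `break` with no comment, and the hunk does not show what `TiXmlDeclaration::Parse` returns once the loop is left, so it is not visible here whether a declaration cut short by a '\0' is reported to the caller as a parse failure or accepted as-is. A one-line comment saying that the guard keeps a null or empty `p` from reaching `StringEqual( p, "version", true, _encoding )`, and what the function returns afterwards, would help, as would a regression test with a '\0' after whitespace inside the declaration. In the patch header, `Bug:` points to a vendor resources page rather than an upstream tracker entry, and there is no `Forwarded:` or `Origin:` field to say whether the fix has gone upstream.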
diff -Nru tinyxml-2.6.2/debian/patches/series tinyxml-2.6.2/debian/patches/series
--- tinyxml-2.6.2/debian/patches/series 2021-12-12 23:48:07.000000000 +0100
+++ tinyxml-2.6.2/debian/patches/series 2024-01-25 04:27:36.000000000 +0100
@@ -1,3 +1,4 @@
enforce-use-stl.patch
entity-encoding.patch
CVE-2021-42260.patch
+CVE-2023-34194.patch