Your message dated Sat, 10 Feb 2024 13:11:21 +0000 with message-id <E1rYn8b-002yc4-Qn@coccia.debian.org> and subject line Released with 12.5 has caused the Debian Bug report #1061473, regarding bookworm-pu: package tinyxml/2.6.2-6+deb12u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1061473: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061473 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package tinyxml/2.6.2-6+deb12u1
- From: Guilhem Moulin <guilhem@debian.org>
- Date: Thu, 25 Jan 2024 04:45:55 +0100
- Message-id: <ZbHZc3-GKn4-ZkIT@debian.org>
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian.org@packages.debian.org Usertags: pu X-Debbugs-Cc: tinyxml@packages.debian.org Control: affects -1 + src:tinyxml [ Reason ] Fix CVE-2023-34194: Reachable assertion (and application exit) via a crafted XML document with a '\0' located after whitespace. The issue has been fixed in buster LTS as well as sid (via NMU). The security team argued it didn't warrant a DSA, and suggested to go via s-pu instead. [ Impact ] Buster users will regress when upgrading to bookworm. [ Tests ] The vulnerability report came with POCs which was checked against. [ Risks ] The patch is trivial but tinyxml appears to be abandoned upstream so I wrote it myself. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in stable [x] the issue is verified as fixed in unstable [ Changes ] Fix CVE-2023-34194: Reachable assertion (and application exit) via a crafted XML document with a '\0' located after whitespace. -- Guilhem.diffstat for tinyxml-2.6.2 tinyxml-2.6.2 changelog | 9 +++++++++ patches/CVE-2023-34194.patch | 27 +++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 37 insertions(+) diff -Nru tinyxml-2.6.2/debian/changelog tinyxml-2.6.2/debian/changelog --- tinyxml-2.6.2/debian/changelog 2021-12-12 23:53:05.000000000 +0100 +++ tinyxml-2.6.2/debian/changelog 2024-01-25 04:27:36.000000000 +0100 @@ -1,3 +1,12 @@ +tinyxml (2.6.2-6+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2023-34194 / CVE-2023-40462: Reachable assertion (and application + exit) via a crafted XML document with a '\0' located after whitespace. + (Closes: #1059315) + + -- Guilhem Moulin <guilhem@debian.org> Thu, 25 Jan 2024 04:27:36 +0100 + tinyxml (2.6.2-6) unstable; urgency=medium * Import fix for CVE-2021-42260. diff -Nru tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch --- tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch 1970-01-01 01:00:00.000000000 +0100 +++ tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch 2024-01-25 04:27:36.000000000 +0100 @@ -0,0 +1,27 @@ +From: Guilhem Moulin <guilhem@debian.org> +Date: Sat, 30 Dec 2023 14:15:54 +0100 +Subject: Avoid reachable assertion via crafted XML document with a '\0' + located after whitespace + +Bug: https://www.forescout.com/resources/sierra21-vulnerabilities +Bug-Debian: https://bugs.debian.org/1059315 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-34194 +--- + tinyxmlparser.cpp | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tinyxmlparser.cpp b/tinyxmlparser.cpp +index 8aa0dfa..1601962 100644 +--- a/tinyxmlparser.cpp ++++ b/tinyxmlparser.cpp +@@ -1606,6 +1606,10 @@ const char* TiXmlDeclaration::Parse( const char* p, TiXmlParsingData* data, TiXm + } + + p = SkipWhiteSpace( p, _encoding ); ++ if ( !p || !*p ) ++ { ++ break; ++ } + if ( StringEqual( p, "version", true, _encoding ) ) + { + TiXmlAttribute attrib; diff -Nru tinyxml-2.6.2/debian/patches/series tinyxml-2.6.2/debian/patches/series --- tinyxml-2.6.2/debian/patches/series 2021-12-12 23:48:07.000000000 +0100 +++ tinyxml-2.6.2/debian/patches/series 2024-01-25 04:27:36.000000000 +0100 @@ -1,3 +1,4 @@ enforce-use-stl.patch entity-encoding.patch CVE-2021-42260.patch +CVE-2023-34194.patchAttachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 1061473-done@bugs.debian.org
- Subject: Released with 12.5
- From: Jonathan Wiltshire <jmw@coccia.debian.org>
- Date: Sat, 10 Feb 2024 13:11:21 +0000
- Message-id: <E1rYn8b-002yc4-Qn@coccia.debian.org>
Version: 12.5 The upload requested in this bug has been released as part of 12.5.
--- End Message ---