Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Dear Stable Release Team, I'm looking for guidance first: I'd like to fix #950135 (libxmltooling8: Race condition bug in new session cookie feature leads to SP crash) in buster. The actual upstream fix touches four lines: diff --git a/xmltooling/security/impl/DataSealer.cpp b/xmltooling/security/impl/DataSealer.cpp index c7ec7f9..aef85b7 100644 --- a/xmltooling/security/impl/DataSealer.cpp +++ b/xmltooling/security/impl/DataSealer.cpp @@ -156,8 +156,10 @@ string DataSealer::wrap(const char* s, time_t exp) const safeBuffer ciphertext; try { + // Keys are not threadsafe, use a clone to encrypt. + scoped_ptr<XSECCryptoKey> clonedKey(defaultKey.second->clone()); scoped_ptr<XENCEncryptionMethod> method(XENCEncryptionMethod::create(env.get(), algorithm)); - if (!handler->encryptToSafeBuffer(&tx, method.get(), defaultKey.second, dummydoc, ciphertext)) { + if (!handler->encryptToSafeBuffer(&tx, method.get(), clonedKey.get(), dummydoc, ciphertext)) { throw XMLSecurityException("Data encryption failed."); } } 
@@ -235,8 +237,10 @@ string DataSealer::unwrap(const char* s) const unsigned int len = 0; safeBuffer plaintext; try { + // Keys are not threadsafe, use a clone to decrypt. + scoped_ptr<XSECCryptoKey> clonedKey(requiredKey.second->clone()); scoped_ptr<XENCEncryptionMethod> method(XENCEncryptionMethod::create(env.get(), algorithm)); - len = handler->decryptToSafeBuffer(&tx, method.get(), requiredKey.second, dummydoc, plaintext) ; + len = handler->decryptToSafeBuffer(&tx, method.get(), clonedKey.get(), dummydoc, plaintext); } catch (const XSECException& ex) { auto_ptr_char msg(ex.getMsg()); Upstream cut a new release (3.0.5) for this fix specifically, but the full diff between 3.0.4 and 3.0.5 is much longer due to changes in the version number in several files, VC project files, generated Autotools files, RPM spec file and Windows resource file. Still not huge, and most of that is entirely irrelevant for Debian. But in the 3.0.5-1 upload I included some packaging changes (mainly autopkgtest and Salsa CI, but also a no-effect upgrade to debhelper compat 12). I guess you'd rather not review all this in a stable update, right? Then I'll add a quilt patch and submit that, as you prefer. -- Thanks, Feri.
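Review bot: In the wrap() hunk, `clonedKey.get()` is handed to `encryptToSafeBuffer()` with no check that `defaultKey.second->clone()` actually produced a key; unless `XSECCryptoKey::clone()` is guaranteed to throw rather than return NULL for a key type it cannot copy, a guard such as `if (!clonedKey) throw XMLSecurityException("Key clone failed.");` before the `method` line would route a failed clone through the same exception path the hunk already uses for an encryption failure instead of passing a null pointer into the handler. Placing the clone inside the existing `try` is the right choice, since any exception it raises reaches the surrounding handlers, and cloning per call is what lets concurrent wrap() callers proceed without serializing on the shared `defaultKey`.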
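Review bot: The unwrap() hunk needs the same null check on `requiredKey.second->clone()` as wrap(), and it folds a whitespace-only cleanup (the stray space before `;` on the `decryptToSafeBuffer` line) into the functional change; harmless, but a stable-update quilt patch can be kept to the four functional lines by leaving that trailing `;` as it was. The visible `catch (const XSECException& ex)` context means a clone failure thrown as an XSECException would be reported through `ex.getMsg()`, which is a reasonable outcome, but worth stating in the patch description. When this is carried as a quilt patch, a DEP-3 header with `Origin:` pointing at the upstream 3.0.5 fix and `Bug-Debian: https://bugs.debian.org/950135` would document why both code paths now operate on a per-call clone of the key.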