Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
Fixing the no-dsa tagged CVE-2021-42260

[ Impact ]
DoS vulnerability

[ Tests ]
General testing of a few reverse-dependencies.

[ Risks ]
Targeted fix that has been sitting in bookworm, stretch and buster
for a while without any bug reports.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Fixes potential infinite loop in parser code.
diff -Nru tinyxml-2.6.2/debian/changelog tinyxml-2.6.2/debian/changelog
--- tinyxml-2.6.2/debian/changelog      2016-10-20 20:36:11.000000000 +0200
+++ tinyxml-2.6.2/debian/changelog      2022-10-20 16:32:51.000000000 +0200
@@ -1,3 +1,10 @@
+tinyxml (2.6.2-4+deb11u1) bullseye; urgency=medium
+
+  * Import fix for CVE-2021-42260.
+    - Add CVE-2021-42260.patch
+
+ -- Felix Geyer <fge...@debian.org>  Thu, 20 Oct 2022 16:32:51 +0200
+
 tinyxml (2.6.2-4) unstable; urgency=medium
 
   [ Helmut Grohne ]
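Review bot: The new changelog entry identifies the change only by CVE id; "Import fix for CVE-2021-42260." does not say what the defect is. The request and the patch description both call it an infinite loop in the parser on malformed input, so the entry could read something like "Fix infinite loop in TiXmlParsingData::Stamp on malformed input (CVE-2021-42260)", which lets the impact be read from the changelog alone.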
diff -Nru tinyxml-2.6.2/debian/patches/CVE-2021-42260.patch 
tinyxml-2.6.2/debian/patches/CVE-2021-42260.patch
--- tinyxml-2.6.2/debian/patches/CVE-2021-42260.patch   1970-01-01 
01:00:00.000000000 +0100
+++ tinyxml-2.6.2/debian/patches/CVE-2021-42260.patch   2022-10-20 
16:31:07.000000000 +0200
@@ -0,0 +1,23 @@
+Description: In stamp always advance the pointer if *p= 0xef
+ .
+ The current implementation only advanced if 0xef is followed
+ by two non-zero bytes. In case of malformed input (0xef should be
+ the start byte of a three byte character) this leads to an infinite
+ loop. (CVE-2021-42260)
+Origin: https://sourceforge.net/p/tinyxml/git/merge-requests/1/
+
+--- a/tinyxmlparser.cpp
++++ b/tinyxmlparser.cpp
+@@ -274,6 +274,12 @@ void TiXmlParsingData::Stamp( const char* now, 
TiXmlEncoding encoding )
+                                               else
+                                                       { p +=3; ++col; }       
// A normal character.
+                                       }
++                                      else
++                                      {
++                                              // TIXML_UTF_LEAD_0 (239) is 
the start character of a 3 byte sequence, so
++                                              // there is something wrong 
here. Just advance the pointer to evade infinite loops
++                                              ++p;
++                                      }
+                               }
+                               else
+                               {
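Review bot: The added else branch in TiXmlParsingData::Stamp advances with "++p;" but leaves col untouched, while the context line directly above it does "{ p +=3; ++col; }" for a normal character. If skipping the stray 0xef byte without counting a column is intentional, the new comment should say so; otherwise add "++col;" so the column count stays consistent on malformed input. The comment wording "evade infinite loops" would also read better as "avoid an infinite loop". On the patch header, only Description and Origin are present; a Last-Update field would make later comparison against the upstream merge request easier.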
diff -Nru tinyxml-2.6.2/debian/patches/series 
tinyxml-2.6.2/debian/patches/series
--- tinyxml-2.6.2/debian/patches/series 2011-05-19 10:42:07.000000000 +0200
+++ tinyxml-2.6.2/debian/patches/series 2022-10-20 16:32:49.000000000 +0200
@@ -1,2 +1,3 @@
 enforce-use-stl.patch
 entity-encoding.patch
+CVE-2021-42260.patch
