Hi,
This is regarding the security issue on Xerces-C++ which was reported by
CERT-FI.
http://www.cert.fi/en/reports/2009/vulnerability2009085.html
I have received a test case from CERT-FI which contains the sample XML
file with the faulty line that can cause a crash. I have been able to
reproduce the segmentation fault on Xerces 2.7.0. However, we are using
Xerces 2.6.0 within our Web Server product. Hence I tried the same steps
to reproduce it in 2.6.0, but instead of the crash I could see the
following error message printed. This was the same error message I got
after patching 2.7.0 as well.
bash-3.00$ ./SAXPrint ./xerces-crash.xml
<?xml version="1.0" encoding="LATIN1"?>
Fatal Error at file /iws_share/vinu/xerces/2.6.0/solaris/xerces-c-src_2_6_0/bin/xerces-crash.xml, line 2, char 65564
Message: Expected an element name
Is this vulnerability applicable to 2.6.0 or not? Without it being
reproduced, if we have to change the Xerces in our product it would mean
a lot of effort patching and rebuilding 2.6.0 on all platforms. Hence
I kindly request someone to provide their expert comment on this.
Note: For security reasons I cannot attach the test case. Please
email your PGP key and I can send you the test case.
Thanks,
Vinu
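The question above turns on one observable distinction: does a given build of the parser die from a signal on the test input, or does it reject the input with a fatal error and exit normally? The helper below is an added example (not code from the thread or from the Xerces project) that makes that triage repeatable across builds. It assumes only what the thread shows: the sample parser (such as SAXPrint) prints "Fatal Error" when it rejects a document, and a crash surfaces as a signal exit (status above 128 in a POSIX shell). The classification describes the behaviour of one build on one input; a clean rejection on its own does not establish that the affected code is absent from that build.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# classify_parse <parser-command...> : runs the command, swallows its output,
# and prints one of
#   crash:signal N            the process was killed by signal N
#   rejected:fatal-error exit N  the parser printed "Fatal Error" and exited N
#   rejected:exit N           non-zero exit without the fatal-error banner
#   accepted                  exit status 0
classify_parse() {
    status=0
    # Capture stdout+stderr; the "|| status=$?" keeps this safe under set -e.
    out=$("$@" 2>&1) || status=$?
    if [ "$status" -gt 128 ]; then
        # POSIX shells report death-by-signal as 128 + signal number
        printf 'crash:signal %s\n' "$((status - 128))"
    elif printf '%s\n' "$out" | grep -q 'Fatal Error'; then
        # Matches the banner SAXPrint shows in the thread ("Fatal Error at file ...")
        printf 'rejected:fatal-error exit %s\n' "$status"
    elif [ "$status" -ne 0 ]; then
        printf 'rejected:exit %s\n' "$status"
    else
        printf 'accepted\n'
    fi
}

# compare_builds <xml-file> <parser-binary>... : one line per build, so the
# 2.6.0 and 2.7.0 (patched and unpatched) results can be read side by side.
compare_builds() {
    file=$1
    shift
    for parser in "$@"; do
        printf '%s -> %s\n' "$parser" "$(classify_parse "$parser" "$file")"
    done
}

# Example invocation (paths are placeholders, adjust to the local build tree):
#   compare_builds ./xerces-crash.xml ./2.6.0/bin/SAXPrint ./2.7.0/bin/SAXPrint
```

Run it once per platform build rather than once per source tree: the thread's two results came from different binaries, and the comparison is only meaningful when each binary is exercised with the same input file.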
Alberto Massari wrote:
Hi Vinu,
The security report has the link to the SVN change, which you can apply
to the version of Xerces you are using.
Alberto
Vinutha Nagaraju wrote:
Hi,
We are using Xerces 2.6.0 within our product and we have recently
read about the following security issue with Xerces.
http://www.cert.fi/en/reports/2009/vulnerability2009085.html
We would like to know in which version of Xerces the fix is available.
Can we request that this be ported to the 2.x series too? Moving
from 2.x to the next major release would mean a lot of changes at our
product end, which is in its sustaining phase. We would appreciate it if this
request could be accommodated. I am hoping this would eventually help
other users of Xerces with a similar request.
Thanks,
Vinu