On 11/11/09 19:50, Alberto Massari wrote:
The security issue is in the end a stack overflow, and it's in 2.6 as
well; some operating systems grow the stack on demand, and can handle
such a test case with only a performance impact. Did 2.7 fail on the
same system?
It was on the same system. I see that function where it has been fixed
has similar code in both 2.6.0 and 2.7.0 so, I tested with fresh
workspace without applying the patch and I am able to reproduce it now.
But if I try to reproduce it on a workspace which had the patch once and
later rebuild without the fix. I can't reproduce the bug. I think
something is missing as part of build. Sorry about this confusion.
Are the following build sequence correct?
1. export XERCESCROOT=`pwd`
2. export PATH=[compiler paths]
2. cd src/xercesc
3. ./runConfigure -p solaris -c cc -x CC
4. gmake
5. add the patch.
6. gmake distclean
7. repeat steps 3 and 4.
Thanks,
Vinu
Alberto
Vinutha Nagaraju wrote:
Hi,
This is regarding the security issue on Xerces-C++ which was reported
by CERT-FI.
http://www.cert.fi/en/reports/2009/vulnerability2009085.html
I have received a test case from CERT-FI which contains the sample xml
file with the faulty line which can cause a crash. I have been able to
reproduce the segmentation fault on Xerces 2.7.0. However we are using
Xerces 2.6.0 within our Web Server product. Hence tried the same steps
to reproduce it in 2.6.0 but instead of the crash I could see the
following error message printed. This was the same error message I got
after patching 2.7.0 as well.
bash-3.00$ ./SAXPrint ./xerces-crash.xml
<?xml version="1.0" encoding="LATIN1"?>
Fatal Error at file
/iws_share/vinu/xerces/2.6.0/solaris/xerces-c-src_2_6_0/bin/
xerces-crash.xml, line 2, char 65564
Message: Expected an element name
Is this vulnerability applicable to 2.6.0 or not ? Without it being
reproduced if we have to change the xerces in our product, it would
mean a lot of effort of patching and rebuilding 2.6.0 on all
platforms. Hence I kindly request someone to provide their expert
comment on this.
Note: Due to security reasons I cannot attach the test case. Please
email your PGP key and I can send you the test case.
Thanks,
Vinu
Alberto Massari wrote:
Hi Vinu,
the security report has the link to the SVN change, that you can
apply to the version of Xerces you are using.
Alberto
Vinutha Nagaraju wrote:
Hi,
We are using Xerces 2.6.0 within our product and we have recently
read about the following security issue with Xerces.
http://www.cert.fi/en/reports/2009/vulnerability2009085.html
We would like to know in which Version of Xerces is the fix available ?
Can we request this to be ported to 2.x series too. Because moving
from 2.x to next major release would mean lot of changes at our
product end which is under sustaining phase. Appreciate if this
request could be accommodated. I am hoping this would eventually
help other users of xerces with similar request.
Thanks,
Vinu
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
