Your message dated Thu, 09 Jul 2020 18:32:27 +0000
with message-id <[email protected]>
and subject line Bug#922984: fixed in xml-security-c 1.7.3-4+deb9u3
has caused the Debian Bug report #922984,
regarding xml-security-c: ECDSA XML signature generation segmentation fault
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
922984: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922984
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: xml-security-c
Version: 1.7.2-2
Severity: important
Tags: patch
User: [email protected]
Usertags: origin-ubuntu disco ubuntu-patch

Dear Maintainer,

We found a bug in Apache Santuario C, related to ECDSA signature
generation, a few years ago. We provided the fix to the Apache team, and
Scott Cantor kindly accepted the fix in the project. However, the fix
was introduced in series 2.x of the library.

The fix we provide was for version 1.7.x (xml-security-c17) found in
Ubuntu 14.04, and it looks like Ubuntu 18.04 is still including a version
from series 1.7.x. The commit with the fix for the bug can be found here:

http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/utils/XSECSafeBuffer.cpp?r1=1806212&r2=1807280&diff_format=h

In Ubuntu, the attached patch was applied to achieve the following:

  * debian/patches/99-xsecsafebuffer.patch: Fix undefined behavior in
    XSECSafeBuffer that affects ECDSA signature generation. This fix was
    introduced in series 2.x, but it was not backported to series 1.7.x.

Thanks for considering the patch.

-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty'), (100, 'trusty-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-130-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru xml-security-c-1.7.2/debian/changelog xml-security-c-1.7.2/debian/changelog
diff -Nru xml-security-c-1.7.2/debian/control xml-security-c-1.7.2/debian/control
--- xml-security-c-1.7.2/debian/control	2013-07-11 08:03:26.000000000 +0200
+++ xml-security-c-1.7.2/debian/control	2019-02-22 16:40:59.000000000 +0100
@@ -5,7 +5,7 @@
 Uploaders: Russ Allbery <[email protected]>
 Build-Depends: debhelper (>= 9), dh-autoreconf, libssl-dev (>= 1.0.1),
  libxerces-c-dev, pkg-config
-Standards-Version: 3.9.4
+Standards-Version: 3.9.5
 Homepage: http://santuario.apache.org/cindex.html
 Vcs-Git: git://anonscm.debian.org/pkg-shibboleth/xml-security-c.git
 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-shibboleth/xml-security-c.git
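Review bot: the Standards-Version bump from 3.9.4 to 3.9.5 in this hunk is unrelated to the XSECSafeBuffer fix and is not recorded in the changelog entry quoted in the report, so either drop it from the debdiff or add a changelog line for it; note also that the debian/changelog file is listed at the top of the debdiff with no hunk body, so the version string and entry the reporter used are not visible here and the stretch maintainer has to reconstruct them.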
diff -Nru xml-security-c-1.7.2/debian/patches/99-xsecsafebuffer.patch xml-security-c-1.7.2/debian/patches/99-xsecsafebuffer.patch
--- xml-security-c-1.7.2/debian/patches/99-xsecsafebuffer.patch	1970-01-01 01:00:00.000000000 +0100
+++ xml-security-c-1.7.2/debian/patches/99-xsecsafebuffer.patch	2019-02-22 15:24:54.000000000 +0100
@@ -0,0 +1,16 @@
+## Description: add some description
+## Origin/Author: add some origin or author
+## Bug: bug URL
+Index: xml-security-c-1.7.2/xsec/utils/XSECSafeBuffer.cpp
+===================================================================
+--- xml-security-c-1.7.2.orig/xsec/utils/XSECSafeBuffer.cpp	2019-02-22 15:16:17.000000000 +0100
++++ xml-security-c-1.7.2/xsec/utils/XSECSafeBuffer.cpp	2019-02-22 15:18:04.000000000 +0100
+@@ -639,7 +639,7 @@
+ 
+ 	assert (t != NULL);
+ 
+-	len += XMLString::stringLen(t);
++	len += XMLString::stringLen(t) * size_XMLCh;
+ 	len += (xsecsize_t) (2 * size_XMLCh);
+ 
+ 	checkAndExpand(len);
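Review bot: the DEP-3 header of the new patch still carries the template placeholders (`## Description: add some description`, `## Origin/Author: add some origin or author`, `## Bug: bug URL`); fill in a one-line description, `Origin: upstream, http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/utils/XSECSafeBuffer.cpp?r1=1806212&r2=1807280` and the Debian bug URL so the backport stays traceable. The one-line code change is consistent with its context: `len` is a byte count (the next line adds `2 * size_XMLCh` bytes), so adding the raw `XMLString::stringLen(t)` code-unit count under-sizes the buffer by `(size_XMLCh - 1)` bytes per code unit of `t`, and scaling by `size_XMLCh` puts every term in the same unit; worth checking whether any other `stringLen` additions in the same file have the same mismatch before uploading.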
diff -Nru xml-security-c-1.7.2/debian/patches/series xml-security-c-1.7.2/debian/patches/series
--- xml-security-c-1.7.2/debian/patches/series	2013-07-11 08:03:42.000000000 +0200
+++ xml-security-c-1.7.2/debian/patches/series	2019-02-22 15:15:54.000000000 +0100
@@ -1 +1,2 @@
 debian-changes
+99-xsecsafebuffer.patch
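Review bot: stacking 99-xsecsafebuffer.patch after the dpkg-source generated debian-changes catch-all is fine, but the patch was produced against 1.7.2 (the `Index:` line says `xml-security-c-1.7.2/`) while the stretch package is 1.7.3-4, so confirm with `quilt push -a` that the hunk at line 639 still applies without fuzz on the 1.7.3 source before relying on the offset.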

--- End Message ---
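The length arithmetic the patch corrects, as an added example that is not xml-security-c code: a toy buffer that tracks its size in bytes and appends 16-bit XMLCh strings, with the unpatched and patched size calculations side by side. XMLCh being a 16-bit code unit, the grow-to-exact-size policy, the names ToySafeBuffer and xmlStringLen, and the sample string are all assumptions made for this example.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <vector>

// Assumption (mirrors Xerces-C): XMLCh is a 16-bit code unit.
typedef char16_t XMLCh;
static const std::size_t size_XMLCh = sizeof(XMLCh);

// Stand-in for XMLString::stringLen: XMLCh code units before the terminator.
static std::size_t xmlStringLen(const XMLCh* s) {
    std::size_t n = 0;
    while (s[n] != 0) ++n;
    return n;
}

// Bytes required once `t` and its terminator are appended after `usedBytes`
// bytes already in the buffer. This version adds a code-unit count to a
// byte count, which is the arithmetic the patch replaces.
std::size_t bytesNeededBuggy(std::size_t usedBytes, const XMLCh* t) {
    std::size_t len = usedBytes;
    len += xmlStringLen(t);                 // code units, not bytes
    len += 2 * size_XMLCh;                  // terminator slack, in bytes
    return len;
}

// Corrected arithmetic: the code-unit count is scaled by size_XMLCh, so
// every term of `len` is in bytes.
std::size_t bytesNeededFixed(std::size_t usedBytes, const XMLCh* t) {
    std::size_t len = usedBytes;
    len += xmlStringLen(t) * size_XMLCh;
    len += 2 * size_XMLCh;
    return len;
}

// Toy byte buffer. Growing to exactly the requested size is an assumption
// made to keep the example small; it is not how xml-security-c grows.
class ToySafeBuffer {
public:
    explicit ToySafeBuffer(std::size_t initialBytes = 8)
        : buf_(initialBytes), used_(0) {}

    void checkAndExpand(std::size_t needBytes) {
        if (needBytes > buf_.size()) buf_.resize(needBytes);
    }

    // Append `t` plus its terminator using either size calculation.
    // Returns false instead of writing past the end; the real code has no
    // such guard, which is where the undefined behaviour comes from.
    bool catXMLCh(const XMLCh* t, bool useFixedMath) {
        const std::size_t need = useFixedMath ? bytesNeededFixed(used_, t)
                                              : bytesNeededBuggy(used_, t);
        checkAndExpand(need);
        const std::size_t bytes = (xmlStringLen(t) + 1) * size_XMLCh;
        if (used_ + bytes > buf_.size()) return false;   // would overflow
        std::memcpy(&buf_[used_], t, bytes);
        used_ += bytes - size_XMLCh;   // next append overwrites the terminator
        return true;
    }

    std::size_t capacity() const { return buf_.size(); }

private:
    std::vector<unsigned char> buf_;
    std::size_t used_;
};

// Does appending `t` to a fresh 8-byte buffer stay in bounds?
bool appendStaysInBounds(const XMLCh* t, bool useFixedMath) {
    ToySafeBuffer sb;
    return sb.catXMLCh(t, useFixedMath);
}

int main() {
    const XMLCh* tag = u"<ds:SignatureValue>";   // constructed sample input, 19 code units
    std::cout << "buggy math: "
              << (appendStaysInBounds(tag, false) ? "in bounds" : "OVERFLOW") << '\n';
    std::cout << "fixed math: "
              << (appendStaysInBounds(tag, true) ? "in bounds" : "OVERFLOW") << '\n';
    return 0;
}
```

With the unscaled count the buffer is under-sized by one byte per code unit of the appended string; the two code units of slack added on the following line mask that for very short strings, which is why the mismatch only surfaces on longer appends. In the real library there is no bounds check, so the copy runs past the allocation, and a crash during signature generation is one of the ways that undefined behaviour can show up.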
--- Begin Message ---
Source: xml-security-c
Source-Version: 1.7.3-4+deb9u3
Done: Ferenc Wágner <[email protected]>

We believe that the bug you reported is fixed in the latest version of
xml-security-c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ferenc Wágner <[email protected]> (supplier of updated xml-security-c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 04 Jul 2020 12:47:24 +0200
Source: xml-security-c
Binary: libxml-security-c17v5 libxml-security-c-dev xml-security-c-utils
Architecture: source
Version: 1.7.3-4+deb9u3
Distribution: stretch
Urgency: medium
Maintainer: Debian Shib Team <[email protected]>
Changed-By: Ferenc Wágner <[email protected]>
Description:
 libxml-security-c-dev - C++ library for XML Digital Signatures (development)
 libxml-security-c17v5 - C++ library for XML Digital Signatures (runtime)
 xml-security-c-utils - C++ library for XML Digital Signatures (utilities)
Closes: 922984
Changes:
 xml-security-c (1.7.3-4+deb9u3) stretch; urgency=medium
 .
   * [02c3993] New patch: Fix a length bug in concat method.
     Thanks to Scott Cantor (Closes: #922984)
Checksums-Sha1:
 bdb1164a9fa1331ce637f779dd7cc1daa9f033e8 2336 xml-security-c_1.7.3-4+deb9u3.dsc
 4e6ea1c6d7697ca22fe6f77f457efa8b99211729 44896 xml-security-c_1.7.3-4+deb9u3.debian.tar.xz
 94c37f2c53764a12e5f9eb8b74a2362994b2fa59 8290 xml-security-c_1.7.3-4+deb9u3_amd64.buildinfo
Checksums-Sha256:
 10e57b421db82e352db8de16e69ea94b2edee499e6291496c23dbfbafe55db0a 2336 xml-security-c_1.7.3-4+deb9u3.dsc
 da5023bc8e81923b88c1263c88f8fc3235bf629b96af7f9500cf19ec63eeb1be 44896 xml-security-c_1.7.3-4+deb9u3.debian.tar.xz
 40b70bc02aa00eb7d3264fdfc633ec1bc2fdc3f85f2a94535b615958401fc796 8290 xml-security-c_1.7.3-4+deb9u3_amd64.buildinfo
Files:
 3aaf4262907855048e780d3e08ba35ad 2336 libs extra xml-security-c_1.7.3-4+deb9u3.dsc
 63c03054b15aa1b554c6d8219bf7d31d 44896 libs extra xml-security-c_1.7.3-4+deb9u3.debian.tar.xz
 0fc3675437b4da34d9b51859f9bf703c 8290 libs extra xml-security-c_1.7.3-4+deb9u3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
