Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

This proposed update fixes CVE-2018-0499, an incomplete HTML escaping
bug in xapian-core.

I've discussed with the security-team and they proposed fixing this via
the imminent stretch point release.

The Debian bug is https://bugs.debian.org/902886 which has severity
important and is already fixed in unstable by version 1.4.6-1.

The patch was in an upstream release and vulnerability disclosure 4 days
ago and has been in unstable for 3 days now, without any problems
reported to the BTS or to upstream.

A source debdiff of the proposed update xapian-core 1.4.3-2+deb9u1 is
attached.  I've already uploaded this (in line with the updated SPU
workflow).

Cheers,
    Olly
diff -Nru xapian-core-1.4.3/debian/changelog xapian-core-1.4.3/debian/changelog
--- xapian-core-1.4.3/debian/changelog  2017-04-06 06:48:18.000000000 +1200
+++ xapian-core-1.4.3/debian/changelog  2018-07-06 09:52:48.000000000 +1200
@@ -1,3 +1,10 @@
+xapian-core (1.4.3-2+deb9u1) stretch; urgency=medium
+
+  * Fix MSet::snippet() to escape HTML in all cases (CVE-2018-499).
+    New patch: cve-2018-0499-mset-snippet-escaping.patch (Closes: #902886)
+
+ -- Olly Betts <o...@survex.com>  Fri, 06 Jul 2018 09:52:48 +1200
+
 xapian-core (1.4.3-2) unstable; urgency=medium
 
   * Fix incorrect results for unweighted AND with certain subqueries (new
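Review bot: the CVE identifier in the new changelog entry is wrong: it reads `CVE-2018-499`, while the bug is CVE-2018-0499 (as in the patch name on the following line and in the patch's own Description). Fix it to `CVE-2018-0499` before upload, since tooling that greps changelogs for CVE ids will not match the truncated form.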
diff -Nru xapian-core-1.4.3/debian/patches/cve-2018-0499-mset-snippet-escaping.patch xapian-core-1.4.3/debian/patches/cve-2018-0499-mset-snippet-escaping.patch
--- xapian-core-1.4.3/debian/patches/cve-2018-0499-mset-snippet-escaping.patch  1970-01-01 12:00:00.000000000 +1200
+++ xapian-core-1.4.3/debian/patches/cve-2018-0499-mset-snippet-escaping.patch  2018-07-06 09:52:24.000000000 +1200
@@ -0,0 +1,110 @@
+Description: Fix incomplete HTML escaping in MSet::snippet()
+ Characters <, > and & were escaped in some cases, but not all - this patch
+ adds escaping in the missing cases.  This issue has been allocated
+ CVE-2018-0499.
+Author: Olly Betts <o...@survex.com>
+Bug-Debian: https://bugs.debian.org/902886
+Origin: upstream
+Last-Update: 2018-07-06
+
+--- a/queryparser/termgenerator_internal.cc
++++ b/queryparser/termgenerator_internal.cc
+@@ -432,6 +432,27 @@ SnipPipe::done()
+     }
+ }
+ 
++inline void
++append_escaping_xml(const char* p, const char* end, string& output)
++{
++    while (p != end) {
++      char ch = *p++;
++      switch (ch) {
++          case '&':
++              output += "&amp;";
++              break;
++          case '<':
++              output += "&lt;";
++              break;
++          case '>':
++              output += "&gt;";
++              break;
++          default:
++              output += ch;
++      }
++    }
++}
++
+ inline bool
+ SnipPipe::drain(const string & input,
+               const string & hi_start,
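Review bot: `append_escaping_xml` escapes only `&`, `<` and `>`, so its output is safe as element text but not inside an attribute value (`"` and `'` pass through unchanged); a one-line comment on the helper stating that scope would help, since the name suggests general XML escaping. Minor style point: the helper declares `const char* p` while the surrounding code in this file spaces the pointer as `const char * p` (see the removed `const char * p = input.data() + best_begin;` further down).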
+@@ -465,7 +486,7 @@ SnipPipe::drain(const string & input,
+ 
+       if (punc) {
+           // Include end of sentence punctuation.
+-          output.append(input.data() + best_end, i.raw());
++          append_escaping_xml(input.data() + best_end, i.raw(), output);
+       } else {
+           // Append "..." or equivalent if this doesn't seem to be the start
+           // of a sentence.
+@@ -523,8 +544,7 @@ SnipPipe::drain(const string & input,
+       while (i != Utf8Iterator()) {
+           unsigned ch = *i;
+           if (Unicode::is_wordchar(ch)) {
+-              const char * p = input.data() + best_begin;
+-              output.append(p, i.raw() - p);
++              append_escaping_xml(input.data() + best_begin, i.raw(), output);
+               best_begin = i.raw() - input.data();
+               break;
+           }
+@@ -537,22 +557,9 @@ SnipPipe::drain(const string & input,
+       if (phrase_len) output += hi_start;
+     }
+ 
+-    while (best_begin != word.term_end) {
+-      char ch = input[best_begin++];
+-      switch (ch) {
+-          case '&':
+-              output += "&amp;";
+-              break;
+-          case '<':
+-              output += "&lt;";
+-              break;
+-          case '>':
+-              output += "&gt;";
+-              break;
+-          default:
+-              output += ch;
+-      }
+-    }
++    const char* p = input.data();
++    append_escaping_xml(p + best_begin, p + word.term_end, output);
++    best_begin = word.term_end;
+ 
+     if (phrase_len && --phrase_len == 0) output += hi_end;
+ 
+--- a/tests/api_snippets.cc
++++ b/tests/api_snippets.cc
+@@ -313,3 +313,23 @@ DEFINE_TESTCASE(snippet_empty, backend) {
+ 
+     return true;
+ }
++
++/// Check snippets escape HTML/XML suitably.
++DEFINE_TESTCASE(snippet_html_escape, backend) {
++    Xapian::Enquire enquire(get_database("apitest_simpledata"));
++    enquire.set_query(Xapian::Query("foo"));
++
++    Xapian::MSet mset = enquire.get_mset(0, 0);
++
++    Xapian::Stem stem;
++
++    const char *input = "#include <foo.h> to use libfoo";
++    TEST_STRINGS_EQUAL(mset.snippet(input, 12, stem),
++                     "...&lt;<b>foo</b>.h&gt; to...");
++
++    input = "&foo takes the address of foo";
++    TEST_STRINGS_EQUAL(mset.snippet(input, strlen(input), stem),
++                     "&amp;<b>foo</b> takes the address of <b>foo</b>");
++
++    return true;
++}
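Review bot: `strlen(input)` needs `<cstring>`, and the hunk does not show the file's includes, so confirm api_snippets.cc already pulls it in rather than relying on a transitive include. On coverage: the two cases exercise the leading-context path (`...&lt;` and `&amp;` before the first highlighted term) and the per-word path (`.h&gt; to`), but neither puts a special character in the trailing end-of-sentence punctuation appended via `append_escaping_xml(input.data() + best_end, i.raw(), output)`, which is the first of the three paths this patch changes; add a case for that branch so all three are covered.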
diff -Nru xapian-core-1.4.3/debian/patches/series xapian-core-1.4.3/debian/patches/series
--- xapian-core-1.4.3/debian/patches/series     2017-04-06 06:48:13.000000000 +1200
+++ xapian-core-1.4.3/debian/patches/series     2018-07-06 09:47:57.000000000 +1200
@@ -1 +1,2 @@
 fix-unweighted-and.patch
+cve-2018-0499-mset-snippet-escaping.patch
