Bug#1000607: bullseye-pu: package ros-ros-comm/1.15.9-ds1-7

2021-12-04 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2021-11-25 at 21:16 +0100, Jochen Sprickerhof wrote:
> CVE-2021-37146 was published with a denial of service against
> ros-ros-comm.
> 

Please go ahead.

Regards,

Adam



Bug#1000607: bullseye-pu: package ros-ros-comm/1.15.9-ds1-7

2021-11-25 Thread Jochen Sprickerhof
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jspri...@debian.org

[ Reason ]
CVE-2021-37146 was published with a denial of service against
ros-ros-comm.

[ Impact ]
The impact is rather low, as the ROS middleware has neither authentication nor
security features implemented and should only be used behind a firewall.
Still, it would be good to get it fixed in stable.

[ Tests ]
The patch adds a unit test and I ran manual tests using the relay
command from the topic-tools package.

[ Risks ]
Except for one new method (nextTagData), I see the code as rather simple
and the risk as low.
For nextTagData, the difference is that it is more strict in parsing only
the next XML tag, which should be fine in the defined domain. Also, this
is part of the upstream releases and has also been in unstable for some time.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The patches add three things:
- Null pointer checks in XmlRpc.
- Add and update unit tests for the new changes.
- A new nextTagData method. This is an improved version of the old
  parseTag method. Both methods extract the data inside of a given XML
  tag in a string. The old parseTag used find to search for the
  requested tag. The new nextTagData only allows space characters in
  front of the expected XML tag.

[ Other info ]
I kept the individual patches as upstream merged them; I hope that is
fine.

From 5f40cf6d70e063b1684651794cfb75aaca68bee3 Mon Sep 17 00:00:00 2001
From: Jochen Sprickerhof 
Date: Wed, 20 Oct 2021 21:27:15 +0200
Subject: [PATCH] 1.15.9+ds1-7+deb11u1 (CVE-2021-37146)

---
 debian/changelog  |   6 +
 .../0010-Fix-oversize-string-test.patch   |  25 +
 ...fensive-checks-for-offset-being-NULL.patch |  45 ++
 ...-tests-for-XML-tag-utility-functions.patch | 653 ++
 ...13-Add-implementation-of-nextTagData.patch | 167 +
 ...h-structFromXml-to-using-nextTagData.patch |  31 +
 debian/patches/series |   5 +
 7 files changed, 932 insertions(+)
 create mode 100644 debian/patches/0010-Fix-oversize-string-test.patch
 create mode 100644 debian/patches/0011-Add-defensive-checks-for-offset-being-NULL.patch
 create mode 100644 debian/patches/0012-Add-unit-tests-for-XML-tag-utility-functions.patch
 create mode 100644 debian/patches/0013-Add-implementation-of-nextTagData.patch
 create mode 100644 debian/patches/0014-Switch-structFromXml-to-using-nextTagData.patch

diff --git a/debian/changelog b/debian/changelog
index 057deda..a4d8cf2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+ros-ros-comm (1.15.9+ds1-7+deb11u1) bullseye; urgency=medium
+
+  * Add https://github.com/ros/ros_comm/pull/2185 (Fix CVE-2021-37146)
+
+ -- Jochen Sprickerhof   Wed, 20 Oct 2021 21:28:10 +0200
+
 ros-ros-comm (1.15.9+ds1-7) unstable; urgency=medium
 
   * Fix Breaks+Replace
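Review bot: the changelog entry `+  * Add https://github.com/ros/ros_comm/pull/2185 (Fix CVE-2021-37146)` only names the pull request, while the [Checklist] above states that all changes are documented in d/changelog; consider summarising what the five patches do (null pointer checks in XmlRpc, the new nextTagData method used by structFromXml, and the added unit tests) so the stable changelog is readable without following the URL.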
diff --git a/debian/patches/0010-Fix-oversize-string-test.patch b/debian/patches/0010-Fix-oversize-string-test.patch
new file mode 100644
index 000..2c4d781
--- /dev/null
+++ b/debian/patches/0010-Fix-oversize-string-test.patch
@@ -0,0 +1,25 @@
+From: Chris Lalancette 
+Date: Wed, 7 Jul 2021 14:34:14 +
+Subject: Fix oversize string test.
+
+It claims to be "well-formed", but the closing tag was wrong.
+Fix that here.
+
+Signed-off-by: Chris Lalancette 
+---
+ utilities/xmlrpcpp/test/TestValues.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utilities/xmlrpcpp/test/TestValues.cpp 
b/utilities/xmlrpcpp/test/TestValues.cpp
+index ce51bce..3cd0ade 100644
+--- a/utilities/xmlrpcpp/test/TestValues.cpp
 b/utilities/xmlrpcpp/test/TestValues.cpp
+@@ -214,7 +214,7 @@ TEST(XmlRpc, testOversizeString) {
+   try {
+ std::string xml = "";
+ xml += std::string(__INT_MAX__, 'a');
+-xml += "a";
++xml += "a";
+ int offset;
+ 
+ offset = 0;
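Review bot: the commit message of 0010 says the closing tag was wrong but does not name which tag it was or what it now is, so the message alone does not tell a reader what the corrected well-formed input looks like; a sentence stating the old and new closing tag would help. On the unchanged context line `+ xml += std::string(__INT_MAX__, 'a');`, `__INT_MAX__` is a compiler-predefined macro rather than standard C++ (`std::numeric_limits<int>::max()` is the portable spelling), and the test allocates roughly 2 GiB each run, which is worth a note for build environments with limited memory.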
diff --git a/debian/patches/0011-Add-defensive-checks-for-offset-being-NULL.patch b/debian/patches/0011-Add-defensive-checks-for-offset-being-NULL.patch
new file mode 100644
index 000..6426089
--- /dev/null
+++ b/debian/patches/0011-Add-defensive-checks-for-offset-being-NULL.patch
@@ -0,0 +1,45 @@
+From: Chris Lalancette 
+Date: Wed, 7 Jul 2021 17:23:39 +
+Subject: Add defensive checks for offset being NULL.
+
+Signed-off-by: Chris Lalancette 
+---
+ utilities/xmlrpcpp/src/XmlRpcUtil.cpp | 4 
+ 1 file changed, 4 insertions(+)
+
+diff --git a/utilities/xmlrpcpp/src/XmlRpcUtil.cpp 
b/utilities/xmlrpcpp/src/XmlRpcUtil.cpp
+index 111737a..c203a91 100644
+--- a/utilities/xmlrpcpp/src/XmlRpcUtil.cpp
 b/utilities/xmlrpcpp/src/XmlRpcUtil.cpp
+@@ -108,6 +108,7 @@ void XmlRpcUtil::error(const char* fmt, ...)
+ std::string 
+ XmlRpcUtil::parseTag(const char* tag, std::string
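As an added illustration, not code from ros_comm or from the debdiff above, the two extraction strategies the [Changes] section contrasts: a find-based extractor in the spirit of the old parseTag, and a strict one in the spirit of nextTagData that accepts only whitespace before the expected tag and refuses a null offset pointer. Function names, signatures (size_t offsets instead of the library's int*) and the sample inputs are assumptions made for this example.

```cpp
// Added illustration, not ros_comm's XmlRpcUtil code: a lenient, find-based
// tag extractor beside a strict one. Names and signatures are assumptions.
#include <cstddef>
#include <string>

// Lenient (old parseTag style): search anywhere from *offset for <tag>,
// so arbitrary bytes in front of the tag are silently skipped.
bool lenientTagData(const std::string& tag, const std::string& xml,
                    std::size_t* offset, std::string& out) {
  if (offset == nullptr || *offset > xml.size()) return false;  // null/bounds check
  const std::string openTag = "<" + tag + ">";
  const std::string closeTag = "</" + tag + ">";
  std::size_t start = xml.find(openTag, *offset);
  if (start == std::string::npos) return false;
  start += openTag.size();
  std::size_t end = xml.find(closeTag, start);
  if (end == std::string::npos) return false;
  out = xml.substr(start, end - start);
  *offset = end + closeTag.size();  // advance past </tag> for the next call
  return true;
}

// Strict (nextTagData style): only whitespace may precede the expected
// opening tag; anything else means the input is not the element expected.
bool strictTagData(const std::string& tag, const std::string& xml,
                   std::size_t* offset, std::string& out) {
  if (offset == nullptr || *offset > xml.size()) return false;  // null/bounds check
  const std::string openTag = "<" + tag + ">";
  const std::string closeTag = "</" + tag + ">";
  std::size_t pos = xml.find_first_not_of(" \t\r\n", *offset);
  if (pos == std::string::npos || xml.compare(pos, openTag.size(), openTag) != 0)
    return false;  // something other than whitespace before <tag>
  pos += openTag.size();
  std::size_t end = xml.find(closeTag, pos);
  if (end == std::string::npos) return false;
  out = xml.substr(pos, end - pos);
  *offset = end + closeTag.size();
  return true;
}
```

With the lenient version, `<value><string>hi</string></value>` or `junk<string>hi</string>` both yield `hi` for tag `string`; the strict version rejects both and accepts only `  \n<string>hi</string>`.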