Bug#896940: stretch-pu: package xerces-c/3.1.4+debian-2

2018-04-30 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2018-04-28 at 17:59 -0400, Bill Blough wrote:
> Uploaded.  Thanks!
> 

Flagged for acceptance.

Regards,

Adam



Bug#896940: stretch-pu: package xerces-c/3.1.4+debian-2

2018-04-28 Thread Bill Blough
Uploaded.  Thanks!

On Sat, Apr 28, 2018 at 08:30:02PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Thu, 2018-04-26 at 03:17 -0400, William Blough wrote:
> > I would like to update xerces-c in a future point release.  This update
> > will fix two issues:
> > 
> >   * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
> > Offensive Research discovered that the Xerces-C XML parser mishandles
> > certain kinds of external DTD references, resulting in dereference of a
> > NULL pointer while processing the path to the DTD. The bug allows for a
> > denial of service attack in applications that allow DTD processing and do
> > not prevent external DTD usage, and could conceivably result in remote code
> > execution.
> >   * Fix a regression that forced gcc to use SSE2, even on platforms that do not
> > support it (e.g., i386).  This caused program crashes due to invalid CPU
> > instructions.
> 
> Please go ahead.
> 
> Regards,
> 
> Adam



Bug#896940: stretch-pu: package xerces-c/3.1.4+debian-2

2018-04-28 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2018-04-26 at 03:17 -0400, William Blough wrote:
> I would like to update xerces-c in a future point release.  This update
> will fix two issues:
> 
>   * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
> Offensive Research discovered that the Xerces-C XML parser mishandles
> certain kinds of external DTD references, resulting in dereference of a
> NULL pointer while processing the path to the DTD. The bug allows for a
> denial of service attack in applications that allow DTD processing and do
> not prevent external DTD usage, and could conceivably result in remote code
> execution.
>   * Fix a regression that forced gcc to use SSE2, even on platforms that do not
> support it (e.g., i386).  This caused program crashes due to invalid CPU
> instructions.

Please go ahead.

Regards,

Adam



Bug#896940: stretch-pu: package xerces-c/3.1.4+debian-2

2018-04-26 Thread William Blough
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

I would like to update xerces-c in a future point release.  This update
will fix two issues:

  * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
Offensive Research discovered that the Xerces-C XML parser mishandles
certain kinds of external DTD references, resulting in dereference of a
NULL pointer while processing the path to the DTD. The bug allows for a
denial of service attack in applications that allow DTD processing and do
not prevent external DTD usage, and could conceivably result in remote code
execution.
  * Fix a regression that forced gcc to use SSE2, even on platforms that do not
support it (e.g., i386).  This caused program crashes due to invalid CPU
instructions.


The CVE was deemed by the security team to not be critical enough for a
DSA, but they suggested that it might be included in a point release.

Both of these issues have been fixed in unstable, and I have attached a
debdiff that reflects the desired changes.

Regards,
Bill

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru xerces-c-3.1.4+debian/debian/changelog 
xerces-c-3.1.4+debian/debian/changelog
--- xerces-c-3.1.4+debian/debian/changelog  2016-12-16 06:52:57.0 
-0500
+++ xerces-c-3.1.4+debian/debian/changelog  2018-04-26 00:35:59.0 
-0400
@@ -1,3 +1,18 @@
+xerces-c (3.1.4+debian-2+deb9u1) stretch; urgency=medium
+
+  * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
+Offensive Research discovered that the Xerces-C XML parser mishandles
+certain kinds of external DTD references, resulting in dereference of a
+NULL pointer while processing the path to the DTD. The bug allows for a
+denial of service attack in applications that allow DTD processing and do
+not prevent external DTD usage, and could conceivably result in remote code
+execution.
+  * Fix a regression that forced gcc to use SSE2, even on platforms that do not
+support it (e.g., i386).  This caused program crashes due to invalid CPU
+instructions.
+
+ -- William Blough   Thu, 26 Apr 2018 00:35:59 -0400
+
 xerces-c (3.1.4+debian-2) unstable; urgency=medium
 
   * Fix AC_LANG_SOURCE warnings.
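Review bot: the new changelog entry does not say how the second fix is implemented (the `--disable-sse2` switch in `debian/rules`) and cites no Debian bug or upstream revision for either change, so a reader of the stretch changelog cannot connect the entry to the actual patch; suggest appending a pointer to `debian/rules` on the SSE2 bullet and the upstream commit reference on the CVE bullet. The CVE wording itself matches the bug report and the advisory text.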
diff -Nru xerces-c-3.1.4+debian/debian/patches/CVE-2017-12627.patch 
xerces-c-3.1.4+debian/debian/patches/CVE-2017-12627.patch
--- xerces-c-3.1.4+debian/debian/patches/CVE-2017-12627.patch   1969-12-31 
19:00:00.0 -0500
+++ xerces-c-3.1.4+debian/debian/patches/CVE-2017-12627.patch   2018-04-26 
00:35:59.0 -0400
@@ -0,0 +1,26 @@
+From: Markus Koschany 
+Date: Thu, 29 Mar 2018 20:58:48 +0200
+Subject: CVE-2017-12627
+
+Origin: https://svn.apache.org/viewvc?view=revision=1819998
+Upstream-Advisory: https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt
+---
+ src/xercesc/util/PlatformUtils.cpp | 5 -
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/xercesc/util/PlatformUtils.cpp 
b/src/xercesc/util/PlatformUtils.cpp
+index eee1dc5..39c71ac 100644
+--- a/src/xercesc/util/PlatformUtils.cpp
 b/src/xercesc/util/PlatformUtils.cpp
+@@ -920,7 +920,10 @@ XMLCh* XMLPlatformUtils::weavePaths(const XMLCh* const
basePath
+ 
+ XMLString::subString(tmpBuf, basePath, 0, (basePtr - basePath + 1), 
manager);
+ tmpBuf[basePtr - basePath + 1] = 0;
+-XMLString::catString(tmpBuf, relativePath);
++if (relativePath)
++{
++XMLString::catString(tmpBuf, relativePath);
++}
+ 
+ removeDotSlash(tmpBuf, manager);
+ 
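Review bot: the `Origin:` header in this hunk reads `https://svn.apache.org/viewvc?view=revision=1819998`, which is missing the separator between the `view` and `revision` query parameters; the viewvc form is `?view=revision&revision=1819998`, so as written the link does not resolve to the upstream commit. On the change itself, `if (relativePath)` removes the NULL dereference but leaves `tmpBuf` holding only the directory part of `basePath` when the relative path is absent, so a DTD reference that produced a null relative path now becomes a directory path instead of an error; that is what upstream shipped, but a line in the patch header stating that the intent is solely to avoid the crash, and that callers still need their own check for a missing identifier, would save the next reader from re-deriving it.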
diff -Nru xerces-c-3.1.4+debian/debian/patches/series 
xerces-c-3.1.4+debian/debian/patches/series
--- xerces-c-3.1.4+debian/debian/patches/series 2016-12-16 06:52:57.0 
-0500
+++ xerces-c-3.1.4+debian/debian/patches/series 2018-04-26 00:35:59.0 
-0400
@@ -1,3 +1,4 @@
 psviwriter_strrchr_fix
 fix_fprintf_warnings.diff
 fix_ac_lang_source_warnings
+CVE-2017-12627.patch
diff -Nru xerces-c-3.1.4+debian/debian/rules xerces-c-3.1.4+debian/debian/rules
--- xerces-c-3.1.4+debian/debian/rules  2016-12-16 06:52:57.0 -0500
+++ xerces-c-3.1.4+debian/debian/rules  2018-04-26 00:35:59.0 -0400
@@ -15,7 +15,10 @@
dh $@ --with autoreconf
 
 override_dh_auto_configure:
-   dh_auto_configure -- --disable-pretty-make --enable-netaccessor-curl
+   dh_auto_configure -- --disable-pretty-make --enable-netaccessor-curl 
--disable-sse2
+   # Note: This disables explicit passing of -msse2 to gcc.  It does not
+   # actually disable sse2
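Review bot: the comment added after `--disable-sse2` records what the switch does not do but not why it is needed; the changelog's reason (the explicit `-msse2` made gcc emit SSE2 instructions that crash on i386 CPUs without SSE2) belongs here, since `debian/rules` is where the next maintainer will look before re-enabling it. It is also worth stating that on amd64, where SSE2 is part of the baseline ABI, dropping `-msse2` changes nothing for the compiler, and confirming whether the configure switch also compiles out Xerces-C's SSE2 intrinsic code paths, so the comment describes the actual effect rather than only the negative. The option is shown wrapped onto its own line here; check that the uploaded `debian/rules` keeps it on the `dh_auto_configure` line or uses a backslash continuation.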
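The NULL-pointer dereference described in the report, and the one-line guard that the CVE-2017-12627 patch above adds, as an added C++ example that is not Xerces-C's own code and is not part of this thread: the routine below models only the tail of weavePaths() shown in the hunk, with std::string standing in for the XMLCh buffer and MemoryManager argument, and the file paths are constructed inputs.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Strip "./" path segments that follow a separator: "/a/./b" -> "/a/b".
// Stands in for the removeDotSlash() call in the hunk; the search position
// is not advanced after an erase so runs like "/a/././b" collapse fully.
std::string removeDotSlash(std::string path) {
    std::size_t pos = 0;
    while ((pos = path.find("/./", pos)) != std::string::npos) {
        path.erase(pos + 1, 2);
    }
    return path;
}

// Model (not Xerces-C's implementation) of the patched weavePaths() tail:
// copy basePath up to and including its last separator, append relativePath,
// then normalise. The "if (relativePath)" guard is the one-line change the
// CVE-2017-12627 patch adds; before it a null relativePath went straight into
// the string concatenation and was dereferenced.
std::string weavePaths(const char* basePath, const char* relativePath) {
    std::string tmpBuf;

    if (basePath != nullptr) {
        // Locate the last separator; everything up to it is the directory part.
        const char* basePtr = std::strrchr(basePath, '/');
        if (basePtr != nullptr) {
            tmpBuf.assign(basePath, static_cast<std::size_t>(basePtr - basePath + 1));
        }
    }

    // Guard added by the fix: a missing relative part now yields the base
    // directory instead of undefined behaviour.
    if (relativePath) {
        tmpBuf += relativePath;
    }

    return removeDotSlash(tmpBuf);
}

int main() {
    // Constructed inputs, not taken from any real document or catalog.
    std::string a = weavePaths("/etc/xml/catalog.xml", "ext.dtd");        // "/etc/xml/ext.dtd"
    std::string b = weavePaths("/etc/xml/catalog.xml", "./sub/ext.dtd");  // "/etc/xml/sub/ext.dtd"
    std::string c = weavePaths("/etc/xml/catalog.xml", nullptr);          // "/etc/xml/"
    return (a == "/etc/xml/ext.dtd" && b == "/etc/xml/sub/ext.dtd" && c == "/etc/xml/") ? 0 : 1;
}
```

The third call is the case the patch addresses: the guarded version returns the bare base directory rather than crashing, which is also why the patch header deserves a note that callers must still treat a missing relative part as an error. On the application side the report's own precondition is the control: a parser that never loads external DTDs never reaches this path, which in Xerces-C is the load-external-DTD feature (setLoadExternalDTD(false) on XercesDOMParser).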