Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package xmltooling

Dear Release Team,

The #924346 security issue was fixed in stretch a couple of days ago by
backporting the fix from the new upstream security release: 3.0.4.
In addition to the patch for the unauthenticated remote DoS, this new
upstream release contains two other bugfixes: an interoperability issue
with the Expect header (https://issues.shibboleth.net/jira/browse/CPPXT-144)
and an incorrect C++ usage pattern that invoked undefined behavior via
boost::bind (https://issues.shibboleth.net/jira/browse/SSPCPP-847).
I think buster would be better with these included, so I ask for your
permission to upload 3.0.4-1 to unstable with a future unblock.
Urgency is set to high below because of the security issue, but I'm not
sure about that, please advise.  If this isn't acceptable at all, I'll
cherry pick the security fix, upload 3.0.3-2 and open an unblock request
for that.

Thanks,
Feri.

diff -Nru xmltooling-3.0.3/configure xmltooling-3.0.4/configure
--- xmltooling-3.0.3/configure  2018-10-12 20:28:11.000000000 +0200
+++ xmltooling-3.0.4/configure  2019-03-08 15:45:41.000000000 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for xmltooling 3.0.3.
+# Generated by GNU Autoconf 2.69 for xmltooling 3.0.4.
 #
 # Report bugs to <https://issues.shibboleth.net/>.
 #
@@ -590,8 +590,8 @@
 # Identity of this package.
 PACKAGE_NAME='xmltooling'
 PACKAGE_TARNAME='xmltooling'
-PACKAGE_VERSION='3.0.3'
-PACKAGE_STRING='xmltooling 3.0.3'
+PACKAGE_VERSION='3.0.4'
+PACKAGE_STRING='xmltooling 3.0.4'
 PACKAGE_BUGREPORT='https://issues.shibboleth.net/'
 PACKAGE_URL=''
 
@@ -1449,7 +1449,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures xmltooling 3.0.3 to adapt to many kinds of systems.
+\`configure' configures xmltooling 3.0.4 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1519,7 +1519,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of xmltooling 3.0.3:";;
+     short | recursive ) echo "Configuration of xmltooling 3.0.4:";;
    esac
   cat <<\_ACEOF
 
@@ -1687,7 +1687,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-xmltooling configure 3.0.3
+xmltooling configure 3.0.4
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2422,7 +2422,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by xmltooling $as_me 3.0.3, which was
+It was created by xmltooling $as_me 3.0.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3287,7 +3287,7 @@
 
 # Define the identity of the package.
  PACKAGE='xmltooling'
- VERSION='3.0.3'
+ VERSION='3.0.4'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -21853,7 +21853,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by xmltooling $as_me 3.0.3, which was
+This file was extended by xmltooling $as_me 3.0.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -21919,7 +21919,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-xmltooling config.status 3.0.3
+xmltooling config.status 3.0.4
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru xmltooling-3.0.3/configure.ac xmltooling-3.0.4/configure.ac
--- xmltooling-3.0.3/configure.ac       2018-10-12 20:23:43.000000000 +0200
+++ xmltooling-3.0.4/configure.ac       2019-03-08 15:44:44.000000000 +0100
@@ -1,6 +1,6 @@
 # Process this file with autoreconf
 AC_PREREQ([2.50])
-AC_INIT([xmltooling],[3.0.3],[https://issues.shibboleth.net/],[xmltooling])
+AC_INIT([xmltooling],[3.0.4],[https://issues.shibboleth.net/],[xmltooling])
 AC_CONFIG_SRCDIR(xmltooling)
 AC_CONFIG_AUX_DIR(build-aux)
 AC_CONFIG_MACRO_DIR(m4)
diff -Nru xmltooling-3.0.3/config_win32.h xmltooling-3.0.4/config_win32.h
--- xmltooling-3.0.3/config_win32.h     2018-10-11 22:32:28.000000000 +0200
+++ xmltooling-3.0.4/config_win32.h     2019-03-08 15:44:44.000000000 +0100
@@ -106,13 +106,13 @@
 #define PACKAGE_NAME "xmltooling"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "xmltooling 3.0.3"
+#define PACKAGE_STRING "xmltooling 3.0.4"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "xmltooling"
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "3.0.3"
+#define PACKAGE_VERSION "3.0.4"
 
 /* Define to the necessary symbol if this constant uses a non-standard name on
    your system. */
@@ -125,7 +125,7 @@
 /* #undef TM_IN_SYS_TIME */
 
 /* Version number of package */
-#define VERSION "3.0.3"
+#define VERSION "3.0.4"
 
 /* Define if you wish to disable XML-Security-dependent features. */
 /* #undef XMLTOOLING_NO_XMLSEC */
diff -Nru xmltooling-3.0.3/debian/changelog xmltooling-3.0.4/debian/changelog
--- xmltooling-3.0.3/debian/changelog   2018-12-24 10:51:09.000000000 +0100
+++ xmltooling-3.0.4/debian/changelog   2019-03-14 14:58:36.000000000 +0100
@@ -1,3 +1,22 @@
+xmltooling (3.0.4-1) unstable; urgency=high
+
+  * [f185b26] New upstream security release: 3.0.4
+    DSA-4407-1, CVE-2019-9628: uncaught exception on malformed XML
+    declaration.
+    Invalid data in the XML declaration causes an exception of a type
+    that was not handled properly in the parser class and propagates an
+    unexpected exception type.
+    This generally manifests as a crash in the calling code, which in the
+    Service Provider software's case is usually the shibd daemon process,
+    but can be Apache in some cases. Note that the crash occurs prior to
+    evaluation of a message's authenticity, so can be exploited by an
+    untrusted attacker.
+    https://shibboleth.net/community/advisories/secadv_20190311.txt
+    https://issues.shibboleth.net/jira/browse/CPPXT-143
+    Thanks to Scott Cantor (Closes: #924346)
+
+ -- Ferenc Wágner <wf...@debian.org>  Thu, 14 Mar 2019 14:58:36 +0100
+
 xmltooling (3.0.3-1) unstable; urgency=medium
 
   [ Ferenc Wágner ]
diff -Nru xmltooling-3.0.3/xmltooling/Makefile.am 
xmltooling-3.0.4/xmltooling/Makefile.am
--- xmltooling-3.0.3/xmltooling/Makefile.am     2018-11-09 16:42:30.000000000 
+0100
+++ xmltooling-3.0.4/xmltooling/Makefile.am     2019-03-08 15:44:44.000000000 
+0100
@@ -229,7 +229,7 @@
        $(PTHREAD_LIBS) \
        $(dlopen_LIBS)
 
-AM_LDFLAGS = -version-info 8:3:0
+AM_LDFLAGS = -version-info 8:4:0
 
 libxmltooling_lite_la_SOURCES = \
        ${common_sources}
diff -Nru xmltooling-3.0.3/xmltooling/Makefile.in 
xmltooling-3.0.4/xmltooling/Makefile.in
--- xmltooling-3.0.3/xmltooling/Makefile.in     2018-11-09 16:42:35.000000000 
+0100
+++ xmltooling-3.0.4/xmltooling/Makefile.in     2019-03-08 15:45:41.000000000 
+0100
@@ -913,7 +913,7 @@
        $(PTHREAD_LIBS) \
        $(dlopen_LIBS)
 
-AM_LDFLAGS = -version-info 8:3:0
+AM_LDFLAGS = -version-info 8:4:0
 libxmltooling_lite_la_SOURCES = \
        ${common_sources}
 
diff -Nru xmltooling-3.0.3/xmltooling/soap/impl/CURLSOAPTransport.cpp 
xmltooling-3.0.4/xmltooling/soap/impl/CURLSOAPTransport.cpp
--- xmltooling-3.0.3/xmltooling/soap/impl/CURLSOAPTransport.cpp 2018-10-12 
19:33:58.000000000 +0200
+++ xmltooling-3.0.4/xmltooling/soap/impl/CURLSOAPTransport.cpp 2019-03-08 
15:44:44.000000000 +0100
@@ -90,7 +90,8 @@
             curl_easy_setopt(m_handle,CURLOPT_USERPWD,0);
             curl_easy_setopt(m_handle,CURLOPT_SSL_VERIFYHOST,2);
             curl_easy_setopt(m_handle,CURLOPT_HEADERDATA,this);
-            m_headers=curl_slist_append(m_headers,"Content-Type: text/xml");
+            m_headers = curl_slist_append(m_headers, "Content-Type: text/xml");
+            m_headers = curl_slist_append(m_headers, "Expect:");
         }
 
         virtual ~CURLSOAPTransport() {
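Review bot: The new `"Expect:"` line gives no hint why an empty header value is being sent; from the unblock text this is the CPPXT-144 fix, presumably to stop libcurl from adding its own `Expect: 100-continue` on larger POST bodies, and that should be stated next to the line, e.g. `// Empty Expect header disables libcurl's automatic "Expect: 100-continue" (CPPXT-144).` Separately, both appends store the result of curl_slist_append straight back into m_headers; if the second call returns NULL on allocation failure the first node is leaked and m_headers becomes NULL, so the transport would silently send neither header. A `struct curl_slist* tmp = curl_slist_append(m_headers, "Expect:"); if (tmp) m_headers = tmp;` pattern (or an explicit failure path) avoids losing the list. The enclosing constructor starts outside the hunk.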
diff -Nru xmltooling-3.0.3/xmltooling/util/CurlURLInputStream.cpp 
xmltooling-3.0.4/xmltooling/util/CurlURLInputStream.cpp
--- xmltooling-3.0.3/xmltooling/util/CurlURLInputStream.cpp     2018-07-10 
03:00:14.000000000 +0200
+++ xmltooling-3.0.4/xmltooling/util/CurlURLInputStream.cpp     2019-03-08 
15:44:44.000000000 +0100
@@ -305,6 +305,8 @@
         " libcurl/" + LIBCURL_VERSION + ' ' + OPENSSL_VERSION_TEXT;
     fHeaders = curl_slist_append(fHeaders, ua.c_str());
 
+    fHeaders = curl_slist_append(fHeaders, "Expect:");
+
     // Add User-Agent and cache headers.
     curl_easy_setopt(fEasy, CURLOPT_HTTPHEADER, fHeaders);
 
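Review bot: The comment `// Add User-Agent and cache headers.` that now follows the inserted line no longer describes the list being handed to CURLOPT_HTTPHEADER, which also carries the Expect header; either move the new append below that comment's block or reword it to `// Hand the User-Agent, Expect and cache headers to libcurl.` As in the SOAP transport, a one-line why-comment on the `"Expect:"` append would help (`// Empty value suppresses libcurl's automatic "Expect: 100-continue" (CPPXT-144).`), since the header's purpose is not visible from the code. The enclosing function starts outside the hunk.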
diff -Nru xmltooling-3.0.3/xmltooling/util/ParserPool.cpp 
xmltooling-3.0.4/xmltooling/util/ParserPool.cpp
--- xmltooling-3.0.3/xmltooling/util/ParserPool.cpp     2018-07-10 
03:00:14.000000000 +0200
+++ xmltooling-3.0.4/xmltooling/util/ParserPool.cpp     2019-03-08 
15:44:44.000000000 +0100
@@ -148,14 +148,28 @@
         checkinBuilder(janitor.release());
         return doc;
     }
-    catch (XMLException& ex) {
+    catch (const DOMException& ex) {
+        parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, 
(void*)nullptr);
+        
parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, 
true);
+        checkinBuilder(janitor.release());
+        auto_ptr_char temp(ex.getMessage());
+        throw XMLParserException(string("DOM error during parsing: ") + 
(temp.get() ? temp.get() : "no message"));
+    }
+    catch (const SAXException& ex) {
+        parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, 
(void*)nullptr);
+        
parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, 
true);
+        checkinBuilder(janitor.release());
+        auto_ptr_char temp(ex.getMessage());
+        throw XMLParserException(string("SAX error during parsing: ") + 
(temp.get() ? temp.get() : "no message"));
+    }
+    catch (const XMLException& ex) {
         parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, 
(void*)nullptr);
         
parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, 
true);
         checkinBuilder(janitor.release());
         auto_ptr_char temp(ex.getMessage());
         throw XMLParserException(string("Xerces error during parsing: ") + 
(temp.get() ? temp.get() : "no message"));
     }
-    catch (XMLToolingException&) {
+    catch (const XMLToolingException&) {
         parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, 
(void*)nullptr);
         
parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, 
true);
         checkinBuilder(janitor.release());
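Review bot: The new DOMException and SAXException handlers close the specific gap from CVE-2019-9628, but any other exception type escaping the parse (a std::bad_alloc, or a Xerces exception class not rooted in these hierarchies) still unwinds past this function with the custom error handler and the adopts-document setting left on the builder and the builder itself disposed of by the janitor (presumably) instead of being checked back in, and the caller crashes exactly as the advisory describes. Since this code runs before any authenticity check on the message, a catch-all that performs the same restore-and-checkin before rethrowing would turn that remaining case into a recoverable error rather than a process crash; whether to rethrow or wrap in XMLParserException depends on what callers expect, which I cannot see from here. The four handlers also repeat the same three cleanup lines verbatim, and a small private helper (e.g. `resetAndCheckin(parser, janitor)`) would make the next fix of this kind a one-line change. The function's closing brace is outside the hunk, so the catch-all goes after the XMLToolingException handler that the hunk cuts through.
```cpp
    // … unchanged: DOMException / SAXException / XMLException / XMLToolingException handlers …
    catch (...) {
        // Same restore-and-checkin as above for any exception type not handled
        // explicitly, so the builder is returned to the pool instead of being
        // lost with the janitor; rethrow (or wrap) rather than let it crash the caller.
        parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, (void*)nullptr);
        parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, true);
        checkinBuilder(janitor.release());
        throw;
    }
```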
@@ -220,8 +234,11 @@
     trim(temp);
     vector<string> catpaths;
     split(catpaths, temp, is_any_of(PATH_SEPARATOR_STR), 
algorithm::token_compress_on);
-    static bool (ParserPool::* lc)(const char*) = &ParserPool::loadCatalog;
-    for_each(catpaths.begin(), catpaths.end(), boost::bind(lc, this, 
boost::bind(&string::c_str, _1)));
+
+    for (vector<string>::const_iterator i = catpaths.begin(); i != 
catpaths.end(); ++i) {
+        loadCatalog(i->c_str());
+    }
+
     return !catpaths.empty();
 }
 
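Review bot: The result of `loadCatalog(i->c_str())` in the new loop body is discarded, yet the removed `static bool (ParserPool::* lc)(const char*)` line shows loadCatalog returns a bool, and the function still answers `!catpaths.empty()`, so a catalog path that fails to load is reported to the caller as success. The old boost::bind form discarded it too, so this is not a regression, but now that the loop is explicit it is a two-line change to make the return honest: `bool ok = true;` before the loop, `ok = loadCatalog(i->c_str()) && ok;` in the body, and `return ok && !catpaths.empty();` at the end. Whether callers rely on the current lenient result I cannot tell from here, so this is offered as a question rather than a must-fix. The enclosing function starts outside the hunk.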
diff -Nru xmltooling-3.0.3/xmltooling/version.h 
xmltooling-3.0.4/xmltooling/version.h
--- xmltooling-3.0.3/xmltooling/version.h       2018-10-11 22:31:05.000000000 
+0200
+++ xmltooling-3.0.4/xmltooling/version.h       2019-03-08 15:44:44.000000000 
+0100
@@ -44,7 +44,7 @@
 
 #define XMLTOOLING_VERSION_MAJOR 3
 #define XMLTOOLING_VERSION_MINOR 0
-#define XMLTOOLING_VERSION_REVISION 3
+#define XMLTOOLING_VERSION_REVISION 4
 
 /** DO NOT MODIFY BELOW THIS LINE */
 
diff -Nru xmltooling-3.0.3/xmltooling/xmltooling.rc 
xmltooling-3.0.4/xmltooling/xmltooling.rc
--- xmltooling-3.0.3/xmltooling/xmltooling.rc   2018-10-11 22:31:36.000000000 
+0200
+++ xmltooling-3.0.4/xmltooling/xmltooling.rc   2019-03-08 15:44:44.000000000 
+0100
@@ -28,8 +28,8 @@
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 3,0,3,0
- PRODUCTVERSION 3,0,0,0
+ FILEVERSION 3,0,4,0
+ PRODUCTVERSION 3,0,1,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -51,7 +51,7 @@
 #else
             VALUE "FileDescription", "OpenSAML XMLTooling Library\0"
 #endif
-            VALUE "FileVersion", "3, 0, 3, 0\0"
+            VALUE "FileVersion", "3, 0, 4, 0\0"
 #ifdef XMLTOOLING_LITE
 #ifdef _DEBUG
             VALUE "InternalName", "xmltooling-lite3_0D\0"
@@ -65,7 +65,7 @@
             VALUE "InternalName", "xmltooling3_0\0"
 #endif
 #endif
-            VALUE "LegalCopyright", "Copyright � 2018 UCAID\0"
+            VALUE "LegalCopyright", "Copyright 2019 UCAID\0"
             VALUE "LegalTrademarks", "\0"
 #ifdef XMLTOOLING_LITE
 #ifdef _DEBUG
@@ -81,8 +81,8 @@
 #endif
 #endif
             VALUE "PrivateBuild", "\0"
-            VALUE "ProductName", "OpenSAML 3.0.0\0"
-            VALUE "ProductVersion", "3, 0, 0, 0\0"
+            VALUE "ProductName", "OpenSAML 3.0.1\0"
+            VALUE "ProductVersion", "3, 0, 1, 0\0"
             VALUE "SpecialBuild", "\0"
         END
     END

unblock xmltooling/3.0.4-1
