> the Debian LTS team would like to fix the security issues which are > currently open in the Squeeze version of xmltooling: > https://security-tracker.debian.org/tracker/CVE-2015-0851
Hi, I published patched packages at http://apt.niif.hu/CVE-2015-0851/, now for squeeze as well. Being no DD, I can't really do more, please pick up from here. $ debdiff xmltooling_1.3.3-2.dsc xmltooling_1.3.3-2+deb6u1.dsc diff -u xmltooling-1.3.3/debian/changelog xmltooling-1.3.3/debian/changelog --- xmltooling-1.3.3/debian/changelog +++ xmltooling-1.3.3/debian/changelog @@ -1,3 +1,10 @@ +xmltooling (1.3.3-2+deb6u1) squeeze-lts; urgency=high + + * Apply security fix from 1.5.5 for CVE-2015-0851 DoS (Closes: #793855): + Shibboleth SP software crashes on well-formed but invalid XML + + -- Ferenc Wagner <[email protected]> Mon, 03 Aug 2015 13:25:11 +0200 + xmltooling (1.3.3-2) unstable; urgency=low * Force source format 1.0 for now since it makes backporting easier. only in patch2: unchanged: --- xmltooling-1.3.3.orig/xmltooling/base.h +++ xmltooling-1.3.3/xmltooling/base.h @@ -683,7 +683,16 @@ XMLCh* m_##proper; \ public: \ pair<bool,int> get##proper() const { \ - return make_pair((m_##proper!=NULL),(m_##proper!=NULL ? xercesc::XMLString::parseInt(m_##proper): 0)); \ + if (m_##proper) { \ + try { \ + return std::make_pair(true, xercesc::XMLString::parseInt(m_##proper)); \ + } \ + catch (...) { \ + return std::make_pair(true, 0); \ + } \ + } else { \ + return std::make_pair(false, 0); \ + } \ } \ void set##proper(const XMLCh* proper) { \ m_##proper = prepareForAssignment(m_##proper,proper); \ @@ -1237,7 +1246,16 @@ #define DECL_INTEGER_CONTENT(proper) \ XMLTOOLING_DOXYGEN(Returns proper in integer form after a NULL indicator.) \ std::pair<bool,int> get##proper() const { \ - return std::make_pair((getTextContent()!=NULL), (getTextContent()!=NULL ? xercesc::XMLString::parseInt(getTextContent()) : 0)); \ + if (getTextContent()) { \ + try { \ + return std::make_pair(true, xercesc::XMLString::parseInt(getTextContent())); \ + } \ + catch (...) { \ + return std::make_pair(true, 0); \ + } \ + } else { \ + return std::make_pair(false, 0); \ + } \ } \ XMLTOOLING_DOXYGEN(Sets proper.) \ void set##proper(int proper) { \ I checked that opensaml2-2.3-2+squeeze1 builds against it (this rebuild is needed to fix the security problem, the xmltooling upload is not enough), but did no further testing. -- Regards, Feri. -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]
