Your message dated Sat, 23 Jun 2018 12:32:13 +0100
with message-id <[email protected]>
and subject line Closing bugs for requests included in the EoL jessie point
release
has caused the Debian Bug report #896942,
regarding jessie-pu: package xerces-c/3.1.1-5.1+deb8u3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
896942: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896942
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
I would like to update xerces-c in a future point release. This update
will fix one issue:
* Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
Offensive Research discovered that the Xerces-C XML parser mishandles
certain kinds of external DTD references, resulting in dereference of a
NULL pointer while processing the path to the DTD. The bug allows for a
denial of service attack in applications that allow DTD processing and do
not prevent external DTD usage, and could conceivably result in remote code
execution.
The CVE was deemed by the security team to not be critical enough for a
DSA, but they suggested that it might be included in a point release.
This issue has been fixed in unstable, and I have attached a debdiff
that reflects the desired changes.
Regards,
Bill
-- System Information:
Debian Release: 9.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru xerces-c-3.1.1/debian/changelog xerces-c-3.1.1/debian/changelog
--- xerces-c-3.1.1/debian/changelog 2016-06-29 10:47:44.000000000 -0400
+++ xerces-c-3.1.1/debian/changelog 2018-04-26 00:28:32.000000000 -0400
@@ -1,3 +1,15 @@
+xerces-c (3.1.1-5.1+deb8u4) jessie; urgency=medium
+
+ * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
+ Offensive Research discovered that the Xerces-C XML parser mishandles
+ certain kinds of external DTD references, resulting in dereference of a
+ NULL pointer while processing the path to the DTD. The bug allows for a
+ denial of service attack in applications that allow DTD processing and do
+ not prevent external DTD usage, and could conceivably result in remote code
+ execution.
+
+ -- William Blough <[email protected]> Thu, 26 Apr 2018 00:28:32 -0400
+
xerces-c (3.1.1-5.1+deb8u3) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
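Review bot: the new changelog entry correctly targets jessie with version 3.1.1-5.1+deb8u4, which follows on from the jessie-security upload 3.1.1-5.1+deb8u3 below it, so the version ordering is consistent for a point-release update. The entry body is a verbatim copy of the advisory text; for a self-describing changelog it would help to also name the source of the fix (upstream r1819998, as recorded in the patch header's Origin line) so a reader does not have to open debian/patches/CVE-2017-12627.patch to find it.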
diff -Nru xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch
xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch
--- xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch 1969-12-31
19:00:00.000000000 -0500
+++ xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch 2018-04-26
00:28:32.000000000 -0400
@@ -0,0 +1,26 @@
+From: Markus Koschany <[email protected]>
+Date: Thu, 29 Mar 2018 20:58:48 +0200
+Subject: CVE-2017-12627
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1819998
+Upstream-Advisory: https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt
+---
+ src/xercesc/util/PlatformUtils.cpp | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/xercesc/util/PlatformUtils.cpp
b/src/xercesc/util/PlatformUtils.cpp
+index eee1dc5..39c71ac 100644
+--- a/src/xercesc/util/PlatformUtils.cpp
++++ b/src/xercesc/util/PlatformUtils.cpp
+@@ -920,7 +920,10 @@ XMLCh* XMLPlatformUtils::weavePaths(const XMLCh* const
basePath
+
+ XMLString::subString(tmpBuf, basePath, 0, (basePtr - basePath + 1),
manager);
+ tmpBuf[basePtr - basePath + 1] = 0;
+- XMLString::catString(tmpBuf, relativePath);
++ if (relativePath)
++ {
++ XMLString::catString(tmpBuf, relativePath);
++ }
+
+ removeDotSlash(tmpBuf, manager);
+
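Review bot: the guard `if (relativePath)` stops XMLString::catString from dereferencing a NULL relativePath, but the function then falls through with tmpBuf holding only the base directory prefix (basePath up to basePtr, terminated at `tmpBuf[basePtr - basePath + 1] = 0`) and hands that to removeDotSlash and on to the caller. That turns a crash into a silently returned directory path used as the DTD location; it is worth confirming that the caller treats an empty relative component as an error rather than proceeding to resolve it, since the hunk shows no such check in weavePaths itself. The Origin and Upstream-Advisory lines in the patch header make the change easy to trace back to the upstream revision, which is good.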
diff -Nru xerces-c-3.1.1/debian/patches/series
xerces-c-3.1.1/debian/patches/series
--- xerces-c-3.1.1/debian/patches/series 2016-06-29 10:47:44.000000000
-0400
+++ xerces-c-3.1.1/debian/patches/series 2018-04-26 00:28:32.000000000
-0400
@@ -4,3 +4,4 @@
CVE-2016-2099.patch
CVE-2016-4463.patch
disable-DTD-processing-through-envvariable.patch
+CVE-2017-12627.patch
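Review bot: the series entry matches the newly added file debian/patches/CVE-2017-12627.patch, so the patch will be applied. It is appended after disable-DTD-processing-through-envvariable.patch; since both patches concern DTD handling, it is worth confirming with a clean `dpkg-source -x` or quilt push that the new patch still applies without fuzz on top of the existing jessie patch stack, as the new hunk's context lines reference line 920 of PlatformUtils.cpp and any offset introduced by earlier patches would show up there.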
--- End Message ---
--- Begin Message ---
Version: 8.11
Hi,
The updates referenced by these bugs were included in today's EoL point
release for jessie (8.11).
Regards,
Adam
--- End Message ---