Your message dated Mon, 08 Oct 2012 11:35:09 +0200
with message-id <[email protected]>
and subject line Re: Bug#689818: unblock: xml-light/2.2-15
has caused the Debian Bug report #689818,
regarding unblock: xml-light/2.2-15
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
689818: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689818
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package xml-light.
xml-light/2.2-15 fixes a security issue (namely CVE-2012-3514). It
changed an internal data structure from a Hash table to a Map to avoid
hash collision attacks.
This upload required the rebuild of its reverse dependencies because
ABI changed. AFAIK, all r-deps were rebuilt successfully.
Debdiff between -14 and -15 is attached for your convenience.
unblock xml-light/2.2-15
Regards,
--
Mehdi
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru xml-light-2.2/debian/changelog xml-light-2.2/debian/changelog
--- xml-light-2.2/debian/changelog 2012-06-07 13:55:42.000000000 +0200
+++ xml-light-2.2/debian/changelog 2012-10-05 15:31:52.000000000 +0200
@@ -1,3 +1,14 @@
+xml-light (2.2-15) unstable; urgency=low
+
+ [ Sylvain Le Gall ]
+ * Remove Sylvain Le Gall from uploaders
+
+ [ Mehdi Dogguy ]
+ * Fix CVE-2012-3514 (Closes: #685584).
+ - add 06_CVE-2012-3514.diff
+
+ -- Mehdi Dogguy <[email protected]> Fri, 05 Oct 2012 15:31:52 +0200
+
xml-light (2.2-14) unstable; urgency=low
* Do not try to install the .cmxs plugin on architectures where
diff -Nru xml-light-2.2/debian/control xml-light-2.2/debian/control
--- xml-light-2.2/debian/control 2012-06-05 16:38:56.000000000 +0200
+++ xml-light-2.2/debian/control 2012-10-01 14:40:35.000000000 +0200
@@ -3,7 +3,6 @@
Priority: optional
Maintainer: Debian OCaml Maintainers <[email protected]>
Uploaders:
- Sylvain Le Gall <[email protected]>,
Mehdi Dogguy <[email protected]>
Build-Depends:
cdbs (>= 0.4.23-1.1),
diff -Nru xml-light-2.2/debian/patches/06_CVE-2012-3514.diff xml-light-2.2/debian/patches/06_CVE-2012-3514.diff
--- xml-light-2.2/debian/patches/06_CVE-2012-3514.diff 1970-01-01 01:00:00.000000000 +0100
+++ xml-light-2.2/debian/patches/06_CVE-2012-3514.diff 2012-10-01 15:40:17.000000000 +0200
@@ -0,0 +1,153 @@
+--- a/dtd.ml
++++ b/dtd.ml
+@@ -93,16 +93,18 @@
+
+ type dtd = dtd_item list
+
+-type ('a,'b) hash = ('a,'b) Hashtbl.t
++module StringMap = Map.Make(String)
++
++type 'a map = 'a StringMap.t ref
+
+ type checked = {
+- c_elements : (string,dtd_element_type) hash;
+- c_attribs : (string,(string,(dtd_attr_type * dtd_attr_default)) hash) hash;
++ c_elements : dtd_element_type map;
++ c_attribs : (dtd_attr_type * dtd_attr_default) map map;
+ }
+
+ type dtd_state = {
+- elements : (string,dtd_element_type) hash;
+- attribs : (string,(string,(dtd_attr_type * dtd_attr_default)) hash) hash;
++ elements : dtd_element_type map;
++ attribs : (dtd_attr_type * dtd_attr_default) map map;
+ mutable current : dtd_element_type;
+ mutable curtag : string;
+ state : (string * dtd_element_type) Stack.t;
+@@ -113,7 +115,21 @@
+ let _raises e =
+ file_not_found := e
+
+-let empty_hash = Hashtbl.create 0
++let create_map() = ref StringMap.empty
++
++let empty_map = create_map()
++
++let find_map m k = StringMap.find k (!m)
++
++let set_map m k v = m := StringMap.add k v (!m)
++
++let unset_map m k = m := StringMap.remove k (!m)
++
++let iter_map f m = StringMap.iter f (!m)
++
++let fold_map f m = StringMap.fold f (!m)
++
++let mem_map m k = StringMap.mem k (!m)
+
+ let pos source =
+ let line, lstart, min, max = Xml_lexer.pos source in
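Review bot: `empty_map` is a single global `ref` (created once by `create_map()`) and, unlike the old `empty_hash`, it is the default attribute table handed out for every element that declares no attributes; because the `'a map` type is mutable through the ref, one `set_map empty_map ...` anywhere would silently add attributes to all such elements at once. Either make it a function returning a fresh ref, or add a comment above it stating that it must only ever be read. Separately, `mem_map` is defined but not used in any of the visible hunks.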
+@@ -158,45 +174,45 @@
+ raise e
+
+ let check dtd =
+- let attribs = Hashtbl.create 0 in
+- let hdone = Hashtbl.create 0 in
+- let htodo = Hashtbl.create 0 in
++ let attribs = create_map () in
++ let hdone = create_map () in
++ let htodo = create_map () in
+ let ftodo tag from =
+ try
+- ignore(Hashtbl.find hdone tag);
++ ignore(find_map hdone tag);
+ with
+ Not_found ->
+ try
+- match Hashtbl.find htodo tag with
+- | None -> Hashtbl.replace htodo tag from
++ match find_map htodo tag with
++ | None -> set_map htodo tag from
+ | Some _ -> ()
+ with
+ Not_found ->
+- Hashtbl.add htodo tag from
++ set_map htodo tag from
+ in
+ let fdone tag edata =
+ try
+- ignore(Hashtbl.find hdone tag);
++ ignore(find_map hdone tag);
+ raise (Check_error (ElementDefinedTwice tag));
+ with
+ Not_found ->
+- Hashtbl.remove htodo tag;
+- Hashtbl.add hdone tag edata
++ unset_map htodo tag;
++ set_map hdone tag edata
+ in
+ let fattrib tag aname adata =
+ let h = (try
+- Hashtbl.find attribs tag
++ find_map attribs tag
+ with
+ Not_found ->
+- let h = Hashtbl.create 1 in
+- Hashtbl.add attribs tag h;
++ let h = create_map () in
++ set_map attribs tag h;
+ h) in
+ try
+- ignore(Hashtbl.find h aname);
++ ignore(find_map h aname);
+ raise (Check_error (AttributeDefinedTwice (tag,aname)));
+ with
+ Not_found ->
+- Hashtbl.add h aname adata
++ set_map h aname adata
+ in
+ let check_item = function
+ | DTDAttribute (tag,aname,atype,adef) ->
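Review bot: the `Hashtbl.add` to `set_map` rewrites change semantics in general (`Hashtbl.add` stacks a shadowing binding, `StringMap.add` overwrites the existing one), but every `set_map` in this hunk is reached only after a `Not_found` from `find_map`, and the `Hashtbl.replace` in `ftodo` already had overwrite semantics, so no path here relied on shadowing; likewise `unset_map` matches `Hashtbl.remove` because `htodo` never holds duplicate bindings. A one-line comment above `set_map` saying that overwrite is intended would spare the next reader this audit.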
+@@ -229,7 +245,7 @@
+ check_type etype
+ in
+ List.iter check_item dtd;
+- Hashtbl.iter (fun t from ->
++ iter_map (fun t from ->
+ match from with
+ | None -> raise (Check_error (ElementNotDeclared t))
+ | Some tag -> raise (Check_error (ElementReferenced (t,tag)))
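Review bot: `iter_map` visits keys in ascending string order where `Hashtbl.iter` visited them in hash order, and this closure raises on the first entry it sees, so the element named in `ElementNotDeclared` / `ElementReferenced` may now differ from what -14 reported for the same DTD. It is deterministic, which is an improvement, but any test fixtures or callers that match on the reported element name should be re-checked.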
+@@ -248,7 +264,7 @@
+ curtag = "_root";
+ } in
+ try
+- ignore(Hashtbl.find d.elements (String.uppercase root));
++ ignore(find_map d.elements (String.uppercase root));
+ d
+ with
+ Not_found -> raise (Check_error (ElementNotDeclared root))
+@@ -365,7 +381,7 @@
+
+ let check_attrib ahash (aname,_) =
+ try
+- ignore(Hashtbl.find ahash aname);
++ ignore(find_map ahash aname);
+ with
+ Not_found -> raise (Prove_error (UnexpectedAttribute aname))
+
+@@ -378,12 +394,12 @@
+ let uattr = List.map (fun (aname,aval) -> String.uppercase aname , aval) attr in
+ prove_child dtd (Some utag);
+ Stack.push (dtd.curtag,dtd.current) dtd.state;
+- let elt = (try Hashtbl.find dtd.elements utag with Not_found -> raise (Prove_error (UnexpectedTag tag))) in
+- let ahash = (try Hashtbl.find dtd.attribs utag with Not_found -> empty_hash) in
++ let elt = (try find_map dtd.elements utag with Not_found -> raise (Prove_error (UnexpectedTag tag))) in
++ let ahash = (try find_map dtd.attribs utag with Not_found -> empty_map) in
+ dtd.curtag <- tag;
+ dtd.current <- elt;
+ List.iter (check_attrib ahash) uattr;
+- let attr = Hashtbl.fold (prove_attrib dtd uattr) ahash [] in
++ let attr = fold_map (prove_attrib dtd uattr) ahash [] in
+ let childs = ref (List.map (do_prove dtd) childs) in
+ (match dtd.current with
+ | DTDAny
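Review bot: `fold_map` (via `StringMap.fold`) feeds `prove_attrib` the attributes in ascending uppercase-name order, so the `attr` list built here, and therefore the attribute order of the proved element, is now sorted by name rather than following hash order as with `Hashtbl.fold`; callers comparing output against -14 will see a reordering. Note also that `ahash` falls back to the shared global `empty_map` on `Not_found`; it is only read (`check_attrib`, `fold_map`) in this hunk, which is what keeps that shared ref safe, so please keep it that way.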
diff -Nru xml-light-2.2/debian/patches/series xml-light-2.2/debian/patches/series
--- xml-light-2.2/debian/patches/series 2012-06-05 16:38:56.000000000 +0200
+++ xml-light-2.2/debian/patches/series 2012-10-01 14:41:10.000000000 +0200
@@ -3,3 +3,4 @@
03_cflags.diff
04_dtd_trace.diff
05_cmxs_plugin.diff
+06_CVE-2012-3514.diff
--- End Message ---
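An added illustration, not code from xml-light or from the Debian patch, of the property the upload relies on: when the keys are attacker-controlled, `Hashtbl` can be driven into linear scans while `Map.Make(String)` stays logarithmic. A constant hash function stands in for attacker-chosen colliding keys, and the module and function names (`BadHash`, `bench_hashtbl`, `bench_map`) are assumptions of this example.

```ocaml
(* Added example, not code from xml-light or the Debian patch.
   A constant hash stands in for attacker-chosen colliding keys: it is not
   how CVE-2012-3514 was triggered, only a way to force Hashtbl into the
   same worst case so the cost can be compared with Map.Make(String). *)

module BadHash = Hashtbl.Make (struct
  type t = string
  let equal (a : string) b = a = b
  let hash (_ : string) = 0   (* every key falls into one bucket *)
end)

module StringMap = Map.Make (String)

(* Constructed attribute-name keys, e.g. "attr00042". *)
let n = 10_000
let keys = List.init n (fun i -> Printf.sprintf "attr%05d" i)

(* Run f, print its CPU time, return its result. *)
let time label f =
  let t0 = Sys.time () in
  let r = f () in
  Printf.printf "%-30s %8.3f s\n%!" label (Sys.time () -. t0);
  r

(* Insert every key, then look each one up; returns the number found.
   With all keys in one bucket each operation scans the whole chain. *)
let bench_hashtbl () =
  let h = BadHash.create 16 in
  List.iter (fun k -> BadHash.replace h k (String.length k)) keys;
  List.fold_left (fun acc k -> if BadHash.mem h k then acc + 1 else acc) 0 keys

(* Same workload in the shape the patch uses: a ref to an immutable map,
   updated in place with := so call sites read like the old Hashtbl code.
   Cost per operation is O(log n) whatever the keys look like. *)
let bench_map () =
  let m = ref StringMap.empty in
  List.iter (fun k -> m := StringMap.add k (String.length k) !m) keys;
  List.fold_left (fun acc k -> if StringMap.mem k !m then acc + 1 else acc) 0 keys

let () =
  let a = time "Hashtbl, all keys colliding" bench_hashtbl in
  let b = time "Map.Make(String)" bench_map in
  assert (a = n && b = n)
```

Build with `ocamlopt -o bench bench.ml` (no extra libraries); raising `n` makes the quadratic growth of the Hashtbl case obvious while the Map case barely moves.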
--- Begin Message ---
On 2012-10-06 18:50, Mehdi Dogguy wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package xml-light.
>
> xml-light/2.2-15 fixes a security issue (namely CVE-2012-3514). It
> changed an internal data structure from a Hash table to a Map to avoid
> hash collision attacks.
>
> This upload required the rebuild of its reverse dependencies because
> ABI changed. AFAIK, all r-deps were rebuilt successfully.
>
> Debdiff between -14 and -15 is attached for your convenience.
>
> unblock xml-light/2.2-15
>
> Regards,
>
Unblocked, thanks.
~Niels
--- End Message ---