Bug#896945: stretch-pu: package cffi/0.18.0-1+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

I have prepared (and uploaded) an update to the cffi package that fixes #894543. The debdiff is attached.

Best,

--
⢀⣴⠾⠻⢶⣦⠀ Sébastien Villemot
⣾⠁⢠⠒⠀⣿⡁ Debian Developer
⢿⡄⠘⠷⠚⠋⠀ http://sebastien.villemot.name
⠈⠳⣄ http://www.debian.org

diff -u cffi-0.18.0/debian/changelog cffi-0.18.0/debian/changelog --- cffi-0.18.0/debian/changelog +++ cffi-0.18.0/debian/changelog @@ -1,3 +1,12 @@ +cffi (1:0.18.0-1+deb9u1) stretch; urgency=medium + + * Add missing files for cffi-libffi and cffi-toolchain. (Closes: #894543) + * Add missing Depends on gcc (for cffi-toolchain), pkg-config and +libc6-dev | libc-dev (for cffi-grovel) and libffi-dev (for +cffi-libffi). + + -- Sébastien Villemot Thu, 26 Apr 2018 08:24:48 + + cffi (1:0.18.0-1) unstable; urgency=medium * Quicklisp release update. diff -u cffi-0.18.0/debian/control cffi-0.18.0/debian/control --- cffi-0.18.0/debian/control +++ cffi-0.18.0/debian/control @@ -11,7 +11,11 @@ Package: cl-cffi Architecture: all -Depends: ${misc:Depends}, cl-alexandria, cl-trivial-features, cl-babel +Depends: ${misc:Depends}, cl-alexandria, cl-trivial-features, cl-babel, + gcc, + libc6-dev | libc-dev, + pkg-config, + libffi-dev Description: The Common Foreign Function Interface for Common Lisp CFFI, the Common Foreign Function Interface, purports to be a portable foreign function interface for Common Lisp. The CFFI library is composed of a diff -u cffi-0.18.0/debian/install cffi-0.18.0/debian/install --- cffi-0.18.0/debian/install +++ cffi-0.18.0/debian/install @@ -1 +1 @@ -*.asd examples/ tests/ uffi-compat/ src/ grovel/ usr/share/common-lisp/source/cl-cffi/ +*.asd examples/ tests/ uffi-compat/ src/ grovel/ libffi/ toolchain/ usr/share/common-lisp/source/cl-cffi/
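Review bot: making gcc, libc6-dev | libc-dev, pkg-config and libffi-dev hard Depends of cl-cffi in the debian/control hunk pulls a C compiler and development headers onto every system that installs the Lisp library, including ones that only load the core cffi system and never touch cffi-grovel, cffi-toolchain or cffi-libffi. For a stable update, consider whether Recommends would satisfy #894543 for users of those three systems while leaving a minimal installation unchanged, or record in the changelog why a hard dependency was chosen; the debian/install hunk that ships libffi/ and toolchain/ matches the changelog entry and needs no change.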
Bug#896942: jessie-pu: package xerces-c/3.1.1-5.1+deb8u3
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I would like to update xerces-c in a future point release. This update will fix one issue:

* Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of Offensive Research discovered that the Xerces-C XML parser mishandles certain kinds of external DTD references, resulting in dereference of a NULL pointer while processing the path to the DTD. The bug allows for a denial of service attack in applications that allow DTD processing and do not prevent external DTD usage, and could conceivably result in remote code execution.

The CVE was deemed by the security team to not be critical enough for a DSA, but they suggested that it might be included in a point release. This issue has been fixed in unstable, and I have attached a debdiff that reflects the desired changes.

Regards,
Bill

-- System Information:
Debian Release: 9.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru xerces-c-3.1.1/debian/changelog xerces-c-3.1.1/debian/changelog --- xerces-c-3.1.1/debian/changelog 2016-06-29 10:47:44.0 -0400 +++ xerces-c-3.1.1/debian/changelog 2018-04-26 00:28:32.0 -0400
@@ -1,3 +1,15 @@ +xerces-c (3.1.1-5.1+deb8u4) jessie; urgency=medium + + * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of +Offensive Research discovered that the Xerces-C XML parser mishandles +certain kinds of external DTD references, resulting in dereference of a +NULL pointer while processing the path to the DTD. The bug allows for a +denial of service attack in applications that allow DTD processing and do +not prevent external DTD usage, and could conceivably result in remote code +execution. + + -- William Blough Thu, 26 Apr 2018 00:28:32 -0400 + xerces-c (3.1.1-5.1+deb8u3) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch --- xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch 1969-12-31 19:00:00.0 -0500 +++ xerces-c-3.1.1/debian/patches/CVE-2017-12627.patch 2018-04-26 00:28:32.0 -0400 
@@ -0,0 +1,26 @@ +From: Markus Koschany +Date: Thu, 29 Mar 2018 20:58:48 +0200 +Subject: CVE-2017-12627 + +Origin: https://svn.apache.org/viewvc?view=revision&revision=1819998 +Upstream-Advisory: https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt +--- + src/xercesc/util/PlatformUtils.cpp | 5 - + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/xercesc/util/PlatformUtils.cpp b/src/xercesc/util/PlatformUtils.cpp +index eee1dc5..39c71ac 100644 +--- a/src/xercesc/util/PlatformUtils.cpp b/src/xercesc/util/PlatformUtils.cpp +@@ -920,7 +920,10 @@ XMLCh* XMLPlatformUtils::weavePaths(const XMLCh* const basePath + + XMLString::subString(tmpBuf, basePath, 0, (basePtr - basePath + 1), manager); + tmpBuf[basePtr - basePath + 1] = 0; +-XMLString::catString(tmpBuf, relativePath); ++if (relativePath) ++{ ++XMLString::catString(tmpBuf, relativePath); ++} + + removeDotSlash(tmpBuf, manager); + diff -Nru xerces-c-3.1.1/debian/patches/series xerces-c-3.1.1/debian/patches/series --- xerces-c-3.1.1/debian/patches/series2016-06-29 10:47:44.0 -0400 +++ xerces-c-3.1.1/debian/patches/series2018-04-26 00:28:32.0 -0400 @@ -4,3 +4,4 @@ CVE-2016-2099.patch CVE-2016-4463.patch disable-DTD-processing-through-envvariable.patch +CVE-2017-12627.patch
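Review bot: the new `if (relativePath)` guard in the PlatformUtils.cpp hunk protects only the XMLString::catString call, so a caller passing a NULL relativePath now continues past removeDotSlash(tmpBuf, manager) with tmpBuf holding just the base directory. Please confirm that a path equal to the base is the intended result for weavePaths, rather than an error reported to the caller, and that any earlier use of relativePath in that function (outside this hunk, for instance when sizing tmpBuf) does not also dereference it; a one-line comment above the guard naming CVE-2017-12627 would help anyone backporting this again.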
Bug#896940: stretch-pu: package xerces-c/3.1.4+debian-2
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

I would like to update xerces-c in a future point release. This update will fix two issues:

* Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of Offensive Research discovered that the Xerces-C XML parser mishandles certain kinds of external DTD references, resulting in dereference of a NULL pointer while processing the path to the DTD. The bug allows for a denial of service attack in applications that allow DTD processing and do not prevent external DTD usage, and could conceivably result in remote code execution.

* Fix a regression that forced gcc to use SSE2, even on platforms that do not support it (e.g., i386). This caused program crashes due to invalid CPU instructions.

The CVE was deemed by the security team to not be critical enough for a DSA, but they suggested that it might be included in a point release. Both of these issues have been fixed in unstable, and I have attached a debdiff that reflects the desired changes.

Regards,
Bill

-- System Information:
Debian Release: 9.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru xerces-c-3.1.4+debian/debian/changelog xerces-c-3.1.4+debian/debian/changelog --- xerces-c-3.1.4+debian/debian/changelog 2016-12-16 06:52:57.0 -0500 +++ xerces-c-3.1.4+debian/debian/changelog 2018-04-26 00:35:59.0 -0400
@@ -1,3 +1,18 @@ +xerces-c (3.1.4+debian-2+deb9u1) stretch; urgency=medium + + * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of +Offensive Research discovered that the Xerces-C XML parser mishandles +certain kinds of external DTD references, resulting in dereference of a +NULL pointer while processing the path to the DTD. The bug allows for a +denial of service attack in applications that allow DTD processing and do +not prevent external DTD usage, and could conceivably result in remote code +execution. + * Fix a regression that forced gcc to use SSE2, even on platforms that do not +support it (e.g., i386). This caused program crashes due to invalid CPU +instructions. + + -- William Blough Thu, 26 Apr 2018 00:35:59 -0400 + xerces-c (3.1.4+debian-2) unstable; urgency=medium * Fix AC_LANG_SOURCE warnings. diff -Nru xerces-c-3.1.4+debian/debian/patches/CVE-2017-12627.patch xerces-c-3.1.4+debian/debian/patches/CVE-2017-12627.patch --- xerces-c-3.1.4+debian/debian/patches/CVE-2017-12627.patch 1969-12-31 19:00:00.0 -0500 +++ xerces-c-3.1.4+debian/debian/patches/CVE-2017-12627.patch 2018-04-26 00:35:59.0 -0400 
@@ -0,0 +1,26 @@ +From: Markus Koschany +Date: Thu, 29 Mar 2018 20:58:48 +0200 +Subject: CVE-2017-12627 + +Origin: https://svn.apache.org/viewvc?view=revision&revision=1819998 +Upstream-Advisory: https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt +--- + src/xercesc/util/PlatformUtils.cpp | 5 - + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/xercesc/util/PlatformUtils.cpp b/src/xercesc/util/PlatformUtils.cpp +index eee1dc5..39c71ac 100644 +--- a/src/xercesc/util/PlatformUtils.cpp b/src/xercesc/util/PlatformUtils.cpp +@@ -920,7 +920,10 @@ XMLCh* XMLPlatformUtils::weavePaths(const XMLCh* const basePath + + XMLString::subString(tmpBuf, basePath, 0, (basePtr - basePath + 1), manager); + tmpBuf[basePtr - basePath + 1] = 0; +-XMLString::catString(tmpBuf, relativePath); ++if (relativePath) ++{ ++XMLString::catString(tmpBuf, relativePath); ++} + + removeDotSlash(tmpBuf, manager); + diff -Nru xerces-c-3.1.4+debian/debian/patches/series xerces-c-3.1.4+debian/debian/patches/series --- xerces-c-3.1.4+debian/debian/patches/series 2016-12-16 06:52:57.0 -0500 +++ xerces-c-3.1.4+debian/debian/patches/series 2018-04-26 00:35:59.0 -0400 @@ -1,3 +1,4 @@ psviwriter_strrchr_fix fix_fprintf_warnings.diff fix_ac_lang_source_warnings +CVE-2017-12627.patch diff -Nru xerces-c-3.1.4+debian/debian/rules xerces-c-3.1.4+debian/debian/rules --- xerces-c-3.1.4+debian/debian/rules 2016-12-16 06:52:57.0 -0500 +++ xerces-c-3.1.4+debian/debian/rules 2018-04-26 00:35:59.0 -0400 @@ -15,7 +15,10 @@ dh $@ --with autoreconf override_dh_auto_configure: - dh_auto_configure -- --disable-pretty-make --enable-netaccessor-curl + dh_auto_configure -- --disable-pretty-make --enable-netaccessor-curl --disable-sse2 + # Note: This disables explicit passing of -msse2 to gcc. It does not + # actually disable sse2 extensions for platforms such as
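Review bot: the --disable-sse2 added to dh_auto_configure in the debian/rules hunk is unconditional, so it takes effect on every architecture and not only on the i386 builds where the changelog reports the invalid-instruction crashes; that is harmless where SSE2 is part of the baseline, but the changelog entry should say the flag is global rather than an i386 fix. The accompanying comment is the right place to record that the option only stops passing -msse2 explicitly and does not disable SSE2 code generation where the compiler enables it by default, as its first sentence already does; keep that comment in step with the configure option so the build does not read as if SSE2 were switched off everywhere.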