Hi,
Here's a debdiff against buster.
The test suite passes, provided we modify MemHandlerTest1 to take the
leak into account.
What do you think?
Cheers!
Sylvain Beucler
Debian LTS Team
On 24/11/2020 17:39, Bill Blough wrote:
> The package has a test suite, so that's probably the minimum. But I'm
> not sure how much it exercises the DTD code, if at all.
> I also typically test with some of our internal code at work. But
> again, no DTDs in use there, either.
> On Mon, Nov 23, 2020 at 03:56:37PM +0100, Sylvain Beucler wrote:
>> Hi,
>> I can assist with this, notably an LTS upload - not necessarily immediately
>> either.
>> Bill, do you have testing procedures to recommend for this package?
>> Security Team, before issuing an LTS upload, what is your view on a Stable
>> upload for this issue?
>> Cheers!
>> Sylvain Beucler
>> Debian LTS Team
>> On 23/11/2020 03:01, Bill Blough wrote:
>>> Yes, this seems reasonable.
>>> I'll prepare an upload to unstable prior to the freeze. But it likely
>>> won't be for a couple of weeks due to my current workload.
>>> Since I assume one of your concerns is for LTS, feel free to do the LTS
>>> upload. Or, if you'd rather, I can make an attempt at that in a couple
>>> of weeks as well.
diff -Nru xerces-c-3.2.2+debian/debian/changelog xerces-c-3.2.2+debian/debian/changelog
--- xerces-c-3.2.2+debian/debian/changelog 2018-09-19 21:19:49.000000000 +0200
+++ xerces-c-3.2.2+debian/debian/changelog 2020-12-09 16:42:11.000000000 +0100
@@ -1,3 +1,12 @@
+xerces-c (3.2.2+debian-1+deb10u1) buster-security; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2018-1311 mitigation: fix use-after-free vulnerability when
+ processing external DTD, at the expense of a memory leak. Users may
+ mitigate both by setting the XERCES_DISABLE_DTD environment variable.
+
+ -- Sylvain Beucler <b...@debian.org> Wed, 09 Dec 2020 16:42:11 +0100
+
xerces-c (3.2.2+debian-1) unstable; urgency=medium
* New upstream version 3.2.2+debian Closes: 909202
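Review bot: the changelog entry tells users they can mitigate both the use-after-free and the leak by setting XERCES_DISABLE_DTD, but nothing in this debdiff adds or references that variable, so please confirm that the 3.2.2 code shipped in buster actually honours it before advertising it in the changelog, or drop that sentence. The entry also says nothing about tests/expected/MemHandlerTest1.log being adjusted to accept the leak; a short mention that the expected memory-monitor output now records 276 bytes per parser instance after processing the external DTD would tell future readers that the moved test expectation is a deliberate trade-off rather than a regression. If a Debian bug or security-tracker reference exists for CVE-2018-1311, a "Closes:" line here would be conventional.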
diff -Nru xerces-c-3.2.2+debian/debian/patches/CVE-2018-1311-mitigation.patch xerces-c-3.2.2+debian/debian/patches/CVE-2018-1311-mitigation.patch
--- xerces-c-3.2.2+debian/debian/patches/CVE-2018-1311-mitigation.patch 1970-01-01 01:00:00.000000000 +0100
+++ xerces-c-3.2.2+debian/debian/patches/CVE-2018-1311-mitigation.patch 2020-12-09 16:42:11.000000000 +0100
@@ -0,0 +1,35 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1311
+
+Index: xerces-c-3.2.2+debian/src/xercesc/internal/IGXMLScanner.cpp
+===================================================================
+--- xerces-c-3.2.2+debian.orig/src/xercesc/internal/IGXMLScanner.cpp
++++ xerces-c-3.2.2+debian/src/xercesc/internal/IGXMLScanner.cpp
+@@ -1532,7 +1532,6 @@ void IGXMLScanner::scanDocTypeDecl()
+ DTDEntityDecl* declDTD = new (fMemoryManager) DTDEntityDecl(gDTDStr, false, fMemoryManager);
+ declDTD->setSystemId(sysId);
+ declDTD->setIsExternal(true);
+- Janitor<DTDEntityDecl> janDecl(declDTD);
+
+ // Mark this one as a throw at end
+ reader->setThrowAtEnd(true);
+@@ -3095,7 +3094,6 @@ Grammar* IGXMLScanner::loadDTDGrammar(co
+ DTDEntityDecl* declDTD = new (fMemoryManager) DTDEntityDecl(gDTDStr, false, fMemoryManager);
+ declDTD->setSystemId(src.getSystemId());
+ declDTD->setIsExternal(true);
+- Janitor<DTDEntityDecl> janDecl(declDTD);
+
+ // Mark this one as a throw at end
+ newReader->setThrowAtEnd(true);
+Index: xerces-c-3.2.2+debian/tests/expected/MemHandlerTest1.log
+===================================================================
+--- xerces-c-3.2.2+debian.orig/tests/expected/MemHandlerTest1.log
++++ xerces-c-3.2.2+debian/tests/expected/MemHandlerTest1.log
+@@ -1,4 +1,4 @@
+-At destruction, domBuilderMemMonitor has 0 bytes.
+-At destruction, sax2MemMonitor has 0 bytes.
+-At destruction, sax1MemMonitor has 0 bytes.
++At destruction, domBuilderMemMonitor has 276 bytes.
++At destruction, sax2MemMonitor has 276 bytes.
++At destruction, sax1MemMonitor has 276 bytes.
+ At destruction, staticMemMonitor has 0 bytes.
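Review bot: the new quilt patch has no DEP-3 header (Description, Origin, Bug, Forwarded, Last-Update); a bare bugzilla URL does not explain that the two removed lines "-    Janitor<DTDEntityDecl> janDecl(declDTD);" in scanDocTypeDecl() and loadDTDGrammar() deliberately stop freeing declDTD at scope exit, which is what removes the use-after-free at the cost of the leak the changelog accepts. Suggest adding those headers, stating the origin of the idea (upstream's later fix versus a Debian-specific mitigation), and noting that the MemHandlerTest1.log change hard-codes 276 bytes, the size of the one leaked DTDEntityDecl per parser in that test, so that anyone rebasing the patch knows the number is expected to shift with any change to DTDEntityDecl. Bundling the test-expectation edit into the same patch as the code change is workable, but splitting it out, or at least naming it in the header, keeps the security-relevant diff itself easier to audit.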
diff -Nru xerces-c-3.2.2+debian/debian/patches/series xerces-c-3.2.2+debian/debian/patches/series
--- xerces-c-3.2.2+debian/debian/patches/series 2018-09-19 21:19:49.000000000 +0200
+++ xerces-c-3.2.2+debian/debian/patches/series 2020-12-09 16:42:11.000000000 +0100
@@ -0,0 +1 @@
+CVE-2018-1311-mitigation.patch