Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: tiny...@packages.debian.org
Control: affects -1 + src:tinyxml

[ Reason ]

Fix CVE-2023-34194: Reachable assertion (and application exit) via a
crafted XML document with a '\0' located after whitespace.

The issue has been fixed in buster LTS as well as sid (via NMU). The
security team argued it didn't warrant a DSA, and suggested to go via
s-pu instead.

[ Impact ]

Buster users will regress when upgrading to bullseye.

[ Tests ]

The vulnerability report came with POCs which were checked against.

[ Risks ]

The patch is trivial but tinyxml appears to be abandoned upstream so I
wrote it myself.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

[ Changes ]

Fix CVE-2023-34194: Reachable assertion (and application exit) via a
crafted XML document with a '\0' located after whitespace.

--
Guilhem.

diffstat for tinyxml-2.6.2 tinyxml-2.6.2 changelog | 9 +++++++++ patches/CVE-2023-34194.patch | 27 +++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 37 insertions(+) diff -Nru tinyxml-2.6.2/debian/changelog tinyxml-2.6.2/debian/changelog --- tinyxml-2.6.2/debian/changelog 2022-10-20 16:32:51.000000000 +0200 +++ tinyxml-2.6.2/debian/changelog 2024-01-25 04:12:05.000000000 +0100 @@ -1,3 +1,12 @@ +tinyxml (2.6.2-4+deb11u2) bullseye; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2023-34194 / CVE-2023-40462: Reachable assertion (and application + exit) via a crafted XML document with a '\0' located after whitespace. + (Closes: #1059315) + + -- Guilhem Moulin <guil...@debian.org> Thu, 25 Jan 2024 04:12:05 +0100 + tinyxml (2.6.2-4+deb11u1) bullseye; urgency=medium * Import fix for CVE-2021-42260. diff -Nru tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch --- tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch 1970-01-01 01:00:00.000000000 +0100 +++ tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch 2024-01-25 04:12:05.000000000 +0100 
@@ -0,0 +1,27 @@ +From: Guilhem Moulin <guil...@debian.org> +Date: Sat, 30 Dec 2023 14:15:54 +0100 +Subject: Avoid reachable assertion via crafted XML document with a '\0' + located after whitespace + +Bug: https://www.forescout.com/resources/sierra21-vulnerabilities +Bug-Debian: https://bugs.debian.org/1059315 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-34194 +--- + tinyxmlparser.cpp | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tinyxmlparser.cpp b/tinyxmlparser.cpp +index 8aa0dfa..1601962 100644 +--- a/tinyxmlparser.cpp ++++ b/tinyxmlparser.cpp +@@ -1606,6 +1606,10 @@ const char* TiXmlDeclaration::Parse( const char* p, TiXmlParsingData* data, TiXm + } + + p = SkipWhiteSpace( p, _encoding ); ++ if ( !p || !*p ) ++ { ++ break; ++ } + if ( StringEqual( p, "version", true, _encoding ) ) + { + TiXmlAttribute attrib; diff -Nru tinyxml-2.6.2/debian/patches/series tinyxml-2.6.2/debian/patches/series --- tinyxml-2.6.2/debian/patches/series 2022-10-20 16:32:49.000000000 +0200 +++ tinyxml-2.6.2/debian/patches/series 2024-01-25 04:12:05.000000000 +0100 @@ -1,3 +1,4 @@ enforce-use-stl.patch entity-encoding.patch CVE-2021-42260.patch +CVE-2023-34194.patch
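
Review bot: The debian/changelog entry names two identifiers, "CVE-2023-34194 / CVE-2023-40462", while the new patch's file name, subject and Bug-Debian tracker line reference only CVE-2023-34194. Add a tracker line for CVE-2023-40462 to the patch header, or state in the changelog that both identifiers cover the same defect, so that a search of the source package for either one leads to this fix.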
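
Review bot: In the tinyxmlparser.cpp hunk the new "if ( !p || !*p )" guard exits with "break", and the code after the enclosing loop lies outside the three lines of context, so the diff alone does not show what TiXmlDeclaration::Parse returns for a declaration that ends in a '\0' after whitespace. Confirm that this path ends in the parser's error return rather than returning a pointer to the terminator as if the declaration had parsed, and put a one-line comment above the guard naming the reachable assertion it prevents, since the patch header will not be visible to someone reading the patched source.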