Your message dated Sat, 10 Feb 2024 13:02:58 +0000
with message-id <e1ryn0u-002xtb...@coccia.debian.org>
and subject line Released with 11.9
has caused the Debian Bug report #1061472,
regarding bullseye-pu: package tinyxml/2.6.2-4+deb11u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1061472: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061472
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: tiny...@packages.debian.org
Control: affects -1 + src:tinyxml
[ Reason ]
Fix CVE-2023-34194: Reachable assertion (and application exit) via a
crafted XML document with a '\0' located after whitespace.
The issue has been fixed in buster LTS as well as sid (via NMU). The
security team argued it didn't warrant a DSA, and suggested to go via
s-pu instead.
[ Impact ]
Buster users will regress when upgrading to bullseye.
[ Tests ]
The vulnerability report came with POCs which was checked against.
[ Risks ]
The patch is trivial but tinyxml appears to be abandoned upstream so I
wrote it myself.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in oldstable
[x] the issue is verified as fixed in unstable
[ Changes ]
Fix CVE-2023-34194: Reachable assertion (and application exit) via a
crafted XML document with a '\0' located after whitespace.
--
Guilhem.
diffstat for tinyxml-2.6.2 tinyxml-2.6.2
changelog | 9 +++++++++
patches/CVE-2023-34194.patch | 27 +++++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 37 insertions(+)
diff -Nru tinyxml-2.6.2/debian/changelog tinyxml-2.6.2/debian/changelog
--- tinyxml-2.6.2/debian/changelog 2022-10-20 16:32:51.000000000 +0200
+++ tinyxml-2.6.2/debian/changelog 2024-01-25 04:12:05.000000000 +0100
@@ -1,3 +1,12 @@
+tinyxml (2.6.2-4+deb11u2) bullseye; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2023-34194 / CVE-2023-40462: Reachable assertion (and application
+ exit) via a crafted XML document with a '\0' located after whitespace.
+ (Closes: #1059315)
+
+ -- Guilhem Moulin <guil...@debian.org> Thu, 25 Jan 2024 04:12:05 +0100
+
tinyxml (2.6.2-4+deb11u1) bullseye; urgency=medium
* Import fix for CVE-2021-42260.
diff -Nru tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch
tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch
--- tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch 1970-01-01
01:00:00.000000000 +0100
+++ tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch 2024-01-25
04:12:05.000000000 +0100
@@ -0,0 +1,27 @@
+From: Guilhem Moulin <guil...@debian.org>
+Date: Sat, 30 Dec 2023 14:15:54 +0100
+Subject: Avoid reachable assertion via crafted XML document with a '\0'
+ located after whitespace
+
+Bug: https://www.forescout.com/resources/sierra21-vulnerabilities
+Bug-Debian: https://bugs.debian.org/1059315
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-34194
+---
+ tinyxmlparser.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tinyxmlparser.cpp b/tinyxmlparser.cpp
+index 8aa0dfa..1601962 100644
+--- a/tinyxmlparser.cpp
++++ b/tinyxmlparser.cpp
+@@ -1606,6 +1606,10 @@ const char* TiXmlDeclaration::Parse( const char* p,
TiXmlParsingData* data, TiXm
+ }
+
+ p = SkipWhiteSpace( p, _encoding );
++ if ( !p || !*p )
++ {
++ break;
++ }
+ if ( StringEqual( p, "version", true, _encoding ) )
+ {
+ TiXmlAttribute attrib;
diff -Nru tinyxml-2.6.2/debian/patches/series
tinyxml-2.6.2/debian/patches/series
--- tinyxml-2.6.2/debian/patches/series 2022-10-20 16:32:49.000000000 +0200
+++ tinyxml-2.6.2/debian/patches/series 2024-01-25 04:12:05.000000000 +0100
@@ -1,3 +1,4 @@
enforce-use-stl.patch
entity-encoding.patch
CVE-2021-42260.patch
+CVE-2023-34194.patch
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Version: 11.9
The upload requested in this bug has been released as part of 11.9.
--- End Message ---
