Control: tags 828990 + pending

Hi,
I've prepared an NMU for xerces-c (versioned as 3.1.3+debian-2.1) and uploaded it to DELAYED/10. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru xerces-c-3.1.3+debian/debian/NEWS xerces-c-3.1.3+debian/debian/NEWS
--- xerces-c-3.1.3+debian/debian/NEWS 1970-01-01 01:00:00.000000000 +0100
+++ xerces-c-3.1.3+debian/debian/NEWS 2016-07-01 14:29:28.000000000 +0200
@@ -0,0 +1,9 @@
+xerces-c (3.1.3+debian-2.1) unstable; urgency=medium
+
+ In addition to the fix for CVE-2016-4463 this update enables applications to
+ fully disable DTD processing through the use of an environment variable.
+ .
+ XERCES_DISABLE_DTD set to "1" will cause the scanner to report a fatal error
+ if a DTD is seen. Existing applications won't see any change.
+
+ -- Salvatore Bonaccorso <car...@debian.org> Tue, 28 Jun 2016 16:50:55 +0200
diff -Nru xerces-c-3.1.3+debian/debian/changelog xerces-c-3.1.3+debian/debian/changelog
--- xerces-c-3.1.3+debian/debian/changelog 2016-05-10 07:14:49.000000000 +0200
+++ xerces-c-3.1.3+debian/debian/changelog 2016-07-01 14:29:28.000000000 +0200
@@ -1,3 +1,14 @@
+xerces-c (3.1.3+debian-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2016-4463: Apache Xerces-C XML Parser Crashes on Malformed DTD
+ (Closes: #828990)
+ * Enable the ability to disable DTD processing through the use of an env
+ variable
+ * Add NEWS.Debian entry to document the XERCES_DISABLE_DTD variable
+
+ -- Salvatore Bonaccorso <car...@debian.org> Fri, 01 Jul 2016 14:28:51 +0200
+
 xerces-c (3.1.3+debian-2) unstable; urgency=medium
 
 * Fix CVE-2016-2099: Exception handling mistake in DTDScanner.
diff -Nru xerces-c-3.1.3+debian/debian/patches/CVE-2016-4463.patch xerces-c-3.1.3+debian/debian/patches/CVE-2016-4463.patch
--- xerces-c-3.1.3+debian/debian/patches/CVE-2016-4463.patch 1970-01-01 01:00:00.000000000 +0100
+++ xerces-c-3.1.3+debian/debian/patches/CVE-2016-4463.patch 2016-07-01 14:29:28.000000000 +0200
@@ -0,0 +1,62 @@
+Description: CVE-2016-4463: Apache Xerces-C XML Parser Crashes on Malformed DTD
+Origin: upstream, https://svn.apache.org/r1747619
+Bug: https://issues.apache.org/jira/browse/XERCESC-2069
+Forwarded: not-needed
+Author: Scott Cantor <canto...@osu.edu>
+Last-Update: 2016-06-28
+
+--- a/src/xercesc/validators/DTD/DTDScanner.cpp
++++ b/src/xercesc/validators/DTD/DTDScanner.cpp
+@@ -44,6 +44,8 @@
+
+ XERCES_CPP_NAMESPACE_BEGIN
+
++#define CONTENTSPEC_DEPTH_LIMIT 1000
++
+ // ---------------------------------------------------------------------------
+ // Local methods
+ // ---------------------------------------------------------------------------
+@@ -1038,8 +1040,13 @@ bool DTDScanner::scanCharRef(XMLCh& firs
+
+
+ ContentSpecNode*
+-DTDScanner::scanChildren(const DTDElementDecl& elemDecl, XMLBuffer& bufToUse)
++DTDScanner::scanChildren(const DTDElementDecl& elemDecl, XMLBuffer& bufToUse, unsigned int& depth)
+ {
++ if (depth++ > CONTENTSPEC_DEPTH_LIMIT) {
++ fScanner->emitError(XMLErrs::UnterminatedDOCTYPE);
++ return 0;
++ }
++
+ // Check for a PE ref here, but don't require spaces
+ checkForPERef(false, true);
+
+@@ -1240,7 +1247,7 @@ DTDScanner::scanChildren(const DTDElemen
+ // Recurse to handle this new guy
+ ContentSpecNode* subNode;
+ try {
+- subNode = scanChildren(elemDecl, bufToUse);
++ subNode = scanChildren(elemDecl, bufToUse, depth);
+ }
+ catch (const XMLErrs::Codes)
+ {
+@@ -1577,7 +1584,8 @@ bool DTDScanner::scanContentSpec(DTDElem
+ //
+ toFill.setModelType(DTDElementDecl::Children);
+ XMLBufBid bbTmp(fBufMgr);
+- ContentSpecNode* resNode = scanChildren(toFill, bbTmp.getBuffer());
++ unsigned int depth = 0;
++ ContentSpecNode* resNode = scanChildren(toFill, bbTmp.getBuffer(), depth);
+ status = (resNode != 0);
+ if (status)
+ toFill.setContentSpec(resNode);
+--- a/src/xercesc/validators/DTD/DTDScanner.hpp
++++ b/src/xercesc/validators/DTD/DTDScanner.hpp
+@@ -143,6 +143,7 @@ private:
+ (
+ const DTDElementDecl& elemDecl
+ , XMLBuffer& bufToUse
++ , unsigned int& depth
+ );
+ bool scanCharRef(XMLCh& toFill, XMLCh& second);
+ void scanComment();
diff -Nru xerces-c-3.1.3+debian/debian/patches/disable-DTD-processing-through-envvariable.patch xerces-c-3.1.3+debian/debian/patches/disable-DTD-processing-through-envvariable.patch
--- xerces-c-3.1.3+debian/debian/patches/disable-DTD-processing-through-envvariable.patch 1970-01-01 01:00:00.000000000 +0100
+++ xerces-c-3.1.3+debian/debian/patches/disable-DTD-processing-through-envvariable.patch 2016-07-01 14:29:28.000000000 +0200
@@ -0,0 +1,29 @@
+Description: Disable DTD processing through the use of an env variable
+ XERCES_DISABLE_DTD set to "1" will cause the scanner to report a fatal
+ error if a DTD is seen. Existing applications won't see any change.
+Origin: upstream, http://svn.apache.org/r1747620
+Bug: https://issues.apache.org/jira/browse/XERCESC-2070
+Forwarded: not-needed
+Author: Scott Cantor <canto...@osu.edu>
+Last-Update: 2016-06-28
+
+--- a/src/xercesc/internal/XMLScanner.cpp
++++ b/src/xercesc/internal/XMLScanner.cpp
+@@ -1270,8 +1270,15 @@ void XMLScanner::scanProlog()
+ if (sawDocTypeDecl) {
+ emitError(XMLErrs::DuplicateDocTypeDecl);
+ }
+- scanDocTypeDecl();
+- sawDocTypeDecl = true;
++
+ const char* envvar = getenv("XERCES_DISABLE_DTD");
++ if (envvar && !strcmp(envvar, "1")) {
++ emitError(XMLErrs::InvalidDocumentStructure);
++ }
++ else {
++ scanDocTypeDecl();
++ sawDocTypeDecl = true;
++ }
+
+ // if reusing grammar, this has been validated already in first scan
+ // skip for performance
diff -Nru xerces-c-3.1.3+debian/debian/patches/series xerces-c-3.1.3+debian/debian/patches/series
--- xerces-c-3.1.3+debian/debian/patches/series 2016-05-10 07:14:49.000000000 +0200
+++ xerces-c-3.1.3+debian/debian/patches/series 2016-07-01 14:29:28.000000000 +0200
@@ -1 +1,3 @@
 cve_2016_2099
+CVE-2016-4463.patch
+disable-DTD-processing-through-envvariable.patch
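Review bot: The guard `if (depth++ > CONTENTSPEC_DEPTH_LIMIT)` at the top of scanChildren increments a by-reference counter that nothing in the visible hunks decrements on return, so the limit bounds the total number of scanChildren calls made while scanning one content spec (every parenthesized group, including flat siblings), not the nesting depth the macro name suggests; a wide but shallow model with more than 1000 groups is rejected the same way as a deeply nested one. If the total-count bound is the intent, say so where the macro is defined, e.g. `// caps the number of groups scanned per content spec, not recursion depth`; otherwise pair the increment with a decrement before each return, which needs the rest of scanChildren's body, as that runs outside the hunk. The overflow path reports `XMLErrs::UnterminatedDOCTYPE`, which does not describe the condition found; reusing an existing code keeps the public enum stable, but a comment on that line should note it is deliberate. Whether the recursive call site `subNode = scanChildren(elemDecl, bufToUse, depth);` tolerates the null returned on overflow (as scanContentSpec does via `status = (resNode != 0);`) is also outside the hunk and worth confirming.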
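Review bot: On the disabled path in scanProlog, `emitError(XMLErrs::InvalidDocumentStructure);` is raised without calling scanDocTypeDecl, so the input position is left at the DOCTYPE rather than past it and `sawDocTypeDecl` stays false; what the enclosing prolog loop does with the unconsumed declaration when the error handler does not abort, and whether that error code is treated as fatal as the NEWS entry states, is outside the hunk and should be confirmed before relying on "parsing stops here". The hunk also adds no `#include <cstdlib>` or `#include <cstring>` for `getenv` and `strcmp`, so it depends on XMLScanner.cpp already pulling them in transitively. Since the switch is a process-wide environment variable read at scan time rather than a per-parser feature, the patch header or a comment at the `getenv("XERCES_DISABLE_DTD")` line should state that it cannot be scoped to one parser instance and that only the literal value "1" is honoured (any other value, such as "true", leaves DTD processing enabled).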