Package: xml-security-c
Version: 1.7.2-2
Severity: important
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu disco ubuntu-patch
Dear Maintainer,

We found a bug in Apache Santuario C, related to ECDSA signature generation, a few years ago. We provided the fix to the Apache team, and Scott Cantor kindly accepted the fix in the project. However, the fix was introduced in the 2.x series of the library. The fix we provided was for version 1.7.x (xml-security-c17) found in Ubuntu 14.04, and it looks like Ubuntu 18.04 still includes a version from the 1.7.x series.

The commit with the fix for the bug can be found here:
http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/utils/XSECSafeBuffer.cpp?r1=1806212&r2=1807280&diff_format=h

In Ubuntu, the attached patch was applied to achieve the following:

  * debian/patches/99-xsecsafebuffer.patch: Fix undefined behavior in XSECSafeBuffer that affects ECDSA signature generation. This fix was introduced in series 2.x, but it was not backported to series 1.7.x.

Thanks for considering the patch.

-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty'), (100, 'trusty-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-130-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru xml-security-c-1.7.2/debian/changelog xml-security-c-1.7.2/debian/changelog diff -Nru xml-security-c-1.7.2/debian/control xml-security-c-1.7.2/debian/control --- xml-security-c-1.7.2/debian/control 2013-07-11 08:03:26.000000000 +0200 +++ xml-security-c-1.7.2/debian/control 2019-02-22 16:40:59.000000000 +0100 @@ -5,7 +5,7 @@ Uploaders: Russ Allbery <r...@debian.org> Build-Depends: debhelper (>= 9), dh-autoreconf, libssl-dev (>= 1.0.1), libxerces-c-dev, pkg-config -Standards-Version: 3.9.4 +Standards-Version: 3.9.5 Homepage: http://santuario.apache.org/cindex.html Vcs-Git: git://anonscm.debian.org/pkg-shibboleth/xml-security-c.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-shibboleth/xml-security-c.git diff -Nru xml-security-c-1.7.2/debian/patches/99-xsecsafebuffer.patch xml-security-c-1.7.2/debian/patches/99-xsecsafebuffer.patch --- xml-security-c-1.7.2/debian/patches/99-xsecsafebuffer.patch 1970-01-01 01:00:00.000000000 +0100 +++ xml-security-c-1.7.2/debian/patches/99-xsecsafebuffer.patch 2019-02-22 15:24:54.000000000 +0100 @@ -0,0 +1,16 @@ +## Description: add some description +## Origin/Author: add some origin or author +## Bug: bug URL +Index: xml-security-c-1.7.2/xsec/utils/XSECSafeBuffer.cpp +=================================================================== +--- xml-security-c-1.7.2.orig/xsec/utils/XSECSafeBuffer.cpp 2019-02-22 15:16:17.000000000 +0100 ++++ xml-security-c-1.7.2/xsec/utils/XSECSafeBuffer.cpp 2019-02-22 15:18:04.000000000 +0100 +@@ -639,7 +639,7 @@ + + assert (t != NULL); + +- len += XMLString::stringLen(t); ++ len += XMLString::stringLen(t) * size_XMLCh; + len += (xsecsize_t) (2 * size_XMLCh); + + checkAndExpand(len); diff -Nru xml-security-c-1.7.2/debian/patches/series xml-security-c-1.7.2/debian/patches/series --- xml-security-c-1.7.2/debian/patches/series 2013-07-11 08:03:42.000000000 +0200 +++ xml-security-c-1.7.2/debian/patches/series 2019-02-22 15:15:54.000000000 +0100 
@@ -1 +1,2 @@ debian-changes +99-xsecsafebuffer.patch
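Review bot: the debian/control hunk bumps Standards-Version from 3.9.4 to 3.9.5, which is unrelated to the XSECSafeBuffer fix and is not covered by the changelog text quoted in the report (the debian/changelog diff header in the attachment also carries no hunk body). Either drop the bump from this patch or give it its own changelog line so the upload records why it changed.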
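Review bot: the DEP-3 header of debian/patches/99-xsecsafebuffer.patch still contains the quilt template placeholders `## Description: add some description`, `## Origin/Author: add some origin or author` and `## Bug: bug URL`; fill them in before upload (Description: fix byte/character length confusion in XSECSafeBuffer affecting ECDSA signature generation; Origin: backport of upstream r1807280, the svn.apache.org viewvc URL given in the report; Author and Bug as appropriate). The one-line code change itself is right as far as the visible context shows: `len` is accounted in bytes on the very next line (`len += (xsecsize_t) (2 * size_XMLCh);`), so adding `XMLString::stringLen(t)` unscaled reserved one byte per XMLCh instead of `size_XMLCh` bytes, and `checkAndExpand(len)` was asked for a buffer too small for the data written afterwards.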
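To make the length-accounting defect behind 99-xsecsafebuffer.patch concrete, here is an added example; it is not code from xml-security-c or Xerces-C. `ToyXMLCh`, `toyStringLen` and `ToyByteBuffer` are stand-ins I assume for `XMLCh`, `XMLString::stringLen` and a byte-oriented `XSECSafeBuffer`, with a 16-bit code unit assumed as in Xerces. The toy append reserves space with either the pre-patch rule (`len += stringLen(t)`) or the patched one (`len += stringLen(t) * size_XMLCh`), and instead of writing past the reserved region (the undefined behaviour the patch removes) it refuses and returns `false`, so the mismatch becomes observable.

```cpp
// Added example, not code from xml-security-c: a toy byte-oriented buffer
// that models the length accounting fixed by 99-xsecsafebuffer.patch.
// ToyXMLCh, toyStringLen and ToyByteBuffer are assumed stand-ins for Xerces'
// XMLCh, XMLString::stringLen and XSECSafeBuffer; they are not the real types.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

typedef char16_t ToyXMLCh;                                   // 16-bit code unit, like XMLCh
static const std::size_t toy_size_XMLCh = sizeof(ToyXMLCh);  // 2 bytes per unit

// Length in code units (not bytes), like XMLString::stringLen.
static std::size_t toyStringLen(const ToyXMLCh* s) {
    std::size_t n = 0;
    while (s[n] != 0) ++n;
    return n;
}

class ToyByteBuffer {
public:
    explicit ToyByteBuffer(std::size_t initialBytes) : buf_(initialBytes, 0), used_(0) {}

    std::size_t capacity() const { return buf_.size(); }

    // Grow so that at least 'bytes' bytes exist (role of checkAndExpand).
    void checkAndExpand(std::size_t bytes) {
        if (bytes > buf_.size()) buf_.resize(bytes, 0);
    }

    // Append the code units of 's' plus a terminator at the current end.
    // countInBytes=false reproduces the pre-patch rule  (len += stringLen(t));
    // countInBytes=true  reproduces the patched rule    (len += stringLen(t) * size_XMLCh).
    // Rather than write past the end (the undefined behaviour the patch removes),
    // the toy refuses and returns false.
    bool appendXMLCh(const ToyXMLCh* s, bool countInBytes) {
        const std::size_t units = toyStringLen(s);
        std::size_t len = used_;                  // bytes already in use
        len += countInBytes ? units * toy_size_XMLCh : units;
        len += 2 * toy_size_XMLCh;                // terminator slack, as in the original line
        checkAndExpand(len);

        // Bytes the copy below really needs: every unit plus one terminator unit.
        const std::size_t needed = used_ + (units + 1) * toy_size_XMLCh;
        if (needed > buf_.size())
            return false;                         // reserved too little: would overflow
        std::memcpy(&buf_[used_], s, units * toy_size_XMLCh);
        used_ += units * toy_size_XMLCh;
        std::memset(&buf_[used_], 0, toy_size_XMLCh);
        return true;
    }

private:
    std::vector<std::uint8_t> buf_;
    std::size_t used_;
};

// Does appending a constructed string of 'units' code units to a fresh 8-byte
// buffer stay in bounds under the given accounting rule?
bool appendFits(std::size_t units, bool countInBytes) {
    std::vector<ToyXMLCh> s(units + 1, static_cast<ToyXMLCh>('a'));  // constructed input
    s[units] = 0;
    ToyByteBuffer b(8);
    return b.appendXMLCh(s.data(), countInBytes);
}

int main() {
    assert(appendFits(2, false));    // short string: the 4-byte slack hides the bug
    assert(!appendFits(5, false));   // pre-patch: reserves 9 bytes, copy needs 12
    assert(appendFits(5, true));     // patched: reserves 14 bytes, copy needs 12
    assert(!appendFits(200, false)); // a signature-sized string: under-reserved by half
    assert(appendFits(200, true));
    return 0;
}
```

The slack of `2 * size_XMLCh` bytes is why very short strings never tripped the bug: only once the string exceeds four code units does the byte count of the copy outrun what the pre-patch rule reserved, and the shortfall then grows with the string, which is exactly the regime a base64-encoded signature value lives in.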