This patch has been applied in 3.2.3+debian-2 which has been uploaded to unstable.
I'll leave this bug open in hopes of an eventual upstream fix.

On Wed, Dec 09, 2020 at 05:46:33PM +0100, Sylvain Beucler wrote:
> Hi,
>
> Here's a debdiff against buster.
>
> The testsuite passes, provided we modify MemHandlerTest1 to take the leak
> into account.
>
> What do you think?
>
> Cheers!
> Sylvain Beucler
> Debian LTS Team
>
> On 24/11/2020 17:39, Bill Blough wrote:
> > The package has a test suite, so that's probably the minimum. But I'm
> > not sure how much it exercises the DTD code, if at all.
> >
> > I also typically test with some of our internal code at work. But
> > again, no DTDs in use there, either.
> >
> > On Mon, Nov 23, 2020 at 03:56:37PM +0100, Sylvain Beucler wrote:
> > > Hi,
> > >
> > > I can assist with this, notably a LTS upload - not necessarily immediately
> > > either.
> > >
> > > Bill, do you have testing procedures to recommend for this package?
> > >
> > > Security Team, before issuing a LTS upload, what is your view on a Stable
> > > upload for this issue?
> > >
> > > Cheers!
> > > Sylvain Beucler
> > > Debian LTS Team
> > >
> > > On 23/11/2020 03:01, Bill Blough wrote:
> > > > Yes, this seems reasonable.
> > > >
> > > > I'll prepare an upload to unstable prior to the freeze. But it likely
> > > > won't be for a couple of weeks due to my current workload.
> > > >
> > > > Since I assume one of your concerns is for LTS, feel free to do the LTS
> > > > upload. Or, if you'd rather, I can make an attempt at that in a couple
> > > > of weeks as well.
> diff -Nru xerces-c-3.2.2+debian/debian/changelog
> xerces-c-3.2.2+debian/debian/changelog
> --- xerces-c-3.2.2+debian/debian/changelog 2018-09-19 21:19:49.000000000
> +0200
> +++ xerces-c-3.2.2+debian/debian/changelog 2020-12-09 16:42:11.000000000
> +0100
> @@ -1,3 +1,12 @@ > +xerces-c (3.2.2+debian-1+deb10u1) buster-security; urgency=medium > + > + * Non-maintainer upload. > + * CVE-2018-1311 mitigation: fix use-after-free vulnerability when > + processing external DTD, at the expense of a memory leak. Users may > + mitigate both by setting the XERCES_DISABLE_DTD environment variable. > + > + -- Sylvain Beucler <b...@debian.org> Wed, 09 Dec 2020 16:42:11 +0100 > + > xerces-c (3.2.2+debian-1) unstable; urgency=medium > > * New upstream version 3.2.2+debian Closes: 909202 > diff -Nru xerces-c-3.2.2+debian/debian/patches/CVE-2018-1311-mitigation.patch > xerces-c-3.2.2+debian/debian/patches/CVE-2018-1311-mitigation.patch > --- xerces-c-3.2.2+debian/debian/patches/CVE-2018-1311-mitigation.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ xerces-c-3.2.2+debian/debian/patches/CVE-2018-1311-mitigation.patch > 2020-12-09 16:42:11.000000000 +0100 
> @@ -0,0 +1,35 @@ > + > +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1311 > + > +Index: xerces-c-3.2.2+debian/src/xercesc/internal/IGXMLScanner.cpp > +=================================================================== > +--- xerces-c-3.2.2+debian.orig/src/xercesc/internal/IGXMLScanner.cpp > ++++ xerces-c-3.2.2+debian/src/xercesc/internal/IGXMLScanner.cpp > +@@ -1532,7 +1532,6 @@ void IGXMLScanner::scanDocTypeDecl() > + DTDEntityDecl* declDTD = new (fMemoryManager) > DTDEntityDecl(gDTDStr, false, fMemoryManager); > + declDTD->setSystemId(sysId); > + declDTD->setIsExternal(true); > +- Janitor<DTDEntityDecl> janDecl(declDTD); > + > + // Mark this one as a throw at end > + reader->setThrowAtEnd(true); > +@@ -3095,7 +3094,6 @@ Grammar* IGXMLScanner::loadDTDGrammar(co > + DTDEntityDecl* declDTD = new (fMemoryManager) DTDEntityDecl(gDTDStr, > false, fMemoryManager); > + declDTD->setSystemId(src.getSystemId()); > + declDTD->setIsExternal(true); > +- Janitor<DTDEntityDecl> janDecl(declDTD); > + > + // Mark this one as a throw at end > + newReader->setThrowAtEnd(true); > +Index: xerces-c-3.2.2+debian/tests/expected/MemHandlerTest1.log > +=================================================================== > +--- xerces-c-3.2.2+debian.orig/tests/expected/MemHandlerTest1.log > ++++ xerces-c-3.2.2+debian/tests/expected/MemHandlerTest1.log > +@@ -1,4 +1,4 @@ > +-At destruction, domBuilderMemMonitor has 0 bytes. > +-At destruction, sax2MemMonitor has 0 bytes. > +-At destruction, sax1MemMonitor has 0 bytes. > ++At destruction, domBuilderMemMonitor has 276 bytes. > ++At destruction, sax2MemMonitor has 276 bytes. > ++At destruction, sax1MemMonitor has 276 bytes. > + At destruction, staticMemMonitor has 0 bytes. 
> diff -Nru xerces-c-3.2.2+debian/debian/patches/series > xerces-c-3.2.2+debian/debian/patches/series > --- xerces-c-3.2.2+debian/debian/patches/series 2018-09-19 > 21:19:49.000000000 +0200 > +++ xerces-c-3.2.2+debian/debian/patches/series 2020-12-09 > 16:42:11.000000000 +0100 > @@ -0,0 +1 @@ > +CVE-2018-1311-mitigation.patch -- GPG: 5CDD 0C9C F446 BC1B 2509 8791 1762 E022 7034 CF84
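Review bot: in the debian/changelog hunk, the entry tells users they "may mitigate both by setting the XERCES_DISABLE_DTD environment variable", but nothing in this debdiff adds a check for that variable; CVE-2018-1311-mitigation.patch only removes the two `Janitor<DTDEntityDecl> janDecl(declDTD);` lines and updates the expected test log. Either ship the code that honours XERCES_DISABLE_DTD (and mention it in README.Debian or NEWS so buster users actually find it) or reword the entry to describe only the use-after-free-for-leak trade that this upload contains.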
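Review bot: in the CVE-2018-1311-mitigation.patch hunk, the patch header is a bare Bugzilla URL with no DEP-3 fields, and the patch itself never says why dropping `Janitor<DTDEntityDecl> janDecl(declDTD);` in both scanDocTypeDecl() and loadDTDGrammar() is intended; only the changelog records that a use-after-free is being traded for a memory leak, and a reader of the patch alone will see a removed destructor guard and assume it is an oversight. Add Description, Origin, Bug-Debian and Forwarded lines stating that declDTD is now deliberately never freed because it is still used after the janitor's scope would have released it, and note that the MemHandlerTest1.log change from 0 to 276 bytes for the domBuilder, sax2 and sax1 monitors is the expected footprint of that leak, so the next person touching the expected log does not revert it.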