Salvatore Bonaccorso <car...@debian.org> writes:

> Could you double check this, and prepare packages for squeeze and
> wheezy too?

I've uploaded fixed versions for experimental and unstable.  Here are the
debdiff patches for wheezy and squeeze.  Permission to upload to the
security queue?

Please note that Shibboleth doesn't exercise this part of the code, so I
don't personally have any application that tests this part of the
library.  However, the upstream change is fairly simple.

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>

diff -u xml-security-c-1.5.1/debian/changelog xml-security-c-1.5.1/debian/changelog
--- xml-security-c-1.5.1/debian/changelog
+++ xml-security-c-1.5.1/debian/changelog
@@ -1,3 +1,13 @@
+xml-security-c (1.5.1-3+squeeze3) oldstable-security; urgency=high
+
+  * The attempted fix to address CVE-2013-2154 introduced the possibility
+    of a heap overflow, possibly leading to arbitrary code execution, in
+    the processing of malformed XPointer expressions in the XML Signature
+    Reference processing code.  Apply upstream patch to fix that heap
+    overflow.  (Closes: #714241, CVE-2013-2210)
+
+ -- Russ Allbery <r...@debian.org>  Thu, 27 Jun 2013 15:15:18 -0700
+
 xml-security-c (1.5.1-3+squeeze2) oldstable-security; urgency=high
 
   * Apply upstream patch to fix a spoofing vulnerability that allows an
diff -u xml-security-c-1.5.1/src/dsig/DSIGReference.cpp xml-security-c-1.5.1/src/dsig/DSIGReference.cpp
--- xml-security-c-1.5.1/src/dsig/DSIGReference.cpp
+++ xml-security-c-1.5.1/src/dsig/DSIGReference.cpp
@@ -501,10 +501,15 @@
 			xsecsize_t j = 14, i = 0;
 
 			// Have an ID
-			while (URI[j] != '\'') {
+			while (i < len && URI[j] != '\'') {
 				tmp[i++] = URI[j++];
 			}
+
 			tmp[i] = XERCES_CPP_NAMESPACE_QUALIFIER chNull;
+			
+			if (URI[j] != '\'') {
+				throw XSECException(XSECException::UnsupportedXpointerExpr);	
+			}
 
 			to->setInput(doc, tmp);
 
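Review bot: The new bound `i < len` only limits the write index into `tmp`; `j` runs 14 ahead of `i` (both start at `xsecsize_t j = 14, i = 0` and advance together), is never checked itself, and the loop does not stop at the string terminator, so on a URI with no closing quote the reads `URI[j]` can continue past the end of `URI` until `i` reaches `len`. At that point `tmp[i] = XERCES_CPP_NAMESPACE_QUALIFIER chNull;` runs with `i == len`, which is one element past the buffer if `tmp` holds exactly `len` elements — the declarations of `tmp` and `len` are outside the hunk, so this needs confirming against them. A tighter condition would be `while (i + 1 < len && URI[j] != '\'' && URI[j] != XERCES_CPP_NAMESPACE_QUALIFIER chNull) {`, which keeps the terminator write in range and stops at the end of `URI` regardless of how `len` relates to it; the added `if (URI[j] != '\'')` check then rejects both the truncated and the unterminated case. The same code is carried by the wheezy debian-changes hunk at `@@ -322,7 +322,21 @@`, which would need the same adjustment. As a style point, the added lines after `chNull;` and `UnsupportedXpointerExpr);` carry trailing tabs.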
diff -Nru xml-security-c-1.6.1/debian/changelog xml-security-c-1.6.1/debian/changelog
--- xml-security-c-1.6.1/debian/changelog	2013-06-17 22:25:47.000000000 -0700
+++ xml-security-c-1.6.1/debian/changelog	2013-06-27 13:54:30.000000000 -0700
@@ -1,3 +1,13 @@
+xml-security-c (1.6.1-5+deb7u2) stable-security; urgency=high
+
+  * The attempted fix to address CVE-2013-2154 introduced the possibility
+    of a heap overflow, possibly leading to arbitrary code execution, in
+    the processing of malformed XPointer expressions in the XML Signature
+    Reference processing code.  Apply upstream patch to fix that heap
+    overflow.  (Closes: #714241, CVE-2013-2210)
+
+ -- Russ Allbery <r...@debian.org>  Thu, 27 Jun 2013 13:54:03 -0700
+
 xml-security-c (1.6.1-5+deb7u1) stable-security; urgency=high
 
   * Apply upstream patch to fix a spoofing vulnerability that allows an
diff -Nru xml-security-c-1.6.1/debian/patches/debian-changes xml-security-c-1.6.1/debian/patches/debian-changes
--- xml-security-c-1.6.1/debian/patches/debian-changes	2013-06-17 22:26:43.000000000 -0700
+++ xml-security-c-1.6.1/debian/patches/debian-changes	2013-06-27 13:55:44.000000000 -0700
@@ -298,7 +298,7 @@
  
 --- xml-security-c-1.6.1.orig/xsec/dsig/DSIGReference.cpp
 +++ xml-security-c-1.6.1/xsec/dsig/DSIGReference.cpp
-@@ -516,17 +516,15 @@ TXFMBase * DSIGReference::getURIBaseTXFM
+@@ -516,25 +516,28 @@ TXFMBase * DSIGReference::getURIBaseTXFM
  		}
  
  		else if (URI[9] == XERCES_CPP_NAMESPACE_QUALIFIER chOpenParen &&
@@ -322,7 +322,21 @@
  
  			xsecsize_t j = 14, i = 0;
  
-@@ -630,9 +628,14 @@ void DSIGReference::load(void) {
+ 			// Have an ID
+-			while (URI[j] != '\'') {
++			while (i < len && URI[j] != '\'') {
+ 				tmp[i++] = URI[j++];
+ 			}
++
+ 			tmp[i] = XERCES_CPP_NAMESPACE_QUALIFIER chNull;
++			
++			if (URI[j] != '\'') {
++				throw XSECException(XSECException::UnsupportedXpointerExpr);	
++			}
+ 
+ 			to->setInput(doc, tmp);
+ 
+@@ -630,9 +633,14 @@ void DSIGReference::load(void) {
  	// Now check for Transforms
  	tmpElt = mp_referenceNode->getFirstChild();
  
@@ -338,7 +352,7 @@
  
  	if (tmpElt == 0) {
  
-@@ -651,13 +654,19 @@ void DSIGReference::load(void) {
+@@ -651,13 +659,19 @@ void DSIGReference::load(void) {
  
  		// Find next node
  		tmpElt = tmpElt->getNextSibling();
@@ -360,7 +374,7 @@
  
  
  	if (tmpElt == NULL || !strEquals(getDSIGLocalName(tmpElt), "DigestMethod")) {
-@@ -692,8 +701,14 @@ void DSIGReference::load(void) {
+@@ -692,8 +706,14 @@ void DSIGReference::load(void) {
  
  	tmpElt = tmpElt->getNextSibling();
  
@@ -376,7 +390,7 @@
  
  	if (tmpElt == 0) {
  
-@@ -731,8 +746,13 @@ void DSIGReference::load(void) {
+@@ -731,8 +751,13 @@ void DSIGReference::load(void) {
  
  			// Find Manifest child
  			manifestNode = manifestNode->getFirstChild();
@@ -391,7 +405,7 @@
  
  			if (manifestNode == 0 || !strEquals(getDSIGLocalName(manifestNode), "Manifest"))
  				throw XSECException(XSECException::ExpectedDSIGChildNotFound,
-@@ -743,8 +763,14 @@ void DSIGReference::load(void) {
+@@ -743,8 +768,14 @@ void DSIGReference::load(void) {
  		// Now have the manifest node, find the first reference and load!
  		referenceNode = manifestNode->getFirstChild();
  
@@ -407,7 +421,7 @@
  
  		if (referenceNode == 0)
  			throw XSECException(XSECException::ExpectedDSIGChildNotFound,
-@@ -797,8 +823,13 @@ DSIGReferenceList *DSIGReference::loadRe
+@@ -797,8 +828,13 @@ DSIGReferenceList *DSIGReference::loadRe
  		// Find next element Node
  		tmpRef = tmpRef->getNextSibling();
  
