[xml/sgml-pkgs] Bug#299729: marked as done ([CAN-2004-1575] Xerces-C++ 2.4.0: Attribute blowup)

Debian Bug Tracking System owner@bugs.debian.org
Tue, 22 Mar 2005 18:33:12 -0800

Your message dated Tue, 22 Mar 2005 21:02:47 -0500
with message-id <E1DDvCp-0005Qw-00@newraff.debian.org>
and subject line Bug#299729: fixed in xerces24 2.4.0-4
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Received: (at submit) by bugs.debian.org; 22 Feb 2005 13:49:20 +0000
From djoume@taket.org Tue Feb 22 05:49:20 2005
Return-path: <djoume@taket.org>
Received: from krepost.taket.org [] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1D3aPf-0004Y4-00; Tue, 22 Feb 2005 05:49:20 -0800
Received: from djoume by krepost.taket.org with local (Exim 3.36 #1 (Debian))
	id 1D3aPw-0000lI-00; Tue, 22 Feb 2005 14:49:36 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: SALVETTI Djoume <djoume@taket.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xerces25: [CAN-2004-1575] Xerces-C++ 2.5.0: Attribute blowup
X-Mailer: reportbug 3.2
Date: Tue, 22 Feb 2005 14:49:36 +0100
Message-Id: <E1D3aPw-0000lI-00@krepost.taket.org>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: xerces25
Severity: normal

Good day,

From [CAN-2004-1575]:

| The XML parser in Xerces-C++ 2.5.0 allows remote attackers to cause a
| denial of service (CPU consumption) via XML attributes in a crafted
| XML document.

This problem has been fixed in version 2.6 of Xerces.

It's not clear to me if prior versions (xerces24, xerces23, xerces22,
xerces21) are also vulnerable.

I can file bugs if you think it's appropriate.

Could you also mention the CAN number in changelog entries about this problem?


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15) (ignored: LC_ALL set to fr_FR@euro)
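
The advisory quoted above describes a CPU-consumption denial of service triggered by an element carrying a very large number of attributes. Independently of the library fix, a defender can reject such documents before they reach an expensive parser. The following is an added example, not code from the bug report or from the Xerces project: a streaming pre-parse guard built on Python's expat binding that counts attributes per start tag and refuses the document at the first element over a limit. The limit of 64 and the two sample documents are constructed for illustration; the page gives no numbers.

```python
import xml.parsers.expat

# Assumed per-element attribute limit; the advisory gives no figure, so
# tune this to the largest legitimate attribute count your schema allows.
MAX_ATTRS_PER_ELEMENT = 64


class AttributeLimitExceeded(ValueError):
    """Raised when one element carries more attributes than the limit."""


def max_attributes_per_element(xml_bytes, limit=MAX_ATTRS_PER_ELEMENT):
    """Stream through the document with expat and return the largest
    attribute count seen on any single element.

    The check runs inside the start-element callback, so a blown-up element
    aborts the scan immediately instead of after the whole document is read.
    """
    worst = 0

    def on_start(name, attrs):
        nonlocal worst
        count = len(attrs)
        if count > worst:
            worst = count
        if count > limit:
            # Exceptions raised in a handler propagate out of Parse().
            raise AttributeLimitExceeded(
                f"element <{name}> has {count} attributes (limit {limit})"
            )

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)
    return worst


def attribute_blowup_check(xml_bytes, limit=MAX_ATTRS_PER_ELEMENT):
    """Gate a document before handing it to a downstream XML parser.

    Returns (accepted, detail). Malformed input is rejected as well, since a
    guard that crashes on bad XML is no guard at all.
    """
    try:
        worst = max_attributes_per_element(xml_bytes, limit)
    except AttributeLimitExceeded as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"not well-formed: {exc}"
    return True, f"max attributes on one element: {worst}"


# Constructed sample inputs (not from the page).
NORMAL_DOC = b'<order id="42" currency="EUR"><item sku="A1" qty="3"/></order>'
WIDE_DOC = b"<root " + b" ".join(b'a%d="x"' % i for i in range(40)) + b"/>"

if __name__ == "__main__":
    for label, doc, limit in (("normal", NORMAL_DOC, 64),
                              ("wide, strict limit", WIDE_DOC, 16),
                              ("truncated", b"<a><b", 64)):
        accepted, detail = attribute_blowup_check(doc, limit)
        print(f"{label}: {'accept' if accepted else 'reject'} ({detail})")
```

This guard costs one linear pass and is only a stopgap: the real fix is the patched library (xerces24 2.4.0-4 on this page, or Xerces 2.6 upstream), and the limit must be set from knowledge of the documents you actually accept rather than pulled from the air.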

Received: (at 299729-close) by bugs.debian.org; 23 Mar 2005 02:18:08 +0000
From katie@ftp-master.debian.org Tue Mar 22 18:18:08 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DDvRf-00018g-00; Tue, 22 Mar 2005 18:18:07 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1DDvCp-0005Qw-00; Tue, 22 Mar 2005 21:02:47 -0500
From: Jay Berkenbilt <qjb@debian.org>
To: 299729-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#299729: fixed in xerces24 2.4.0-4
Message-Id: <E1DDvCp-0005Qw-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Tue, 22 Mar 2005 21:02:47 -0500
Delivered-To: 299729-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: xerces24
Source-Version: 2.4.0-4

We believe that the bug you reported is fixed in the latest version of
xerces24, which is due to be installed in the Debian FTP archive:

  to pool/main/x/xerces24/libxerces24-dev_2.4.0-4_i386.deb
  to pool/main/x/xerces24/libxerces24-doc_2.4.0-4_all.deb
  to pool/main/x/xerces24/libxerces24_2.4.0-4_i386.deb
  to pool/main/x/xerces24/libxercesicu24_2.4.0-4_i386.deb
  to pool/main/x/xerces24/xerces24_2.4.0-4.diff.gz
  to pool/main/x/xerces24/xerces24_2.4.0-4.dsc

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 299729@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Jay Berkenbilt <qjb@debian.org> (supplier of updated xerces24 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Format: 1.7
Date: Tue, 22 Mar 2005 19:40:45 -0500
Source: xerces24
Binary: libxerces24 libxerces24-doc libxerces24-dev libxercesicu24
Architecture: source i386 all
Version: 2.4.0-4
Distribution: unstable
Urgency: low
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description:
 libxerces24 - validating XML parser library for C++
 libxerces24-dev - validating XML parser library for C++ (development files)
 libxerces24-doc - validating XML parser library for C++ (documentation)
 libxercesicu24 - validating XML parser library for C++
Closes: 299729
Changes:
 xerces24 (2.4.0-4) unstable; urgency=low
   * Fix for performance problem on elements with a large number of
     attributes [CAN-2004-1575].  (Closes: #299729)
   * Clarify documentation on differences between icu and native versions
     of the library.
   * Add shlibs files
   * Removed dependency on autoconf, updated dependency on debhelper
   * Changed dependency on libc6-dev to libc6-dev | libc-dev
Files:
 ab083897140ad84f065e73313d71e2f9 758 libs extra xerces24_2.4.0-4.dsc
 655b67fd766e452a53b554619c7f9280 9020 libs extra xerces24_2.4.0-4.diff.gz
 bd5261fcc84f7b74e23ba5f4973d89ae 5267690 doc extra libxerces24-doc_2.4.0-4_all.deb
 667ce225a4c17239bdf4e462a0cb1d6f 1016326 libs extra libxerces24_2.4.0-4_i386.deb
 0ee3be190d9ee3ddc39dc0399b04aa73 798100 libdevel extra libxerces24-dev_2.4.0-4_i386.deb
 39d280505024830d5214627ff5724ac4 1016566 libs extra libxercesicu24_2.4.0-4_i386.deb