[xml/sgml-pkgs] Bug#296432: marked as done (xerces25: [CAN-2004-1575] Xerces-C++ 2.5.0: Attribute blowup)

Debian Bug Tracking System owner@bugs.debian.org
Tue, 22 Mar 2005 18:48:27 -0800


Your message dated Tue, 22 Mar 2005 21:17:17 -0500
with message-id <E1DDvQr-0007FX-00@newraff.debian.org>
and subject line Bug#296432: fixed in xerces25 2.5.0-4
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 22 Feb 2005 13:49:20 +0000
From djoume@taket.org Tue Feb 22 05:49:20 2005
Return-path: <djoume@taket.org>
Received: from krepost.taket.org [82.233.235.217] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1D3aPf-0004Y4-00; Tue, 22 Feb 2005 05:49:20 -0800
Received: from djoume by krepost.taket.org with local (Exim 3.36 #1 (Debian))
	id 1D3aPw-0000lI-00; Tue, 22 Feb 2005 14:49:36 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: SALVETTI Djoume <djoume@taket.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xerces25: [CAN-2004-1575] Xerces-C++ 2.5.0: Attribute blowup
X-Mailer: reportbug 3.2
Date: Tue, 22 Feb 2005 14:49:36 +0100
Message-Id: <E1D3aPw-0000lI-00@krepost.taket.org>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: xerces25
Severity: normal


Good day,

From [CAN-2004-1575]:

| The XML parser in Xerces-C++ 2.5.0 allows remote attackers to cause a
| denial of service (CPU consumption) via XML attributes in a crafted
| XML document.

This problem has been fixed in version 2.6 of Xerces.

It's not clear to me if prior versions (xerces24, xerces23, xerces22,
xerces21) are also vulnerable.

I can file bugs if you think it's appropriate.

Could you also mention the CAN number in changelog entries about this problem?

Regards.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15) (ignored: LC_ALL set to fr_FR@euro)

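The CVE text quoted in the report above describes a CPU-consumption denial of service driven by the number of attributes on a single element. As an added example that is not part of this bug thread, of Debian's packaging, or of Xerces-C++, the following Python guard scans untrusted XML once with the standard library's expat binding (whose attribute handling is linear-time) and refuses any document in which an element exceeds an attribute cap, before that document is handed to a parser that may have a quadratic attribute path. The cap of 256, the function names and the two sample documents are assumptions.

```python
# Added example (not from the bug report, Debian or Xerces): a cheap
# pre-parse guard that rejects documents carrying an unreasonable number
# of attributes on any one element, so untrusted input cannot drive a
# slow attribute path in a downstream parser.
import xml.parsers.expat as expat


class AttributeBlowup(Exception):
    """Raised when an element exceeds the configured attribute cap."""


def max_attributes_per_element(xml_bytes, cap=256):
    """Scan xml_bytes once and return (count, element) for the element
    with the most attributes, or raise AttributeBlowup as soon as an
    element exceeds cap, so no later element is ever processed."""
    peak = {"count": 0, "element": None}

    def on_start(name, attr_list):
        # ordered_attributes=True delivers [name, value, name, value, ...]
        n = len(attr_list) // 2
        if n > peak["count"]:
            peak["count"], peak["element"] = n, name
        if n > cap:
            raise AttributeBlowup(f"<{name}> carries {n} attributes (cap {cap})")

    parser = expat.ParserCreate()
    parser.ordered_attributes = True
    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)  # handler exceptions propagate from here
    return peak["count"], peak["element"]


def is_safe_to_hand_off(xml_bytes, cap=256):
    """True if no element exceeds cap and expat could finish the scan;
    malformed input is also refused rather than passed on."""
    try:
        max_attributes_per_element(xml_bytes, cap)
        return True
    except (AttributeBlowup, expat.ExpatError):
        return False


# Constructed sample inputs (not real-world documents).
BENIGN = b'<doc><item id="1" type="a" lang="en"/></doc>'
# Same shape as an attribute-blowup document: one element, thousands of
# distinct attribute names (assumed cap of 256 is far below this).
BLOWUP = b"<doc><item " + b" ".join(b'a%d="x"' % i for i in range(5000)) + b"/></doc>"
```

Running `is_safe_to_hand_off` on the constructed BLOWUP document returns False before the downstream parser ever sees it, while BENIGN passes with a peak of 3 attributes on `item`.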
---------------------------------------
Received: (at 296432-close) by bugs.debian.org; 23 Mar 2005 02:27:08 +0000
From katie@ftp-master.debian.org Tue Mar 22 18:27:08 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DDvaN-0001vb-00; Tue, 22 Mar 2005 18:27:07 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1DDvQr-0007FX-00; Tue, 22 Mar 2005 21:17:17 -0500
From: Jay Berkenbilt <qjb@debian.org>
To: 296432-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#296432: fixed in xerces25 2.5.0-4
Message-Id: <E1DDvQr-0007FX-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Tue, 22 Mar 2005 21:17:17 -0500
Delivered-To: 296432-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Source: xerces25
Source-Version: 2.5.0-4

We believe that the bug you reported is fixed in the latest version of
xerces25, which is due to be installed in the Debian FTP archive:

libxerces25-dev_2.5.0-4_i386.deb
  to pool/main/x/xerces25/libxerces25-dev_2.5.0-4_i386.deb
libxerces25-doc_2.5.0-4_all.deb
  to pool/main/x/xerces25/libxerces25-doc_2.5.0-4_all.deb
libxerces25_2.5.0-4_i386.deb
  to pool/main/x/xerces25/libxerces25_2.5.0-4_i386.deb
libxercesicu25_2.5.0-4_i386.deb
  to pool/main/x/xerces25/libxercesicu25_2.5.0-4_i386.deb
xerces25_2.5.0-4.diff.gz
  to pool/main/x/xerces25/xerces25_2.5.0-4.diff.gz
xerces25_2.5.0-4.dsc
  to pool/main/x/xerces25/xerces25_2.5.0-4.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 296432@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated xerces25 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 22 Mar 2005 19:36:41 -0500
Source: xerces25
Binary: libxercesicu25 libxerces25 libxerces25-doc libxerces25-dev
Architecture: source i386 all
Version: 2.5.0-4
Distribution: unstable
Urgency: low
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description: 
 libxerces25 - validating XML parser library for C++
 libxerces25-dev - validating XML parser library for C++ (development files)
 libxerces25-doc - validating XML parser library for C++ (documentation)
 libxercesicu25 - validating XML parser library for C++
Closes: 296432
Changes: 
 xerces25 (2.5.0-4) unstable; urgency=low
 .
   * Fix for performance problem on elements with a large number of
     attributes [CAN-2004-1575].  (Closes: #296432)
   * Clarify documentation on differences between icu and native versions
     of the library.
   * Add shlibs files
   * Removed dependency on autoconf, updated dependency on debhelper
   * Changed dependency on libc6-dev to libc6-dev | libc-dev
Files: 
 c35e3961a36513f4b447f64ac9247507 758 libs extra xerces25_2.5.0-4.dsc
 d5fd9cdb601594f6abd12413396f8847 9301 libs extra xerces25_2.5.0-4.diff.gz
 a0a61d607282803a5a6a622579aaf88d 5338710 doc extra libxerces25-doc_2.5.0-4_all.deb
 0320719e3e3cf5e1f3a6c4a6825471ec 1039218 libs extra libxerces25_2.5.0-4_i386.deb
 60c67009033f7be7a118fe2cd695a1e1 841770 libdevel extra libxerces25-dev_2.5.0-4_i386.deb
 de6317fe8530d0839711b9f78a9a78f5 1039522 libs extra libxercesicu25_2.5.0-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCQMzVEBVk6taI4KcRAl7rAKDdYV3hgdXuBK6TWUij5RysyDxTVQCcCd63
B3Do+25yihdxzhGqrqwb7Ks=
=wYQt
-----END PGP SIGNATURE-----