[SCM] Debian packaging for XML-Security-C branch, jessie, updated. debian/1.6.1-6-1-gf9f730c

Russ Allbery rra at debian.org
Thu Jun 27 20:53:26 UTC 2013 

The following commit has been merged in the jessie branch:
commit f9f730ceedd3d4867eb23324080a68201da8fd75
Author: Russ Allbery <rra at debian.org>
Date:   Thu Jun 27 13:45:14 2013 -0700

    Apply upstream patch for heap overflow (CVE-2013-2210)
    
    * The attempted fix to address CVE-2013-2154 introduced the possibility
      of a heap overflow, possibly leading to arbitrary code execution, in
      the processing of malformed XPointer expressions in the XML Signature
      Reference processing code.  Apply upstream patch to fix that heap
      overflow.  (Closes: #714241, CVE-2013-2210)

diff --git a/debian/changelog b/debian/changelog
index 350017f..6895f69 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+xml-security-c (1.6.1-7) unstable; urgency=high
+
+  * The attempted fix to address CVE-2013-2154 introduced the possibility
+    of a heap overflow, possibly leading to arbitrary code execution, in
+    the processing of malformed XPointer expressions in the XML Signature
+    Reference processing code.  Apply upstream patch to fix that heap
+    overflow.  (Closes: #714241, CVE-2013-2210)
+
+ -- Russ Allbery <rra at debian.org>  Thu, 27 Jun 2013 13:44:56 -0700
+
 xml-security-c (1.6.1-6) unstable; urgency=high
 
   * Apply upstream patch to fix a spoofing vulnerability that allows an
diff --git a/xsec/dsig/DSIGReference.cpp b/xsec/dsig/DSIGReference.cpp
index 36c9d39..19c1a20 100644
--- a/xsec/dsig/DSIGReference.cpp
+++ b/xsec/dsig/DSIGReference.cpp
@@ -529,10 +529,15 @@ TXFMBase * DSIGReference::getURIBaseTXFM(DOMDocument * doc,
 			xsecsize_t j = 14, i = 0;
 
 			// Have an ID
-			while (URI[j] != '\'') {
+			while (i < len && URI[j] != '\'') {
 				tmp[i++] = URI[j++];
 			}
+
 			tmp[i] = XERCES_CPP_NAMESPACE_QUALIFIER chNull;
+			
+			if (URI[j] != '\'') {
+				throw XSECException(XSECException::UnsupportedXpointerExpr);	
+			}
 
 			to->setInput(doc, tmp);
 

-- 
Debian packaging for XML-Security-C

More information about the Pkg-shibboleth-devel mailing list