[SCM] Debian packaging for XML-Security-C branch, wheezy, updated. debian/1.6.1-5+deb7u1-1-gc27bcf6

Russ Allbery rra at debian.org
Fri Jun 28 05:17:37 UTC 2013 

The following commit has been merged in the wheezy branch:
commit c27bcf6c347c9c1b8b15e68bf837c3b9cab0c347
Author: Russ Allbery <rra at debian.org>
Date:   Thu Jun 27 13:54:30 2013 -0700

    Apply upstream patch for heap overflow (CVE-2013-2210)
    
    * The attempted fix to address CVE-2013-2154 introduced the possibility
      of a heap overflow, possibly leading to arbitrary code execution, in
      the processing of malformed XPointer expressions in the XML Signature
      Reference processing code.  Apply upstream patch to fix that heap
      overflow.  (Closes: #714241, CVE-2013-2210)

diff --git a/debian/changelog b/debian/changelog
index dad6533..9737cdf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+xml-security-c (1.6.1-5+deb7u2) stable-security; urgency=high
+
+  * The attempted fix to address CVE-2013-2154 introduced the possibility
+    of a heap overflow, possibly leading to arbitrary code execution, in
+    the processing of malformed XPointer expressions in the XML Signature
+    Reference processing code.  Apply upstream patch to fix that heap
+    overflow.  (Closes: #714241, CVE-2013-2210)
+
+ -- Russ Allbery <rra at debian.org>  Thu, 27 Jun 2013 13:54:03 -0700
+
 xml-security-c (1.6.1-5+deb7u1) stable-security; urgency=high
 
   * Apply upstream patch to fix a spoofing vulnerability that allows an
diff --git a/xsec/dsig/DSIGReference.cpp b/xsec/dsig/DSIGReference.cpp
index 36c9d39..19c1a20 100644
--- a/xsec/dsig/DSIGReference.cpp
+++ b/xsec/dsig/DSIGReference.cpp
@@ -529,10 +529,15 @@ TXFMBase * DSIGReference::getURIBaseTXFM(DOMDocument * doc,
 			xsecsize_t j = 14, i = 0;
 
 			// Have an ID
-			while (URI[j] != '\'') {
+			while (i < len && URI[j] != '\'') {
 				tmp[i++] = URI[j++];
 			}
+
 			tmp[i] = XERCES_CPP_NAMESPACE_QUALIFIER chNull;
+			
+			if (URI[j] != '\'') {
+				throw XSECException(XSECException::UnsupportedXpointerExpr);	
+			}
 
 			to->setInput(doc, tmp);
 

-- 
Debian packaging for XML-Security-C

More information about the Pkg-shibboleth-devel mailing list