[SCM] Debian packaging for XML-Security-C branch, squeeze, updated. debian/1.5.1-3+squeeze2-1-gc6cbb5d

Russ Allbery rra at debian.org
Fri Jun 28 05:17:37 UTC 2013


The following commit has been merged in the squeeze branch:
commit c6cbb5d6572015e65f9b916429d8303571d06af1
Author: Russ Allbery <rra at debian.org>
Date:   Thu Jun 27 15:15:37 2013 -0700

    Apply upstream patch for heap overflow (CVE-2013-2210)
    
    * The attempted fix to address CVE-2013-2154 introduced the possibility
      of a heap overflow, possibly leading to arbitrary code execution, in
      the processing of malformed XPointer expressions in the XML Signature
      Reference processing code.  Apply upstream patch to fix that heap
      overflow.  (Closes: #714241, CVE-2013-2210)

diff --git a/debian/changelog b/debian/changelog
index f863265..d783b3d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+xml-security-c (1.5.1-3+squeeze3) oldstable-security; urgency=high
+
+  * The attempted fix to address CVE-2013-2154 introduced the possibility
+    of a heap overflow, possibly leading to arbitrary code execution, in
+    the processing of malformed XPointer expressions in the XML Signature
+    Reference processing code.  Apply upstream patch to fix that heap
+    overflow.  (Closes: #714241, CVE-2013-2210)
+
+ -- Russ Allbery <rra at debian.org>  Thu, 27 Jun 2013 15:15:18 -0700
+
 xml-security-c (1.5.1-3+squeeze2) oldstable-security; urgency=high
 
   * Apply upstream patch to fix a spoofing vulnerability that allows an
diff --git a/src/dsig/DSIGReference.cpp b/src/dsig/DSIGReference.cpp
index a6cc179..cc2c046 100644
--- a/src/dsig/DSIGReference.cpp
+++ b/src/dsig/DSIGReference.cpp
@@ -501,10 +501,15 @@ TXFMBase * DSIGReference::getURIBaseTXFM(DOMDocument * doc,
 			xsecsize_t j = 14, i = 0;
 
 			// Have an ID
-			while (URI[j] != '\'') {
+			while (i < len && URI[j] != '\'') {
 				tmp[i++] = URI[j++];
 			}
+
 			tmp[i] = XERCES_CPP_NAMESPACE_QUALIFIER chNull;
+			
+			if (URI[j] != '\'') {
+				throw XSECException(XSECException::UnsupportedXpointerExpr);	
+			}
 
 			to->setInput(doc, tmp);
 
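
Review bot: The new loop bound (i < len) lets the loop exit with i == len, and the terminator store that follows, tmp[i] = XERCES_CPP_NAMESPACE_QUALIFIER chNull, then writes index len. That is safe only if tmp holds at least len + 1 elements. Neither the allocation of tmp nor the definition of len is visible in this hunk, so both should be checked, or the context widened to show them. The added post-loop test if (URI[j] != '\'') has the same dependency: when the loop stops on the bound it reads URI[14 + len], so len must not exceed the number of characters in URI after offset 14. A short comment beside the loop stating both invariants would make the fix easier to audit. Minor: the added blank line before the if and the throw line carry trailing whitespace.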

-- 
Debian packaging for XML-Security-C


