squeeze update of xmltooling?

Ferenc Wagner wferi at niif.hu
Mon Aug 3 12:47:22 UTC 2015 

> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of xmltooling:
> https://security-tracker.debian.org/tracker/CVE-2015-0851

Hi,

I published patched packages at http://apt.niif.hu/CVE-2015-0851/, now
for squeeze as well.  Being no DD, I can't really do more, please pick
up from here.

$ debdiff xmltooling_1.3.3-2.dsc xmltooling_1.3.3-2+deb6u1.dsc
diff -u xmltooling-1.3.3/debian/changelog xmltooling-1.3.3/debian/changelog
--- xmltooling-1.3.3/debian/changelog
+++ xmltooling-1.3.3/debian/changelog
@@ -1,3 +1,10 @@
+xmltooling (1.3.3-2+deb6u1) squeeze-lts; urgency=high
+
+  * Apply security fix from 1.5.5 for CVE-2015-0851 DoS (Closes: #793855):
+    Shibboleth SP software crashes on well-formed but invalid XML
+
+ -- Ferenc Wagner <wferi at niif.hu>  Mon, 03 Aug 2015 13:25:11 +0200
+
 xmltooling (1.3.3-2) unstable; urgency=low
 
   * Force source format 1.0 for now since it makes backporting easier.
only in patch2:
unchanged:
--- xmltooling-1.3.3.orig/xmltooling/base.h
+++ xmltooling-1.3.3/xmltooling/base.h
@@ -683,7 +683,16 @@
         XMLCh* m_##proper; \
     public: \
         pair<bool,int> get##proper() const { \
-            return make_pair((m_##proper!=NULL),(m_##proper!=NULL ? xercesc::XMLString::parseInt(m_##proper): 0)); \
+            if (m_##proper) { \
+                try { \
+                    return std::make_pair(true, xercesc::XMLString::parseInt(m_##proper)); \
+                } \
+                catch (...) { \
+                    return std::make_pair(true, 0); \
+                } \
+            } else { \
+                return std::make_pair(false, 0); \
+            } \
         } \
         void set##proper(const XMLCh* proper) { \
             m_##proper = prepareForAssignment(m_##proper,proper); \
@@ -1237,7 +1246,16 @@
 #define DECL_INTEGER_CONTENT(proper) \
     XMLTOOLING_DOXYGEN(Returns proper in integer form after a NULL indicator.) \
     std::pair<bool,int> get##proper() const { \
-        return std::make_pair((getTextContent()!=NULL), (getTextContent()!=NULL ? xercesc::XMLString::parseInt(getTextContent()) : 0)); \
+        if (getTextContent()) { \
+            try { \
+                return std::make_pair(true, xercesc::XMLString::parseInt(getTextContent())); \
+            } \
+            catch (...) { \
+                return std::make_pair(true, 0); \
+            } \
+        } else { \
+            return std::make_pair(false, 0); \
+        } \
     } \
     XMLTOOLING_DOXYGEN(Sets proper.) \
     void set##proper(int proper) { \

I checked that opensaml2-2.3-2+squeeze1 builds against it (this rebuild
is needed to fix the security problem, the xmltooling upload is not
enough), but did no further testing.
-- 
Regards,
Feri.

More information about the Pkg-shibboleth-devel mailing list