[xmltooling] 01/01: Import Debian changes 1.4.2-5+deb7u2
Ferenc Wágner
wferi at moszumanska.debian.org
Wed Jan 17 14:16:03 UTC 2018
This is an automated email from the git hooks/post-receive script.
wferi pushed a commit to branch debian/wheezy
in repository xmltooling.
commit 9057c27738d224d6f4e7eebc4570ca1be51c4e8f
Author: Markus Koschany <apo at debian.org>
Date: Sun Jan 14 20:41:01 2018 +0100
Import Debian changes 1.4.2-5+deb7u2
xmltooling (1.4.2-5+deb7u2) wheezy-security; urgency=high
* Non-maintainer upload by the LTS team.
* Fix CVE-2018-0486:
Philip Huppert discovered the Shibboleth service provider is vulnerable to
impersonation attacks and information disclosure due to mishandling of DTDs
in the XMLTooling XML parsing library. For additional details please refer
to the upstream advisory at
https://shibboleth.net/community/advisories/secadv_20180112.txt
---
debian/changelog | 12 ++++++++++
debian/patches/CVE-2018-0486.patch | 38 ++++++++++++++++++++++++++++++
debian/patches/debian-changes | 48 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 2 ++
debian/source/options | 1 -
xmltooling/base.h | 22 ++---------------
6 files changed, 102 insertions(+), 21 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 74c618a..ae47294 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+xmltooling (1.4.2-5+deb7u2) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * Fix CVE-2018-0486:
+ Philip Huppert discovered the Shibboleth service provider is vulnerable to
+ impersonation attacks and information disclosure due to mishandling of DTDs
+ in the XMLTooling XML parsing library. For additional details please refer
+ to the upstream advisory at
+ https://shibboleth.net/community/advisories/secadv_20180112.txt
+
+ -- Markus Koschany <apo at debian.org> Sun, 14 Jan 2018 20:41:01 +0100
+
xmltooling (1.4.2-5+deb7u1) wheezy-security; urgency=high
* Apply security fix from 1.5.5 for CVE-2015-0851 DoS (Closes: #793855):
diff --git a/debian/patches/CVE-2018-0486.patch b/debian/patches/CVE-2018-0486.patch
new file mode 100644
index 0000000..30d40a9
--- /dev/null
+++ b/debian/patches/CVE-2018-0486.patch
@@ -0,0 +1,38 @@
+From: Scott Cantor <cantor.2 at osu.edu>
+Date: Wed, 10 Jan 2018 12:20:07 -0500
+Subject: CVE-2018-0486: vulnerability to forged user attribute data
+
+The Service Provider software relies on a generic XML parser to process
+SAML responses and there are limitations in older versions of the parser
+that make it impossible to fully disable Document Type Definition (DTD)
+processing.
+
+Through addition/manipulation of a DTD, it's possible to make changes
+to an XML document that do not break a digital signature but are
+mishandled by the SP and its libraries. These manipulations can alter
+the user data passed through to applications behind the SP and result
+in impersonation attacks and exposure of protected information.
+
+While the use of XML Encryption can serve as a mitigation for this bug,
+it may still be possible to construct attacks in such cases, and the SP
+does not provide a means to enforce its use.
+
+CPPXT-127 - Block entity reference nodes during unmarshalling.
+https://issues.shibboleth.net/jira/browse/CPPXT-127
+---
+ xmltooling/io/AbstractXMLObjectUnmarshaller.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp b/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
+index ae2709e..487348e 100644
+--- a/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
++++ b/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
+@@ -206,6 +206,8 @@ void AbstractXMLObjectUnmarshaller::unmarshallContent(const DOMElement* domEleme
+ else if (childNode->getNodeType() == DOMNode::TEXT_NODE || childNode->getNodeType() == DOMNode::CDATA_SECTION_NODE) {
+ m_log.debug("processing text content at position (%d)", position);
+ setTextContent(childNode->getNodeValue(), position);
++ } else if (childNode->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE || childNode->getNodeType() == DOMNode::ENTITY_NODE) {
++ throw UnmarshallingException("Unmarshaller found Entity/Reference node.");
+ }
+
+ childNode = childNode->getNextSibling();
diff --git a/debian/patches/debian-changes b/debian/patches/debian-changes
new file mode 100644
index 0000000..5d94ca1
--- /dev/null
+++ b/debian/patches/debian-changes
@@ -0,0 +1,48 @@
+Subject: Collected Debian patches for xmltooling
+Author: Russ Allbery <rra at debian.org>
+
+The packaging for xmltooling is maintained in Git using multiple
+branches for fixes, which makes it complex to separate the changes
+into individual patches. They are therefore all included in a single
+Debian patch.
+
+For full commit history and separated commits, see the packaging Git
+repository.
+--- xmltooling-1.4.2.orig/xmltooling/base.h
++++ xmltooling-1.4.2/xmltooling/base.h
+@@ -691,7 +691,16 @@
+ XMLCh* m_##proper; \
+ public: \
+ pair<bool,int> get##proper() const { \
+- return make_pair((m_##proper!=nullptr),(m_##proper!=nullptr ? xercesc::XMLString::parseInt(m_##proper): 0)); \
++ if (m_##proper) { \
++ try { \
++ return std::make_pair(true, xercesc::XMLString::parseInt(m_##proper)); \
++ } \
++ catch (...) { \
++ return std::make_pair(true, 0); \
++ } \
++ } else { \
++ return std::make_pair(false, 0); \
++ } \
+ } \
+ void set##proper(const XMLCh* proper) { \
+ m_##proper = prepareForAssignment(m_##proper,proper); \
+@@ -1245,7 +1254,16 @@
+ #define DECL_INTEGER_CONTENT(proper) \
+ XMLTOOLING_DOXYGEN(Returns proper in integer form after a NULL indicator.) \
+ std::pair<bool,int> get##proper() const { \
+- return std::make_pair((getTextContent()!=nullptr), (getTextContent()!=nullptr ? xercesc::XMLString::parseInt(getTextContent()) : 0)); \
++ if (getTextContent()) { \
++ try { \
++ return std::make_pair(true, xercesc::XMLString::parseInt(getTextContent())); \
++ } \
++ catch (...) { \
++ return std::make_pair(true, 0); \
++ } \
++ } else { \
++ return std::make_pair(false, 0); \
++ } \
+ } \
+ XMLTOOLING_DOXYGEN(Sets proper.) \
+ void set##proper(int proper) { \
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..5bcb746
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+debian-changes
+CVE-2018-0486.patch
diff --git a/debian/source/options b/debian/source/options
deleted file mode 100644
index 7423a2d..0000000
--- a/debian/source/options
+++ /dev/null
@@ -1 +0,0 @@
-single-debian-patch
diff --git a/xmltooling/base.h b/xmltooling/base.h
index 6ba495e..0626e81 100644
--- a/xmltooling/base.h
+++ b/xmltooling/base.h
@@ -691,16 +691,7 @@
XMLCh* m_##proper; \
public: \
pair<bool,int> get##proper() const { \
- if (m_##proper) { \
- try { \
- return std::make_pair(true, xercesc::XMLString::parseInt(m_##proper)); \
- } \
- catch (...) { \
- return std::make_pair(true, 0); \
- } \
- } else { \
- return std::make_pair(false, 0); \
- } \
+ return make_pair((m_##proper!=nullptr),(m_##proper!=nullptr ? xercesc::XMLString::parseInt(m_##proper): 0)); \
} \
void set##proper(const XMLCh* proper) { \
m_##proper = prepareForAssignment(m_##proper,proper); \
@@ -1254,16 +1245,7 @@
#define DECL_INTEGER_CONTENT(proper) \
XMLTOOLING_DOXYGEN(Returns proper in integer form after a NULL indicator.) \
std::pair<bool,int> get##proper() const { \
- if (getTextContent()) { \
- try { \
- return std::make_pair(true, xercesc::XMLString::parseInt(getTextContent())); \
- } \
- catch (...) { \
- return std::make_pair(true, 0); \
- } \
- } else { \
- return std::make_pair(false, 0); \
- } \
+ return std::make_pair((getTextContent()!=nullptr), (getTextContent()!=nullptr ? xercesc::XMLString::parseInt(getTextContent()) : 0)); \
} \
XMLTOOLING_DOXYGEN(Sets proper.) \
void set##proper(int proper) { \
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/xmltooling.git
More information about the Pkg-shibboleth-devel
mailing list