Bug#924346: xmltooling: CVE-2019-9628: XML parser class fails to trap exceptions on malformed XML declaration
wferi at niif.hu
Tue Mar 12 13:53:14 GMT 2019
Moritz Muehlenhoff <jmm at inutil.org> writes:
> On Tue, Mar 12, 2019 at 10:19:00AM +0100, wferi at niif.hu wrote:
>
>> The resulting packages work fine in my setup. However, I failed to
>> reproduce the original issue under stretch. After consulting upstream,
>> it turns out that the old Xerces library actually helps somewhat in this
>> case, please see Scott Cantor's reply below. So the known exploit
>> (using an invalid XML declaration) does not work on stable, but if
>> somebody finds a way to trigger a DOMException in Xerces 3.1, any
>> xmltooling users will crash all the same. See also his comment on
>> https://issues.apache.org/jira/browse/XERCESC-2016.
>
> I think we can still fix this via stretch-security
OK, uploaded.
> it's better to fix the root cause nonetheless.
Even though the Xerces change is suspicious, the documentation allows
the parser to throw DOMExceptions, so they must be handled by the
callers, which this fix achieves.
--
Regards,
Feri
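The point of the fix discussed above is that a parser is allowed to raise exception types the caller did not anticipate (Xerces' DOMException on a malformed XML declaration, in this case), so the caller must trap the whole set rather than just the one it expects. The following is an added Python illustration of that pattern with the standard-library expat parser; it is not xmltooling's or Xerces' code, and the two XML inputs are constructed for the example.

```python
"""Guarded vs. unguarded parsing of untrusted XML (added, constructed example)."""
import logging
import xml.dom.minidom
from xml.parsers.expat import ExpatError

log = logging.getLogger(__name__)

# Constructed inputs: a well-formed document, and one whose XML declaration
# is malformed (the encoding value is not quoted).
GOOD_XML = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>')
BAD_DECL_XML = b'<?xml version="1.0" encoding=UTF-8?><a/>'


def parse_unguarded(data: bytes):
    """Models the pre-fix behaviour: whatever the parser raises escapes to the caller."""
    return xml.dom.minidom.parseString(data)


def parse_guarded(data: bytes):
    """Models the fix: every exception the parser can raise is trapped and turned
    into a parse failure (None) instead of unwinding through the caller."""
    try:
        return xml.dom.minidom.parseString(data)
    except ExpatError as e:
        # The parser's documented error type (well-formedness, bad declaration, ...).
        log.warning("XML parse error: %s", e)
        return None
    except Exception as e:  # backstop for any other type the parser may raise
        log.warning("unexpected parser exception %s: %s", type(e).__name__, e)
        return None


def escaping_exception(data: bytes):
    """Return the name of the exception that escapes parse_unguarded, or None."""
    try:
        parse_unguarded(data)
    except Exception as e:
        return type(e).__name__
    return None


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("unguarded, bad declaration ->", escaping_exception(BAD_DECL_XML))
    print("guarded, bad declaration   ->", parse_guarded(BAD_DECL_XML))
    print("guarded, good document     ->", parse_guarded(GOOD_XML).documentElement.tagName)
```

The second `except` clause is the part that corresponds to the xmltooling fix: it costs nothing on the well-formed path and turns an unanticipated exception type into an ordinary parse failure instead of a crash of the calling process.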