Bug#924346: xmltooling: CVE-2019-9628: XML parser class fails to trap exceptions on malformed XML declaration

Moritz Mühlenhoff jmm at inutil.org
Tue Mar 12 21:27:35 GMT 2019


On Tue, Mar 12, 2019 at 02:53:14PM +0100, wferi at niif.hu wrote:
> Moritz Muehlenhoff <jmm at inutil.org> writes:
> 
> > On Tue, Mar 12, 2019 at 10:19:00AM +0100, wferi at niif.hu wrote:
> >
> >> The resulting packages work fine in my setup.  However, I failed to
> >> reproduce the original issue under stretch.  After consulting upstream,
> >> it turns out that the old Xerces library actually helps somewhat in this
> >> case, please see Scott Cantor's reply below.  So the known exploit
> >> (using an invalid XML declaration) does not work on stable, but if
> >> somebody finds a way to trigger a DOMException in Xerces 3.1, any
> >> xmltooling users will crash all the same.  See also his comment on
> >> https://issues.apache.org/jira/browse/XERCESC-2016.
> >
> > I think we can still fix this via stretch-security
> 
> OK, uploaded.

DSA has been released, thanks.

Cheers,
        Moritz
