Package: xerces-c / 3.2.3+debian-3+deb11u1

Metadata

Package: xerces-c
Version: 3.2.3+debian-3+deb11u1
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
CVE 2023 37536.patch

src/xercesc/validators/common/DFAContentModel.cpp | 28 25 + 3 - 0 !
1 file changed, 25 insertions(+), 3 deletions(-)

 xercesc-2241 - integer overflows in dfacontentmodel class

Fix NetAccessorTest to exit with non zero status in case .patch

tests/src/NetAccessorTest/NetAccessorTest.cpp | 8 5 + 3 - 0 !
1 file changed, 5 insertions(+), 3 deletions(-)

 fix netaccessortest to exit with non-zero status in case of error

CVE 2018 1311.patch

src/xercesc/internal/DGXMLScanner.cpp | 6 2 + 4 - 0 !
src/xercesc/internal/IGXMLScanner.cpp | 6 2 + 4 - 0 !
src/xercesc/internal/ReaderMgr.cpp | 207 146 + 61 - 0 !
src/xercesc/internal/ReaderMgr.hpp | 92 79 + 13 - 0 !
4 files changed, 229 insertions(+), 82 deletions(-)

 xercesc-2188 - use-after-free on external dtd scan (cve-2018-1311)

These are the instructions for observing the bug (before this commit):

$ git clone https://github.com/apache/xerces-c.git
$ cd xerces-c
$ mkdir build
$ cd build
$ cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE=Debug ..
$ make -j8
$ cp ../samples/data/personal.xml .

$ cat <<EOF >personal.dtd
<?xml encoding="ISO-8859-1"?>
<!ENTITY % nonExistentEntity SYSTEM "non-existent.ent">
%nonExistentEntity;
EOF

$ gdb samples/StdInParse
(gdb) b IGXMLScanner.cpp:1544
(gdb) run <personal.xml
1544	            fReaderMgr.pushReader(reader, declDTD);
(gdb) p declDTD
$1 = (xercesc_4_0::DTDEntityDecl *) 0x49ac68
(gdb) n
1547	            dtdScanner.scanExtSubsetDecl(false, true);
(gdb) n
1548	        }
(gdb) s
...
(gdb) s                     # The Janitor is about to delete the above declDTD.
90	        delete fData;
(gdb) p fData
$1 = (xercesc_4_0::DTDEntityDecl *) 0x49ac68
(gdb) b ReaderMgr.cpp:1024
(gdb) n
...
(gdb) n                     # Now we are about to dereference the deleted declDTD.
1024	    if (curEntity && !curEntity->isExternal())
(gdb) p curEntity
$2 = (const xercesc_4_0::XMLEntityDecl *) 0x49ac68