Package: xerces-c | Debian Sources

Package: xerces-c / 3.2.3+debian-3+deb11u1

Metadata

Package	Version	Patches format
xerces-c	3.2.3+debian-3+deb11u1	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
CVE 2023 37536.patch \| (download)	src/xercesc/validators/common/DFAContentModel.cpp \| 28 25 + 3 - 0 ! 1 file changed, 25 insertions(+), 3 deletions(-)	xercesc-2241 - integer overflows in dfacontentmodel class
Fix NetAccessorTest to exit with non zero status in case .patch \| (download)	tests/src/NetAccessorTest/NetAccessorTest.cpp \| 8 5 + 3 - 0 ! 1 file changed, 5 insertions(+), 3 deletions(-)	fix netaccessortest to exit with non-zero status in case of error
CVE 2018 1311.patch \| (download)	src/xercesc/internal/DGXMLScanner.cpp \| 6 2 + 4 - 0 ! src/xercesc/internal/IGXMLScanner.cpp \| 6 2 + 4 - 0 ! src/xercesc/internal/ReaderMgr.cpp \| 207 146 + 61 - 0 ! src/xercesc/internal/ReaderMgr.hpp \| 92 79 + 13 - 0 ! 4 files changed, 229 insertions(+), 82 deletions(-)	xercesc-2188 - use-after-free on external dtd scan (cve-2018-1311) These are the instructions for observing the bug (before this commit): $ git clone https://github.com/apache/xerces-c.git $ cd xerces-c $ mkdir build $ cd build $ cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE=Debug .. $ make -j8 $ cp ../samples/data/personal.xml . $ cat <<EOF >personal.dtd <?xml encoding="ISO-8859-1"?> <!ENTITY % nonExistentEntity SYSTEM "non-existent.ent"> %nonExistentEntity; EOF $ gdb samples/StdInParse (gdb) b IGXMLScanner.cpp:1544 (gdb) run <personal.xml 1544 fReaderMgr.pushReader(reader, declDTD); (gdb) p declDTD $1 = (xercesc_4_0::DTDEntityDecl ) 0x49ac68 (gdb) n 1547 dtdScanner.scanExtSubsetDecl(false, true); (gdb) n 1548 } (gdb) s ... (gdb) s # The Janitor is about to delete the above declDTD. 90 delete fData; (gdb) p fData $1 = (xercesc_4_0::DTDEntityDecl ) 0x49ac68 (gdb) b ReaderMgr.cpp:1024 (gdb) n ... (gdb) n # Now we about to dereference the deleted declDTD. 1024 if (curEntity && !curEntity->isExternal()) (gdb) p curEntity $2 = (const xercesc_4_0::XMLEntityDecl *) 0x49ac68

Patch

File delta

Description

CVE 2023 37536.patch | (download)

src/xercesc/validators/common/DFAContentModel.cpp | 28 25 + 3 - 0 !
1 file changed, 25 insertions(+), 3 deletions(-)

 xercesc-2241 - integer overflows in dfacontentmodel class

Fix NetAccessorTest to exit with non zero status in case .patch | (download)

tests/src/NetAccessorTest/NetAccessorTest.cpp | 8 5 + 3 - 0 !
1 file changed, 5 insertions(+), 3 deletions(-)

 fix netaccessortest to exit with non-zero status in case of error

CVE 2018 1311.patch | (download)

src/xercesc/internal/DGXMLScanner.cpp | 6 2 + 4 - 0 !
src/xercesc/internal/IGXMLScanner.cpp | 6 2 + 4 - 0 !
src/xercesc/internal/ReaderMgr.cpp | 207 146 + 61 - 0 !
src/xercesc/internal/ReaderMgr.hpp | 92 79 + 13 - 0 !
4 files changed, 229 insertions(+), 82 deletions(-)

 xercesc-2188 - use-after-free on external dtd scan (cve-2018-1311)

These are the instructions for observing the bug (before this commit):

$ git clone https://github.com/apache/xerces-c.git
$ cd xerces-c
$ mkdir build
$ cd build
$ cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE=Debug ..
$ make -j8
$ cp ../samples/data/personal.xml .

$ cat <<EOF >personal.dtd
<?xml encoding="ISO-8859-1"?>
<!ENTITY % nonExistentEntity SYSTEM "non-existent.ent">
%nonExistentEntity;
EOF

$ gdb samples/StdInParse
(gdb) b IGXMLScanner.cpp:1544
(gdb) run <personal.xml
1544	            fReaderMgr.pushReader(reader, declDTD);
(gdb) p declDTD
$1 = (xercesc_4_0::DTDEntityDecl *) 0x49ac68
(gdb) n
1547	            dtdScanner.scanExtSubsetDecl(false, true);
(gdb) n
1548	        }
(gdb) s
...
(gdb) s                     # The Janitor is about to delete the above declDTD.
90	        delete fData;
(gdb) p fData
$1 = (xercesc_4_0::DTDEntityDecl *) 0x49ac68
(gdb) b ReaderMgr.cpp:1024
(gdb) n
...
(gdb) n                     # Now we about to dereference the deleted declDTD.
1024	    if (curEntity && !curEntity->isExternal())
(gdb) p curEntity
$2 = (const xercesc_4_0::XMLEntityDecl *) 0x49ac68