Package: xmltooling / 1.6.0-4+deb9u2

security/CVE-2019-9628-uncaught-exception-on-malformed-XML-declara.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
From: Scott Cantor <cantor.2@osu.edu>
Date: Wed, 6 Mar 2019 21:14:13 -0500
Subject: CVE-2019-9628 - uncaught exception on malformed XML declaration

Invalid data in the XML declaration causes an exception of a type
that was not handled properly in the parser class and propagates an
unexpected exception type.

This generally manifests as a crash in the calling code, which in the
Service Provider software's case is usually the shibd daemon process,
but can be Apache in some cases. Note that the crash occurs prior to
evaluation of a message's authenticity, so can be exploited by an
untrusted attacker.

https://shibboleth.net/community/advisories/secadv_20190311.txt
https://issues.shibboleth.net/jira/browse/CPPXT-143
---
 xmltooling/util/ParserPool.cpp | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/xmltooling/util/ParserPool.cpp b/xmltooling/util/ParserPool.cpp
index 67e793d..98d6fcc 100644
--- a/xmltooling/util/ParserPool.cpp
+++ b/xmltooling/util/ParserPool.cpp
@@ -150,14 +150,28 @@ DOMDocument* ParserPool::parse(DOMLSInput& domsrc)
         checkinBuilder(janitor.release());
         return doc;
     }
-    catch (XMLException& ex) {
+    catch (const DOMException& ex) {
+        parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, (void*)nullptr);
+        parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, true);
+        checkinBuilder(janitor.release());
+        auto_ptr_char temp(ex.getMessage());
+        throw XMLParserException(string("DOM error during parsing: ") + (temp.get() ? temp.get() : "no message"));
+    }
+    catch (const SAXException& ex) {
+        parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, (void*)nullptr);
+        parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, true);
+        checkinBuilder(janitor.release());
+        auto_ptr_char temp(ex.getMessage());
+        throw XMLParserException(string("SAX error during parsing: ") + (temp.get() ? temp.get() : "no message"));
+    }
+    catch (const XMLException& ex) {
         parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, (void*)nullptr);
         parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, true);
         checkinBuilder(janitor.release());
         auto_ptr_char temp(ex.getMessage());
         throw XMLParserException(string("Xerces error during parsing: ") + (temp.get() ? temp.get() : "no message"));
     }
-    catch (XMLToolingException&) {
+    catch (const XMLToolingException&) {
         parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, (void*)nullptr);
         parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, true);
         checkinBuilder(janitor.release());