Version in base suite: 3.2.2+debian-1 Base version: xerces-c_3.2.2+debian-1 Target version: xerces-c_3.2.2+debian-1+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/x/xerces-c/xerces-c_3.2.2+debian-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/x/xerces-c/xerces-c_3.2.2+debian-1+deb10u1.dsc changelog | 9 +++++ patches/CVE-2018-1311-mitigation.patch | 52 +++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 62 insertions(+)
diff -Nru xerces-c-3.2.2+debian/debian/changelog xerces-c-3.2.2+debian/debian/changelog
--- xerces-c-3.2.2+debian/debian/changelog 2018-09-19 19:19:49.000000000 +0000
+++ xerces-c-3.2.2+debian/debian/changelog 2020-12-15 14:55:44.000000000 +0000
@@ -1,3 +1,12 @@
+xerces-c (3.2.2+debian-1+deb10u1) buster-security; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2018-1311 mitigation: fix use-after-free vulnerability when
+ processing external DTD, at the expense of a memory leak. Users may
+ mitigate both by setting the XERCES_DISABLE_DTD environment variable.
+
+ -- Sylvain Beucler Tue, 15 Dec 2020 15:55:44 +0100
+
 xerces-c (3.2.2+debian-1) unstable; urgency=medium * New upstream version 3.2.2+debian Closes: 909202
diff -Nru xerces-c-3.2.2+debian/debian/patches/CVE-2018-1311-mitigation.patch xerces-c-3.2.2+debian/debian/patches/CVE-2018-1311-mitigation.patch
--- xerces-c-3.2.2+debian/debian/patches/CVE-2018-1311-mitigation.patch 1970-01-01 00:00:00.000000000 +0000
+++ xerces-c-3.2.2+debian/debian/patches/CVE-2018-1311-mitigation.patch 2020-12-15 14:51:24.000000000 +0000
@@ -0,0 +1,52 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1311
+
+--- a/src/xercesc/internal/IGXMLScanner.cpp
++++ b/src/xercesc/internal/IGXMLScanner.cpp
+@@ -1532,7 +1532,6 @@ void IGXMLScanner::scanDocTypeDecl()
+ DTDEntityDecl* declDTD = new (fMemoryManager) DTDEntityDecl(gDTDStr, false, fMemoryManager);
+ declDTD->setSystemId(sysId);
+ declDTD->setIsExternal(true);
+- Janitor janDecl(declDTD);
+
+ // Mark this one as a throw at end
+ reader->setThrowAtEnd(true);
+@@ -3095,7 +3094,6 @@ Grammar* IGXMLScanner::loadDTDGrammar(co
+ DTDEntityDecl* declDTD = new (fMemoryManager) DTDEntityDecl(gDTDStr, false, fMemoryManager);
+ declDTD->setSystemId(src.getSystemId());
+ declDTD->setIsExternal(true);
+- Janitor janDecl(declDTD);
+
+ // Mark this one as a throw at end
+ newReader->setThrowAtEnd(true);
+--- a/tests/expected/MemHandlerTest1.log
++++ b/tests/expected/MemHandlerTest1.log
+@@ -1,4 +1,4 @@
+-At destruction, domBuilderMemMonitor has 0 bytes.
+-At destruction, sax2MemMonitor has 0 bytes.
+-At destruction, sax1MemMonitor has 0 bytes.
++At destruction, domBuilderMemMonitor has 276 bytes.
++At destruction, sax2MemMonitor has 276 bytes.
++At destruction, sax1MemMonitor has 276 bytes.
+ At destruction, staticMemMonitor has 0 bytes.
+--- /dev/null
++++ b/tests/expected/MemHandlerTest1_32.log
+@@ -0,0 +1,4 @@
++At destruction, domBuilderMemMonitor has 180 bytes.
++At destruction, sax2MemMonitor has 180 bytes.
++At destruction, sax1MemMonitor has 180 bytes.
++At destruction, staticMemMonitor has 0 bytes.
+--- a/scripts/run-test.in
++++ b/scripts/run-test.in
+@@ -46,6 +46,11 @@ run_test() {
+ sed -i -e 's;\( *[0-9][0-9]* *ms *\);{timing removed};' "$output"
+
+ exp=$(cat "${srcdir}/expected/${name}.log")
++
++ if [ "${name}" = "MemHandlerTest1" ] && [ "$(dpkg-architecture -q DEB_HOST_ARCH_BITS)" -eq 32 ]; then
++ exp=$(cat "${srcdir}/expected/${name}_32.log")
++ fi
++
+ obs=$(cat "$output")
+
+ echo "------"
diff -Nru xerces-c-3.2.2+debian/debian/patches/series xerces-c-3.2.2+debian/debian/patches/series
--- xerces-c-3.2.2+debian/debian/patches/series 2018-09-19 19:19:49.000000000 +0000
+++ xerces-c-3.2.2+debian/debian/patches/series 2020-12-09 16:30:31.000000000 +0000
@@ -0,0 +1 @@
+CVE-2018-1311-mitigation.patch
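Review bot: The two places in IGXMLScanner.cpp where `Janitor janDecl(declDTD);` is dropped (scanDocTypeDecl and loadDTDGrammar) leave the `new (fMemoryManager) DTDEntityDecl(...)` with no visible owner and no comment saying this is deliberate, so a later leak cleanup could restore the Janitor and, presumably, the use-after-free with it. I would add at both sites a comment such as `// CVE-2018-1311 mitigation: declDTD is intentionally not owned by a Janitor; it is leaked rather than freed while still referenced.` The leak presumably recurs for each external DTD processed (the updated MemHandlerTest1 logs record 276 and 180 bytes), so a long-running parser that handles untrusted documents should be watched for memory growth or run with XERCES_DISABLE_DTD set, as the changelog suggests. Both function bodies continue outside the inner hunks, so whether anything else releases declDTD cannot be confirmed from here.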