Version in base suite: 3.0.4-1 Base version: xmltooling_3.0.4-1 Target version: xmltooling_3.0.4-1+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/x/xmltooling/xmltooling_3.0.4-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/x/xmltooling/xmltooling_3.0.4-1+deb10u1.dsc changelog | 8 + gbp.conf | 2 patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch | 42 ++++++++++ patches/series | 1 4 files changed, 52 insertions(+), 1 deletion(-) diff -Nru xmltooling-3.0.4/debian/changelog xmltooling-3.0.4/debian/changelog --- xmltooling-3.0.4/debian/changelog 2019-03-14 13:58:36.000000000 +0000 +++ xmltooling-3.0.4/debian/changelog 2020-01-31 22:06:07.000000000 +0000 @@ -1,3 +1,11 @@ +xmltooling (3.0.4-1+deb10u1) buster; urgency=medium + + * [7c6eb12] This branch is for buster updates + * [97e580e] New patch: CPPXT-145 - DataSealer is sharing non-thread safe keys. + Thanks to Scott Cantor (Closes: #950135) + + -- Ferenc Wágner Fri, 31 Jan 2020 23:06:07 +0100 + xmltooling (3.0.4-1) unstable; urgency=high * [f185b26] New upstream security release: 3.0.4 diff -Nru xmltooling-3.0.4/debian/gbp.conf xmltooling-3.0.4/debian/gbp.conf --- xmltooling-3.0.4/debian/gbp.conf 2019-03-14 13:34:19.000000000 +0000 +++ xmltooling-3.0.4/debian/gbp.conf 2020-01-31 21:59:40.000000000 +0000 @@ -1,5 +1,5 @@ [DEFAULT] -debian-branch = debian/master +debian-branch = debian/buster upstream-branch = upstream/latest pristine-tar = True diff -Nru xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch --- xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch 1970-01-01 00:00:00.000000000 +0000 +++ xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch 2020-01-31 22:04:41.000000000 +0000 @@ -0,0 +1,42 @@ +From: Scott Cantor +Date: Tue, 1 Oct 2019 19:16:19 -0400 +Subject: CPPXT-145 - DataSealer is sharing non-thread safe keys + +Xmltooling versions 3.0.0 to 3.0.4 suffer from a race condition bug that +leads to a crash under load. + +https://issues.shibboleth.net/jira/browse/CPPXT-145 + +Closes: #950135 +--- + xmltooling/security/impl/DataSealer.cpp | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/xmltooling/security/impl/DataSealer.cpp b/xmltooling/security/impl/DataSealer.cpp +index c7ec7f9..aef85b7 100644 +--- a/xmltooling/security/impl/DataSealer.cpp ++++ b/xmltooling/security/impl/DataSealer.cpp +@@ -156,8 +156,10 @@ string DataSealer::wrap(const char* s, time_t exp) const + + safeBuffer ciphertext; + try { ++ // Keys are not threadsafe, use a clone to encrypt. ++ scoped_ptr clonedKey(defaultKey.second->clone()); + scoped_ptr method(XENCEncryptionMethod::create(env.get(), algorithm)); +- if (!handler->encryptToSafeBuffer(&tx, method.get(), defaultKey.second, dummydoc, ciphertext)) { ++ if (!handler->encryptToSafeBuffer(&tx, method.get(), clonedKey.get(), dummydoc, ciphertext)) { + throw XMLSecurityException("Data encryption failed."); + } + } +@@ -235,8 +237,10 @@ string DataSealer::unwrap(const char* s) const + unsigned int len = 0; + safeBuffer plaintext; + try { ++ // Keys are not threadsafe, use a clone to decrypt. ++ scoped_ptr clonedKey(requiredKey.second->clone()); + scoped_ptr method(XENCEncryptionMethod::create(env.get(), algorithm)); +- len = handler->decryptToSafeBuffer(&tx, method.get(), requiredKey.second, dummydoc, plaintext); ++ len = handler->decryptToSafeBuffer(&tx, method.get(), clonedKey.get(), dummydoc, plaintext); + } + catch (const XSECException& ex) { + auto_ptr_char msg(ex.getMsg()); diff -Nru xmltooling-3.0.4/debian/patches/series xmltooling-3.0.4/debian/patches/series --- xmltooling-3.0.4/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ xmltooling-3.0.4/debian/patches/series 2020-01-31 22:04:41.000000000 +0000 @@ -0,0 +1 @@ +CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch