xerces-c: CVE-2017-12627: Null pointer dereference while processing the path to DTD allows denial of service


Debian Bug report logs - #894050


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 25 Mar 2018 20:03:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions xerces-c/3.2.0+debian-2, xerces-c/3.1.1-5.1

Fixed in versions xerces-c/3.2.1+debian-1, xerces-c/3.1.1-5.1+deb8u4, xerces-c/3.1.4+debian-2+deb9u1

Done: William Blough <devel@blough.us>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, William Blough <devel@blough.us>:
Bug#894050; Package src:xerces-c. (Sun, 25 Mar 2018 20:03:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, William Blough <devel@blough.us>. (Sun, 25 Mar 2018 20:03:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xerces-c: CVE-2017-12627: Null pointer dereference while processing the path to DTD allows denial of service
Date: Sun, 25 Mar 2018 21:58:28 +0200
Source: xerces-c
Version: 3.2.0+debian-2
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for xerces-c.

CVE-2017-12627[0]:
| In Apache Xerces-C XML Parser library before 3.2.1, processing of
| external DTD paths can result in a null pointer dereference under
| certain conditions.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12627
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12627
[1] https://svn.apache.org/viewvc?view=revision&revision=1819998
[2] https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions xerces-c/3.1.1-5.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 25 Mar 2018 20:15:13 GMT)


Reply sent to William Blough <devel@blough.us>:
You have taken responsibility. (Wed, 28 Mar 2018 23:39:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 28 Mar 2018 23:39:09 GMT)


Message #12 received at 894050-close@bugs.debian.org:

From: William Blough <devel@blough.us>
To: 894050-close@bugs.debian.org
Subject: Bug#894050: fixed in xerces-c 3.2.1+debian-1
Date: Wed, 28 Mar 2018 23:36:58 +0000
Source: xerces-c
Source-Version: 3.2.1+debian-1

We believe that the bug you reported is fixed in the latest version of
xerces-c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894050@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
William Blough <devel@blough.us> (supplier of updated xerces-c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 28 Mar 2018 17:56:05 -0400
Source: xerces-c
Binary: libxerces-c3.2 libxerces-c-dev libxerces-c-doc libxerces-c-samples
Architecture: source amd64 all
Version: 3.2.1+debian-1
Distribution: unstable
Urgency: medium
Maintainer: William Blough <devel@blough.us>
Changed-By: William Blough <devel@blough.us>
Description:
 libxerces-c-dev - validating XML parser library for C++ (development files)
 libxerces-c-doc - validating XML parser library for C++ (documentation)
 libxerces-c-samples - validating XML parser library for C++ (compiled samples)
 libxerces-c3.2 - validating XML parser library for C++
Closes: 891841 894050
Changes:
 xerces-c (3.2.1+debian-1) unstable; urgency=medium
 .
   * New upstream release.  Closes: 891841
     Fixes CVE-2017-12627  Closes: 894050
   * Update to policy 4.1.3 (no changes)
   * Remove patch that was applied upstream
   * Lintian fixes:
     - remove trailing whitespace in changelog
     - install NOTICE file
     - change watch file to use https
Checksums-Sha1:
 11d4cb29957ac1350c02a1d5ff0a1d8893188293 2407 xerces-c_3.2.1+debian-1.dsc
 16bc29dfee1f854b9f5942a40b1cc91fd181a55b 2502048 xerces-c_3.2.1+debian.orig.tar.gz
 dcf359aeb2bd2a7f04958d0c3df93e4a3da0e418 21620 xerces-c_3.2.1+debian-1.debian.tar.xz
 6174d86836db62f4ee3b0af0aea85e8a92a19fef 1648908 libxerces-c-dev_3.2.1+debian-1_amd64.deb
 f5709156f769826672512340d712f85017f6582d 1758504 libxerces-c-doc_3.2.1+debian-1_all.deb
 c6b294c4b21346b2cf6fdd10ec1c243f3f33fdd5 1116340 libxerces-c-samples-dbgsym_3.2.1+debian-1_amd64.deb
 f4e4b8db25faea576221363c5d708d513d33c399 133624 libxerces-c-samples_3.2.1+debian-1_amd64.deb
 33d75fa53f6c6a4169b2ac78a2b96fdbcdbeb866 6159768 libxerces-c3.2-dbgsym_3.2.1+debian-1_amd64.deb
 737d7eca64c016aeaef7ec88ec6bb0553329747f 861220 libxerces-c3.2_3.2.1+debian-1_amd64.deb
 71e66f276b7750d827bb31986b696439b3756e8e 10260 xerces-c_3.2.1+debian-1_amd64.buildinfo
Checksums-Sha256:
 14182c237a035d40b0bcdfaea6291370d4c1061f6695486e1f8c7348ad0e6422 2407 xerces-c_3.2.1+debian-1.dsc
 0a2cb3c371909c5723d1b696957ac4e9c51bd162612f1fd285563b39a66f5137 2502048 xerces-c_3.2.1+debian.orig.tar.gz
 912875f7188228d58fbd27aa91e50833e81f92f58e67aeb59061cf9e76c74ffb 21620 xerces-c_3.2.1+debian-1.debian.tar.xz
 1c2aad6ff47b452ea6ebff872fd0a68b264d6471e61d088ef40cda4ab84a836d 1648908 libxerces-c-dev_3.2.1+debian-1_amd64.deb
 8037b6f44d9df75d98b4f6d7dbac482c4e9abd1b1a8393f25e235b0de820302c 1758504 libxerces-c-doc_3.2.1+debian-1_all.deb
 9c16dfb5d8c2bc5ba363b355fd516d587c80b92e3fd7869073f4610740b7d480 1116340 libxerces-c-samples-dbgsym_3.2.1+debian-1_amd64.deb
 b32b1d2af006f9e38aca463c3b4185eba48c2389dbe2c943c05f14b1d76c95ac 133624 libxerces-c-samples_3.2.1+debian-1_amd64.deb
 e3f79c50706310a89c67c22ae63776e1784ed60f48cbf05a78a88120008c53f9 6159768 libxerces-c3.2-dbgsym_3.2.1+debian-1_amd64.deb
 8053b4ea018b753d69e78956fa44744ae6858c6997f4f8d9e0a059b75b893118 861220 libxerces-c3.2_3.2.1+debian-1_amd64.deb
 7552adb613bac086b6b24895db44bc73b284098ae45417dc7afcb6b8457a71c7 10260 xerces-c_3.2.1+debian-1_amd64.buildinfo
Files:
 8fc4603f6fd4bd19ad94d42ac96c42fd 2407 libs optional xerces-c_3.2.1+debian-1.dsc
 a77f4349f7032af3ad7df909d7b29290 2502048 libs optional xerces-c_3.2.1+debian.orig.tar.gz
 a5a3574f3b6c90de7891da6fca111b1a 21620 libs optional xerces-c_3.2.1+debian-1.debian.tar.xz
 4df7265b94f8a755764722d21e69f934 1648908 libdevel optional libxerces-c-dev_3.2.1+debian-1_amd64.deb
 f9fc4c23a33b6c590bab58e5b870483d 1758504 doc optional libxerces-c-doc_3.2.1+debian-1_all.deb
 4ba6f16caf8f7d82d1b91c1706e6bdae 1116340 debug optional libxerces-c-samples-dbgsym_3.2.1+debian-1_amd64.deb
 a24c6a871e869b7bee475343fc1b753d 133624 devel optional libxerces-c-samples_3.2.1+debian-1_amd64.deb
 78461bbb7474d869ddf13d67666ab8c1 6159768 debug optional libxerces-c3.2-dbgsym_3.2.1+debian-1_amd64.deb
 d2e4bc2aa7fb044e41dc804091a80fbc 861220 libs optional libxerces-c3.2_3.2.1+debian-1_amd64.deb
 9fac8cd0f4529d0c74665d64ca88aa3b 10260 libs optional xerces-c_3.2.1+debian-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKkBAEBCACOFiEEXN0MnPRGvBslCYeRF2LgInA0z4QFAlq8HGxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDVD
REQwQzlDRjQ0NkJDMUIyNTA5ODc5MTE3NjJFMDIyNzAzNENGODQQHGRldmVsQGJs
b3VnaC51cwAKCRAXYuAicDTPhJQpEACD4/4LF2R3XAnPBOHaWxfY5X7iskXXXWlp
Xnl9g9fW9UZF0NqU1OMF0vVHoGz0UssOiBr4aL88Q/TqAiVpY7MSGT9QI7aSTqb5
lfmWByKt9VsPBjhZPw1RteqFRG5f1r9EmXQ+l9jH8GdyZjUkyoyAX5kZtpEre+/I
Me4XGwqD4FR6qTEQoBLcM/7dk/kPRaz5HCU7pOaNqzOBeebu25rkYNvUknm4/HbT
JDPo+83qiRMLM4LN5W17+pQxDQJ4p8nTgTLmBKD1ySNPUF3AyUbRiahF0Qzn6oGO
/j8e2QjntrkwcRPxLM67R4Sxe66QaP1AnuLqFCw3T6FNPyfTWRAW7jtwBnwh6B6E
Dc58ywDdcBnhB5C7VorNKoi2zX86ugfS5feM7zKrk/YWnkvClEwcFAcFqgGu/Myv
IZ53aO2otnZkoD2n4o5U4PIedK9ZsLSPaBFgW1w6HF+M+q4Q64KnTo9agWMHQqr0
XdHHk5wdgbwFVAmsfhbI0/LVcIFtxim6K0MHYI+7SyniUB3YiMqsPffCFCmgZOI4
6wSjJcpM+ruLqcoGOAnGRoIq96k094cmtv/Iy20QEW/WJNV3EwTHYjIrP4IzFH/M
WVzBApcrIp7dHW2wkVuR7VPQnB/Rk+3vkfKZnVtrI8H8qTPzKjT4J7Db2ZFo+BrV
ikWIVrx0rA==
=Sn0W
-----END PGP SIGNATURE-----




Bug reopened. Request was from William Blough <devel@blough.us> to control@bugs.debian.org. (Wed, 04 Apr 2018 03:57:03 GMT)


No longer marked as fixed in versions xerces-c/3.2.1+debian-1. Request was from William Blough <devel@blough.us> to control@bugs.debian.org. (Wed, 04 Apr 2018 03:57:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, William Blough <devel@blough.us>:
Bug#894050; Package src:xerces-c. (Wed, 04 Apr 2018 04:24:17 GMT)


Acknowledgement sent to Bill Blough <devel@blough.us>:
Extra info received and forwarded to list. Copy sent to William Blough <devel@blough.us>. (Wed, 04 Apr 2018 04:24:17 GMT)


Message #21 received at 894050@bugs.debian.org:

From: Bill Blough <devel@blough.us>
To: 894050@bugs.debian.org
Subject: Reopening
Date: Tue, 3 Apr 2018 23:41:33 -0400
While this is fixed for unstable/testing, the security team has informed
me that there will be no DSA for this issue for stable/oldstable.

As such, I'm reopening this until stable/oldstable can be updated via a
point release.



Marked as fixed in versions xerces-c/3.2.1+debian-1. Request was from William Blough <devel@blough.us> to control@bugs.debian.org. (Wed, 04 Apr 2018 04:45:02 GMT)


Marked as fixed in versions xerces-c/3.1.4+debian-2+deb9u1. Request was from William Blough <devel@blough.us> to control@bugs.debian.org. (Sat, 28 Apr 2018 22:06:02 GMT)


Marked as fixed in versions xerces-c/3.1.1-5.1+deb8u4. Request was from William Blough <devel@blough.us> to control@bugs.debian.org. (Sat, 28 Apr 2018 22:06:04 GMT)


Marked Bug as done. Request was from William Blough <devel@blough.us> to control@bugs.debian.org. (Sat, 28 Apr 2018 22:06:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 28 Apr 2018 22:06:06 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 12 Aug 2018 07:31:25 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:58:20 2019; Machine Name: buxtehude
