xmltooling: CVE-2019-9628: XML parser class fails to trap exceptions on malformed XML declaration

Debian Bug report logs - #924346
xmltooling: CVE-2019-9628: XML parser class fails to trap exceptions on malformed XML declaration

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: xmltooling: CVE-2019-9628: XML parser class fails to trap exceptions on malformed XML declaration

Date: Mon, 11 Mar 2019 22:02:48 +0100

Source: xmltooling
Version: 3.0.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://issues.shibboleth.net/jira/browse/CPPXT-143
Control: found -1 1.6.0-4+deb9u1
Control: found -1 1.6.0-4

Hi,

The following vulnerability was published for xmltooling, filling for
tracking.

CVE-2019-9628[0]:
XML parser class fails to trap exceptions on malformed XML declaration

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9628
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9628
[1] https://shibboleth.net/community/advisories/secadv_20190311.txt
[2] https://issues.shibboleth.net/jira/browse/CPPXT-143
[3] https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commit;h=af27c422f551e16989ff6f1722d83614c8550eb5

Regards,
Salvatore

Message #14 received at 924346@bugs.debian.org (full text, mbox, reply):

From: wferi@niif.hu

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: team@security.debian.org, 924346@bugs.debian.org, wferi@niif.hu

Subject: Re: xmltooling: CVE-2019-9628: XML parser class fails to trap exceptions on malformed XML declaration

Date: Tue, 12 Mar 2019 10:19:00 +0100

Salvatore Bonaccorso <carnil@debian.org> writes:

> On Sat, Mar 09, 2019 at 07:25:52PM +0100, wferi@niif.hu wrote:
>
>> I reserved a CVE from Mitre, backported the probable patch to
>> xmltooling 1.6.0-4+deb9u1 in stable and prepared a tentative package
>> with it, please see the debdiff below.  I plan to add more
>> substantive info to the changelog as I get hold of any, but I expect
>> no other changes.
>
> Thanks for preparing the update, the issue is now public, so filled a
> respective Debian bug for it. 

Thanks, Salvatore!

> Were you able to test the resulting package in some extend under
> stretch?

The resulting packages works fine in my setup.  However, I failed to
reproduce the original issue under stretch.  After consulting upstream,
it turns out that the old Xerces library actually helps somewhat in this
case, please see Scott Cantor's reply below.  So the known exploit
(using an invalid XML declaration) does not work on stable, but if
somebody finds a way to trigger a DOMException in Xerces 3.1, any
xmltooling users will crash all the same.  See also his comment on
https://issues.apache.org/jira/browse/XERCESC-2016.

JFYI: we plan to upload the Shibboleth 3 stack to stretch-backports,
which will use the xerces-c 3.2 stretch backport.  These will be fixed
packages, though, in whatever form the Release Team gives its blessing
for.

> I think it sounds sensible to release a DSA for it, so in case yes
> please do upload to security-master (you might add the Debian bug
> closer as well if you need to rebuild and want to add additional
> information).

It will add the closer and the extra information, but won't upload to
security-master unless you tell me so again after reassessing the
situation based on the new information here.

"Cantor, Scott" <cantor.2@osu.edu> writes:

> Yeah, it's a Xerces change. I didn't make it, but it was applied to
> the trunk as part of XERCES-2016 and there's a very odd change that
> causes the XMLScanner to leak through versions that start with "1." It
> doesn't look correct to me, but it's not for me to say.
>
> Anything up to Xerces 3.1.x catches that and raises the old
> XMLException type that was already caught. Xerces 3.2 ends up with a
> DOMException, which is what caused the crash.
>
> Now: the bug is still a bug. I have no idea under what conditions
> other DOMExceptions could be triggered, and if it happens, you have a
> crash. And the DOMLSParser::parse method is absolutely allowed to
> throw that type of exception, that's in the docs and in the DOM
> standard. But this specific case is only exploitable under Xerces 3.2.
>
> Personally, I would just push the fix and be done with it, it's not a
> hard change, but it's certainly your call. I had to because I require
> Xerces 3.2 at this point in all my packages.
>
> I may update the advisory, but I'm not enthused about overcomplicating
> the message I'm sending with more caveats and conditions.
>
> Good catch though.
>
> -- Scott
-- 
Regards,
Feri

Message #19 received at 924346@bugs.debian.org (full text, mbox, reply):

From: wferi@niif.hu

To: Moritz Muehlenhoff <jmm@inutil.org>

Cc: team@security.debian.org, wferi@niif.hu, 924346@bugs.debian.org

Subject: Re: xmltooling: CVE-2019-9628: XML parser class fails to trap exceptions on malformed XML declaration

Date: Tue, 12 Mar 2019 14:53:14 +0100

Moritz Muehlenhoff <jmm@inutil.org> writes:

> On Tue, Mar 12, 2019 at 10:19:00AM +0100, wferi@niif.hu wrote:
>
>> The resulting packages works fine in my setup.  However, I failed to
>> reproduce the original issue under stretch.  After consulting upstream,
>> it turns out that the old Xerces library actually helps somewhat in this
>> case, please see Scott Cantor's reply below.  So the known exploit
>> (using an invalid XML declaration) does not work on stable, but if
>> somebody finds a way to trigger a DOMException in Xerces 3.1, any
>> xmltooling users will crash all the same.  See also his comment on
>> https://issues.apache.org/jira/browse/XERCESC-2016.
>
> I think we can still fix this via stretch-security

OK, uploaded.

> it's better to fix the root cause nonetheless.

Even though the Xerces change is suspicious, the documentation allows
the parser to throw DOMExceptions, so they must be handled by the
callers, which this fix achieves.
-- 
Regards,
Feri

Message #24 received at 924346@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: wferi@niif.hu

Cc: team@security.debian.org, 924346@bugs.debian.org

Subject: Re: xmltooling: CVE-2019-9628: XML parser class fails to trap exceptions on malformed XML declaration

Date: Tue, 12 Mar 2019 22:27:35 +0100

On Tue, Mar 12, 2019 at 02:53:14PM +0100, wferi@niif.hu wrote:
> Moritz Muehlenhoff <jmm@inutil.org> writes:
> 
> > On Tue, Mar 12, 2019 at 10:19:00AM +0100, wferi@niif.hu wrote:
> >
> >> The resulting packages works fine in my setup.  However, I failed to
> >> reproduce the original issue under stretch.  After consulting upstream,
> >> it turns out that the old Xerces library actually helps somewhat in this
> >> case, please see Scott Cantor's reply below.  So the known exploit
> >> (using an invalid XML declaration) does not work on stable, but if
> >> somebody finds a way to trigger a DOMException in Xerces 3.1, any
> >> xmltooling users will crash all the same.  See also his comment on
> >> https://issues.apache.org/jira/browse/XERCESC-2016.
> >
> > I think we can still fix this via stretch-security
> 
> OK, uploaded.

DSA has been released, thanks.

Cheers,
        Moritz

Message #29 received at 924346@bugs.debian.org (full text, mbox, reply):

From: José Santiago Silva Ramirez <shagitoramsil@outlook.com>

To: "924346@bugs.debian.org" <924346@bugs.debian.org>

Subject: Reporte and. Updates softwate

Date: Wed, 13 Mar 2019 10:00:28 +0000

[Message part 1 (text/plain, inline)]

Obtener Outlook para Android<https://aka.ms/ghei36>

[Message part 2 (text/html, inline)]

Message #34 received at 924346@bugs.debian.org (full text, mbox, reply):

From: José Santiago Silva Ramirez <shagitoramsil@outlook.com>

To: "924346@bugs.debian.org" <924346@bugs.debian.org>

Subject: Whare

Date: Wed, 13 Mar 2019 14:35:30 +0000

[Message part 1 (text/plain, inline)]

Obtener Outlook para Android<https://aka.ms/ghei36>

[Message part 2 (text/html, inline)]

Message #39 received at 924346@bugs.debian.org (full text, mbox, reply):

From: José Santiago Silva Ramirez <shagitoramsil@outlook.com>

To: "924346@bugs.debian.org" <924346@bugs.debian.org>

Subject: Report. I fixed already

Date: Wed, 13 Mar 2019 14:36:15 +0000

[Message part 1 (text/plain, inline)]

Obtener Outlook para Android<https://aka.ms/ghei36>

[Message part 2 (text/html, inline)]

Message #44 received at 924346-close@bugs.debian.org (full text, mbox, reply):

From: Ferenc Wágner <wferi@debian.org>

To: 924346-close@bugs.debian.org

Subject: Bug#924346: fixed in xmltooling 3.0.4-1

Date: Thu, 14 Mar 2019 15:20:27 +0000

Source: xmltooling
Source-Version: 3.0.4-1

We believe that the bug you reported is fixed in the latest version of
xmltooling, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924346@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ferenc Wágner <wferi@debian.org> (supplier of updated xmltooling package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 14 Mar 2019 14:58:36 +0100
Source: xmltooling
Architecture: source
Version: 3.0.4-1
Distribution: unstable
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Closes: 924346
Changes:
 xmltooling (3.0.4-1) unstable; urgency=high
 .
   * [f185b26] New upstream security release: 3.0.4
     DSA-4407-1, CVE-2019-9628: uncaught exception on malformed XML
     declaration.
     Invalid data in the XML declaration causes an exception of a type
     that was not handled properly in the parser class and propagates an
     unexpected exception type.
     This generally manifests as a crash in the calling code, which in the
     Service Provider software's case is usually the shibd daemon process,
     but can be Apache in some cases. Note that the crash occurs prior to
     evaluation of a message's authenticity, so can be exploited by an
     untrusted attacker.
     https://shibboleth.net/community/advisories/secadv_20190311.txt
     https://issues.shibboleth.net/jira/browse/CPPXT-143
     Thanks to Scott Cantor (Closes: #924346)
Checksums-Sha1:
 5bae877c157e05c1161bc104f673c9a30cccfd32 2677 xmltooling_3.0.4-1.dsc
 e0ef8e450c6517eca3273d9900777b354d3997bf 608437 xmltooling_3.0.4.orig.tar.bz2
 ea9ddb61217250015760c11bf6f1a8641ad3e17b 833 xmltooling_3.0.4.orig.tar.bz2.asc
 52ae2293d2f6d0e68c5db083a20cf7c1e35471e9 52912 xmltooling_3.0.4-1.debian.tar.xz
 eb4243157a4eecc87bf4033922629fc4416d9b92 9832 xmltooling_3.0.4-1_amd64.buildinfo
Checksums-Sha256:
 7597c2b1c21205527531648443586d4b32b6937652e72dedfbcdbb6be9e31bfc 2677 xmltooling_3.0.4-1.dsc
 bb87febe730f97fc58f6f6b6782d7ab89bf240944dd6e5f1c1d9681254bb9a88 608437 xmltooling_3.0.4.orig.tar.bz2
 d25e2b86fe37f1764ce6262bf6741f378164b1883d5438cd8c8ccc6e7bbd6948 833 xmltooling_3.0.4.orig.tar.bz2.asc
 013d771ee9f5be8f1a7268a379e36bf2a5909172612d1314a3af3a90b0ad59e0 52912 xmltooling_3.0.4-1.debian.tar.xz
 1778a5430e07a8866e0e0b16401119089b55efe831e863e30ed0617492aa074a 9832 xmltooling_3.0.4-1_amd64.buildinfo
Files:
 308c3546142c7658a582a4c42acc1254 2677 libs optional xmltooling_3.0.4-1.dsc
 b210bffe55ddaf8ded77af4ac8389639 608437 libs optional xmltooling_3.0.4.orig.tar.bz2
 c7858fa00afbaaf864c9b1f7c8c6908b 833 libs optional xmltooling_3.0.4.orig.tar.bz2.asc
 b67c62db4d85791052c1b92e5fb015b2 52912 libs optional xmltooling_3.0.4-1.debian.tar.xz
 a1e98c1b410ce9126748e118454dfce8 9832 libs optional xmltooling_3.0.4-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwddEx0RNIUL7eugtOsj3Fkd+2yMFAlyKYrcACgkQOsj3Fkd+
2yM2MBAAjoNmuufKDbPZJvlKFGnBuapwFpBu+TcVOH3j2uy9zHzVjcVM5CNDZ9Hr
vjbDwg050KG7AmunTeygi/d3/v/N+z4Q7DF5dCGbryyjBeKuy72gvhJdmigI1kay
cXzljhrWmiM1X58khjrLqBLqP0bpHXMzk+73qubf5wI4uRdPqE0xo95ygglINb6z
w57ZJODyT4RcDI/h5Fgk0iKo+4DrHE7M6r1h41HYXWja6Kxdgr45y6QVgljHjrEj
NR3Xl84CLdd/mDDbqp+n0y5F/ce3O6MINcU5EDAJOe2W4F+tt4AwcfV3SJWWgVwU
ewJ6bywX2wCiXFRl5z2lVeNVMPeg4Y04GVupStmb6PwzXcq79U85oLCBMrgu+fzk
W35nXD4XEcXTreRfD3tpHN8/Rbriohhq/EEwITBUD5njr/S2k2o9wzkbqOMRlj86
qhqGcAcDHTqboFWKX9VZLKNXXMFycJ/rJrneCNuhQL5j8fbJ6cbelpgsUYVv0Nhp
4qd88AquVGab6Ny5z/NcEAiyB7Gh5sNlPZjc18wZbDHkMSwLe9kJ3zuR9V6Ryms8
mzJjI1USPa64oPWMslyIgTSSXoBlqMnO5vtx1ELlDGizdAhpSwoX0surwj29NE1a
cvOD6zGOSVm7IZaDqgJalem6563V2bWflVJmVEs03fLflUof/CA=
=7hrA
-----END PGP SIGNATURE-----

Message #55 received at 924346-close@bugs.debian.org (full text, mbox, reply):

From: Ferenc Wágner <wferi@debian.org>

To: 924346-close@bugs.debian.org

Subject: Bug#924346: fixed in xmltooling 1.6.0-4+deb9u2

Date: Fri, 29 Mar 2019 01:21:02 +0000

Source: xmltooling
Source-Version: 1.6.0-4+deb9u2

We believe that the bug you reported is fixed in the latest version of
xmltooling, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924346@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ferenc Wágner <wferi@debian.org> (supplier of updated xmltooling package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 12 Mar 2019 13:40:20 +0100
Source: xmltooling
Binary: libxmltooling7 libxmltooling-dev xmltooling-schemas libxmltooling-doc
Architecture: source
Version: 1.6.0-4+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Ferenc Wágner <wferi@debian.org>
Description:
 libxmltooling-dev - C++ XML parsing library with encryption support (development)
 libxmltooling-doc - C++ XML parsing library with encryption support (API docs)
 libxmltooling7 - C++ XML parsing library with encryption support (runtime)
 xmltooling-schemas - XML schemas for XMLTooling
Closes: 924346
Changes:
 xmltooling (1.6.0-4+deb9u2) stretch-security; urgency=high
 .
   * [2f0c065] New patch fixing CVE-2019-9628: uncaught exception on malformed
     XML declaration.
     Invalid data in the XML declaration causes an exception of a type
     that was not handled properly in the parser class and propagates an
     unexpected exception type.
     This generally manifests as a crash in the calling code, which in the
     Service Provider software's case is usually the shibd daemon process,
     but can be Apache in some cases. Note that the crash occurs prior to
     evaluation of a message's authenticity, so can be exploited by an
     untrusted attacker.
     https://shibboleth.net/community/advisories/secadv_20190311.txt
     https://issues.shibboleth.net/jira/browse/CPPXT-143
     Thanks to Scott Cantor (Closes: #924346)
Checksums-Sha1:
 bf6bf956fc3012b0acee1bac4f013f951e7b9dac 2491 xmltooling_1.6.0-4+deb9u2.dsc
 e6d3e6d474b1bcb75456d1a042ac0eb18bcc67be 73544 xmltooling_1.6.0-4+deb9u2.debian.tar.xz
 a006286edf5829d2664ff81ed2a86c53726f406d 10312 xmltooling_1.6.0-4+deb9u2_amd64.buildinfo
Checksums-Sha256:
 b43977f04b17fa63da1bb6bf49cbb241e1043c4ad38f4983f97caa2038e52ae8 2491 xmltooling_1.6.0-4+deb9u2.dsc
 729e06f8429c4793deb28188e5138ac2a74df7025c685ab0b45557a0af93d2cd 73544 xmltooling_1.6.0-4+deb9u2.debian.tar.xz
 f1661f18a4d5778fa535e131ce502126934841ad5351b3e5333ea2f33f7d54ea 10312 xmltooling_1.6.0-4+deb9u2_amd64.buildinfo
Files:
 b0b91ca7c4c4d15a0d6d5a4b053e5864 2491 libs extra xmltooling_1.6.0-4+deb9u2.dsc
 036129e212c16c33c148d3cf158402c7 73544 libs extra xmltooling_1.6.0-4+deb9u2.debian.tar.xz
 f1d8254ce793b1b469696c3b02673108 10312 libs extra xmltooling_1.6.0-4+deb9u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwddEx0RNIUL7eugtOsj3Fkd+2yMFAlyHtpAACgkQOsj3Fkd+
2yMl0hAAui9s2tTJw6y+fSEReZt7Q3zZsAMKD0gjWtNl+nJNVXgxnRv4ULZKru8u
GkIZyGRenz9aoLpLJVWr/+A8lM3fS97E7+qbEaPgm8j9BQ3WQlDxB3O/8RAo6iyM
osujQ/PiFWoxI0W4CDdDaQZF8VeBBMK8Ly1BJodeRllNLMOj9vOkpO6n4eVdP5Rq
0wJwSjGMitR3iWY2LeGKuHPSWyERoaMVdn3aDRzkbkponizTa8/Z0V2P31nLZ/8q
Fwml7BHdTfnKckAG0Vv1wq7o3e/A6XmpUvDHGyF4hsCe8x48sUn6x3tOML9+FcNe
pnQcv6T8IDrAfOqj8EFL/Sa38IYom9JbC5U7jKtRLiPjuf34lFHmrKb6MC+kiF0L
1YMu3l185+ekdHLQknSNotOK3S8Ds7Tej+1BwQk2SAkpkGDIhPa2Vdp2epF64sFx
O3+pJFiAjkB827acyipESgkep4DNhhkZ8S5wjhMIqNDeANYZIRZ4UGDbeKVVUhU5
XfO7zIHR+j10Ms57977IyD7abc5mnJ6VSKS7xX2/z9Grbs9jjLb7d9q0F9WtDRCT
ZWW7nPYlg6H67zhirjPY3xgnVNIgkoDt7iGH+koM893nmHfGHfJ5KuKWtYENPauJ
4Szd8pmhXg8HbBupE2TaZq5OTMhwUlhPZx0JmrznWG0HE1OIkH8=
=POhM
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.