diff -Nru xmltooling-1.5.3/debian/changelog xmltooling-1.5.3/debian/changelog
--- xmltooling-1.5.3/debian/changelog 2015-08-07 18:55:01.000000000 +0000
+++ xmltooling-1.5.3/debian/changelog 2018-01-17 22:38:30.000000000 +0000
@@ -1,13 +1,38 @@ -xmltooling (1.5.3-2+deb8u1build0.14.04.1) trusty-security; urgency=medium +xmltooling (1.5.3-2+deb8u2build0.14.04.1) trusty-security; urgency=medium - * fake sync from Debian + * fake sync from Debian (LP: #1743762) - -- Tyler Hicks Fri, 07 Aug 2015 13:55:01 -0500 + -- Steve Beattie Wed, 17 Jan 2018 14:38:30 -0800 + +xmltooling (1.5.3-2+deb8u2) jessie-security; urgency=high + + * [5c2845b] Add gbp.conf for jessie + * [0ffc343] Convert our single patch into a proper patch queue + * [91e7acb] New patch: CVE-2018-0486: vulnerability to forged user attribute + data + The Service Provider software relies on a generic XML parser to process + SAML responses and there are limitations in older versions of the parser + that make it impossible to fully disable Document Type Definition (DTD) + processing. + Through addition/manipulation of a DTD, it's possible to make changes + to an XML document that do not break a digital signature but are + mishandled by the SP and its libraries. These manipulations can alter + the user data passed through to applications behind the SP and result + in impersonation attacks and exposure of protected information. + While the use of XML Encryption can serve as a mitigation for this bug, + it may still be possible to construct attacks in such cases, and the SP + does not provide a means to enforce its use. + CPPXT-127 - Block entity reference nodes during unmarshalling. 
+ https://issues.shibboleth.net/jira/browse/CPPXT-127 + Thanks to Scott Cantor + * [49b7352] Update Uploaders: add Etienne, remove Russ, update myself + + -- Ferenc Wágner Fri, 12 Jan 2018 12:00:08 +0100 xmltooling (1.5.3-2+deb8u1) jessie-security; urgency=high * Apply security fix from 1.5.5 for CVE-2015-0851 DoS (Closes: #793855): - Shibboleth SP software crashes on well-formed but invalid XML + Shibboleth SP software crashes on well-formed but invalid XML -- Ferenc Wagner Sun, 19 Jul 2015 19:06:38 +0200 diff -Nru xmltooling-1.5.3/debian/control xmltooling-1.5.3/debian/control --- xmltooling-1.5.3/debian/control 2015-07-30 09:46:51.000000000 +0000 +++ xmltooling-1.5.3/debian/control 2018-01-12 10:57:51.000000000 +0000 @@ -2,7 +2,9 @@ Section: libs Priority: extra Maintainer: Debian Shib Team -Uploaders: Russ Allbery , Ferenc Wagner +Uploaders: + Ferenc Wágner , + Etienne Dysli Metref , Build-Depends: debhelper (>= 9), dh-autoreconf, doxygen, graphviz, libcurl4-openssl-dev, libboost-dev, liblog4shib-dev, libssl-dev (>= 1.0), libxerces-c-dev, libxml-security-c-dev (>= 1.7), pkg-config diff -Nru xmltooling-1.5.3/debian/gbp.conf xmltooling-1.5.3/debian/gbp.conf --- xmltooling-1.5.3/debian/gbp.conf 1970-01-01 00:00:00.000000000 +0000 +++ xmltooling-1.5.3/debian/gbp.conf 2018-01-12 10:36:14.000000000 +0000 @@ -0,0 +1,14 @@ +[DEFAULT] +debian-branch = debian/jessie +upstream-branch = upstream/latest + +[import-orig] +pristine-tar = True + +[dch] +full = True +multimaint-merge = True +id-length = 7 + +[pq] +patch-numbers = False diff -Nru xmltooling-1.5.3/debian/patches/CVE-2015-0851-crash-on-well-formed-but-invalid-XML.patch xmltooling-1.5.3/debian/patches/CVE-2015-0851-crash-on-well-formed-but-invalid-XML.patch --- xmltooling-1.5.3/debian/patches/CVE-2015-0851-crash-on-well-formed-but-invalid-XML.patch 1970-01-01 00:00:00.000000000 +0000 +++ xmltooling-1.5.3/debian/patches/CVE-2015-0851-crash-on-well-formed-but-invalid-XML.patch 2018-01-12 10:51:12.000000000 +0000 
@@ -0,0 +1,48 @@
+From: Scott Cantor
+Date: Fri, 12 Jan 2018 11:31:17 +0100
+Subject: CVE-2015-0851: crash on well-formed but invalid XML
+
+---
+ xmltooling/base.h | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/xmltooling/base.h b/xmltooling/base.h
+index 0393062..c55b5d1 100644
+--- a/xmltooling/base.h
++++ b/xmltooling/base.h
+@@ -811,7 +811,16 @@
+ XMLCh* m_##proper; \
+ public: \
+ pair get##proper() const { \
+- return make_pair((m_##proper!=nullptr),(m_##proper!=nullptr ? xercesc::XMLString::parseInt(m_##proper): 0)); \
++ if (m_##proper) { \
++ try { \
++ return std::make_pair(true, xercesc::XMLString::parseInt(m_##proper)); \
++ } \
++ catch (...) { \
++ return std::make_pair(true, 0); \
++ } \
++ } else { \
++ return std::make_pair(false, 0); \
++ } \
+ } \
+ void set##proper(const XMLCh* proper) { \
+ m_##proper = prepareForAssignment(m_##proper,proper); \
+@@ -1369,7 +1378,16 @@
+ #define DECL_INTEGER_CONTENT(proper) \
+ XMLTOOLING_DOXYGEN(Returns proper in integer form after a NULL indicator.) \
+ std::pair get##proper() const { \
+- return std::make_pair((getTextContent()!=nullptr), (getTextContent()!=nullptr ? xercesc::XMLString::parseInt(getTextContent()) : 0)); \
++ if (getTextContent()) { \
++ try { \
++ return std::make_pair(true, xercesc::XMLString::parseInt(getTextContent())); \
++ } \
++ catch (...) { \
++ return std::make_pair(true, 0); \
++ } \
++ } else { \
++ return std::make_pair(false, 0); \
++ } \
+ } \
+ XMLTOOLING_DOXYGEN(Sets proper.) \
+ void set##proper(int proper) { \
diff -Nru xmltooling-1.5.3/debian/patches/CVE-2018-0486-vulnerability-to-forged-user-attribute-data.patch xmltooling-1.5.3/debian/patches/CVE-2018-0486-vulnerability-to-forged-user-attribute-data.patch
--- xmltooling-1.5.3/debian/patches/CVE-2018-0486-vulnerability-to-forged-user-attribute-data.patch 1970-01-01 00:00:00.000000000 +0000
+++ xmltooling-1.5.3/debian/patches/CVE-2018-0486-vulnerability-to-forged-user-attribute-data.patch 2018-01-12 10:51:12.000000000 +0000
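Review bot: Both get##proper bodies in this patch map a parse failure to `std::make_pair(true, 0)`, so content that is present but not an integer becomes indistinguishable from a genuine value of 0 for any caller that only checks the boolean, and the `catch (...)` also swallows whatever else parseInt might throw. Since the changelog says this is the upstream 1.5.5 fix for CVE-2015-0851, diverging from it in the Debian patch is probably not wanted, but the behaviour is surprising enough that the DEP-3 header should state it, e.g. append to the description `Unparseable integer content is reported as (true, 0) instead of throwing; callers must not treat 0 as proof of a valid value.` The macros are re-homed from debian-changes unchanged, so the same applies to the copy removed further down.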
@@ -0,0 +1,38 @@
+From: Scott Cantor
+Date: Wed, 10 Jan 2018 12:20:07 -0500
+Subject: CVE-2018-0486: vulnerability to forged user attribute data
+
+The Service Provider software relies on a generic XML parser to process
+SAML responses and there are limitations in older versions of the parser
+that make it impossible to fully disable Document Type Definition (DTD)
+processing.
+
+Through addition/manipulation of a DTD, it's possible to make changes
+to an XML document that do not break a digital signature but are
+mishandled by the SP and its libraries. These manipulations can alter
+the user data passed through to applications behind the SP and result
+in impersonation attacks and exposure of protected information.
+
+While the use of XML Encryption can serve as a mitigation for this bug,
+it may still be possible to construct attacks in such cases, and the SP
+does not provide a means to enforce its use.
+
+CPPXT-127 - Block entity reference nodes during unmarshalling.
+https://issues.shibboleth.net/jira/browse/CPPXT-127
+---
+ xmltooling/io/AbstractXMLObjectUnmarshaller.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp b/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
+index ae2709e..487348e 100644
+--- a/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
++++ b/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
+@@ -206,6 +206,8 @@ void AbstractXMLObjectUnmarshaller::unmarshallContent(const DOMElement* domEleme
+ else if (childNode->getNodeType() == DOMNode::TEXT_NODE || childNode->getNodeType() == DOMNode::CDATA_SECTION_NODE) {
+ m_log.debug("processing text content at position (%d)", position);
+ setTextContent(childNode->getNodeValue(), position);
++ } else if (childNode->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE || childNode->getNodeType() == DOMNode::ENTITY_NODE) {
++ throw UnmarshallingException("Unmarshaller found Entity/Reference node.");
+ }
+
+ childNode = childNode->getNextSibling();
diff
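Review bot: The new else-if in unmarshallContent only rejects children the DOM still exposes as ENTITY_REFERENCE_NODE or ENTITY_NODE; if the parser has already expanded a general entity, the substituted text presumably arrives as a TEXT_NODE and is accepted by the branch just above, so the protection is only as strong as the parser's entity-expansion settings, which this hunk does not show and which should be confirmed against the xerces configuration used by the SP. The intent deserves a comment on the new branch so it is not "simplified" away later: `// CVE-2018-0486 (CPPXT-127): a DTD-supplied entity can alter content without invalidating the signature, so fail closed instead of expanding it.` It would also help triage to log the node type and position before throwing, mirroring the m_log.debug call in the text branch, since the fixed message "Unmarshaller found Entity/Reference node." does not say which of the two node types was hit. unmarshallContent starts before the hunk and continues after it.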
-Nru xmltooling-1.5.3/debian/patches/debian-changes xmltooling-1.5.3/debian/patches/debian-changes
--- xmltooling-1.5.3/debian/patches/debian-changes 2015-07-30 09:46:51.000000000 +0000
+++ xmltooling-1.5.3/debian/patches/debian-changes 1970-01-01 00:00:00.000000000 +0000
@@ -1,49 +0,0 @@
-Subject: Collected Debian patches for xmltooling
-Author: Russ Allbery
-
-The packaging for xmltooling is maintained in Git using multiple
-branches for fixes, which makes it complex to separate the changes
-into individual patches. They are therefore all included in a single
-Debian patch.
-
-For full commit history and separated commits, see the packaging Git
-repository.
-
---- xmltooling-1.5.3.orig/xmltooling/base.h
-+++ xmltooling-1.5.3/xmltooling/base.h
-@@ -811,7 +811,16 @@
- XMLCh* m_##proper; \
- public: \
- pair get##proper() const { \
-- return make_pair((m_##proper!=nullptr),(m_##proper!=nullptr ? xercesc::XMLString::parseInt(m_##proper): 0)); \
-+ if (m_##proper) { \
-+ try { \
-+ return std::make_pair(true, xercesc::XMLString::parseInt(m_##proper)); \
-+ } \
-+ catch (...) { \
-+ return std::make_pair(true, 0); \
-+ } \
-+ } else { \
-+ return std::make_pair(false, 0); \
-+ } \
- } \
- void set##proper(const XMLCh* proper) { \
- m_##proper = prepareForAssignment(m_##proper,proper); \
-@@ -1369,7 +1378,16 @@
- #define DECL_INTEGER_CONTENT(proper) \
- XMLTOOLING_DOXYGEN(Returns proper in integer form after a NULL indicator.) \
- std::pair get##proper() const { \
-- return std::make_pair((getTextContent()!=nullptr), (getTextContent()!=nullptr ? xercesc::XMLString::parseInt(getTextContent()) : 0)); \
-+ if (getTextContent()) { \
-+ try { \
-+ return std::make_pair(true, xercesc::XMLString::parseInt(getTextContent())); \
-+ } \
-+ catch (...) { \
-+ return std::make_pair(true, 0); \
-+ } \
-+ } else { \
-+ return std::make_pair(false, 0); \
-+ } \
- } \
- XMLTOOLING_DOXYGEN(Sets proper.) \
- void set##proper(int proper) { \
diff -Nru xmltooling-1.5.3/debian/patches/series xmltooling-1.5.3/debian/patches/series
--- xmltooling-1.5.3/debian/patches/series 2015-07-30 09:46:51.000000000 +0000
+++ xmltooling-1.5.3/debian/patches/series 2018-01-12 10:51:12.000000000 +0000
@@ -1 +1,2 @@
-debian-changes
+CVE-2015-0851-crash-on-well-formed-but-invalid-XML.patch
+CVE-2018-0486-vulnerability-to-forged-user-attribute-data.patch