debian/changelog

xerces-c (3.1.1-5.1+deb8u4build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian

 -- Mike Salvatore Thu, 06 Dec 2018 11:09:03 -0500

xerces-c (3.1.1-5.1+deb8u4) jessie; urgency=medium

  * Fix CVE-2017-12627: Alberto Garcia, Francisco Oca and Suleman Ali of
    Offensive Research discovered that the Xerces-C XML parser mishandles
    certain kinds of external DTD references, resulting in dereference of
    a NULL pointer while processing the path to the DTD. The bug allows
    for a denial of service attack in applications that allow DTD
    processing and do not prevent external DTD usage, and could
    conceivably result in remote code execution.

 -- William Blough Thu, 26 Apr 2018 00:28:32 -0400

xerces-c (3.1.1-5.1+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2016-4463: Apache Xerces-C XML Parser Crashes on Malformed DTD
    (Closes: #828990)
  * Enable the ability to disable DTD processing through the use of an env
    variable
  * Add NEWS.Debian entry to document the XERCES_DISABLE_DTD variable

 -- Salvatore Bonaccorso Tue, 28 Jun 2016 16:53:20 +0200

xerces-c (3.1.1-5.1+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2016-2099: Use-after-free in heap on specially crafted XML input
    (Closes: #823863)

 -- Salvatore Bonaccorso Sat, 14 May 2016 05:45:10 +0200

xerces-c (3.1.1-5.1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2016-0729: Buffer overflows during processing and error reporting

 -- Salvatore Bonaccorso Wed, 24 Feb 2016 19:25:29 +0100

xerces-c (3.1.1-5.1) unstable; urgency=high

  * Non-maintainer upload.
  * Add CVE-2015-0252.patch patch.
    CVE-2015-0252: Apache Xerces-C XML parser crashes on malformed input.
    (Closes: #780827)

 -- Salvatore Bonaccorso Fri, 20 Mar 2015 19:40:31 +0100

xerces-c (3.1.1-5) unstable; urgency=medium

  * Apply upstream patch for PATH_MAX to enable compilation on GNU hurd.
    (Closes: #636568)

 -- Jay Berkenbilt Wed, 08 Jan 2014 15:48:01 -0500

xerces-c (3.1.1-4) unstable; urgency=low

  * Update standards version to 3.9.5. Opting for shlibs files because of
    C++ interface. No changes required.
  * Depend on dh-autoreconf. (Closes: #733024)

 -- Jay Berkenbilt Tue, 24 Dec 2013 20:59:37 -0500

xerces-c (3.1.1-3) unstable; urgency=low

  * Update standards version to 3.9.3.
  * Enable hardening flags
  * Multiarch

 -- Jay Berkenbilt Fri, 29 Jun 2012 21:15:58 -0400

xerces-c (3.1.1-2) unstable; urgency=low

  * Stop installing .la files since no reverse dependencies are using them
    anymore. (Closes: #657663)
  * Update standards version to 3.9.2. No changes required.

 -- Jay Berkenbilt Sat, 28 Jan 2012 10:15:59 -0500

xerces-c (3.1.1-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt Sat, 01 May 2010 08:39:53 -0400

xerces-c (3.1.0-3) unstable; urgency=low

  * Invoke configure with --disable-sse2 to disable sse2 extensions on
    platforms for which they are not enabled by default. This enables
    xerces-c to work on older ix86 processors in particular. This does
    not disable sse2 extensions on systems for which they are enabled by
    default, such as amd64 and ia64. (Closes: #574857)

 -- Jay Berkenbilt Fri, 09 Apr 2010 22:11:54 -0400

xerces-c (3.1.0-2) unstable; urgency=low

  * Fix importNode so that it works with xmlns=""; patch from upstream.
    (Closes: #572293)

 -- Jay Berkenbilt Sat, 06 Mar 2010 12:44:16 -0500

xerces-c (3.1.0-1) unstable; urgency=low

  * New upstream release
  * Updated standards version to 3.8.4. No changes required.

 -- Jay Berkenbilt Sat, 06 Feb 2010 16:46:23 -0500

xerces-c (3.1.0~rc1-1) unstable; urgency=low

  * New upstream release; public release candidate uploaded at request of
    upstream.
  * Updated source format to '3.0 (quilt)'

 -- Jay Berkenbilt Sat, 05 Dec 2009 14:58:32 -0500

xerces-c (3.0.1-2) unstable; urgency=low

  * Add dependency for libxerces-c-dev on libicu-dev. (Closes: #540964)
  * Update standards to 3.8.3. No changes required.
  * Apply patch to correct CVE-2009-1885: DoS attack from nested DTDs.
    (Closes: #540297)

 -- Jay Berkenbilt Fri, 21 Aug 2009 17:47:51 -0400

xerces-c (3.0.1-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt Sun, 22 Feb 2009 16:52:23 -0500

xerces-c (3.0.0-1) experimental; urgency=low

  * New upstream release

 -- Jay Berkenbilt Fri, 03 Oct 2008 18:24:57 -0400

xerces-c (3.0.0~b2-1) experimental; urgency=low

  * New upstream release
  * Stopped using tarball in tarball, switched patchsys to quilt, and
    created README.source. Updated standards version to 3.8.0.

 -- Jay Berkenbilt Sat, 02 Aug 2008 09:12:24 -0400

xerces-c (3.0.0~b1-6) experimental; urgency=low

  * Regenerate Makefile.in from patched Makefile.am.

 -- Jay Berkenbilt Tue, 24 Jun 2008 10:56:57 -0400

xerces-c (3.0.0~b1-5) experimental; urgency=low

  * Add another change from upstream to address ICU-related failures.
  * Replace Apache License with reference to file in common-licenses.

 -- Jay Berkenbilt Mon, 23 Jun 2008 10:43:50 -0400

xerces-c (3.0.0~b1-4) experimental; urgency=low

  * Pull in all changes from upstream svn. See if this addresses ongoing
    build failures.

 -- Jay Berkenbilt Sat, 03 May 2008 09:46:49 -0400

xerces-c (3.0.0~b1-3) experimental; urgency=low

  * Fix signature of main. (Closes: #478418)

 -- Jay Berkenbilt Mon, 28 Apr 2008 22:14:15 -0400

xerces-c (3.0.0~b1-2) experimental; urgency=low

  * Apply patch from upstream to handle ICU makefile's use of .o or .ao
    for non-PIC object files on various platforms. (Closes: #474756)

 -- Jay Berkenbilt Sun, 27 Apr 2008 21:01:48 -0400

xerces-c (3.0.0~b1-1) experimental; urgency=low

  * Initial release of re-organized xerces packages. Going forward, any
    given debian release will contain only one version of xerces-c at any
    given major version number. This source package, xerces-c, will
    always correspond to the latest version.

 -- Jay Berkenbilt Sat, 22 Mar 2008 11:23:13 -0400

debian/compat

9

debian/rules

#!/usr/bin/make -f

# Enable all hardening options.
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk

VERSION := $(shell dpkg-parsechangelog | \
   awk '/Version:/ {print $$2}' | cut -d- -f 1 | sed -e 's/~/./g')

# Variables used by cdbs
DEB_TAR_SRCDIR = xerces-c-$(VERSION)
DEB_COMPRESS_EXCLUDE = examples html

# Include cdbs rules files.
include /usr/share/cdbs/1/rules/debhelper.mk
include /usr/share/cdbs/1/class/autotools.mk
include /usr/share/cdbs/1/rules/autoreconf.mk

# This disables explicit passing of -msse2 to gcc. It does not
# actually disable sse2 extensions for platforms such as x86_64
# (amd64) which enable sse2 extensions by default.
DEB_CONFIGURE_EXTRA_FLAGS = --disable-sse2 DEB_CONFIGURE_USER_FLAGS = --libdir="\$${prefix}/lib/$(DEB_HOST_MULTIARCH)" clean:: $(RM) *.cdbs-config_list $(RM) debian/stamp-samples post-patches:: debian/stamp-samples debian/stamp-samples: -$(RM) -r $(DEB_SRCDIR)/samples.clean cp -a $(DEB_SRCDIR)/samples $(DEB_SRCDIR)/samples.clean touch debian/stamp-samples install/libxerces-c-dev:: mkdir -p debian/tmp/usr/share/doc/libxerces-c-dev cp -a $(DEB_SRCDIR)/samples.clean \ debian/tmp/usr/share/doc/libxerces-c-dev/examples install/libxerces-c-doc:: mkdir -p debian/tmp/usr/share/doc/libxerces-c-doc cp -a $(DEB_SRCDIR)/doc/html \ debian/tmp/usr/share/doc/libxerces-c-doc/html install/libxerces-c-samples:: perl debian/misc/create_missing_manual_pages debian/patches/0000755000000000000000000000000013270252560010617 5ustar debian/patches/series0000644000000000000000000000025213270252560012033 0ustar hurd-path-max.patch CVE-2015-0252.patch CVE-2016-0729.patch CVE-2016-2099.patch CVE-2016-4463.patch disable-DTD-processing-through-envvariable.patch CVE-2017-12627.patch debian/patches/hurd-path-max.patch0000644000000000000000000001274613270252560014331 0ustar Description: check for PATH_MAX Bug: https://issues.apache.org/jira/browse/XERCESC-1998 Bug-Debian: http://bugs.debian.org/636568 Origin: upstream, http://svn.apache.org/viewvc/xerces/c/trunk/src/xercesc/util/FileManagers/PosixFileMgr.cpp?r1=673975&r2=1478186&pathrev=1478186&view=patch Index: xerces-c/src/xercesc/util/FileManagers/PosixFileMgr.cpp =================================================================== --- xerces-c.orig/src/xercesc/util/FileManagers/PosixFileMgr.cpp 2014-01-08 15:44:25.211067958 -0500 +++ xerces-c/src/xercesc/util/FileManagers/PosixFileMgr.cpp 2014-01-08 15:44:25.207067926 -0500 @@ -19,9 +19,16 @@ * $Id: PosixFileMgr.cpp 673975 2008-07-04 09:23:56Z borisk $ */ +#include #include + +#if HAVE_UNISTD_H #include +#endif + +#if HAVE_LIMITS_H #include +#endif #include 
@@ -74,7 +81,7 @@ PosixFileMgr::fileClose(FileHandle f, MemoryManager* const manager) { if (!f) - ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::CPtr_PointerIsZero, manager); + ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::CPtr_PointerIsZero, manager); if (fclose((FILE*)f)) ThrowXMLwithMemMgr(XMLPlatformUtilsException, @@ -86,7 +93,7 @@ PosixFileMgr::fileReset(FileHandle f, MemoryManager* const manager) { if (!f) - ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::CPtr_PointerIsZero, manager); + ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::CPtr_PointerIsZero, manager); // Seek to the start of the file if (fseek((FILE*)f, 0, SEEK_SET)) @@ -99,7 +106,7 @@ PosixFileMgr::curPos(FileHandle f, MemoryManager* const manager) { if (!f) - ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::CPtr_PointerIsZero, manager); + ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::CPtr_PointerIsZero, manager); long curPos = ftell((FILE*)f); @@ -114,7 +121,7 @@ PosixFileMgr::fileSize(FileHandle f, MemoryManager* const manager) { if (!f) - ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::CPtr_PointerIsZero, manager); + ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::CPtr_PointerIsZero, manager); // Get the current position long curPos = ftell((FILE*)f); 
@@ -141,16 +148,16 @@ PosixFileMgr::fileRead(FileHandle f, XMLSize_t byteCount, XMLByte* buffer, MemoryManager* const manager) { if (!f || !buffer) - ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::CPtr_PointerIsZero, manager); + ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::CPtr_PointerIsZero, manager); XMLSize_t bytesRead = 0; - if (byteCount > 0) - { - bytesRead = fread((void*)buffer, 1, byteCount, (FILE*)f); - - if (ferror((FILE*)f)) - ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::File_CouldNotReadFromFile, manager); - } + if (byteCount > 0) + { + bytesRead = fread((void*)buffer, 1, byteCount, (FILE*)f); + + if (ferror((FILE*)f)) + ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::File_CouldNotReadFromFile, manager); + } return bytesRead; } @@ -160,17 +167,17 @@ PosixFileMgr::fileWrite(FileHandle f, XMLSize_t byteCount, const XMLByte* buffer, MemoryManager* const manager) { if (!f || !buffer) - ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::CPtr_PointerIsZero, manager); + ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::CPtr_PointerIsZero, manager); while (byteCount > 0) { XMLSize_t bytesWritten = fwrite(buffer, sizeof(XMLByte), byteCount, (FILE*)f); if (ferror((FILE*)f)) - ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::File_CouldNotWriteToFile, manager); + ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::File_CouldNotWriteToFile, manager); - buffer += bytesWritten; - byteCount -= bytesWritten; + buffer += bytesWritten; + byteCount -= bytesWritten; } } 
@@ -186,28 +193,47 @@ char* newSrc = XMLString::transcode(srcPath, manager); ArrayJanitor janText(newSrc, manager); +#if HAVE_PATH_MAX // Use a local buffer that is big enough for the largest legal path char absPath[PATH_MAX + 1]; // get the absolute path if (!realpath(newSrc, absPath)) - ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::File_CouldNotGetBasePathName, manager); + ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::File_CouldNotGetBasePathName, manager); - return XMLString::transcode(absPath, manager); + XMLCh* ret = XMLString::transcode(absPath, manager); +#else + // get the absolute path + char *absPath = realpath(newSrc, NULL); + if(!absPath) + ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::File_CouldNotGetBasePathName, manager); + + XMLCh* ret = XMLString::transcode(absPath, manager); + free(absPath); +#endif + return ret; } XMLCh* PosixFileMgr::getCurrentDirectory(MemoryManager* const manager) { +#if HAVE_PATH_MAX char dirBuf[PATH_MAX + 2]; char *curDir = getcwd(&dirBuf[0], PATH_MAX + 1); +#else + char *curDir = getcwd(NULL, 0); +#endif if (!curDir) ThrowXMLwithMemMgr(XMLPlatformUtilsException, XMLExcepts::File_CouldNotGetBasePathName, manager); - return XMLString::transcode(curDir, manager); + XMLCh* ret = XMLString::transcode(curDir, manager); +#if !HAVE_PATH_MAX + free(curDir); +#endif + return ret; } debian/patches/CVE-2016-2099.patch0000644000000000000000000000207113270252560013244 0ustar Description: CVE-2016-2099: Use-after-free in heap on specially crafted XML input Origin: upstream, https://issues.apache.org/jira/browse/XERCESC-2066 Bug: https://issues.apache.org/jira/browse/XERCESC-2066 Bug-Debian: https://bugs.debian.org/823863 Forwarded: not-needed Author: Salvatore Bonaccorso Reviewed-by: Salvatore Bonaccorso Last-Update: 2016-05-14 --- --- a/src/xercesc/validators/DTD/DTDScanner.cpp +++ b/src/xercesc/validators/DTD/DTDScanner.cpp 
@@ -2509,7 +2509,15 @@ void DTDScanner::scanExtSubsetDecl(const { while (true) { - const XMLCh nextCh = fReaderMgr->peekNextChar(); + XMLCh nextCh; + + try { + nextCh = fReaderMgr->peekNextChar(); + } + catch (XMLException& ex) { + fScanner->emitError(XMLErrs::XMLException_Fatal, ex.getCode(), ex.getMessage(), NULL, NULL); + nextCh = chNull; + } if (!nextCh) { debian/patches/disable-DTD-processing-through-envvariable.patch0000644000000000000000000000235113270252560022001 0ustar Description: Disable DTD processing through the use of an env variable XERCES_DISABLE_DTD set to "1" will cause the scanner to report a fatal error if a DTD is seen. Existing applications won't see any change. Origin: upstream, http://svn.apache.org/r1747620 Bug: https://issues.apache.org/jira/browse/XERCESC-2070 Forwarded: not-needed Author: Scott Cantor Last-Update: 2016-06-28 --- a/src/xercesc/internal/XMLScanner.cpp +++ b/src/xercesc/internal/XMLScanner.cpp @@ -1270,8 +1270,15 @@ void XMLScanner::scanProlog() if (sawDocTypeDecl) { emitError(XMLErrs::DuplicateDocTypeDecl); } - scanDocTypeDecl(); - sawDocTypeDecl = true; + + const char* envvar = getenv("XERCES_DISABLE_DTD"); + if (envvar && !strcmp(envvar, "1")) { + emitError(XMLErrs::InvalidDocumentStructure); + } + else { + scanDocTypeDecl(); + sawDocTypeDecl = true; + } // if reusing grammar, this has been validated already in first scan // skip for performance debian/patches/CVE-2015-0252.patch0000644000000000000000000000505713270252560013237 0ustar Description: CVE-2015-0252: Apache Xerces-C XML Parser Crashes on Malformed Input The Xerces-C XML parser mishandles certain kinds of malformed input documents, resulting in a segmentation fault during a parse operation. Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1667870 Bug-Debian: https://bugs.debian.org/780827 Forwarded: not-needed Author: Salvatore Bonaccorso Last-Update: 2015-03-12 Applied-Upstream: 3.1.2 --- a/src/xercesc/internal/XMLReader.cpp 
+++ b/src/xercesc/internal/XMLReader.cpp @@ -1460,6 +1460,17 @@ void XMLReader::doInitDecode() while (fRawBufIndex < fRawBytesAvail) { + // Security fix: make sure there are at least sizeof(UCS4Ch) bytes to consume. + if (fRawBufIndex + sizeof(UCS4Ch) > fRawBytesAvail) { + ThrowXMLwithMemMgr1 + ( + TranscodingException + , XMLExcepts::Reader_CouldNotDecodeFirstLine + , fSystemId + , fMemoryManager + ); + } + // Get out the current 4 byte value and inc our raw buf index UCS4Ch curVal = *asUCS++; fRawBufIndex += sizeof(UCS4Ch); @@ -1619,6 +1630,17 @@ void XMLReader::doInitDecode() while (fRawBufIndex < fRawBytesAvail) { + // Security fix: make sure there are at least sizeof(UTF16Ch) bytes to consume. + if (fRawBufIndex + sizeof(UTF16Ch) > fRawBytesAvail) { + ThrowXMLwithMemMgr1 + ( + TranscodingException + , XMLExcepts::Reader_CouldNotDecodeFirstLine + , fSystemId + , fMemoryManager + ); + } + // Get out the current 2 byte value UTF16Ch curVal = *asUTF16++; fRawBufIndex += sizeof(UTF16Ch); @@ -1708,6 +1730,17 @@ void XMLReader::doInitDecode() // void XMLReader::refreshRawBuffer() { + // Security fix: make sure we don't underflow on the subtraction. + if (fRawBufIndex > fRawBytesAvail) { + ThrowXMLwithMemMgr1 + ( + RuntimeException + , XMLExcepts::Str_StartIndexPastEnd + , fSystemId + , fMemoryManager + ); + } + // // If there are any bytes left, move them down to the start. There // should only ever be (max bytes per char - 1) at the most. debian/patches/CVE-2017-12627.patch0000644000000000000000000000165613270252560013333 0ustar From: Markus Koschany Date: Thu, 29 Mar 2018 20:58:48 +0200 Subject: CVE-2017-12627 Origin: https://svn.apache.org/viewvc?view=revision&revision=1819998 Upstream-Advisory: https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt --- src/xercesc/util/PlatformUtils.cpp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/xercesc/util/PlatformUtils.cpp b/src/xercesc/util/PlatformUtils.cpp index eee1dc5..39c71ac 100644 
--- a/src/xercesc/util/PlatformUtils.cpp +++ b/src/xercesc/util/PlatformUtils.cpp @@ -920,7 +920,10 @@ XMLCh* XMLPlatformUtils::weavePaths(const XMLCh* const basePath XMLString::subString(tmpBuf, basePath, 0, (basePtr - basePath + 1), manager); tmpBuf[basePtr - basePath + 1] = 0; - XMLString::catString(tmpBuf, relativePath); + if (relativePath) + { + XMLString::catString(tmpBuf, relativePath); + } removeDotSlash(tmpBuf, manager); debian/patches/CVE-2016-0729.patch0000644000000000000000000004216013270252560013245 0ustar Description: CVE-2016-0729: Buffer overlows during processing and error reporting Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1727978 Forwarded: not-needed Author: Scott Cantor Reviewed-by: Salvatore Bonaccorso Last-Update: 2016-02-24 Applied-Upstream: 3.1.3 --- a/src/xercesc/internal/XMLReader.cpp +++ b/src/xercesc/internal/XMLReader.cpp @@ -1460,8 +1460,30 @@ void XMLReader::doInitDecode() while (fRawBufIndex < fRawBytesAvail) { - // Security fix: make sure there are at least sizeof(UCS4Ch) bytes to consume. + // Make sure there are at least sizeof(UCS4Ch) bytes to consume. if (fRawBufIndex + sizeof(UCS4Ch) > fRawBytesAvail) { + fCharsAvail = 0; + fRawBufIndex = 0; + fMemoryManager->deallocate(fPublicId); + fMemoryManager->deallocate(fEncodingStr); + ArrayJanitor janValue(fSystemId, fMemoryManager); + ThrowXMLwithMemMgr1 + ( + TranscodingException + , XMLExcepts::Reader_CouldNotDecodeFirstLine + , fSystemId + , fMemoryManager + ); + } + + // Make sure we don't exhaust the limited prolog buffer size. + // Leave room for a space added at the end of this function. + if (fCharsAvail == kCharBufSize - 1) { + fCharsAvail = 0; + fRawBufIndex = 0; + fMemoryManager->deallocate(fPublicId); + fMemoryManager->deallocate(fEncodingStr); + ArrayJanitor janValue(fSystemId, fMemoryManager); ThrowXMLwithMemMgr1 ( TranscodingException 
@@ -1547,6 +1569,23 @@ void XMLReader::doInitDecode() const char curCh = *asChars++; fRawBufIndex++; + // Make sure we don't exhaust the limited prolog buffer size. + // Leave room for a space added at the end of this function. + if (fCharsAvail == kCharBufSize - 1) { + fCharsAvail = 0; + fRawBufIndex = 0; + fMemoryManager->deallocate(fPublicId); + fMemoryManager->deallocate(fEncodingStr); + ArrayJanitor janValue(fSystemId, fMemoryManager); + ThrowXMLwithMemMgr1 + ( + TranscodingException + , XMLExcepts::Reader_CouldNotDecodeFirstLine + , fSystemId + , fMemoryManager + ); + } + // Looks ok, so store it fCharSizeBuf[fCharsAvail] = 1; fCharBuf[fCharsAvail++] = XMLCh(curCh); @@ -1630,8 +1669,30 @@ void XMLReader::doInitDecode() while (fRawBufIndex < fRawBytesAvail) { - // Security fix: make sure there are at least sizeof(UTF16Ch) bytes to consume. + // Make sure there are at least sizeof(UTF16Ch) bytes to consume. if (fRawBufIndex + sizeof(UTF16Ch) > fRawBytesAvail) { + fCharsAvail = 0; + fRawBufIndex = 0; + fMemoryManager->deallocate(fPublicId); + fMemoryManager->deallocate(fEncodingStr); + ArrayJanitor janValue(fSystemId, fMemoryManager); + ThrowXMLwithMemMgr1 + ( + TranscodingException + , XMLExcepts::Reader_CouldNotDecodeFirstLine + , fSystemId + , fMemoryManager + ); + } + + // Make sure we don't exhaust the limited prolog buffer size. + // Leave room for a space added at the end of this function. + if (fCharsAvail == kCharBufSize - 1) { + fCharsAvail = 0; + fRawBufIndex = 0; + fMemoryManager->deallocate(fPublicId); + fMemoryManager->deallocate(fEncodingStr); + ArrayJanitor janValue(fSystemId, fMemoryManager); ThrowXMLwithMemMgr1 ( TranscodingException 
@@ -1676,6 +1737,24 @@ void XMLReader::doInitDecode() const XMLCh chCur = XMLEBCDICTranscoder::xlatThisOne(*srcPtr++); fRawBufIndex++; + // Make sure we don't exhaust the limited prolog buffer size. + // Leave room for a space added at the end of this function. + if (fCharsAvail == kCharBufSize - 1) { + fCharsAvail = 0; + fRawBufIndex = 0; + fMemoryManager->deallocate(fPublicId); + fMemoryManager->deallocate(fEncodingStr); + ArrayJanitor janValue(fSystemId, fMemoryManager); + ThrowXMLwithMemMgr1 + ( + TranscodingException + , XMLExcepts::Reader_CouldNotDecodeFirstLine + , fSystemId + , fMemoryManager + ); + } + + // // And put it into the character buffer. This stuff has to // look like it was normally transcoded. @@ -1730,7 +1809,7 @@ void XMLReader::doInitDecode() // void XMLReader::refreshRawBuffer() { - // Security fix: make sure we don't underflow on the subtraction. + // Make sure we don't underflow on the subtraction. if (fRawBufIndex > fRawBytesAvail) { ThrowXMLwithMemMgr1 ( --- a/src/xercesc/util/XMLURL.cpp +++ b/src/xercesc/util/XMLURL.cpp @@ -611,9 +611,20 @@ BinInputStream* XMLURL::makeNewStream() while (percentIndex != -1) { - if (percentIndex+2 >= (int)end || - !isHexDigit(realPath[percentIndex+1]) || - !isHexDigit(realPath[percentIndex+2])) + // Isolate the length/boundary check so we don't try and copy off the end. + if (percentIndex+2 >= (int)end) + { + XMLCh value1[3]; + value1[1] = chNull; + value1[2] = chNull; + XMLString::moveChars(value1, &(realPath[percentIndex]), (percentIndex + 1 >= (int)end ? 1 : 2)); + ThrowXMLwithMemMgr2(MalformedURLException + , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence + , realPath + , value1 + , fMemoryManager); + } + else if (!isHexDigit(realPath[percentIndex+1]) || !isHexDigit(realPath[percentIndex+2])) { XMLCh value1[4]; XMLString::moveChars(value1, &(realPath[percentIndex]), 3); --- a/src/xercesc/util/XMLUri.cpp +++ b/src/xercesc/util/XMLUri.cpp 
@@ -875,11 +875,21 @@ void XMLUri::initializePath(const XMLCh* // check for valid escape sequence if (testChar == chPercent) { - if (index+2 >= end || - !XMLString::isHex(uriSpec[index+1]) || - !XMLString::isHex(uriSpec[index+2])) + if (index + 2 >= end) { - XMLCh value1[BUF_LEN+1]; + XMLCh value1[3]; + value1[1] = chNull; + value1[2] = chNull; + XMLString::moveChars(value1, &(uriSpec[index]), (index + 1 >= end ? 1 : 2)); + ThrowXMLwithMemMgr2(MalformedURLException + , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence + , errMsg_PATH + , value1 + , fMemoryManager); + } + else if (!XMLString::isHex(uriSpec[index+1]) || !XMLString::isHex(uriSpec[index+2])) + { + XMLCh value1[4]; XMLString::moveChars(value1, &(uriSpec[index]), 3); value1[3] = chNull; ThrowXMLwithMemMgr2(MalformedURLException @@ -892,7 +902,7 @@ void XMLUri::initializePath(const XMLCh* else if (!isUnreservedCharacter(testChar) && !isPathCharacter(testChar)) { - XMLCh value1[BUF_LEN+1]; + XMLCh value1[2]; value1[0] = testChar; value1[1] = chNull; ThrowXMLwithMemMgr2(MalformedURLException @@ -920,11 +930,21 @@ void XMLUri::initializePath(const XMLCh* // check for valid escape sequence if (testChar == chPercent) { - if (index+2 >= end || - !XMLString::isHex(uriSpec[index+1]) || - !XMLString::isHex(uriSpec[index+2])) + if (index + 2 >= end) { - XMLCh value1[BUF_LEN+1]; + XMLCh value1[3]; + value1[1] = chNull; + value1[2] = chNull; + XMLString::moveChars(value1, &(uriSpec[index]), (index + 1 >= end ? 1 : 2)); + ThrowXMLwithMemMgr2(MalformedURLException + , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence + , errMsg_PATH + , value1 + , fMemoryManager); + } + else if (!XMLString::isHex(uriSpec[index+1]) || !XMLString::isHex(uriSpec[index+2])) + { + XMLCh value1[4]; XMLString::moveChars(value1, &(uriSpec[index]), 3); value1[3] = chNull; ThrowXMLwithMemMgr2(MalformedURLException 
@@ -941,7 +961,7 @@ void XMLUri::initializePath(const XMLCh* // contains '[' and ']'. else if (!isReservedOrUnreservedCharacter(testChar)) { - XMLCh value1[BUF_LEN+1]; + XMLCh value1[2]; value1[0] = testChar; value1[1] = chNull; ThrowXMLwithMemMgr2(MalformedURLException @@ -979,11 +999,21 @@ void XMLUri::initializePath(const XMLCh* if (testChar == chPercent) { - if (index+2 >= end || - !XMLString::isHex(uriSpec[index+1]) || - !XMLString::isHex(uriSpec[index+2])) + if (index + 2 >= end) + { + XMLCh value1[3]; + value1[1] = chNull; + value1[2] = chNull; + XMLString::moveChars(value1, &(uriSpec[index]), (index + 1 >= end ? 1 : 2)); + ThrowXMLwithMemMgr2(MalformedURLException + , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence + , errMsg_QUERY + , value1 + , fMemoryManager); + } + if (!XMLString::isHex(uriSpec[index+1]) || !XMLString::isHex(uriSpec[index+2])) { - XMLCh value1[BUF_LEN+1]; + XMLCh value1[4]; XMLString::moveChars(value1, &(uriSpec[index]), 3); value1[3] = chNull; ThrowXMLwithMemMgr2(MalformedURLException @@ -995,7 +1025,7 @@ void XMLUri::initializePath(const XMLCh* } else if (!isReservedOrUnreservedCharacter(testChar)) { - XMLCh value1[BUF_LEN+1]; + XMLCh value1[2]; value1[0] = testChar; value1[1] = chNull; ThrowXMLwithMemMgr2(MalformedURLException 
@@ -1030,11 +1060,21 @@ void XMLUri::initializePath(const XMLCh* if (testChar == chPercent) { - if (index+2 >= end || - !XMLString::isHex(uriSpec[index+1]) || - !XMLString::isHex(uriSpec[index+2])) + if (index + 2 >= end) + { + XMLCh value1[3]; + value1[1] = chNull; + value1[2] = chNull; + XMLString::moveChars(value1, &(uriSpec[index]), (index + 1 >= end ? 1 : 2)); + ThrowXMLwithMemMgr2(MalformedURLException + , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence + , errMsg_FRAGMENT + , value1 + , fMemoryManager); + } + if (!XMLString::isHex(uriSpec[index+1]) || !XMLString::isHex(uriSpec[index+2])) { - XMLCh value1[BUF_LEN+1]; + XMLCh value1[4]; XMLString::moveChars(value1, &(uriSpec[index]), 3); value1[3] = chNull; ThrowXMLwithMemMgr2(MalformedURLException @@ -1046,7 +1086,7 @@ void XMLUri::initializePath(const XMLCh* } else if (!isReservedOrUnreservedCharacter(testChar)) { - XMLCh value1[BUF_LEN+1]; + XMLCh value1[2]; value1[0] = testChar; value1[1] = chNull; ThrowXMLwithMemMgr2(MalformedURLException @@ -1410,14 +1450,15 @@ void XMLUri::isConformantUserInfo(const } else if (*tmpStr == chPercent) // '%' { - if (XMLString::isHex(*(tmpStr+1)) && // 1st hex - XMLString::isHex(*(tmpStr+2)) ) // 2nd hex + if (XMLString::stringLen(tmpStr) >= 3 + && XMLString::isHex(*(tmpStr+1)) // 1st hex + && XMLString::isHex(*(tmpStr+2)) ) // 2nd hex { tmpStr+=3; } else { - XMLCh value1[BUF_LEN+1]; + XMLCh value1[4]; value1[0] = chPercent; value1[1] = *(tmpStr+1); value1[2] = *(tmpStr+2); @@ -1468,8 +1509,9 @@ bool XMLUri::isValidServerBasedAuthority } else if (userinfo[index] == chPercent) // '%' { - if (XMLString::isHex(userinfo[index+1]) && // 1st hex - XMLString::isHex(userinfo[index+2]) ) // 2nd hex + if (index + 2 < userLen + && XMLString::isHex(userinfo[index+1]) // 1st hex + && XMLString::isHex(userinfo[index+2]) ) // 2nd hex index +=3; else return false; 
@@ -1508,8 +1550,9 @@ bool XMLUri::isValidServerBasedAuthority } else if (*tmpStr == chPercent) // '%' { - if (XMLString::isHex(*(tmpStr+1)) && // 1st hex - XMLString::isHex(*(tmpStr+2)) ) // 2nd hex + if (XMLString::stringLen(tmpStr) >= 3 + && XMLString::isHex(*(tmpStr+1)) // 1st hex + && XMLString::isHex(*(tmpStr+2)) ) // 2nd hex { tmpStr+=3; } @@ -1537,8 +1580,9 @@ bool XMLUri::isValidRegistryBasedAuthori } else if (authority[index] == chPercent) // '%' { - if (XMLString::isHex(authority[index+1]) && // 1st hex - XMLString::isHex(authority[index+2]) ) // 2nd hex + if (index + 2 < authLen + && XMLString::isHex(authority[index+1]) // 1st hex + && XMLString::isHex(authority[index+2]) ) // 2nd hex index +=3; else return false; @@ -1566,8 +1610,9 @@ bool XMLUri::isValidRegistryBasedAuthori } else if (*tmpStr == chPercent) // '%' { - if (XMLString::isHex(*(tmpStr+1)) && // 1st hex - XMLString::isHex(*(tmpStr+2)) ) // 2nd hex + if (XMLString::stringLen(tmpStr) >= 3 + && XMLString::isHex(*(tmpStr + 1)) // 1st hex + && XMLString::isHex(*(tmpStr + 2))) // 2nd hex { tmpStr+=3; } @@ -1602,8 +1647,9 @@ bool XMLUri::isURIString(const XMLCh* co } else if (*tmpStr == chPercent) // '%' { - if (XMLString::isHex(*(tmpStr+1)) && // 1st hex - XMLString::isHex(*(tmpStr+2)) ) // 2nd hex + if (XMLString::stringLen(tmpStr) >=3 + && XMLString::isHex(*(tmpStr+1)) // 1st hex + && XMLString::isHex(*(tmpStr+2)) ) // 2nd hex { tmpStr+=3; } debian/patches/CVE-2016-4463.patch0000644000000000000000000000455313270252560013250 0ustar Description: CVE-2016-4463: Apache Xerces-C XML Parser Crashes on Malformed DTD Origin: upstream, https://svn.apache.org/r1747619 Bug: https://issues.apache.org/jira/browse/XERCESC-2069 Forwarded: not-needed Author: Scott Cantor Last-Update: 2016-06-28 --- a/src/xercesc/validators/DTD/DTDScanner.cpp +++ b/src/xercesc/validators/DTD/DTDScanner.cpp 
@@ -44,6 +44,8 @@ XERCES_CPP_NAMESPACE_BEGIN +#define CONTENTSPEC_DEPTH_LIMIT 1000 + // --------------------------------------------------------------------------- // Local methods // --------------------------------------------------------------------------- @@ -1038,8 +1040,13 @@ bool DTDScanner::scanCharRef(XMLCh& firs ContentSpecNode* -DTDScanner::scanChildren(const DTDElementDecl& elemDecl, XMLBuffer& bufToUse) +DTDScanner::scanChildren(const DTDElementDecl& elemDecl, XMLBuffer& bufToUse, unsigned int& depth) { + if (depth++ > CONTENTSPEC_DEPTH_LIMIT) { + fScanner->emitError(XMLErrs::UnterminatedDOCTYPE); + return 0; + } + // Check for a PE ref here, but don't require spaces checkForPERef(false, true); @@ -1240,7 +1247,7 @@ DTDScanner::scanChildren(const DTDElemen // Recurse to handle this new guy ContentSpecNode* subNode; try { - subNode = scanChildren(elemDecl, bufToUse); + subNode = scanChildren(elemDecl, bufToUse, depth); } catch (const XMLErrs::Codes) { @@ -1577,7 +1584,8 @@ bool DTDScanner::scanContentSpec(DTDElem // toFill.setModelType(DTDElementDecl::Children); XMLBufBid bbTmp(fBufMgr); - ContentSpecNode* resNode = scanChildren(toFill, bbTmp.getBuffer()); + unsigned int depth = 0; + ContentSpecNode* resNode = scanChildren(toFill, bbTmp.getBuffer(), depth); status = (resNode != 0); if (status) toFill.setContentSpec(resNode); --- a/src/xercesc/validators/DTD/DTDScanner.hpp +++ b/src/xercesc/validators/DTD/DTDScanner.hpp 
@@ -143,6 +143,7 @@ private: ( const DTDElementDecl& elemDecl , XMLBuffer& bufToUse + , unsigned int& depth ); bool scanCharRef(XMLCh& toFill, XMLCh& second); void scanComment(); debian/control0000644000000000000000000000466613270252560010607 0ustar Source: xerces-c Section: libs Priority: optional Build-Depends: cdbs (>= 0.4.106~), debhelper (>> 9), dpkg-dev (>= 1.16.1~), libicu-dev, cdbs, dh-autoreconf Maintainer: Jay Berkenbilt Standards-Version: 3.9.5 Package: libxerces-c3.1 Architecture: any Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Depends: ${misc:Depends}, ${shlibs:Depends} Description: validating XML parser library for C++ Xerces-C++ is a validating XML parser written in a portable subset of C++. Xerces-C++ makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C++ is faithful to the XML 1.0 recommendation and associated standards (DOM 1.0, DOM 2.0, SAX 1.0, SAX 2.0, Namespaces, XML Schema Part 1 and Part 2). It also provides experimental implementations of XML 1.1 and DOM Level 3.0. The parser provides high performance, modularity, and scalability. Package: libxerces-c-dev Section: libdevel Provides: libxerces-c3-dev Architecture: any Depends: ${misc:Depends}, libxerces-c3.1 (= ${binary:Version}), libicu-dev, libc6-dev | libc-dev Conflicts: libxerces25-dev, libxerces26-dev, libxerces27-dev, libxerces28-dev, libxerces-c2-dev Suggests: libxerces-c-doc Description: validating XML parser library for C++ (development files) Xerces-C++ is a validating XML parser written in a portable subset of C++. This package contains the development files for Xerces. It also contains sources to various sample files. The libxerces-c-samples package contains compiled versions of the samples. 
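Review bot: in the `#else` branch of the `@@ -186,28 +193,47 @@` hunk of hurd-path-max.patch, the buffer returned by `realpath(newSrc, NULL)` is freed only after `XMLString::transcode(absPath, manager)` returns, so it leaks if `transcode` throws; the same applies to the `getcwd(NULL, 0)` result in `getCurrentDirectory`. Hold the pointer in a guard that calls `free` on scope exit, or catch and rethrow around the transcode. The patch also mixes whitespace-only changes to the `ThrowXMLwithMemMgr` lines with the functional change, which makes the part that matters harder to audit; splitting the two would help.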
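Review bot: in the `scanExtSubsetDecl` hunk of CVE-2016-2099.patch, the handler is written `catch (XMLException& ex)`; since `ex` is only read through `getCode()` and `getMessage()`, catch it as `const XMLException&`. A short comment at `nextCh = chNull;` would also help, stating that the fix relies on the loop's existing `if (!nextCh)` branch to end the scan once the error has been emitted.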
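Review bot: in the `scanProlog` hunk of disable-DTD-processing-through-envvariable.patch, the switch is opt-in and matches only the exact string "1" (`!strcmp(envvar, "1")`), so a deployment that exports `XERCES_DISABLE_DTD=true` keeps DTD processing enabled with no diagnostic. Document the accepted value next to the check and in NEWS.Debian, and consider a dedicated error, because `XMLErrs::InvalidDocumentStructure` does not tell the operator that the document was rejected due to the DTD switch. The hunk also does not show the headers that declare `getenv` and `strcmp` being included in XMLScanner.cpp; confirm they are.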
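Review bot: in the `weavePaths` hunk of CVE-2017-12627.patch, the `if (relativePath)` guard covers only the `XMLString::catString` call, and the hunk does not show whether `relativePath` is read earlier in the function. Confirm there is no earlier dereference, or move the NULL check to function entry. A one-line comment saying that a NULL `relativePath` leaves `tmpBuf` holding only the part copied from `basePath` would document the chosen behaviour.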
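Review bot: in the XMLReader.cpp hunks of CVE-2016-0729.patch, the same five-line cleanup (`fCharsAvail = 0; fRawBufIndex = 0;`, the two `fMemoryManager->deallocate(...)` calls and the `ArrayJanitor` on `fSystemId`) is pasted before `ThrowXMLwithMemMgr1` in six places inside `doInitDecode`. Factor it into one private helper so the copies cannot drift, and add a comment explaining why `fPublicId` and `fEncodingStr` are released here without being reset to null.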
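Review bot: in the XMLUri.cpp hunks of CVE-2016-0729.patch at `@@ -979,11 +999,21 @@` and `@@ -1030,11 +1060,21 @@` (query and fragment), the hex-digit test follows the new bounds check as a plain `if`, while the two path hunks at `@@ -875` and `@@ -920` use `else if`. The plain `if` is safe only because the preceding branch always leaves through `ThrowXMLwithMemMgr2`; use `else if` in all four places so that reading `uriSpec[index+1]` and `uriSpec[index+2]` never depends on that.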
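Review bot: in the `scanChildren` hunk of CVE-2016-4463.patch, `depth` is taken by reference and incremented on entry (`depth++ > CONTENTSPEC_DEPTH_LIMIT`), and none of the visible hunks decrement it when a call returns, so it counts the total number of `scanChildren` calls for the element declaration rather than the current nesting level. A wide but shallow content model with more than 1000 groups would be rejected; decrement on every return path, or pass the level by value as `depth + 1`. `XMLErrs::UnterminatedDOCTYPE` is also a misleading code for a depth limit, and `CONTENTSPEC_DEPTH_LIMIT` should carry a comment explaining the choice of 1000.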
Package: libxerces-c-doc Section: doc Architecture: all Provides: libxerces-c3-doc Depends: ${misc:Depends} Suggests: libxerces-c-dev Description: validating XML parser library for C++ (documentation) Xerces-C++ is a validating XML parser written in a portable subset of C++. This package contains the documentation files. Package: libxerces-c-samples Section: devel Architecture: any Provides: libxerces-c3-samples Depends: ${misc:Depends}, ${shlibs:Depends} Description: validating XML parser library for C++ (compiled samples) Xerces-C++ is a validating XML parser written in a portable subset of C++. This package contains compiled versions of the samples. You probably don't want this package, but it can be useful if you are trying to reproduce a problem before reporting a bug that will be easy for the xerces developers to reproduce. debian/source/0000755000000000000000000000000013270252560010470 5ustar debian/source/format0000644000000000000000000000001413270252560011676 0ustar 3.0 (quilt) debian/libxerces-c-dev.README.Debian0000644000000000000000000000167113270252560014211 0ustar Any given debian release may contain one xerces-c package for each major version of xerces-c. It is expected that most releases will have only a single version of xerces-c since major releases are rare. The package "libxerces-c-dev" is always the development package for the latest major version. You may also use libxerces-cn-dev, where n is the major version, to get the development package for the specific major version. For example, libxerces-c3-dev would be the development packages for the latest 3.x release, and libxerces-c2-dev would be the development packages for the latest 2.x release. If your package uses xerces-c, you should generally declare a build dependency on libxerces-c-dev. You should only use a specific version of the dev package if it is specifically known that your package will not work (yet) with a new version of xerces-c when it comes out. 
-- Jay Berkenbilt , Sat, 22 Mar 2008 13:58:45 -0400 debian/libxerces-c-doc.doc-base0000644000000000000000000000070613270252560013535 0ustar Document: libxerces-c-doc Title: Xerces-C++ Documentation Author: The Apache Software Foundation Abstract: The Xerces C++ documentation includes general information, documentation of the Xerces API, FAQs, release information, sample code, and a lot of other useful information about the Xerces validating XML parser. Section: Programming Format: HTML Index: /usr/share/doc/libxerces-c-doc/html/index.html Files: /usr/share/doc/libxerces-c-doc/html/* debian/libxerces-c-dev.install0000644000000000000000000000025013270252560013531 0ustar debian/tmp/usr/lib/*/libxerces-c.so debian/tmp/usr/lib/*/lib*.a debian/tmp/usr/lib/*/pkgconfig debian/tmp/usr/include debian/tmp/usr/share/doc/libxerces-c-dev/examples debian/copyright0000644000000000000000000000251113270252560011122 0ustar This package was debianized by Jay Berkenbilt . It was downloaded from http://xerces.apache.org/ Copyright (C) 1999-2007 The Apache Software Foundation Xerces-C++ is released under the terms of the Apache License, version 2.0, which can be found in /usr/share/common-licenses/Apache-2.0. The source distribution includes a "NOTICE" file as discussed in item 4(d) below. Here is the notice file text: ----------------------------------------------------------------------------- ========================================================================= == NOTICE file corresponding to section 4(d) of the Apache License, == == Version 2.0, in this case for the Apache Xerces distribution. == ========================================================================= This product includes software developed by The Apache Software Foundation (http://www.apache.org/). Portions of this software were originally based on the following: - software copyright (c) 1999, IBM Corporation., http://www.ibm.com. 
----------------------------------------------------------------------------- Additionally, portions of this distribution have the following copyrights: Copyright 1998-2004 W3C (MIT, ERCIM, Keio) Copyright (C) 1999-2007 Free Software Foundation, Inc. Copyright (C) 1994 X Consortium debian/misc/0000755000000000000000000000000013270252560010123 5ustar debian/misc/create_missing_manual_pages0000644000000000000000000000144213270252560015557 0ustar #!/usr/bin/env perl require 5.008; BEGIN { $^W = 1; } use strict; use File::Copy; my $whoami = ($0 =~ m,([^/\\]*)$,) ? $1 : $0; my @programs = (); my $dir = "debian/tmp/usr/bin"; opendir(D, $dir) or die; my @entries = readdir(D) or die; closedir(D); foreach my $entry (@entries) { my $fullpath = "$dir/$entry"; if ((-f $fullpath) && (-x $fullpath)) { push(@programs, $entry); } } my $mandir = 'debian/tmp/usr/share/man/man1'; mkdir "debian/tmp/usr", 0777; mkdir "debian/tmp/usr/share", 0777; mkdir "debian/tmp/usr/share/man", 0777; mkdir "debian/tmp/usr/share/man/man1", 0777; foreach my $prog (@programs) { open(M, ">$mandir/$prog.1") or die; print M ".so man1/xerces-c-sample.1\n"; close(M); } copy("debian/misc/xerces-c-sample.1", "$mandir/xerces-c-sample.1") or die; debian/misc/xerces-c-sample.10000644000000000000000000000106413270252560013176 0ustar .TH XERCES-C-SAMPLE 1 "22 Mar 2008" .SH NAME xerces-c \- xerces-c sample program .SH DESCRIPTION This program is part of the libxerces-c-samples package. That package supplies compiled versions of the sample programs that are included in the libxerces-c-dev packages. Please see the examples for details. These programs are not intended for production use, but they may be useful in helping to create bug reports that the xerces-c maintainers can easily reproduce. 
.SH SEE ALSO .br /usr/share/doc/libxerces-c-dev/examples .br /usr/share/doc/libxerces-c-doc/html debian/libxerces-c3.1.shlibs0000644000000000000000000000003713270252560013020 0ustar libxerces-c 3.1 libxerces-c3.1 debian/libxerces-c-samples.install0000644000000000000000000000005413270252560014421 0ustar debian/tmp/usr/bin debian/tmp/usr/share/man debian/libxerces-c3.1.lintian-overrides0000644000000000000000000000045213270252560015173 0ustar libxerces-c3.1: package-name-doesnt-match-sonames libxerces-c-3.1 # The xerces-3 packages install their shared libraries with weird # names, which confuses lintian. libxerces-c3.1: dev-pkg-without-shlib-symlink usr/lib/x86_64-linux-gnu/libxerces-c-3.1.so usr/lib/x86_64-linux-gnu/libxerces-c-3.1.so debian/libxerces-c-doc.install0000644000000000000000000000005613270252560013524 0ustar debian/tmp/usr/share/doc/libxerces-c-doc/html debian/NEWS0000644000000000000000000000066713270252560007700 0ustar xerces-c (3.1.1-5.1+deb8u3) jessie-security; urgency=high In addition to the fix for CVE-2016-4463 this update enables applications to fully disable DTD processing through the use of an environment variable. . XERCES_DISABLE_DTD set to "1" will cause the scanner to report a fatal error if a DTD is seen. Existing applications won't see any change. -- Salvatore Bonaccorso Tue, 28 Jun 2016 16:50:55 +0200 debian/libxerces-c3.1.install0000644000000000000000000000004613270252560013202 0ustar debian/tmp/usr/lib/*/libxerces-c-*.so