Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: xerces-c@packages.debian.org
Control: affects -1 + src:xerces-c
[ Reason ]
xerces-c 3.2.3+debian-3 is vulnerable to CVE-2023-37536 (Integer
overflows in DFAContentModel class). Also, while it ships a mitigation
for CVE-2018-1311, it does so at the expense of a memory leak, cf.
#947431.
These issues have both been fixed in buster LTS. The “better”
(upstream-vetted) fix for CVE-2018-1311 has also landed in sid via NMU
and migrated to testing last month.
The security team argued the issues didn't warrant a DSA, and suggested
going via s-pu instead.
[ Impact ]
Buster users will regress when upgrading to bullseye.
[ Tests ]
The vulnerability reports came with PoCs, which were checked against:
https://issues.apache.org/jira/browse/XERCESC-2241
https://issues.apache.org/jira/browse/XERCESC-2188
Also the package runs the upstream test suite at build time.
[ Risks ]
AFAICT no alternative exists. I think the risk of regression is low given
that the upstream patches applied cleanly. Also the fixes are already
shipped in buster and sid/trixie.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in oldstable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Fix CVE-2018-1311: Use-after-free on external DTD scan. This replaces
RedHat's mitigation patch (which introduced a memory leak).
Closes: #947431
* Fix CVE-2023-37536: Integer overflows in DFAContentModel class.
* Upstream tests: Cherry-pick upstream patch to fix NetAccessorTest to exit
with non-zero status in case of error.
--
Guilhem.