heap overflow while processing InclusiveNamespace PrefixList

Bug #1192874 reported by John Cooper
Affects                  Status        Importance  Assigned to  Milestone
xml-security-c (Ubuntu)  Fix Released  Undecided   Unassigned
Precise                  Fix Released  Undecided   Unassigned
Quantal                  Fix Released  Undecided   Unassigned
Raring                   Fix Released  Undecided   Unassigned
Saucy                    Fix Released  Undecided   Unassigned

Bug Description

There is a heap overflow in the library.

CVE-2013-2156: Apache Santuario XML Security for C++ contains heap
overflow while processing InclusiveNamespace PrefixList

Patches available at

http://svn.apache.org/viewvc?view=revision&revision=1493961

John Cooper (choffee)
information type: Private Security → Public Security
John Cooper (choffee) wrote :

Looks like Debian already have the patch in unstable:

http://packages.qa.debian.org/x/xml-security-c/news/20130618T054808Z.html

Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in xml-security-c (Ubuntu Quantal):
status: New → Fix Released
Changed in xml-security-c (Ubuntu Raring):
status: New → Fix Released
Changed in xml-security-c (Ubuntu Saucy):
status: New → Fix Released
Changed in xml-security-c (Ubuntu Precise):
status: New → Triaged
status: Triaged → Incomplete
Jamie Strandboge (jdstrand) wrote :

Ubuntu 13.10 already has the fix, and I just performed fake syncs for 12.10 and 13.04. Ubuntu 12.04 LTS will need a debdiff.

John Cooper (choffee) wrote :

I have attached a debdiff for the Precise release. It takes the changes from the Saucy Salamander release.

It compiles okay on Precise.

Changed in xml-security-c (Ubuntu Precise):
status: Incomplete → New
John Cooper (choffee) wrote :

I have installed the package created with the above debdiff and also libapache2-mod-shib2.

Running shibd, which links to the xml-security-c library seems to run okay.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in xml-security-c (Ubuntu Precise):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Thanks for the patch! Unfortunately, it does not follow https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging - specifically it updates the package to 1.6.1-6. Instead a patch should be developed that only addresses the security issue. Please see the above wiki page for more information on how to prepare, test and submit a fix for this issue.

Unsubscribing ubuntu-security-sponsors for now. When an updated debdiff is provided, please feel free to resubscribe. Thanks again.

Changed in xml-security-c (Ubuntu Precise):
status: Confirmed → Triaged
Luke Faraone (lfaraone) wrote :

When fixing this bug in Precise, please also remember to incorporate changes required to fix 1199969

Luke Faraone (lfaraone) wrote :

(see also bug 1199969)

Jeffrey Hutzelman (jhutz) wrote :

Yes, the patch updates the package to 1.6.1-6. That actually seems appropriate to me in this case. The only code changes since 1.6.1-1 are the (four!) security patches in 1.6.1-6, only one of which is the one mentioned in this bug. Other changes relate only to packaging:
- Update to debhelper v9
- Enable multiarch
- Enable hardening build flags
- A format change to the debian/copyright file

In particular, the complex changes to build and maintain a symbols file mentioned in the changelog were completely reverted, and so do not appear here.

I suppose one could argue that enabling multiarch has the potential to cause problems, but if that were the case, I think we'd have seen it by now, in Debian or in later Ubuntu releases. While I'm all for being conservative about what goes into security releases, IMHO in this case community is best served by getting the security fix out quickly (it's already been three weeks since upstream released the fix) and incidentally paving the way for promptly releasing any future fixes. Thus, I'd recommend abandoning any attempt to pull in only 95% of the changes since 1.6.1-1, and instead just sync 1.6.1-7 from Debian.

Marc Deslauriers (mdeslaur) wrote :

Converting a package to multiarch is unacceptable as a security update in a stable release as it changes file locations and introduces the possibility of impacting software users have installed, and impacting other software which may subsequently fail to build in the archive.

We will not be syncing 1.6.1-7 from Debian.

Please submit a proper debdiff with only the security fixes.

Thanks.

Jamie Strandboge (jdstrand) wrote :

When fixing these issues, please also fix CVE-2013-2210 which was caused by an incomplete fix for CVE-2013-2154.

Christian Biamont (christianbiamont) wrote :

This debdiff takes care of both this bug (1192874) and 1199969 (https://bugs.launchpad.net/ubuntu/precise/+source/xml-security-c/+bug/1199969) for Ubuntu Precise.

I got some errors when building the source package and had to modify debian/control and debian/copyright accordingly.

W: xml-security-c source: obsolete-field-in-dep5-copyright format-specification format (paragraph at line 1)
W: xml-security-c source: out-of-date-standards-version 3.9.2 (current is 3.9.3)

When I changed the value "Format-Specification" to "Format" in debian/copyright, I still got this error:

W: xml-security-c source: out-of-date-standards-version 3.9.2 (current is 3.9.3)

So I set "Standards-Version" to 3.9.3 in debian/control, and no more errors occurred.

Tell me if this was unnecessary, and if that's the case, how I could build without changing these values.

After this, I could build both source and binary packages.

Marc Deslauriers (mdeslaur) wrote :

Thanks for the Precise debdiff. ACK.

I'm building it now, along with a few minor formatting changes to the changelog file.

It will get released today.

Thanks!

Changed in xml-security-c (Ubuntu Precise):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xml-security-c - 1.6.1-1ubuntu0.1

---------------
xml-security-c (1.6.1-1ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: (LP: #1192874).
    - Apply upstream patch to fix a spoofing vulnerability that allows an
      attacker to reuse existing signatures with arbitrary content.
      (CVE-2013-2153)
    - Apply upstream patch to fix a stack overflow in the processing of
      malformed XPointer expressions in the XML Signature Reference
      processing code. (CVE-2013-2154)
    - Apply upstream patch to fix processing of the output length of an
      HMAC-based XML Signature that could cause a denial of service when
      processing specially chosen input. (CVE-2013-2155)
    - Apply upstream patch to fix a heap overflow in the processing of the
      PrefixList attribute optionally used in conjunction with Exclusive
      Canonicalization, potentially allowing arbitrary code execution.
      (CVE-2013-2156)
  * SECURITY UPDATE: The attempted fix to address CVE-2013-2154 introduced
    the possibility of a heap overflow, possibly leading to arbitrary code
    execution, in the processing of malformed XPointer expressions in the
    XML Signature Reference processing code (LP: #1199969).
    - Apply upstream patch to fix that heap overflow. (CVE-2013-2210)
 -- Christian Biamont <email address hidden> Wed, 25 Sep 2013 10:27:27 +0200

Changed in xml-security-c (Ubuntu Precise):
status: Fix Committed → Fix Released