xerces-c-users mailing list archives

From Vinutha Nagaraju <Vinutha.Nagar...@Sun.COM>
Subject Re: Is Security issue applicable to Xerces 2.6.0 ?
Date Thu, 12 Nov 2009 11:26:37 GMT
On 11/11/09 19:50, Alberto Massari wrote:
> The security issue is in the end a stack overflow, and it's in 2.6 as 
> well; some operating systems grow the stack on demand, and can handle 
> such a test case with only a performance impact. Did 2.7 fail on the 
> same system?
> 
It was on the same system. I see that the function where it has been fixed 
has similar code in both 2.6.0 and 2.7.0, so I tested with a fresh 
workspace without applying the patch and I am able to reproduce it now.

But if I try to reproduce it on a workspace which had the patch once and 
later rebuild without the fix, I can't reproduce the bug. I think 
something is missing as part of the build. Sorry about this confusion.

Is the following build sequence correct?
1. export XERCESCROOT=`pwd`
2. export PATH=[compiler paths]
2. cd src/xercesc
3.  ./runConfigure -p solaris -c cc -x CC
4. gmake
5. add the patch.
6. gmake distclean
7. repeat steps 3 and 4.


Thanks,
Vinu

> Alberto
> 
> Vinutha Nagaraju wrote:
>>
>> Hi,
>>
>> This is regarding the security issue on Xerces-C++ which was reported 
>> by CERT-FI.
>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>
>> I have received a test case from CERT-FI which contains the sample xml 
>> file with the faulty line which can cause a crash. I have been able to 
>> reproduce the segmentation fault on Xerces 2.7.0. However we are using 
>> Xerces 2.6.0 within our Web Server product. Hence tried the same steps 
>> to reproduce it in 2.6.0 but instead of the crash I could see the 
>> following error message printed. This was the same error message I got 
>> after patching 2.7.0 as well.
>> bash-3.00$ ./SAXPrint ./xerces-crash.xml
>> <?xml version="1.0" encoding="LATIN1"?>
>>
>> Fatal Error at file 
>> /iws_share/vinu/xerces/2.6.0/solaris/xerces-c-src_2_6_0/bin/
>> xerces-crash.xml, line 2, char 65564
>> Message: Expected an element name
>>
>> Is this vulnerability applicable to 2.6.0 or not? Without it being 
>> reproduced if we have to change the xerces in our product, it would 
>> mean a lot of effort of patching and rebuilding 2.6.0 on all 
>> platforms. Hence I kindly request someone to provide their expert 
>> comment on this.
>>
>> Note: Due to security reasons I cannot attach the test case. Please 
>> email your PGP key and I can send you the test case.
>>
>> Thanks,
>> Vinu
>>
>>
>> Alberto Massari wrote:
>>> Hi Vinu,
>>> the security report has the link to the SVN change, that you can 
>>> apply to the version of Xerces you are using.
>>>
>>> Alberto
>>>
>>> Vinutha Nagaraju wrote:
>>>> Hi,
>>>>
>>>> We are using Xerces 2.6.0 within our product and we have recently 
>>>> read about the following security issue with Xerces.
>>>>
>>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>>
>>>> We would like to know in which version of Xerces the fix is available.
>>>> Can we request this to be ported to the 2.x series too? Moving 
>>>> from 2.x to the next major release would mean a lot of changes at our 
>>>> product end, which is under sustaining phase. I would appreciate it if 
>>>> this request could be accommodated. I am hoping this would eventually 
>>>> help other users of Xerces with a similar request.
>>>>
>>>> Thanks,
>>>> Vinu
>>>>
>>>>
>>>
>>
>>
> 

