xerces-c-users mailing list archives

From Vinutha Nagaraju <Vinutha.Nagar...@Sun.COM>
Subject Re: Is Security issue applicable to Xerces 2.6.0 ?
Date Thu, 12 Nov 2009 12:12:00 GMT

On 11/12/09 16:47, Alberto Massari wrote:
> I wouldn't be surprised if Xerces 2.x implemented "make distclean" 
> differently from what you would expect. Have you tried adding an 
> explicit "gmake clean" before distclean?
> 

I use the same steps to build a fresh 2.6.0 workspace with the patch.
That works. Which means the segmentation fault which was appearing on 
the fresh workspace returns the error message after the patch is applied.
But when I do the reverse, the same gmake steps don't work. Don't know 
how that is possible though. That is what confused me. I have tried this 
already 2-3 times now.
Let me try out your suggestion.


Thanks,
Vinu

> Alberto
> 
> Vinutha Nagaraju wrote:
>> On 11/11/09 19:50, Alberto Massari wrote:
>>> The security issue is in the end a stack overflow, and it's in 2.6 as 
>>> well; some operating systems grow the stack on demand, and can handle 
>>> such a test case with only a performance impact. Did 2.7 fail on the 
>>> same system?
>>>
>> It was on the same system. I see that the function where it has been 
>> fixed has similar code in both 2.6.0 and 2.7.0, so I tested with a fresh 
>> workspace without applying the patch and I am able to reproduce it now.
>>
>> But if I try to reproduce it on a workspace which had the patch once 
>> and later rebuild without the fix, I can't reproduce the bug. I think 
>> something is missing as part of the build. Sorry about this confusion.
>>
>> Is the following build sequence correct?
>> 1. export XERCESCROOT=`pwd`
>> 2. export PATH=[compiler paths]
>> 2. cd src/xercesc
>> 3.  ./runConfigure -p solaris -c cc -x CC
>> 4. gmake
>> 5. add the patch.
>> 6. gmake distclean
>> 7. repeat steps 3 and 4.
>>
>>
>> Thanks,
>> Vinu
>>
>>> Alberto
>>>
>>> Vinutha Nagaraju wrote:
>>>>
>>>> Hi,
>>>>
>>>> This is regarding the security issue on Xerces-C++ which was 
>>>> reported by CERT-FI.
>>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>>
>>>> I have received a test case from CERT-FI which contains the sample 
>>>> xml file with the faulty line which can cause a crash. I have been 
>>>> able to reproduce the segmentation fault on Xerces 2.7.0. However we 
>>>> are using Xerces 2.6.0 within our Web Server product. Hence tried 
>>>> the same steps to reproduce it in 2.6.0 but instead of the crash I 
>>>> could see the following error message printed. This was the same 
>>>> error message I got after patching 2.7.0 as well.
>>>> bash-3.00$ ./SAXPrint ./xerces-crash.xml
>>>> <?xml version="1.0" encoding="LATIN1"?>
>>>>
>>>> Fatal Error at file 
>>>> /iws_share/vinu/xerces/2.6.0/solaris/xerces-c-src_2_6_0/bin/
>>>> xerces-crash.xml, line 2, char 65564
>>>> Message: Expected an element name
>>>>
>>>> Is this vulnerability applicable to 2.6.0 or not? Without it being 
>>>> reproduced if we have to change the xerces in our product, it would 
>>>> mean a lot of effort of patching and rebuilding 2.6.0 on all 
>>>> platforms. Hence I kindly request someone to provide their expert 
>>>> comment on this.
>>>>
>>>> Note: Due to security reasons I cannot attach the test case. Please 
>>>> email your PGP key and I can send you the test case.
>>>>
>>>> Thanks,
>>>> Vinu
>>>>
>>>>
>>>> Alberto Massari wrote:
>>>>> Hi Vinu,
>>>>> the security report has the link to the SVN change, that you can 
>>>>> apply to the version of Xerces you are using.
>>>>>
>>>>> Alberto
>>>>>
>>>>> Vinutha Nagaraju wrote:
>>>>>> Hi,
>>>>>>
>>>>>> We are using Xerces 2.6.0 within our product and we have recently
>>>>>> read about the following security issue with Xerces.
>>>>>>
>>>>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>>>>
>>>>>> We would like to know in which version of Xerces the fix is 
>>>>>> available?
>>>>>> Can we request this to be ported to the 2.x series too? Because moving
>>>>>> from 2.x to the next major release would mean a lot of changes at our 
>>>>>> product end, which is under sustaining phase. Appreciate if this 
>>>>>> request could be accommodated. I am hoping this would eventually
>>>>>> help other users of xerces with similar requests.
>>>>>>
>>>>>> Thanks,
>>>>>> Vinu
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
> 
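
A rebuild that behaves the same with and without the patch, as described in the message above, can mean that some objects or libraries were never regenerated. The shell check below is an added example, not part of the original thread or of the Xerces build system; the function names and the file-name patterns (`*.o`, `*.a`, `*.so`, `*.so.*`) are assumptions.

```shell
#!/bin/sh
# Added example: after patching (or un-patching) a source file and rebuilding,
# list every build output that is NOT newer than that source file. Any hit is
# a stale artifact, so the binary under test may not contain the change.
#
# Usage (paths are whatever your workspace uses):
#   check_rebuild <workspace-root> <changed-source-file>

# Print stale objects/libraries under $1, relative to the mtime of $2.
stale_artifacts() {
    root=$1
    changed=$2
    [ -d "$root" ]    || { echo "no such directory: $root" >&2; return 2; }
    [ -f "$changed" ] || { echo "no such file: $changed" >&2; return 2; }
    # "! -newer FILE" matches files whose mtime is older than or equal to FILE.
    # The name patterns are assumed output types; extend them for your platform.
    find "$root" -type f \
        \( -name '*.o' -o -name '*.a' -o -name '*.so' -o -name '*.so.*' \) \
        ! -newer "$changed" -print | sort
}

# Return 0 if every build output is newer than the changed source,
# 1 if stale outputs remain, 2 on bad arguments.
check_rebuild() {
    stale=$(stale_artifacts "$1" "$2") || return 2
    if [ -n "$stale" ]; then
        printf 'stale build outputs (not newer than %s):\n%s\n' "$2" "$stale" >&2
        return 1
    fi
    return 0
}
```

Run it after step 7 of the sequence quoted above, pointing it at the file the patch touched; a non-zero status means the clean step left outputs behind.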

