Bug 38207

Summary: xerces-c: Denial of service (4.1)
Product: UCS Reporter: Arvid Requate <requate>
Component: Security updatesAssignee: Janek Walkenhorst <walkenhorst>
Status: CLOSED FIXED QA Contact: Arvid Requate <requate>
Severity: normal    
Priority: P2 CC: gohmann
Version: UCS 4.1Flags: requate: Patch_Available+
Target Milestone: UCS 4.1-3-errata   
Hardware: Other   
OS: Linux   
What kind of report is it?: Security Issue What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional): Security
Max CVSS v3 score:

Description Arvid Requate univentionstaff 2015-04-07 14:43:12 CEST 
Denial of service in internal/XMLReader.cpp via crafted XML data (CVE-2015-0252)
Comment 1 Arvid Requate univentionstaff 2015-05-06 16:42:21 CEST 
Fixed in upstream Debian package version 3.1.1-3+deb7u1
Comment 2 Arvid Requate univentionstaff 2016-02-29 16:55:27 CET 
Fixed in upstream Debian package version 3.1.1-3+deb7u2:

* Apache Xerces-C XML Parser Crashes on Malformed Input (CVE-2016-0729)
Comment 3 Arvid Requate univentionstaff 2016-05-23 15:10:57 CEST 
Fixed in upstream Debian package version 3.1.1-3+deb7u3:

* Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier does not properly handle exceptions raised in the XMLReader class, which allows context-dependent attackers to have unspecified impact via an invalid character in an XML document. (CVE-2016-2099)
Comment 4 Janek Walkenhorst univentionstaff 2016-07-01 18:53:48 CEST 
Package        : xerces-c
Version        : 3.1.1-3+deb7u4
CVE ID         : CVE-2016-4463
Debian Bug     : 828990

Brandon Perry discovered that xerces-c, a validating XML parser library
for C++, fails to successfully parse a DTD that is deeply nested,
causing a stack overflow. A remote unauthenticated attacker can take
advantage of this flaw to cause a denial of service against applications
using the xerces-c library.

Additionally this update includes an enhancement to enable applications
to fully disable DTD processing through the use of an environment
variable (XERCES_DISABLE_DTD).

For Debian 7 "Wheezy", these problems have been fixed in version
3.1.1-3+deb7u4.
Comment 5 Janek Walkenhorst univentionstaff 2016-08-26 13:04:45 CEST 
Tests (i386): OK
Advisory: xerces-c.yaml
Comment 6 Arvid Requate univentionstaff 2016-09-05 18:03:15 CEST 
Verified:
* 3.1.1-3+deb7u4 imported and built
* No UCS patches
* Package update Ok (amd64) (tested with open-vm-tools)
* Advisory Ok
Comment 7 Janek Walkenhorst univentionstaff 2016-09-07 18:41:36 CEST 
<http://errata.software-univention.de/ucs/4.1/242.html>