You are viewing a plain text version of this content. The canonical link for it is here.
Posted to c-dev@xerces.apache.org by Vinutha Nagaraju <Vi...@Sun.COM> on 2009/11/11 14:07:09 UTC
Is Security issue applicable to Xerces 2.6.0 ?
Hi,
This is regarding the security issue on Xerces-C++ which was reported by
CERT-FI.
http://www.cert.fi/en/reports/2009/vulnerability2009085.html
I have received a test case from CERT-FI which contains the sample xml
file with the faulty line which can cause a crash. I have been able to
reproduce the segmentation fault on Xerces 2.7.0. However we are using
Xerces 2.6.0 within our Web Server product. Hence tried the same steps
to reproduce it in 2.6.0 but instead of the crash I could see the
following error message printed. This was the same error message I got
after patching 2.7.0 as well.
bash-3.00$ ./SAXPrint ./xerces-crash.xml
<?xml version="1.0" encoding="LATIN1"?>
Fatal Error at file
/iws_share/vinu/xerces/2.6.0/solaris/xerces-c-src_2_6_0/bin/
xerces-crash.xml, line 2, char 65564
Message: Expected an element name
Is this vulnerability applicable to 2.6.0 or not ? Without it being
reproduced if we have to change the xerces in our product, it would mean
a lot of effort of patching and rebuilding 2.6.0 on all platforms. Hence
I kindly request someone to provide their expert comment on this.
Note: Due to security reasons I cannot attach the test case. Please
email your PGP key and I can send you the test case.
Thanks,
Vinu
Alberto Massari wrote:
> Hi Vinu,
> the security report has the link to the SVN change, that you can apply
> to the version of Xerces you are using.
>
> Alberto
>
> Vinutha Nagaraju wrote:
>> Hi,
>>
>> We are using Xerces 2.6.0 within our product and we have recently
>> read about the following security issue with Xerces.
>>
>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>
>> We would like to know in which Version of Xerces is the fix available ?
>> Can we request this to be ported to 2.x series too. Because moving
>> from 2.x to next major release would mean lot of changes at our
>> product end which is under sustaining phase. Appreciate if this
>> request could be accommodated. I am hoping this would eventually help
>> other users of xerces with similar request.
>>
>> Thanks,
>> Vinu
>>
>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org
Re: Is Security issue applicable to Xerces 2.6.0 ?
Posted by Vinutha Nagaraju <Vi...@Sun.COM>.
On 11/12/09 16:47, Alberto Massari wrote:
> I wouldn't be surprised if Xerces 2.x implemented "make distclean"
> differently from what you would expect. Have you tried adding an
> explicit "gmake clean" before distclean?
>
I use the same steps to build a fresh 2.6.0 workspace with the patch.
That works. Which means the segmentation fault which was appearing on
the fresh workspace, returns the error message after patch is applied.
But when I do the reverse the same gmake steps don't work..Don't know
how that is possible though. That is what confused me. I have tried this
already 2-3 times now..
Let me try out your suggestion.
Thanks,
Vinu
> Alberto
>
> Vinutha Nagaraju wrote:
>> On 11/11/09 19:50, Alberto Massari wrote:
>>> The security issue is in the end a stack overflow, and it's in 2.6 as
>>> well; some operating systems grow the stack on demand, and can handle
>>> such a test case with only a performance impact. Did 2.7 fail on the
>>> same system?
>>>
>> It was on the same system. I see that function where it has been fixed
>> has similar code in both 2.6.0 and 2.7.0 so, I tested with fresh
>> workspace without applying the patch and I am able to reproduce it now.
>>
>> But if I try to reproduce it on a workspace which had the patch once
>> and later rebuild without the fix. I can't reproduce the bug. I think
>> something is missing as part of build. Sorry about this confusion.
>>
>> Are the following build sequence correct?
>> 1. export XERCESCROOT=`pwd`
>> 2. export PATH=[compiler paths]
>> 2. cd src/xercesc
>> 3. ./runConfigure -p solaris -c cc -x CC
>> 4. gmake
>> 5. add the patch.
>> 6. gmake distclean
>> 7. repeat steps 3 and 4.
>>
>>
>> Thanks,
>> Vinu
>>
>>> Alberto
>>>
>>> Vinutha Nagaraju wrote:
>>>>
>>>> Hi,
>>>>
>>>> This is regarding the security issue on Xerces-C++ which was
>>>> reported by CERT-FI.
>>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>>
>>>> I have received a test case from CERT-FI which contains the sample
>>>> xml file with the faulty line which can cause a crash. I have been
>>>> able to reproduce the segmentation fault on Xerces 2.7.0. However we
>>>> are using Xerces 2.6.0 within our Web Server product. Hence tried
>>>> the same steps to reproduce it in 2.6.0 but instead of the crash I
>>>> could see the following error message printed. This was the same
>>>> error message I got after patching 2.7.0 as well.
>>>> bash-3.00$ ./SAXPrint ./xerces-crash.xml
>>>> <?xml version="1.0" encoding="LATIN1"?>
>>>>
>>>> Fatal Error at file
>>>> /iws_share/vinu/xerces/2.6.0/solaris/xerces-c-src_2_6_0/bin/
>>>> xerces-crash.xml, line 2, char 65564
>>>> Message: Expected an element name
>>>>
>>>> Is this vulnerability applicable to 2.6.0 or not ? Without it being
>>>> reproduced if we have to change the xerces in our product, it would
>>>> mean a lot of effort of patching and rebuilding 2.6.0 on all
>>>> platforms. Hence I kindly request someone to provide their expert
>>>> comment on this.
>>>>
>>>> Note: Due to security reasons I cannot attach the test case. Please
>>>> email your PGP key and I can send you the test case.
>>>>
>>>> Thanks,
>>>> Vinu
>>>>
>>>>
>>>> Alberto Massari wrote:
>>>>> Hi Vinu,
>>>>> the security report has the link to the SVN change, that you can
>>>>> apply to the version of Xerces you are using.
>>>>>
>>>>> Alberto
>>>>>
>>>>> Vinutha Nagaraju wrote:
>>>>>> Hi,
>>>>>>
>>>>>> We are using Xerces 2.6.0 within our product and we have recently
>>>>>> read about the following security issue with Xerces.
>>>>>>
>>>>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>>>>
>>>>>> We would like to know in which Version of Xerces is the fix
>>>>>> available ?
>>>>>> Can we request this to be ported to 2.x series too. Because moving
>>>>>> from 2.x to next major release would mean lot of changes at our
>>>>>> product end which is under sustaining phase. Appreciate if this
>>>>>> request could be accommodated. I am hoping this would eventually
>>>>>> help other users of xerces with similar request.
>>>>>>
>>>>>> Thanks,
>>>>>> Vinu
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
>>>> For additional commands, e-mail: c-dev-help@xerces.apache.org
>>>>
>>>>
>>>
>>
>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org
Re: Is Security issue applicable to Xerces 2.6.0 ?
Posted by Vinutha Nagaraju <Vi...@Sun.COM>.
On 11/12/09 16:47, Alberto Massari wrote:
> I wouldn't be surprised if Xerces 2.x implemented "make distclean"
> differently from what you would expect. Have you tried adding an
> explicit "gmake clean" before distclean?
>
I use the same steps to build a fresh 2.6.0 workspace with the patch.
That works. Which means the segmentation fault which was appearing on
the fresh workspace, returns the error message after patch is applied.
But when I do the reverse the same gmake steps don't work..Don't know
how that is possible though. That is what confused me. I have tried this
already 2-3 times now..
Let me try out your suggestion.
Thanks,
Vinu
> Alberto
>
> Vinutha Nagaraju wrote:
>> On 11/11/09 19:50, Alberto Massari wrote:
>>> The security issue is in the end a stack overflow, and it's in 2.6 as
>>> well; some operating systems grow the stack on demand, and can handle
>>> such a test case with only a performance impact. Did 2.7 fail on the
>>> same system?
>>>
>> It was on the same system. I see that function where it has been fixed
>> has similar code in both 2.6.0 and 2.7.0 so, I tested with fresh
>> workspace without applying the patch and I am able to reproduce it now.
>>
>> But if I try to reproduce it on a workspace which had the patch once
>> and later rebuild without the fix. I can't reproduce the bug. I think
>> something is missing as part of build. Sorry about this confusion.
>>
>> Are the following build sequence correct?
>> 1. export XERCESCROOT=`pwd`
>> 2. export PATH=[compiler paths]
>> 2. cd src/xercesc
>> 3. ./runConfigure -p solaris -c cc -x CC
>> 4. gmake
>> 5. add the patch.
>> 6. gmake distclean
>> 7. repeat steps 3 and 4.
>>
>>
>> Thanks,
>> Vinu
>>
>>> Alberto
>>>
>>> Vinutha Nagaraju wrote:
>>>>
>>>> Hi,
>>>>
>>>> This is regarding the security issue on Xerces-C++ which was
>>>> reported by CERT-FI.
>>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>>
>>>> I have received a test case from CERT-FI which contains the sample
>>>> xml file with the faulty line which can cause a crash. I have been
>>>> able to reproduce the segmentation fault on Xerces 2.7.0. However we
>>>> are using Xerces 2.6.0 within our Web Server product. Hence tried
>>>> the same steps to reproduce it in 2.6.0 but instead of the crash I
>>>> could see the following error message printed. This was the same
>>>> error message I got after patching 2.7.0 as well.
>>>> bash-3.00$ ./SAXPrint ./xerces-crash.xml
>>>> <?xml version="1.0" encoding="LATIN1"?>
>>>>
>>>> Fatal Error at file
>>>> /iws_share/vinu/xerces/2.6.0/solaris/xerces-c-src_2_6_0/bin/
>>>> xerces-crash.xml, line 2, char 65564
>>>> Message: Expected an element name
>>>>
>>>> Is this vulnerability applicable to 2.6.0 or not ? Without it being
>>>> reproduced if we have to change the xerces in our product, it would
>>>> mean a lot of effort of patching and rebuilding 2.6.0 on all
>>>> platforms. Hence I kindly request someone to provide their expert
>>>> comment on this.
>>>>
>>>> Note: Due to security reasons I cannot attach the test case. Please
>>>> email your PGP key and I can send you the test case.
>>>>
>>>> Thanks,
>>>> Vinu
>>>>
>>>>
>>>> Alberto Massari wrote:
>>>>> Hi Vinu,
>>>>> the security report has the link to the SVN change, that you can
>>>>> apply to the version of Xerces you are using.
>>>>>
>>>>> Alberto
>>>>>
>>>>> Vinutha Nagaraju wrote:
>>>>>> Hi,
>>>>>>
>>>>>> We are using Xerces 2.6.0 within our product and we have recently
>>>>>> read about the following security issue with Xerces.
>>>>>>
>>>>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>>>>
>>>>>> We would like to know in which Version of Xerces is the fix
>>>>>> available ?
>>>>>> Can we request this to be ported to 2.x series too. Because moving
>>>>>> from 2.x to next major release would mean lot of changes at our
>>>>>> product end which is under sustaining phase. Appreciate if this
>>>>>> request could be accommodated. I am hoping this would eventually
>>>>>> help other users of xerces with similar request.
>>>>>>
>>>>>> Thanks,
>>>>>> Vinu
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
>>>> For additional commands, e-mail: c-dev-help@xerces.apache.org
>>>>
>>>>
>>>
>>
>>
>
Re: Is Security issue applicable to Xerces 2.6.0 ?
Posted by Alberto Massari <am...@datadirect.com>.
I wouldn't be surprised if Xerces 2.x implemented "make distclean"
differently from what you would expect. Have you tried adding an
explicit "gmake clean" before distclean?
Alberto
Vinutha Nagaraju wrote:
> On 11/11/09 19:50, Alberto Massari wrote:
>> The security issue is in the end a stack overflow, and it's in 2.6 as
>> well; some operating systems grow the stack on demand, and can handle
>> such a test case with only a performance impact. Did 2.7 fail on the
>> same system?
>>
> It was on the same system. I see that function where it has been fixed
> has similar code in both 2.6.0 and 2.7.0 so, I tested with fresh
> workspace without applying the patch and I am able to reproduce it now.
>
> But if I try to reproduce it on a workspace which had the patch once
> and later rebuild without the fix. I can't reproduce the bug. I think
> something is missing as part of build. Sorry about this confusion.
>
> Are the following build sequence correct?
> 1. export XERCESCROOT=`pwd`
> 2. export PATH=[compiler paths]
> 2. cd src/xercesc
> 3. ./runConfigure -p solaris -c cc -x CC
> 4. gmake
> 5. add the patch.
> 6. gmake distclean
> 7. repeat steps 3 and 4.
>
>
> Thanks,
> Vinu
>
>> Alberto
>>
>> Vinutha Nagaraju wrote:
>>>
>>> Hi,
>>>
>>> This is regarding the security issue on Xerces-C++ which was
>>> reported by CERT-FI.
>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>
>>> I have received a test case from CERT-FI which contains the sample
>>> xml file with the faulty line which can cause a crash. I have been
>>> able to reproduce the segmentation fault on Xerces 2.7.0. However we
>>> are using Xerces 2.6.0 within our Web Server product. Hence tried
>>> the same steps to reproduce it in 2.6.0 but instead of the crash I
>>> could see the following error message printed. This was the same
>>> error message I got after patching 2.7.0 as well.
>>> bash-3.00$ ./SAXPrint ./xerces-crash.xml
>>> <?xml version="1.0" encoding="LATIN1"?>
>>>
>>> Fatal Error at file
>>> /iws_share/vinu/xerces/2.6.0/solaris/xerces-c-src_2_6_0/bin/
>>> xerces-crash.xml, line 2, char 65564
>>> Message: Expected an element name
>>>
>>> Is this vulnerability applicable to 2.6.0 or not ? Without it being
>>> reproduced if we have to change the xerces in our product, it would
>>> mean a lot of effort of patching and rebuilding 2.6.0 on all
>>> platforms. Hence I kindly request someone to provide their expert
>>> comment on this.
>>>
>>> Note: Due to security reasons I cannot attach the test case. Please
>>> email your PGP key and I can send you the test case.
>>>
>>> Thanks,
>>> Vinu
>>>
>>>
>>> Alberto Massari wrote:
>>>> Hi Vinu,
>>>> the security report has the link to the SVN change, that you can
>>>> apply to the version of Xerces you are using.
>>>>
>>>> Alberto
>>>>
>>>> Vinutha Nagaraju wrote:
>>>>> Hi,
>>>>>
>>>>> We are using Xerces 2.6.0 within our product and we have recently
>>>>> read about the following security issue with Xerces.
>>>>>
>>>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>>>
>>>>> We would like to know in which Version of Xerces is the fix
>>>>> available ?
>>>>> Can we request this to be ported to 2.x series too. Because moving
>>>>> from 2.x to next major release would mean lot of changes at our
>>>>> product end which is under sustaining phase. Appreciate if this
>>>>> request could be accommodated. I am hoping this would eventually
>>>>> help other users of xerces with similar request.
>>>>>
>>>>> Thanks,
>>>>> Vinu
>>>>>
>>>>>
>>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
>>> For additional commands, e-mail: c-dev-help@xerces.apache.org
>>>
>>>
>>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org
Re: Is Security issue applicable to Xerces 2.6.0 ?
Posted by Alberto Massari <am...@datadirect.com>.
I wouldn't be surprised if Xerces 2.x implemented "make distclean"
differently from what you would expect. Have you tried adding an
explicit "gmake clean" before distclean?
Alberto
Vinutha Nagaraju wrote:
> On 11/11/09 19:50, Alberto Massari wrote:
>> The security issue is in the end a stack overflow, and it's in 2.6 as
>> well; some operating systems grow the stack on demand, and can handle
>> such a test case with only a performance impact. Did 2.7 fail on the
>> same system?
>>
> It was on the same system. I see that function where it has been fixed
> has similar code in both 2.6.0 and 2.7.0 so, I tested with fresh
> workspace without applying the patch and I am able to reproduce it now.
>
> But if I try to reproduce it on a workspace which had the patch once
> and later rebuild without the fix. I can't reproduce the bug. I think
> something is missing as part of build. Sorry about this confusion.
>
> Are the following build sequence correct?
> 1. export XERCESCROOT=`pwd`
> 2. export PATH=[compiler paths]
> 2. cd src/xercesc
> 3. ./runConfigure -p solaris -c cc -x CC
> 4. gmake
> 5. add the patch.
> 6. gmake distclean
> 7. repeat steps 3 and 4.
>
>
> Thanks,
> Vinu
>
>> Alberto
>>
>> Vinutha Nagaraju wrote:
>>>
>>> Hi,
>>>
>>> This is regarding the security issue on Xerces-C++ which was
>>> reported by CERT-FI.
>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>
>>> I have received a test case from CERT-FI which contains the sample
>>> xml file with the faulty line which can cause a crash. I have been
>>> able to reproduce the segmentation fault on Xerces 2.7.0. However we
>>> are using Xerces 2.6.0 within our Web Server product. Hence tried
>>> the same steps to reproduce it in 2.6.0 but instead of the crash I
>>> could see the following error message printed. This was the same
>>> error message I got after patching 2.7.0 as well.
>>> bash-3.00$ ./SAXPrint ./xerces-crash.xml
>>> <?xml version="1.0" encoding="LATIN1"?>
>>>
>>> Fatal Error at file
>>> /iws_share/vinu/xerces/2.6.0/solaris/xerces-c-src_2_6_0/bin/
>>> xerces-crash.xml, line 2, char 65564
>>> Message: Expected an element name
>>>
>>> Is this vulnerability applicable to 2.6.0 or not ? Without it being
>>> reproduced if we have to change the xerces in our product, it would
>>> mean a lot of effort of patching and rebuilding 2.6.0 on all
>>> platforms. Hence I kindly request someone to provide their expert
>>> comment on this.
>>>
>>> Note: Due to security reasons I cannot attach the test case. Please
>>> email your PGP key and I can send you the test case.
>>>
>>> Thanks,
>>> Vinu
>>>
>>>
>>> Alberto Massari wrote:
>>>> Hi Vinu,
>>>> the security report has the link to the SVN change, that you can
>>>> apply to the version of Xerces you are using.
>>>>
>>>> Alberto
>>>>
>>>> Vinutha Nagaraju wrote:
>>>>> Hi,
>>>>>
>>>>> We are using Xerces 2.6.0 within our product and we have recently
>>>>> read about the following security issue with Xerces.
>>>>>
>>>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>>>
>>>>> We would like to know in which Version of Xerces is the fix
>>>>> available ?
>>>>> Can we request this to be ported to 2.x series too. Because moving
>>>>> from 2.x to next major release would mean lot of changes at our
>>>>> product end which is under sustaining phase. Appreciate if this
>>>>> request could be accommodated. I am hoping this would eventually
>>>>> help other users of xerces with similar request.
>>>>>
>>>>> Thanks,
>>>>> Vinu
>>>>>
>>>>>
>>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
>>> For additional commands, e-mail: c-dev-help@xerces.apache.org
>>>
>>>
>>
>
>
Re: Is Security issue applicable to Xerces 2.6.0 ?
Posted by Vinutha Nagaraju <Vi...@Sun.COM>.
On 11/11/09 19:50, Alberto Massari wrote:
> The security issue is in the end a stack overflow, and it's in 2.6 as
> well; some operating systems grow the stack on demand, and can handle
> such a test case with only a performance impact. Did 2.7 fail on the
> same system?
>
It was on the same system. I see that function where it has been fixed
has similar code in both 2.6.0 and 2.7.0 so, I tested with fresh
workspace without applying the patch and I am able to reproduce it now.
But if I try to reproduce it on a workspace which had the patch once and
later rebuild without the fix. I can't reproduce the bug. I think
something is missing as part of build. Sorry about this confusion.
Are the following build sequence correct?
1. export XERCESCROOT=`pwd`
2. export PATH=[compiler paths]
2. cd src/xercesc
3. ./runConfigure -p solaris -c cc -x CC
4. gmake
5. add the patch.
6. gmake distclean
7. repeat steps 3 and 4.
Thanks,
Vinu
> Alberto
>
> Vinutha Nagaraju wrote:
>>
>> Hi,
>>
>> This is regarding the security issue on Xerces-C++ which was reported
>> by CERT-FI.
>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>
>> I have received a test case from CERT-FI which contains the sample xml
>> file with the faulty line which can cause a crash. I have been able to
>> reproduce the segmentation fault on Xerces 2.7.0. However we are using
>> Xerces 2.6.0 within our Web Server product. Hence tried the same steps
>> to reproduce it in 2.6.0 but instead of the crash I could see the
>> following error message printed. This was the same error message I got
>> after patching 2.7.0 as well.
>> bash-3.00$ ./SAXPrint ./xerces-crash.xml
>> <?xml version="1.0" encoding="LATIN1"?>
>>
>> Fatal Error at file
>> /iws_share/vinu/xerces/2.6.0/solaris/xerces-c-src_2_6_0/bin/
>> xerces-crash.xml, line 2, char 65564
>> Message: Expected an element name
>>
>> Is this vulnerability applicable to 2.6.0 or not ? Without it being
>> reproduced if we have to change the xerces in our product, it would
>> mean a lot of effort of patching and rebuilding 2.6.0 on all
>> platforms. Hence I kindly request someone to provide their expert
>> comment on this.
>>
>> Note: Due to security reasons I cannot attach the test case. Please
>> email your PGP key and I can send you the test case.
>>
>> Thanks,
>> Vinu
>>
>>
>> Alberto Massari wrote:
>>> Hi Vinu,
>>> the security report has the link to the SVN change, that you can
>>> apply to the version of Xerces you are using.
>>>
>>> Alberto
>>>
>>> Vinutha Nagaraju wrote:
>>>> Hi,
>>>>
>>>> We are using Xerces 2.6.0 within our product and we have recently
>>>> read about the following security issue with Xerces.
>>>>
>>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>>
>>>> We would like to know in which Version of Xerces is the fix available ?
>>>> Can we request this to be ported to 2.x series too. Because moving
>>>> from 2.x to next major release would mean lot of changes at our
>>>> product end which is under sustaining phase. Appreciate if this
>>>> request could be accommodated. I am hoping this would eventually
>>>> help other users of xerces with similar request.
>>>>
>>>> Thanks,
>>>> Vinu
>>>>
>>>>
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
>> For additional commands, e-mail: c-dev-help@xerces.apache.org
>>
>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org
Re: Is Security issue applicable to Xerces 2.6.0 ?
Posted by Vinutha Nagaraju <Vi...@Sun.COM>.
On 11/11/09 19:50, Alberto Massari wrote:
> The security issue is in the end a stack overflow, and it's in 2.6 as
> well; some operating systems grow the stack on demand, and can handle
> such a test case with only a performance impact. Did 2.7 fail on the
> same system?
>
It was on the same system. I see that function where it has been fixed
has similar code in both 2.6.0 and 2.7.0 so, I tested with fresh
workspace without applying the patch and I am able to reproduce it now.
But if I try to reproduce it on a workspace which had the patch once and
later rebuild without the fix. I can't reproduce the bug. I think
something is missing as part of build. Sorry about this confusion.
Are the following build sequence correct?
1. export XERCESCROOT=`pwd`
2. export PATH=[compiler paths]
2. cd src/xercesc
3. ./runConfigure -p solaris -c cc -x CC
4. gmake
5. add the patch.
6. gmake distclean
7. repeat steps 3 and 4.
Thanks,
Vinu
> Alberto
>
> Vinutha Nagaraju wrote:
>>
>> Hi,
>>
>> This is regarding the security issue on Xerces-C++ which was reported
>> by CERT-FI.
>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>
>> I have received a test case from CERT-FI which contains the sample xml
>> file with the faulty line which can cause a crash. I have been able to
>> reproduce the segmentation fault on Xerces 2.7.0. However we are using
>> Xerces 2.6.0 within our Web Server product. Hence tried the same steps
>> to reproduce it in 2.6.0 but instead of the crash I could see the
>> following error message printed. This was the same error message I got
>> after patching 2.7.0 as well.
>> bash-3.00$ ./SAXPrint ./xerces-crash.xml
>> <?xml version="1.0" encoding="LATIN1"?>
>>
>> Fatal Error at file
>> /iws_share/vinu/xerces/2.6.0/solaris/xerces-c-src_2_6_0/bin/
>> xerces-crash.xml, line 2, char 65564
>> Message: Expected an element name
>>
>> Is this vulnerability applicable to 2.6.0 or not ? Without it being
>> reproduced if we have to change the xerces in our product, it would
>> mean a lot of effort of patching and rebuilding 2.6.0 on all
>> platforms. Hence I kindly request someone to provide their expert
>> comment on this.
>>
>> Note: Due to security reasons I cannot attach the test case. Please
>> email your PGP key and I can send you the test case.
>>
>> Thanks,
>> Vinu
>>
>>
>> Alberto Massari wrote:
>>> Hi Vinu,
>>> the security report has the link to the SVN change, that you can
>>> apply to the version of Xerces you are using.
>>>
>>> Alberto
>>>
>>> Vinutha Nagaraju wrote:
>>>> Hi,
>>>>
>>>> We are using Xerces 2.6.0 within our product and we have recently
>>>> read about the following security issue with Xerces.
>>>>
>>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>>
>>>> We would like to know in which Version of Xerces is the fix available ?
>>>> Can we request this to be ported to 2.x series too. Because moving
>>>> from 2.x to next major release would mean lot of changes at our
>>>> product end which is under sustaining phase. Appreciate if this
>>>> request could be accommodated. I am hoping this would eventually
>>>> help other users of xerces with similar request.
>>>>
>>>> Thanks,
>>>> Vinu
>>>>
>>>>
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
>> For additional commands, e-mail: c-dev-help@xerces.apache.org
>>
>>
>
Re: Is Security issue applicable to Xerces 2.6.0 ?
Posted by Alberto Massari <am...@datadirect.com>.
The security issue is in the end a stack overflow, and it's in 2.6 as
well; some operating systems grow the stack on demand, and can handle
such a test case with only a performance impact. Did 2.7 fail on the
same system?
Alberto
Vinutha Nagaraju wrote:
>
> Hi,
>
> This is regarding the security issue on Xerces-C++ which was reported
> by CERT-FI.
> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>
> I have received a test case from CERT-FI which contains the sample xml
> file with the faulty line which can cause a crash. I have been able to
> reproduce the segmentation fault on Xerces 2.7.0. However we are using
> Xerces 2.6.0 within our Web Server product. Hence tried the same steps
> to reproduce it in 2.6.0 but instead of the crash I could see the
> following error message printed. This was the same error message I got
> after patching 2.7.0 as well.
> bash-3.00$ ./SAXPrint ./xerces-crash.xml
> <?xml version="1.0" encoding="LATIN1"?>
>
> Fatal Error at file
> /iws_share/vinu/xerces/2.6.0/solaris/xerces-c-src_2_6_0/bin/
> xerces-crash.xml, line 2, char 65564
> Message: Expected an element name
>
> Is this vulnerability applicable to 2.6.0 or not ? Without it being
> reproduced if we have to change the xerces in our product, it would
> mean a lot of effort of patching and rebuilding 2.6.0 on all
> platforms. Hence I kindly request someone to provide their expert
> comment on this.
>
> Note: Due to security reasons I cannot attach the test case. Please
> email your PGP key and I can send you the test case.
>
> Thanks,
> Vinu
>
>
> Alberto Massari wrote:
>> Hi Vinu,
>> the security report has the link to the SVN change, that you can
>> apply to the version of Xerces you are using.
>>
>> Alberto
>>
>> Vinutha Nagaraju wrote:
>>> Hi,
>>>
>>> We are using Xerces 2.6.0 within our product and we have recently
>>> read about the following security issue with Xerces.
>>>
>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>
>>> We would like to know in which Version of Xerces is the fix available ?
>>> Can we request this to be ported to 2.x series too. Because moving
>>> from 2.x to next major release would mean lot of changes at our
>>> product end which is under sustaining phase. Appreciate if this
>>> request could be accommodated. I am hoping this would eventually
>>> help other users of xerces with similar request.
>>>
>>> Thanks,
>>> Vinu
>>>
>>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
> For additional commands, e-mail: c-dev-help@xerces.apache.org
>
>
Re: Is Security issue applicable to Xerces 2.6.0 ?
Posted by Alberto Massari <am...@datadirect.com>.
The security issue is in the end a stack overflow, and it's in 2.6 as
well; some operating systems grow the stack on demand, and can handle
such a test case with only a performance impact. Did 2.7 fail on the
same system?
Alberto
Vinutha Nagaraju wrote:
>
> Hi,
>
> This is regarding the security issue on Xerces-C++ which was reported
> by CERT-FI.
> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>
> I have received a test case from CERT-FI which contains the sample xml
> file with the faulty line which can cause a crash. I have been able to
> reproduce the segmentation fault on Xerces 2.7.0. However we are using
> Xerces 2.6.0 within our Web Server product. Hence tried the same steps
> to reproduce it in 2.6.0 but instead of the crash I could see the
> following error message printed. This was the same error message I got
> after patching 2.7.0 as well.
> bash-3.00$ ./SAXPrint ./xerces-crash.xml
> <?xml version="1.0" encoding="LATIN1"?>
>
> Fatal Error at file
> /iws_share/vinu/xerces/2.6.0/solaris/xerces-c-src_2_6_0/bin/
> xerces-crash.xml, line 2, char 65564
> Message: Expected an element name
>
> Is this vulnerability applicable to 2.6.0 or not ? Without it being
> reproduced if we have to change the xerces in our product, it would
> mean a lot of effort of patching and rebuilding 2.6.0 on all
> platforms. Hence I kindly request someone to provide their expert
> comment on this.
>
> Note: Due to security reasons I cannot attach the test case. Please
> email your PGP key and I can send you the test case.
>
> Thanks,
> Vinu
>
>
> Alberto Massari wrote:
>> Hi Vinu,
>> the security report has the link to the SVN change, that you can
>> apply to the version of Xerces you are using.
>>
>> Alberto
>>
>> Vinutha Nagaraju wrote:
>>> Hi,
>>>
>>> We are using Xerces 2.6.0 within our product and we have recently
>>> read about the following security issue with Xerces.
>>>
>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>
>>> We would like to know in which Version of Xerces is the fix available ?
>>> Can we request this to be ported to 2.x series too. Because moving
>>> from 2.x to next major release would mean lot of changes at our
>>> product end which is under sustaining phase. Appreciate if this
>>> request could be accommodated. I am hoping this would eventually
>>> help other users of xerces with similar request.
>>>
>>> Thanks,
>>> Vinu
>>>
>>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
> For additional commands, e-mail: c-dev-help@xerces.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org