Posted to c-dev@xerces.apache.org by Vinutha Nagaraju <Vi...@Sun.COM> on 2009/11/11 14:07:09 UTC

Is Security issue applicable to Xerces 2.6.0 ?

Hi,

This is regarding the security issue on Xerces-C++ which was reported by 
CERT-FI.
http://www.cert.fi/en/reports/2009/vulnerability2009085.html

I have received a test case from CERT-FI which contains the sample xml 
file with the faulty line which can cause a crash. I have been able to 
reproduce the segmentation fault on Xerces 2.7.0. However, we are using 
Xerces 2.6.0 within our Web Server product. Hence I tried the same steps 
to reproduce it in 2.6.0, but instead of the crash I could see the 
following error message printed. This was the same error message I got 
after patching 2.7.0 as well.
bash-3.00$ ./SAXPrint ./xerces-crash.xml
<?xml version="1.0" encoding="LATIN1"?>

Fatal Error at file 
/iws_share/vinu/xerces/2.6.0/solaris/xerces-c-src_2_6_0/bin/
xerces-crash.xml, line 2, char 65564
 Message: Expected an element name

Is this vulnerability applicable to 2.6.0 or not? Without it being 
reproduced, if we have to change the Xerces in our product, it would mean 
a lot of effort of patching and rebuilding 2.6.0 on all platforms. Hence 
I kindly request someone to provide their expert comment on this.

Note: Due to security reasons I cannot attach the test case. Please 
email your PGP key and I can send you the test case.

Thanks,
Vinu


Alberto Massari wrote:
> Hi Vinu,
> the security report has the link to the SVN change, that you can apply 
> to the version of Xerces you are using.
>
> Alberto
>
> Vinutha Nagaraju wrote:
>> Hi,
>>
>> We are using Xerces 2.6.0 within our product and we have recently 
>> read about the following security issue with Xerces.
>>
>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>
>> We would like to know in which Version of Xerces is the fix available ?
>> Can we request this to be ported to 2.x series too. Because moving 
>> from 2.x to next major release would mean lot of changes at our 
>> product end which is under sustaining phase. Appreciate if this 
>> request could be accommodated. I am hoping this would eventually help 
>> other users of xerces with similar request.
>>
>> Thanks,
>> Vinu
>>
>>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org


Re: Is Security issue applicable to Xerces 2.6.0 ?

Posted by Vinutha Nagaraju <Vi...@Sun.COM>.
On 11/12/09 16:47, Alberto Massari wrote:
> I wouldn't be surprised if Xerces 2.x implemented "make distclean" 
> differently from what you would expect. Have you tried adding an 
> explicit "gmake clean" before distclean?
> 

I use the same steps to build a fresh 2.6.0 workspace with the patch.
That works, which means the segmentation fault which was appearing on 
the fresh workspace returns the error message after the patch is applied.
But when I do the reverse, the same gmake steps don't work. I don't know 
how that is possible, though. That is what confused me. I have tried this 
already 2-3 times now.
Let me try out your suggestion.


Thanks,
Vinu

> Alberto
> 
> Vinutha Nagaraju wrote:
>> On 11/11/09 19:50, Alberto Massari wrote:
>>> The security issue is in the end a stack overflow, and it's in 2.6 as 
>>> well; some operating systems grow the stack on demand, and can handle 
>>> such a test case with only a performance impact. Did 2.7 fail on the 
>>> same system?
>>>
>> It was on the same system. I see that function where it has been fixed 
>> has similar code in both 2.6.0 and 2.7.0 so, I tested with fresh 
>> workspace without applying the patch and I am able to reproduce it now.
>>
>> But if I try to reproduce it on a workspace which had the patch once 
>> and later rebuild without the fix. I can't reproduce the bug. I think 
>> something is missing as part of build.  Sorry about this confusion.
>>
>> Are the following build sequence correct?
>> 1. export XERCESCROOT=`pwd`
>> 2. export PATH=[compiler paths]
>> 2. cd src/xercesc
>> 3.  ./runConfigure -p solaris -c cc -x CC
>> 4. gmake
>> 5. add the patch.
>> 6. gmake distclean
>> 7. repeat steps 3 and 4.
>>
>>
>> Thanks,
>> Vinu
>>
>>> Alberto
>>>
>>> Vinutha Nagaraju wrote:
>>>>
>>>> Hi,
>>>>
>>>> This is regarding the security issue on Xerces-C++ which was 
>>>> reported by CERT-FI.
>>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>>
>>>> I have received a test case from CERT-FI which contains the sample 
>>>> xml file with the faulty line which can cause a crash. I have been 
>>>> able to reproduce the segmentation fault on Xerces 2.7.0. However we 
>>>> are using Xerces 2.6.0 within our Web Server product. Hence tried 
>>>> the same steps to reproduce it in 2.6.0 but instead of the crash I 
>>>> could see the following error message printed. This was the same 
>>>> error message I got after patching 2.7.0 as well.
>>>> bash-3.00$ ./SAXPrint ./xerces-crash.xml
>>>> <?xml version="1.0" encoding="LATIN1"?>
>>>>
>>>> Fatal Error at file 
>>>> /iws_share/vinu/xerces/2.6.0/solaris/xerces-c-src_2_6_0/bin/
>>>> xerces-crash.xml, line 2, char 65564
>>>> Message: Expected an element name
>>>>
>>>> Is this vulnerability applicable to 2.6.0 or not ? Without it being 
>>>> reproduced if we have to change the xerces in our product, it would 
>>>> mean a lot of effort of patching and rebuilding 2.6.0 on all 
>>>> platforms. Hence I kindly request someone to provide their expert 
>>>> comment on this.
>>>>
>>>> Note: Due to security reasons I cannot attach the test case. Please 
>>>> email your PGP key and I can send you the test case.
>>>>
>>>> Thanks,
>>>> Vinu
>>>>
>>>>
>>>> Alberto Massari wrote:
>>>>> Hi Vinu,
>>>>> the security report has the link to the SVN change, that you can 
>>>>> apply to the version of Xerces you are using.
>>>>>
>>>>> Alberto
>>>>>
>>>>> Vinutha Nagaraju wrote:
>>>>>> Hi,
>>>>>>
>>>>>> We are using Xerces 2.6.0 within our product and we have recently 
>>>>>> read about the following security issue with Xerces.
>>>>>>
>>>>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>>>>
>>>>>> We would like to know in which Version of Xerces is the fix 
>>>>>> available ?
>>>>>> Can we request this to be ported to 2.x series too. Because moving 
>>>>>> from 2.x to next major release would mean lot of changes at our 
>>>>>> product end which is under sustaining phase. Appreciate if this 
>>>>>> request could be accommodated. I am hoping this would eventually 
>>>>>> help other users of xerces with similar request.
>>>>>>
>>>>>> Thanks,
>>>>>> Vinu
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
> 


Re: Is Security issue applicable to Xerces 2.6.0 ?

Posted by Alberto Massari <am...@datadirect.com>.
I wouldn't be surprised if Xerces 2.x implemented "make distclean" 
differently from what you would expect. Have you tried adding an 
explicit "gmake clean" before distclean?

Alberto

Vinutha Nagaraju wrote:
> On 11/11/09 19:50, Alberto Massari wrote:
>> The security issue is in the end a stack overflow, and it's in 2.6 as 
>> well; some operating systems grow the stack on demand, and can handle 
>> such a test case with only a performance impact. Did 2.7 fail on the 
>> same system?
>>
> It was on the same system. I see that function where it has been fixed 
> has similar code in both 2.6.0 and 2.7.0 so, I tested with fresh 
> workspace without applying the patch and I am able to reproduce it now.
>
> But if I try to reproduce it on a workspace which had the patch once 
> and later rebuild without the fix. I can't reproduce the bug. I think 
> something is missing as part of build.  Sorry about this confusion.
>
> Are the following build sequence correct?
> 1. export XERCESCROOT=`pwd`
> 2. export PATH=[compiler paths]
> 2. cd src/xercesc
> 3.  ./runConfigure -p solaris -c cc -x CC
> 4. gmake
> 5. add the patch.
> 6. gmake distclean
> 7. repeat steps 3 and 4.
>
>
> Thanks,
> Vinu
>
>> Alberto
>>
>> Vinutha Nagaraju wrote:
>>>
>>> Hi,
>>>
>>> This is regarding the security issue on Xerces-C++ which was 
>>> reported by CERT-FI.
>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>
>>> I have received a test case from CERT-FI which contains the sample 
>>> xml file with the faulty line which can cause a crash. I have been 
>>> able to reproduce the segmentation fault on Xerces 2.7.0. However we 
>>> are using Xerces 2.6.0 within our Web Server product. Hence tried 
>>> the same steps to reproduce it in 2.6.0 but instead of the crash I 
>>> could see the following error message printed. This was the same 
>>> error message I got after patching 2.7.0 as well.
>>> bash-3.00$ ./SAXPrint ./xerces-crash.xml
>>> <?xml version="1.0" encoding="LATIN1"?>
>>>
>>> Fatal Error at file 
>>> /iws_share/vinu/xerces/2.6.0/solaris/xerces-c-src_2_6_0/bin/
>>> xerces-crash.xml, line 2, char 65564
>>> Message: Expected an element name
>>>
>>> Is this vulnerability applicable to 2.6.0 or not ? Without it being 
>>> reproduced if we have to change the xerces in our product, it would 
>>> mean a lot of effort of patching and rebuilding 2.6.0 on all 
>>> platforms. Hence I kindly request someone to provide their expert 
>>> comment on this.
>>>
>>> Note: Due to security reasons I cannot attach the test case. Please 
>>> email your PGP key and I can send you the test case.
>>>
>>> Thanks,
>>> Vinu
>>>
>>>
>>> Alberto Massari wrote:
>>>> Hi Vinu,
>>>> the security report has the link to the SVN change, that you can 
>>>> apply to the version of Xerces you are using.
>>>>
>>>> Alberto
>>>>
>>>> Vinutha Nagaraju wrote:
>>>>> Hi,
>>>>>
>>>>> We are using Xerces 2.6.0 within our product and we have recently 
>>>>> read about the following security issue with Xerces.
>>>>>
>>>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>>>
>>>>> We would like to know in which Version of Xerces is the fix 
>>>>> available ?
>>>>> Can we request this to be ported to 2.x series too. Because moving 
>>>>> from 2.x to next major release would mean lot of changes at our 
>>>>> product end which is under sustaining phase. Appreciate if this 
>>>>> request could be accommodated. I am hoping this would eventually 
>>>>> help other users of xerces with similar request.
>>>>>
>>>>> Thanks,
>>>>> Vinu
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>
>



Re: Is Security issue applicable to Xerces 2.6.0 ?

Posted by Vinutha Nagaraju <Vi...@Sun.COM>.
On 11/11/09 19:50, Alberto Massari wrote:
> The security issue is in the end a stack overflow, and it's in 2.6 as 
> well; some operating systems grow the stack on demand, and can handle 
> such a test case with only a performance impact. Did 2.7 fail on the 
> same system?
> 
It was on the same system. I see that the function where it has been fixed 
has similar code in both 2.6.0 and 2.7.0, so I tested with a fresh 
workspace without applying the patch and I am able to reproduce it now.

But if I try to reproduce it on a workspace which had the patch once and 
was later rebuilt without the fix, I can't reproduce the bug. I think 
something is missing as part of the build. Sorry about this confusion.

Is the following build sequence correct?
1. export XERCESCROOT=`pwd`
2. export PATH=[compiler paths]
2. cd src/xercesc
3.  ./runConfigure -p solaris -c cc -x CC
4. gmake
5. add the patch.
6. gmake distclean
7. repeat steps 3 and 4.


Thanks,
Vinu

> Alberto
> 
> Vinutha Nagaraju wrote:
>>
>> Hi,
>>
>> This is regarding the security issue on Xerces-C++ which was reported 
>> by CERT-FI.
>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>
>> I have received a test case from CERT-FI which contains the sample xml 
>> file with the faulty line which can cause a crash. I have been able to 
>> reproduce the segmentation fault on Xerces 2.7.0. However we are using 
>> Xerces 2.6.0 within our Web Server product. Hence tried the same steps 
>> to reproduce it in 2.6.0 but instead of the crash I could see the 
>> following error message printed. This was the same error message I got 
>> after patching 2.7.0 as well.
>> bash-3.00$ ./SAXPrint ./xerces-crash.xml
>> <?xml version="1.0" encoding="LATIN1"?>
>>
>> Fatal Error at file 
>> /iws_share/vinu/xerces/2.6.0/solaris/xerces-c-src_2_6_0/bin/
>> xerces-crash.xml, line 2, char 65564
>> Message: Expected an element name
>>
>> Is this vulnerability applicable to 2.6.0 or not ? Without it being 
>> reproduced if we have to change the xerces in our product, it would 
>> mean a lot of effort of patching and rebuilding 2.6.0 on all 
>> platforms. Hence I kindly request someone to provide their expert 
>> comment on this.
>>
>> Note: Due to security reasons I cannot attach the test case. Please 
>> email your PGP key and I can send you the test case.
>>
>> Thanks,
>> Vinu
>>
>>
>> Alberto Massari wrote:
>>> Hi Vinu,
>>> the security report has the link to the SVN change, that you can 
>>> apply to the version of Xerces you are using.
>>>
>>> Alberto
>>>
>>> Vinutha Nagaraju wrote:
>>>> Hi,
>>>>
>>>> We are using Xerces 2.6.0 within our product and we have recently 
>>>> read about the following security issue with Xerces.
>>>>
>>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>>
>>>> We would like to know in which Version of Xerces is the fix available ?
>>>> Can we request this to be ported to 2.x series too. Because moving 
>>>> from 2.x to next major release would mean lot of changes at our 
>>>> product end which is under sustaining phase. Appreciate if this 
>>>> request could be accommodated. I am hoping this would eventually 
>>>> help other users of xerces with similar request.
>>>>
>>>> Thanks,
>>>> Vinu
>>>>
>>>>
>>>
>>
>>
>>
>>
> 



Re: Is Security issue applicable to Xerces 2.6.0 ?

Posted by Alberto Massari <am...@datadirect.com>.
The security issue is in the end a stack overflow, and it's in 2.6 as 
well; some operating systems grow the stack on demand, and can handle 
such a test case with only a performance impact. Did 2.7 fail on the 
same system?

Alberto

Vinutha Nagaraju wrote:
>
> Hi,
>
> This is regarding the security issue on Xerces-C++ which was reported 
> by CERT-FI.
> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>
> I have received a test case from CERT-FI which contains the sample xml 
> file with the faulty line which can cause a crash. I have been able to 
> reproduce the segmentation fault on Xerces 2.7.0. However we are using 
> Xerces 2.6.0 within our Web Server product. Hence tried the same steps 
> to reproduce it in 2.6.0 but instead of the crash I could see the 
> following error message printed. This was the same error message I got 
> after patching 2.7.0 as well.
> bash-3.00$ ./SAXPrint ./xerces-crash.xml
> <?xml version="1.0" encoding="LATIN1"?>
>
> Fatal Error at file 
> /iws_share/vinu/xerces/2.6.0/solaris/xerces-c-src_2_6_0/bin/
> xerces-crash.xml, line 2, char 65564
> Message: Expected an element name
>
> Is this vulnerability applicable to 2.6.0 or not ? Without it being 
> reproduced if we have to change the xerces in our product, it would 
> mean a lot of effort of patching and rebuilding 2.6.0 on all 
> platforms. Hence I kindly request someone to provide their expert 
> comment on this.
>
> Note: Due to security reasons I cannot attach the test case. Please 
> email your PGP key and I can send you the test case.
>
> Thanks,
> Vinu
>
>
> Alberto Massari wrote:
>> Hi Vinu,
>> the security report has the link to the SVN change, that you can 
>> apply to the version of Xerces you are using.
>>
>> Alberto
>>
>> Vinutha Nagaraju wrote:
>>> Hi,
>>>
>>> We are using Xerces 2.6.0 within our product and we have recently 
>>> read about the following security issue with Xerces.
>>>
>>> http://www.cert.fi/en/reports/2009/vulnerability2009085.html
>>>
>>> We would like to know in which Version of Xerces is the fix available ?
>>> Can we request this to be ported to 2.x series too. Because moving 
>>> from 2.x to next major release would mean lot of changes at our 
>>> product end which is under sustaining phase. Appreciate if this 
>>> request could be accommodated. I am hoping this would eventually 
>>> help other users of xerces with similar request.
>>>
>>> Thanks,
>>> Vinu
>>>
>>>
>>
>
>
>
>
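
Alberto's point above (the crash is a stack overflow that some operating systems mask by growing the stack on demand) as an added example; this is not Xerces-C++ code and not the CERT-FI test case. The thread does not say what the faulty line contains, so the nested-group grammar, the input built by makeDeeplyNested, and the names kNoLimit and parseContentModel are this example's assumptions. With kNoLimit the recursion is bounded only by the thread's stack, so the same input may segfault on one platform and merely run slowly on another; with a limit the scanner reports an ordinary fatal error at a known offset, the kind of outcome the patched build in the thread shows instead of a segfault.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

enum class ParseStatus { Ok, SyntaxError, NestingTooDeep };

struct ParseResult {
    ParseStatus status;
    std::size_t maxDepth;  // deepest group nesting the scanner reached
    std::size_t position;  // byte offset where scanning stopped
};

// Sentinel for "no depth limit".  This is the vulnerable configuration: the
// only bound on recursion is the thread's stack, and the input controls it.
constexpr std::size_t kNoLimit = static_cast<std::size_t>(-1);

namespace {

struct Cursor {
    const std::string& in;
    std::size_t limit;
    std::size_t pos = 0;
    std::size_t maxDepth = 0;
    ParseStatus status = ParseStatus::Ok;

    Cursor(const std::string& s, std::size_t l) : in(s), limit(l) {}
    bool more() const { return pos < in.size(); }
    char peek() const { return in[pos]; }
    bool fail(ParseStatus s) { status = s; return false; }
};

// name := [a-z]+
bool parseName(Cursor& c) {
    const std::size_t start = c.pos;
    while (c.more() && c.peek() >= 'a' && c.peek() <= 'z') ++c.pos;
    if (c.pos == start) return c.fail(ParseStatus::SyntaxError);
    return true;
}

// item := name | '(' item (',' item)* ')'
// Every '(' adds a stack frame.  Without a limit a long run of '(' exhausts
// the stack: a segfault on most systems, or just a slow parse on one that
// grows the stack on demand.  The hardened check turns that into a normal
// fatal error at a known offset, which is what a patched scanner reports.
bool parseItem(Cursor& c, std::size_t depth) {
    if (!c.more()) return c.fail(ParseStatus::SyntaxError);
    if (c.peek() != '(') return parseName(c);
    if (c.limit != kNoLimit && depth >= c.limit)   // hardened: bound the recursion
        return c.fail(ParseStatus::NestingTooDeep);
    ++c.pos;                                        // consume '('
    if (depth + 1 > c.maxDepth) c.maxDepth = depth + 1;
    if (!parseItem(c, depth + 1)) return false;
    while (c.more() && c.peek() == ',') {
        ++c.pos;                                    // consume ','
        if (!parseItem(c, depth + 1)) return false;
    }
    if (!c.more() || c.peek() != ')') return c.fail(ParseStatus::SyntaxError);
    ++c.pos;                                        // consume ')'
    return true;
}

}  // namespace

// Scan one content-model line.  limit == kNoLimit reproduces the unbounded
// (vulnerable) behaviour; any other value is the maximum nesting accepted.
ParseResult parseContentModel(const std::string& in, std::size_t limit) {
    Cursor c(in, limit);
    bool ok = parseItem(c, 0);
    if (ok && c.more()) ok = c.fail(ParseStatus::SyntaxError);  // trailing junk
    return ParseResult{ok ? ParseStatus::Ok : c.status, c.maxDepth, c.pos};
}

// Constructed test input (not the CERT-FI file): a well-formed group nested
// n levels deep, whose only effect is to drive the scanner n frames down.
std::string makeDeeplyNested(std::size_t n) {
    return std::string(n, '(') + "a" + std::string(n, ')');
}

int main() {
    ParseResult r = parseContentModel("(a,(b,c),d)", kNoLimit);
    std::printf("shallow: status=%d depth=%zu pos=%zu\n",
                static_cast<int>(r.status), r.maxDepth, r.position);

    // 100000 levels: with kNoLimit this is the crash (or the slow parse) from
    // the thread, so it is only ever run with a limit here.
    r = parseContentModel(makeDeeplyNested(100000), 256);
    std::printf("deep, limit 256: status=%d depth=%zu pos=%zu\n",
                static_cast<int>(r.status), r.maxDepth, r.position);
    return 0;
}
```

Running the deep input with kNoLimit under a small `ulimit -s` versus a large one reproduces the platform-dependent behaviour the thread describes: the code is identical, only the stack budget differs.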

