You are viewing a plain text version of this content. The canonical link for it is here.

Posted to c-dev@xerces.apache.org by Vladimir Loubenski <vl...@opentext.com> on 2016/10/21 16:44:36 UTC

XERCESC-2066 (Exception handling mistake in DTDScanner)

Hi
National Vulnerability Database
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2099
tracks 
https://issues.apache.org/jira/browse/XERCESC-2066
 as a Critical Vulnerability issue.
Does somebody know when it will be fixed in official patch? 

Regards,
Vladimir.


---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org

RE: XERCESC-2066 (Exception handling mistake in DTDScanner)

Posted by "Cantor, Scott" <ca...@osu.edu>.

> Does somebody know when it will be fixed in official patch?

Months ago?

http://svn.apache.org/viewvc?view=revision&revision=1747619

Red Hat still hasn't backported it to my knowledge.

-- Scott


---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org

RE: XERCESC-2066 (Exception handling mistake in DTDScanner)

Posted by Vladimir Loubenski <vl...@opentext.com>.

Thank you for clarification.

Regards,
Vladimir.


-----Original Message-----
From: Cantor, Scott [mailto:cantor.2@osu.edu] 
Sent: October-21-16 1:24 PM
To: c-dev@xerces.apache.org
Subject: RE: XERCESC-2066 (Exception handling mistake in DTDScanner)

> Hi Scott,
> I checked Xerces 3.1.4  sources(
> src/xercesc/validators/DTD/DTDScanner.cpp)
> 
> The fix is missing in them.
> const XMLCh nextCh = fReaderMgr->peekNextChar(); calls without try 
> catch .

The fix I intended to aply is in 3.1.4 and I just verified that.
 
-- Scott


---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org

RE: XERCESC-2066 (Exception handling mistake in DTDScanner)

Posted by "Cantor, Scott" <ca...@osu.edu>.

> Hi Scott,
> I checked Xerces 3.1.4  sources(
> src/xercesc/validators/DTD/DTDScanner.cpp)
> 
> The fix is missing in them.
> const XMLCh nextCh = fReaderMgr->peekNextChar();
> calls without try catch .

The fix I intended to aply is in 3.1.4 and I just verified that.
 
-- Scott


---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org

RE: XERCESC-2066 (Exception handling mistake in DTDScanner)

Posted by Vladimir Loubenski <vl...@opentext.com>.

Hi Scott,
I checked Xerces 3.1.4  sources( src/xercesc/validators/DTD/DTDScanner.cpp)

The fix is missing in them.
const XMLCh nextCh = fReaderMgr->peekNextChar();

calls without try catch .

Does the fix will be in Xerces 3.1.5?

Regards,
Vladimir.


-----Original Message-----
From: Cantor, Scott [mailto:cantor.2@osu.edu] 
Sent: October-21-16 12:52 PM
To: c-dev@xerces.apache.org
Subject: RE: XERCESC-2066 (Exception handling mistake in DTDScanner)

> > Does somebody know when it will be fixed in official patch?
> 
> Months ago?
> 
> https://urldefense.proofpoint.com/v2/url?u=http-3A__svn.apache.org_viewvc-3Fview-3Drevision-26revision-3D1747619&d=DQIFAg&c=ZgVRmm3mf2P1-XDAyDsu4A&r=Go-zk3wwFXw3zk6IKI5viJn9Qf3N2dP8AA11tevsqfk&m=Z1iJtUb3kO64ypZrVXuv_5eWJsIAENmMp9gowKA4Kco&s=2RYr1B-G8DJYMTi7wK98HImnweDSBSo-ixJ5NOgrhp0&e= 

Meant to link to advisory.

https://urldefense.proofpoint.com/v2/url?u=http-3A__xerces.apache.org_xerces-2Dc_secadv_CVE-2D2016-2D4463.txt&d=DQIFAg&c=ZgVRmm3mf2P1-XDAyDsu4A&r=Go-zk3wwFXw3zk6IKI5viJn9Qf3N2dP8AA11tevsqfk&m=Z1iJtUb3kO64ypZrVXuv_5eWJsIAENmMp9gowKA4Kco&s=a_7XsYlyztGFIc2FHL-UqwUj0ZePqrh2W9MyMb3kotk&e= 
 
> -- Scott


---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org

RE: XERCESC-2066 (Exception handling mistake in DTDScanner)

Posted by "Cantor, Scott" <ca...@osu.edu>.

> > Does somebody know when it will be fixed in official patch?
> 
> Months ago?
> 
> http://svn.apache.org/viewvc?view=revision&revision=1747619

Meant to link to advisory.

http://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt
 
> -- Scott


---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org