Security bug in XMLTooling-C before 1.6.3 [CVE-2018-0486]

Bug #1743762 reported by Nick Moriarty
This bug affects 3 people
Affects                 Status        Importance  Assigned to  Milestone
xmltooling (Ubuntu)     Fix Released  Undecided   Unassigned
  Trusty                Fix Released  Undecided   Unassigned
  Xenial                Fix Released  Undecided   Unassigned
  Artful                Triaged       Undecided   Unassigned
  Bionic                Fix Released  Undecided   Unassigned

Bug Description

From the Debian bug report at https://www.debian.org/security/2018/dsa-4085:

    Philip Huppert discovered the Shibboleth service provider is vulnerable to impersonation attacks and information disclosure due to mishandling of DTDs in the XMLTooling XML parsing library. For additional details please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv_20180112.txt

    For the oldstable distribution (jessie), this problem has been fixed in version 1.5.3-2+deb8u2.

    The stable distribution (stretch) is not affected.

    We recommend that you upgrade your xmltooling packages.

    For the detailed security status of xmltooling please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xmltooling

This bug is fixed upstream in Debian.

Tags: patch

information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in xmltooling (Ubuntu):
status: New → Incomplete
Steve Beattie (sbeattie)
Changed in xmltooling (Ubuntu):
status: Incomplete → Triaged
Steve Beattie (sbeattie)
Changed in xmltooling (Ubuntu Artful):
status: New → Triaged
Changed in xmltooling (Ubuntu Xenial):
status: New → Triaged
Changed in xmltooling (Ubuntu Trusty):
status: New → Triaged
Ray Link (rlink) wrote :

Here's a debdiff for Xenial. It is my understanding that Trusty can get a fakesync from Jessie.

Bert Van de Poel (bhack) wrote :

Debian is working on patches for all of its stable repositories. See https://lists.alioth.debian.org/pipermail/pkg-shibboleth-devel/2018-January/thread.html for details.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "CVE-2018-0486.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xmltooling - 1.5.3-2+deb8u2build0.14.04.1

---------------
xmltooling (1.5.3-2+deb8u2build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian (LP: #1743762)

xmltooling (1.5.3-2+deb8u2) jessie-security; urgency=high

  * [5c2845b] Add gbp.conf for jessie
  * [0ffc343] Convert our single patch into a proper patch queue
  * [91e7acb] New patch: CVE-2018-0486: vulnerability to forged user attribute
    data
    The Service Provider software relies on a generic XML parser to process
    SAML responses and there are limitations in older versions of the parser
    that make it impossible to fully disable Document Type Definition (DTD)
    processing.
    Through addition/manipulation of a DTD, it's possible to make changes
    to an XML document that do not break a digital signature but are
    mishandled by the SP and its libraries. These manipulations can alter
    the user data passed through to applications behind the SP and result
    in impersonation attacks and exposure of protected information.
    While the use of XML Encryption can serve as a mitigation for this bug,
    it may still be possible to construct attacks in such cases, and the SP
    does not provide a means to enforce its use.
    CPPXT-127 - Block entity reference nodes during unmarshalling.
    https://issues.shibboleth.net/jira/browse/CPPXT-127
    Thanks to Scott Cantor
  * [49b7352] Update Uploaders: add Etienne, remove Russ, update myself

 -- Steve Beattie <email address hidden> Wed, 17 Jan 2018 14:38:30 -0800

Changed in xmltooling (Ubuntu Trusty):
status: Triaged → Fix Released
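The changelog above describes both the defect (DTD constructs that change what the parser hands to the SP without breaking the signature) and the fix (blocking entity reference nodes during unmarshalling). The following is an added example, not code from this bug report, Debian, Ubuntu or the xmltooling project: a small policy gate written against Python's standard expat binding that reports any DOCTYPE, entity declaration or unexpanded entity reference and rejects the document before any SAML processing would start. The function names inspect_xml and check_policy and the three SAML-shaped sample documents are constructed for this example.

```python
"""Added example: a DTD policy gate in front of XML unmarshalling.

Not code from the Launchpad bug, Debian, Ubuntu or the xmltooling project.
It illustrates the mitigation the changelog describes: refuse a document that
relies on DTD constructs (a DOCTYPE, entity declarations, entity references),
because those can change what the parser delivers to the application without
altering the signed bytes. Only Python's standard expat binding is used; the
SAML-shaped documents below are constructed for this example.
"""
import xml.parsers.expat


def inspect_xml(data: bytes) -> dict:
    """Parse ``data`` once with expat and report every DTD-related construct.

    Installing DefaultHandler makes expat stop expanding internal entities in
    element content and hand the raw reference (e.g. '&who;') to that handler,
    so the report shows references instead of silently substituted text.
    """
    report = {"doctype": False, "entities": [], "refs": [], "text": ""}
    parser = xml.parsers.expat.ParserCreate()

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE counts, whether it carries an internal subset or only
        # points at an external DTD (expat does not fetch the latter here,
        # because no ExternalEntityRefHandler is installed).
        report["doctype"] = True

    def entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        report["entities"].append(name)

    def char_data(text):
        report["text"] += text

    def default(text):
        # Prolog markup and the DTD itself also arrive here; keep only the
        # unexpanded general-entity references from element content.
        if text.startswith("&") and text.endswith(";"):
            report["refs"].append(text)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.CharacterDataHandler = char_data
    parser.DefaultHandler = default
    parser.Parse(data, True)
    return report


def check_policy(data: bytes):
    """Return (accepted, reason) for the document.

    The DOCTYPE check is the real gate: expat still expands entity references
    inside attribute values regardless of DefaultHandler, but an entity cannot
    be used without being declared, and a declaration needs a DOCTYPE.
    """
    report = inspect_xml(data)
    if report["doctype"]:
        return False, "DOCTYPE declaration present"
    if report["entities"]:
        return False, "entity declarations present"
    if report["refs"]:
        return False, "unexpanded entity references: " + ", ".join(report["refs"])
    return True, "no DTD constructs"


# Constructed sample: a minimal SAML-shaped response with no DTD.
CLEAN = (
    b'<?xml version="1.0"?>\n'
    b'<Response><Assertion><Attribute Name="uid">'
    b'<AttributeValue>alice</AttributeValue>'
    b'</Attribute></Assertion></Response>'
)

# Constructed sample: the same shape, but the attribute value is supplied
# through an internal entity declared in the DOCTYPE.
WITH_DTD = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE Response [ <!ENTITY who "alice"> ]>\n'
    b'<Response><Assertion><Attribute Name="uid">'
    b'<AttributeValue>&who;</AttributeValue>'
    b'</Attribute></Assertion></Response>'
)

# Constructed sample: a DOCTYPE that only names an external DTD
# ("placeholder.dtd" is a placeholder and is never fetched).
EXTERNAL_DTD = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE Response SYSTEM "placeholder.dtd">\n'
    b'<Response/>'
)


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("internal DTD", WITH_DTD),
                       ("external DTD", EXTERNAL_DTD)):
        accepted, reason = check_policy(doc)
        print(f"{label:13s} accepted={accepted} ({reason})")
        print("   report:", inspect_xml(doc))
```

Running the block prints the verdict and the report for each sample; the clean document is accepted with its attribute value intact, the other two are refused at the DOCTYPE before anything downstream sees them. The design point is in check_policy: rejecting on the DOCTYPE is the robust gate, because expat expands entity references inside attribute values even with DefaultHandler installed, and any entity has to be declared before it can be used. The upstream fix named in the changelog works one layer later, on entity reference nodes during unmarshalling; both approaches keep DTD-derived content away from the SAML layer.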
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xmltooling - 1.5.6-2ubuntu0.1

---------------
xmltooling (1.5.6-2ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Upstream patch to fix CVE-2018-0486 (LP: #1743762)
    - d/p/CVE-2018-0486-Block-entity-reference-nodes-during-unmarshalling.patch:
      Block entity reference nodes during unmarshalling.

 -- Ray Link <email address hidden> Wed, 17 Jan 2018 17:48:31 -0500

Changed in xmltooling (Ubuntu Xenial):
status: Triaged → Fix Released
Marc Deslauriers (mdeslaur) wrote :

I am unsubscribing ubuntu-security-sponsors for now since there is no artful debdiff to review. Please subscribe ubuntu-security-sponsors again once an appropriate debdiff is available. Thanks!

Changed in xmltooling (Ubuntu Bionic):
status: Triaged → Fix Released