CVE-2019-9628 XML parser class fails to trap exceptions on malformed XML declaration

Bug #1819912 reported by Kolargol00
Affects                 Status        Importance  Assigned to        Milestone
xmltooling (Debian)     Fix Released  Unknown
xmltooling (Ubuntu)     Fix Released  High        Unassigned
  Trusty                Fix Released  Undecided   Eduardo Barretto
  Xenial                Fix Released  Undecided   Eduardo Barretto
  Bionic                Fix Released  High        Eduardo Barretto

Kolargol00 (kolargol00)
information type: Private Security → Public Security
Changed in xmltooling (Debian):
status: Unknown → Confirmed
Changed in xmltooling (Debian):
status: Confirmed → Fix Released
Kolargol00 (kolargol00) wrote :

Here's a patch for bionic's xmltooling. It can also be applied to older versions.

Sebastien Bacher (seb128) wrote :

This bug was fixed in the package xmltooling - 3.0.4-1

---------------
xmltooling (3.0.4-1) unstable; urgency=high

  * [f185b26] New upstream security release: 3.0.4
    DSA-4407-1, CVE-2019-9628: uncaught exception on malformed XML
    declaration.
    Invalid data in the XML declaration causes an exception of a type
    that was not handled properly in the parser class and propagates an
    unexpected exception type.
    This generally manifests as a crash in the calling code, which in the
    Service Provider software's case is usually the shibd daemon process,
    but can be Apache in some cases. Note that the crash occurs prior to
    evaluation of a message's authenticity, so can be exploited by an
    untrusted attacker.
    https://shibboleth.net/community/advisories/secadv_20190311.txt
    https://issues.shibboleth.net/jira/browse/CPPXT-143
    Thanks to Scott Cantor (Closes: #924346)

 -- Ferenc Wágner <email address hidden> Thu, 14 Mar 2019 14:58:36 +0100

Changed in xmltooling (Ubuntu):
importance: Undecided → High
status: New → Fix Released
Mathew Hodson (mhodson)
Changed in xmltooling (Ubuntu Bionic):
importance: Undecided → High
Changed in xmltooling (Ubuntu):
assignee: nobody → Eduardo dos Santos Barretto (ebarretto)
Etienne Dysli Metref (etienne-dysli-metref) wrote :

Here is a patch for xmltooling in xenial. Can someone review and sponsor it please?

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in xmltooling (Ubuntu Bionic):
status: New → Confirmed
Changed in xmltooling (Ubuntu):
status: Fix Released → In Progress
Changed in xmltooling (Ubuntu Bionic):
assignee: nobody → Eduardo dos Santos Barretto (ebarretto)
status: Confirmed → In Progress
Changed in xmltooling (Ubuntu Trusty):
status: New → In Progress
Changed in xmltooling (Ubuntu Xenial):
status: New → In Progress
Changed in xmltooling (Ubuntu Trusty):
assignee: nobody → Eduardo dos Santos Barretto (ebarretto)
Changed in xmltooling (Ubuntu Xenial):
assignee: nobody → Eduardo dos Santos Barretto (ebarretto)
Changed in xmltooling (Ubuntu):
status: In Progress → Fix Released
assignee: Eduardo dos Santos Barretto (ebarretto) → nobody
Eduardo Barretto (ebarretto) wrote :

Hi Etienne,

Thanks for taking the time to report this bug and helping to make Ubuntu better.

I will be sponsoring it.
I will get back to you later today, and I would appreciate it if you could run some tests on the built .debs.

Thanks again

Eduardo Barretto (ebarretto) wrote :

Hi Etienne,

I would appreciate it if you could run some tests with the binaries that you can find below:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=xmltooling&field.status_filter=published&field.series_filter=

Thanks

Etienne Dysli Metref (etienne-dysli-metref) wrote :

Hi Eduardo,

I downloaded the debs from bionic's amd64 build and successfully ran piuparts (install-purge and install-upgrade-purge tests) on them. Is that the level of testing you expected? If yes, then I'll do the same with the debs for xenial and trusty.

Eduardo Barretto (ebarretto) wrote :

Hi Etienne,

Yes, it helps; any other use cases that you can run will also be much appreciated.

Thanks,
Eduardo

Etienne Dysli Metref (etienne-dysli-metref) wrote :

So I tested the following on bionic, xenial and trusty (amd64):
a) piuparts install-purge and install-upgrade-purge tests
b) In the corresponding Docker container:
  1. Install the whole Shibboleth SPv2 from the distribution's repositories
     apt install libapache2-mod-shib2 libxmltooling-dev
  2. Test shibd's configuration with
     cd /etc/shibboleth; shib-keygen; shibd -t
  3. service shibd start, then check that there are no errors in /var/log/shibboleth/shibd.log
  4. Download the new xmltooling packages and install them (apt-get install ./*.deb)
  5. service shibd restart, then check that there are no errors in /var/log/shibboleth/shibd.log

=> For me, the fixed xmltooling packages for bionic, xenial and trusty are OK :)

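As an added example that is not part of the bug report or of the xmltooling project, the following POSIX sh script automates the version and log checks from the test steps above. The fixed versions are the ones recorded in the changelogs on this bug; the log4shib line layout and the use of lsb_release, dpkg-query and dpkg --compare-versions on the host are assumptions.

```shell
#!/bin/sh
# Added example, not from this bug report: a post-update check that follows the
# tester's steps above. Assumes Ubuntu with dpkg, lsb_release and shibd installed.
set -eu

# Fixed xmltooling versions per series, taken from the changelog entries on this bug.
# (cosmic was also updated per the thread, but no version is recorded here.)
fixed_version() {
    case "$1" in
        trusty) echo "1.5.3-2+deb8u3ubuntu0.1" ;;
        xenial) echo "1.5.6-2ubuntu0.3" ;;
        bionic) echo "1.6.4-1ubuntu2.1" ;;
        *) return 1 ;;
    esac
}

# Count ERROR/CRIT/FATAL lines in a shibd.log read from stdin (prints the count).
# Assumes the default log4shib layout: "YYYY-MM-DD HH:MM:SS LEVEL category : message".
count_log_errors() {
    grep -cE '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9:]{8} (ERROR|CRIT|FATAL) ' || true
}

# Constructed sample log (not a real shibd.log) used to exercise count_log_errors.
SAMPLE_LOG='2019-03-14 11:56:34 INFO Shibboleth.Config : loading configuration
2019-03-14 11:56:35 ERROR Shibboleth.Application : constructed sample error line
2019-03-14 11:56:36 INFO Shibboleth.Listener : listener service started'

# Live check on a host (only runs when invoked as: sh this.sh run):
#   1. installed libxmltooling-dev must be at or above the fixed version for the series,
#   2. "shibd -t" must accept the configuration,
#   3. the log must gain no error lines across a restart.
verify_host() {
    series=$(lsb_release -sc)
    want=$(fixed_version "$series") || { echo "no fixed version known for $series"; return 2; }
    have=$(dpkg-query -W -f='${Version}' libxmltooling-dev)
    dpkg --compare-versions "$have" ge "$want" || { echo "xmltooling $have < $want: NOT fixed"; return 1; }
    echo "xmltooling $have >= $want: fixed"
    (cd /etc/shibboleth && shibd -t) || return 1
    before=$(count_log_errors < /var/log/shibboleth/shibd.log)
    service shibd restart
    sleep 5
    after=$(count_log_errors < /var/log/shibboleth/shibd.log)
    [ "$after" -le "$before" ] || { echo "new errors in shibd.log after restart"; return 1; }
    echo "shibd restarted cleanly"
}

if [ "${1:-}" = run ]; then verify_host; fi
```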
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xmltooling - 1.6.4-1ubuntu2.1

---------------
xmltooling (1.6.4-1ubuntu2.1) bionic-security; urgency=high

  * SECURITY UPDATE: uncaught exception on malformed XML declaration
    Invalid data in the XML declaration causes an exception of a type that
    was not handled properly in the parser class and propagates an
    unexpected exception type.
    This generally manifests as a crash in the calling code, which in the
    Service Provider software's case is usually the shibd daemon process,
    but can be Apache in some cases. Note that the crash occurs prior to
    evaluation of a message's authenticity, so can be exploited by an
    untrusted attacker.
    - debian/patches/CVE-2019-9628.patch
    - CVE-2019-9628
    - https://shibboleth.net/community/advisories/secadv_20190311.txt
    - LP: #1819912

 -- Etienne Dysli Metref <email address hidden> Thu, 14 Mar 2019 11:56:34 +0100

Changed in xmltooling (Ubuntu Bionic):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xmltooling - 1.5.6-2ubuntu0.3

---------------
xmltooling (1.5.6-2ubuntu0.3) xenial-security; urgency=high

  * SECURITY UPDATE: uncaught exception on malformed XML declaration
    Invalid data in the XML declaration causes an exception of a type that
    was not handled properly in the parser class and propagates an
    unexpected exception type.
    This generally manifests as a crash in the calling code, which in the
    Service Provider software's case is usually the shibd daemon process,
    but can be Apache in some cases. Note that the crash occurs prior to
    evaluation of a message's authenticity, so can be exploited by an
    untrusted attacker.
    - debian/patches/CVE-2019-9628.patch
    - CVE-2019-9628
    - https://shibboleth.net/community/advisories/secadv_20190311.txt
    - LP: #1819912

 -- Etienne Dysli Metref <email address hidden> Thu, 14 Mar 2019 11:56:34 +0100

Changed in xmltooling (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xmltooling - 1.5.3-2+deb8u3ubuntu0.1

---------------
xmltooling (1.5.3-2+deb8u3ubuntu0.1) trusty-security; urgency=high

  * SECURITY UPDATE: uncaught exception on malformed XML declaration
    Invalid data in the XML declaration causes an exception of a type that
    was not handled properly in the parser class and propagates an
    unexpected exception type.
    This generally manifests as a crash in the calling code, which in the
    Service Provider software's case is usually the shibd daemon process,
    but can be Apache in some cases. Note that the crash occurs prior to
    evaluation of a message's authenticity, so can be exploited by an
    untrusted attacker.
    - debian/patches/CVE-2019-9628.patch
    - CVE-2019-9628
    - https://shibboleth.net/community/advisories/secadv_20190311.txt
    - LP: #1819912

 -- Etienne Dysli Metref <email address hidden> Thu, 14 Mar 2019 11:56:34 +0100

Changed in xmltooling (Ubuntu Trusty):
status: In Progress → Fix Released
Eduardo Barretto (ebarretto) wrote :

Thanks Etienne,

The updated version was released for trusty, xenial, bionic and cosmic.

Thanks again for the testing and for providing the debdiffs.

Any problems just let us know.

Etienne Dysli Metref (etienne-dysli-metref) wrote :

Thank you for your help Eduardo! :D
