CVE-2019-9628 XML parser class fails to trap exceptions on malformed XML declaration

Bug #1819912 reported by Kolargol00 on 2019-03-13
Affects             | Status       | Importance | Assigned to                  | Milestone
xmltooling (Debian) | Fix Released | Unknown    |                              |
xmltooling (Ubuntu) |              | High       | Unassigned                   |
  Trusty            |              | Undecided  | Eduardo dos Santos Barretto  |
  Xenial            |              | Undecided  | Eduardo dos Santos Barretto  |
  Bionic            |              | High       | Eduardo dos Santos Barretto  |

Kolargol00 (kolargol00) on 2019-03-13
information type: Private Security → Public Security
Changed in xmltooling (Debian):
status: Unknown → Confirmed
Changed in xmltooling (Debian):
status: Confirmed → Fix Released
Kolargol00 (kolargol00) wrote :

Here's a patch for bionic's xmltooling. It can also be applied to older versions.

Sebastien Bacher (seb128) wrote :

This bug was fixed in the package xmltooling - 3.0.4-1

---------------
xmltooling (3.0.4-1) unstable; urgency=high

  * [f185b26] New upstream security release: 3.0.4
    DSA-4407-1, CVE-2019-9628: uncaught exception on malformed XML
    declaration.
    Invalid data in the XML declaration causes an exception of a type
    that was not handled properly in the parser class and propagates an
    unexpected exception type.
    This generally manifests as a crash in the calling code, which in the
    Service Provider software's case is usually the shibd daemon process,
    but can be Apache in some cases. Note that the crash occurs prior to
    evaluation of a message's authenticity, so can be exploited by an
    untrusted attacker.
    https://shibboleth.net/community/advisories/secadv_20190311.txt
    https://issues.shibboleth.net/jira/browse/CPPXT-143
    Thanks to Scott Cantor (Closes: #924346)

 -- Ferenc Wágner <email address hidden> Thu, 14 Mar 2019 14:58:36 +0100
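The failure the changelog describes, as an added illustrative example that is not xmltooling's or Xerces' code: a hypothetical parser boundary that lets a foreign exception type escape to a caller expecting only the documented type, beside the version that converts everything crossing the boundary. The exception classes, `parseDeclaration`, the `<?xml` version check and `handleMessage` are constructed stand-ins, not the library's API.

```cpp
#include <exception>
#include <stdexcept>
#include <string>

// Constructed stand-in for the library's documented parse error: the only
// exception type the calling code (e.g. a daemon's message handler) catches.
struct XMLParserException : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Constructed stand-in for the underlying parser's own exception type, which
// the calling code does not know about and therefore never catches.
struct UnderlyingParserError : std::exception {
    const char* what() const noexcept override { return "malformed XML declaration"; }
};

// Hypothetical low-level step: a declaration that starts "<?xml" but carries
// no version attribute is treated as malformed and raises the foreign type.
static void parseDeclaration(const std::string& doc) {
    if (doc.compare(0, 5, "<?xml") == 0 && doc.find("version=") == std::string::npos)
        throw UnderlyingParserError();
}

// Before the fix: only the anticipated type is handled, so the foreign
// exception escapes the parser boundary with its original type.
void parseUnsafe(const std::string& doc) {
    try { parseDeclaration(doc); }
    catch (const XMLParserException&) { throw; }
}

// After the fix: everything crossing the boundary is converted to the
// documented type, so the caller's existing handler always traps it.
void parseSafe(const std::string& doc) {
    try { parseDeclaration(doc); }
    catch (const XMLParserException&) { throw; }
    catch (const std::exception& e) {
        throw XMLParserException(std::string("XML parsing failed: ") + e.what());
    }
    catch (...) { throw XMLParserException("XML parsing failed: unknown error"); }
}

// Caller modelled on the daemon: 0 = parsed, 1 = rejected cleanly (before any
// authenticity check), 2 = an unexpected type escaped. In a real process with
// no outer handler, outcome 2 is std::terminate, i.e. the crash in the advisory.
template <void (*Parse)(const std::string&)>
int handleMessage(const std::string& doc) {
    try { Parse(doc); return 0; }
    catch (const XMLParserException&) { return 1; }
    catch (...) { return 2; }
}
```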

Changed in xmltooling (Ubuntu):
importance: Undecided → High
status: New → Fix Released
Changed in xmltooling (Ubuntu Bionic):
importance: Undecided → High
Changed in xmltooling (Ubuntu):
assignee: nobody → Eduardo dos Santos Barretto (ebarretto)

Here is a patch for xmltooling in xenial. Can someone review and sponsor it please?

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in xmltooling (Ubuntu Bionic):
status: New → Confirmed
Changed in xmltooling (Ubuntu):
status: Fix Released → In Progress
Changed in xmltooling (Ubuntu Bionic):
assignee: nobody → Eduardo dos Santos Barretto (ebarretto)
status: Confirmed → In Progress
Changed in xmltooling (Ubuntu Trusty):
status: New → In Progress
Changed in xmltooling (Ubuntu Xenial):
status: New → In Progress
Changed in xmltooling (Ubuntu Trusty):
assignee: nobody → Eduardo dos Santos Barretto (ebarretto)
Changed in xmltooling (Ubuntu Xenial):
assignee: nobody → Eduardo dos Santos Barretto (ebarretto)
Changed in xmltooling (Ubuntu):
status: In Progress → Fix Released
assignee: Eduardo dos Santos Barretto (ebarretto) → nobody

Hi Etienne,

Thanks for taking the time to report this bug and helping to make Ubuntu better.

I will be sponsoring it.
I will be back to you later today and I would appreciate if you could run some tests on the built .debs.

Thanks again

Hi Etienne,

I would appreciate if you could run some tests with the binaries that you can find below:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=xmltooling&field.status_filter=published&field.series_filter=

Thanks

Hi Eduardo,

I downloaded the debs from bionic's amd64 build and successfully ran piuparts (install-purge and install-upgrade-purge tests) on them. Is that the level of testing you expected? If yes, then I'll do the same with debs for xenial and trusty.

Hi Etienne,

Yes it helps, also any other usage cases that you can run will be much appreciated.

Thanks,
Eduardo

So I tested the following on bionic, xenial and trusty (amd64):
a) piuparts install-purge and install-upgrade-purge tests
b) In the corresponding Docker container:
  1. Install the whole Shibboleth SPv2 from the distribution's repositories
     apt install libapache2-mod-shib2 libxmltooling-dev
  2. Test shibd's configuration with
     cd /etc/shibboleth; shib-keygen; shibd -t
  3. service shibd start, then check that there are no errors in /var/log/shibboleth/shibd.log
  4. Download the new xmltooling packages and install them (apt-get install ./*.deb)
  5. service shibd restart, then check that there are no errors in /var/log/shibboleth/shibd.log

=> For me, the fixed xmltooling packages for bionic, xenial and trusty are OK :)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xmltooling - 1.6.4-1ubuntu2.1

---------------
xmltooling (1.6.4-1ubuntu2.1) bionic-security; urgency=high

  * SECURITY UPDATE: uncaught exception on malformed XML declaration
    Invalid data in the XML declaration causes an exception of a type that
    was not handled properly in the parser class and propagates an
    unexpected exception type.
    This generally manifests as a crash in the calling code, which in the
    Service Provider software's case is usually the shibd daemon process,
    but can be Apache in some cases. Note that the crash occurs prior to
    evaluation of a message's authenticity, so can be exploited by an
    untrusted attacker.
    - debian/patches/CVE-2019-9628.patch
    - CVE-2019-9628
    - https://shibboleth.net/community/advisories/secadv_20190311.txt
    - LP: #1819912

 -- Etienne Dysli Metref <email address hidden> Thu, 14 Mar 2019 11:56:34 +0100

Changed in xmltooling (Ubuntu Bionic):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xmltooling - 1.5.6-2ubuntu0.3

---------------
xmltooling (1.5.6-2ubuntu0.3) xenial-security; urgency=high

  * SECURITY UPDATE: uncaught exception on malformed XML declaration
    Invalid data in the XML declaration causes an exception of a type that
    was not handled properly in the parser class and propagates an
    unexpected exception type.
    This generally manifests as a crash in the calling code, which in the
    Service Provider software's case is usually the shibd daemon process,
    but can be Apache in some cases. Note that the crash occurs prior to
    evaluation of a message's authenticity, so can be exploited by an
    untrusted attacker.
    - debian/patches/CVE-2019-9628.patch
    - CVE-2019-9628
    - https://shibboleth.net/community/advisories/secadv_20190311.txt
    - LP: #1819912

 -- Etienne Dysli Metref <email address hidden> Thu, 14 Mar 2019 11:56:34 +0100

Changed in xmltooling (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xmltooling - 1.5.3-2+deb8u3ubuntu0.1

---------------
xmltooling (1.5.3-2+deb8u3ubuntu0.1) trusty-security; urgency=high

  * SECURITY UPDATE: uncaught exception on malformed XML declaration
    Invalid data in the XML declaration causes an exception of a type that
    was not handled properly in the parser class and propagates an
    unexpected exception type.
    This generally manifests as a crash in the calling code, which in the
    Service Provider software's case is usually the shibd daemon process,
    but can be Apache in some cases. Note that the crash occurs prior to
    evaluation of a message's authenticity, so can be exploited by an
    untrusted attacker.
    - debian/patches/CVE-2019-9628.patch
    - CVE-2019-9628
    - https://shibboleth.net/community/advisories/secadv_20190311.txt
    - LP: #1819912

 -- Etienne Dysli Metref <email address hidden> Thu, 14 Mar 2019 11:56:34 +0100

Changed in xmltooling (Ubuntu Trusty):
status: In Progress → Fix Released

Thanks Etienne,

Updated version was released for trusty, xenial, bionic and cosmic.

Thanks again for the testing and for providing the debdiffs.

Any problems just let us know.

Thank you for your help Eduardo! :D
