Bug 13554

Summary: castor new security issue CVE-2014-3004
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: herman.viaene, mageia, pterjan, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/603009/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: castor-1.3.2-10.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-06-20 16:44:26 CEST 
OpenSuSE has issued an advisory today (June 20):
http://lists.opensuse.org/opensuse-updates/2014-06/msg00043.html

The issue is fixed upstream in 1.3.2.

Since we have version 1.3.2 in Mageia 3, Mageia 4, and Cauldron, it may be easier to update it.  Otherwise, OpenSuSE's patch for 0.9.5 may be adaptable.  I haven't found any reference to the upstream commit.

Reproducible: 

Steps to Reproduce:
David Walser 2014-06-20 16:44:35 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

David Walser 2014-06-20 18:54:09 CEST

URL: (none) => http://lwn.net/Vulnerabilities/603009/

Comment 1 David Walser 2014-07-09 00:57:06 CEST 
(In reply to David Walser from comment #0)
> The issue is fixed upstream in 1.3.2.

Whoops, I meant 1.3.3.

The patch OpenSuSE added for 0.9.5 doesn't look forward-portable to 1.3.2.  Fedora has yet to address this issue, so I guess we'll wait for them.
Comment 2 Sander Lepik 2014-10-04 16:06:03 CEST 
Ping..

CC: (none) => mageia

Comment 3 David Walser 2014-12-15 20:02:01 CET 
Fedora has finally updated to 1.3.3 to fix this:
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146246.html

Blocks: (none) => 14674

Comment 4 David Walser 2014-12-24 20:52:51 CET 
Removing Mageia 3 from the whiteboard due to EOL.

I've checked the update into Mageia 4 and Cauldron SVN.  It needs to be submitted (and hopefully it can be built).

CC: (none) => pterjan
Whiteboard: MGA4TOO, MGA3TOO => MGA4TOO

Comment 5 David Walser 2014-12-24 21:26:55 CET 
It looks like it needs some of the removed packages (in Cauldron) to build; at least apache-poi that I noticed.  That'll need to resynced with Fedora before it's re-imported to fix the issues in Bug 14128.
Comment 6 David Walser 2014-12-24 23:04:36 CET 
apache-poi has indeed been resynced with Fedora in SVN.  Sophie says it isn't in Cauldron, but I tried to submit it to Cauldron and mgarepo/youri says that it's already there.
Comment 7 Pascal Terjan 2014-12-24 23:10:19 CET 
Things are still in progress restoring things in cauldron but it should be there.

I hope to finish to building eclipse-* in the next few hours (almost there) then I'll have a look.
Comment 8 David Walser 2014-12-27 23:07:37 CET 
Updated packages uploaded for Mageia 4 and Cauldron.

Verifying that the updated packages install cleanly is sufficient for testing this update.

Advisory:
========================

Updated castor packages fix security vulnerability:

The default configuration for the Xerces SAX Parser in Castor before 1.3.3
allows context-dependent attackers to conduct XML External Entity (XXE)
attacks via a crafted XML document (CVE-2014-3004).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3004
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146246.html
========================

Updated package in core/updates_testing:
========================
castor-1.3.3-1.mga4
castor-javadoc-1.3.3-1.mga4

from castor-1.3.3-1.mga4.src.rpm

Whiteboard: MGA4TOO => (none)
Version: Cauldron => 4
Assignee: dmorganec => qa-bugs

Comment 9 Herman Viaene 2014-12-28 22:33:59 CET 
MGA4-64 on HP Probook 6555b
Version castor-1.3.3-1.mga4 installs without problems pver existing version 1.3.2, castor-javadoc-1.3.3-1.mga4 also OK (did not exist before).

Whiteboard: (none) => MGA4-64-OK
CC: (none) => herman.viaene

Comment 10 Herman Viaene 2014-12-29 10:44:00 CET 
MGA4-32 on Acer D620 Xfce
Version castor-1.3.3-1.mga4 installs without problems pver existing version 1.3.2, castor-javadoc-1.3.3-1.mga4 also OK (did not exist before).

Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK

Comment 11 claire robinson 2014-12-29 20:52:46 CET 
Validating. Advisory uploaded.

Please push to updates

Thanks

CC: (none) => sysadmin-bugs
Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update

Comment 12 Mageia Robot 2014-12-31 13:28:37 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0556.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-12-31 13:36:05 CET

Blocks: 14674 => (none)