Bug 14176

Summary: xerces-j2 new security issue CVE-2013-4002
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: ftg, oe, sysadmin-bugs, wilcal.int
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/570812/
Whiteboard: MGA3TOO advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
Source RPM: xerces-j2-2.11.0-11.mga5.src.rpm CVE:
Status comment:

Description David Walser 2014-09-25 21:24:04 CEST 
Fedora has issued an advisory on September 11:
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138667.html

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-09-25 21:24:12 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Oden Eriksson 2014-10-01 14:40:55 CEST 
Fixed with xerces-j2-2.11.0-8.1.mga3, xerces-j2-2.11.0-10.1.mga4 & xerces-j2-2.11.0-12.mga5.

CC: (none) => oe

Comment 2 David Walser 2014-10-01 16:19:28 CEST 
Thanks Oden!

Advisory:
========================

Updated xerces-j2 packages fix security vulnerability:

A resource consumption issue was found in the way Xerces-J handled
XML declarations. A remote attacker could use an XML document with
a specially crafted declaration using a long pseudo-attribute name
that, when parsed by an application using Xerces-J, would cause that
application to use an excessive amount of CPU (CVE-2013-4002).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002
https://rhn.redhat.com/errata/RHSA-2014-1319.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014%3A193/
========================

Updated packages in core/updates_testing:
========================
xerces-j2-2.11.0-8.1.mga3
xerces-j2-javadoc-2.11.0-8.1.mga3
xerces-j2-demo-2.11.0-8.1.mga3
xerces-j2-2.11.0-10.1.mga4
xerces-j2-javadoc-2.11.0-10.1.mga4
xerces-j2-demo-2.11.0-10.1.mga4

from SRPMS:
xerces-j2-2.11.0-8.1.mga3.src.rpm
xerces-j2-2.11.0-10.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 3 claire robinson 2014-10-01 18:45:22 CEST 
Adding Frank in CC. Frank, this comes with a demo package and some samples, do you know how to use them please? Seems like it shouldn't be too difficult if you know what you're doing.

It would be good if we can test java packages beyond ensuring they install ok.

CC: (none) => ftg

Comment 4 William Kenney 2014-10-03 22:20:11 CEST 
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
xerces-j2 xerces-j2-demo

default install of xerces-j2 & xerces-j2-demo

[root@localhost wilcal]# urpmi xerces-j2
Package xerces-j2-2.11.0-8.mga3.noarch is already installed
[root@localhost wilcal]# urpmi xerces-j2-demo
Package xerces-j2-demo-2.11.0-8.mga3.noarch is already installed

xerces-j2 & xerces-j2-demo install with no reported errors

install xerces-j2 & xerces-j2-demo from updates_testing

[root@localhost wilcal]# urpmi xerces-j2
Package xerces-j2-2.11.0-8.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi xerces-j2-demo
Package xerces-j2-demo-2.11.0-8.1.mga3.noarch is already installed

xerces-j2 & xerces-j2-demo install with no reported errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 5 William Kenney 2014-10-03 22:34:07 CEST 
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
xerces-j2 xerces-j2-demo

default install of xerces-j2 & xerces-j2-demo

[root@localhost wilcal]# urpmi xerces-j2
Package xerces-j2-2.11.0-8.mga3.noarch is already installed
[root@localhost wilcal]# urpmi xerces-j2-demo
Package xerces-j2-demo-2.11.0-8.mga3.noarch is already installed

xerces-j2 & xerces-j2-demo install with no reported errors

install xerces-j2 & xerces-j2-demo from updates_testing

[root@localhost wilcal]# urpmi xerces-j2
Package xerces-j2-2.11.0-8.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi xerces-j2-demo
Package xerces-j2-demo-2.11.0-8.1.mga3.noarch is already installed

xerces-j2 & xerces-j2-demo install with no reported errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 6 William Kenney 2014-10-03 22:58:04 CEST 
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
xerces-j2 xerces-j2-demo

default install of xerces-j2 & xerces-j2-demo

[root@localhost wilcal]# urpmi xerces-j2
Package xerces-j2-2.11.0-10.mga4.noarch is already installed
[root@localhost wilcal]# urpmi xerces-j2-demo
Package xerces-j2-demo-2.11.0-10.mga4.noarch is already installed

xerces-j2 & xerces-j2-demo install with no reported errors

install xerces-j2 & xerces-j2-demo from updates_testing

[root@localhost wilcal]# urpmi xerces-j2
Package xerces-j2-2.11.0-10.1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi xerces-j2-demo
Package xerces-j2-demo-2.11.0-10.1.mga4.noarch is already installed

xerces-j2 & xerces-j2-demo install with no reported errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 7 William Kenney 2014-10-03 23:08:05 CEST 
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
xerces-j2 xerces-j2-demo

default install of xerces-j2 & xerces-j2-demo

[root@localhost wilcal]# urpmi xerces-j2
Package xerces-j2-2.11.0-10.mga4.noarch is already installed
[root@localhost wilcal]# urpmi xerces-j2-demo
Package xerces-j2-demo-2.11.0-10.mga4.noarch is already installed

xerces-j2 & xerces-j2-demo install with no reported errors

install xerces-j2 & xerces-j2-demo from updates_testing

[root@localhost wilcal]# urpmi xerces-j2
Package xerces-j2-2.11.0-10.1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi xerces-j2-demo
Package xerces-j2-demo-2.11.0-10.1.mga4.noarch is already installed

xerces-j2 & xerces-j2-demo install with no reported errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 8 William Kenney 2014-10-03 23:10:25 CEST 
For me this update installs just fine for me.
I wish xerces-j2-demo was an easy to run demo.
If no one objects I'll validtate this update in 24-hours.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 9 William Kenney 2014-10-04 18:54:48 CEST 
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 claire robinson 2014-10-06 18:52:39 CEST 
Advisory uploaded.

Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 11 Mageia Robot 2014-10-07 11:23:33 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0398.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED