Bug 15538

Summary: xerces-c new security issue CVE-2015-0252
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: geiger.david68210, pterjan, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/637571/
Whiteboard: has_procedure mga4-64-ok advisory
Source RPM: xerces-c-3.1.1-16.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-03-20 15:50:55 CET 
Upstream has issued an advisory on March 19:
http://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt

The issue is fixed upstream in 3.1.2.

Mageia 4 and Mageia 5 are affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-03-20 15:51:09 CET

CC: (none) => geiger.david68210, pterjan
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David GEIGER 2015-03-20 21:07:06 CET 
Fixed on svn for Cauldron with new fixes 3.1.2 release and freeze_push requested and also fixed for mga4.

packages awaiting upload.
Comment 2 David Walser 2015-03-23 15:10:22 CET 
shibboleth-sp is one of the applications affected by this.  See Bug 15556 for more information.
David Walser 2015-03-23 18:51:38 CET

URL: (none) => http://lwn.net/Vulnerabilities/637571/

Comment 3 David Walser 2015-03-23 18:52:13 CET 
Debian has issued an advisory for this on March 20:
https://www.debian.org/security/2015/dsa-3199
Comment 4 David Walser 2015-03-23 20:49:49 CET 
xerces-c-3.1.2-1.mga5 uploaded for Cauldron.

Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 5 David Walser 2015-03-23 21:08:33 CET 
Updated package uploaded for Mageia 4.

Advisory:
========================

Updated xerces-c packages fix security vulnerability:

Anton Rager and Jonathan Brossard from the Salesforce.com Product Security
Team and Ben Laurie of Google discovered a denial of service vulnerability in
xerces-c. The parser mishandles certain kinds of malformed input documents,
resulting in a segmentation fault during a parse operation. An
unauthenticated attacker could use this flaw to cause an application using
the xerces-c library to crash (CVE-2015-0252).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0252
http://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt
https://www.debian.org/security/2015/dsa-3199
========================

Updated packages in core/updates_testing:
========================
xerces-c-3.1.2-1.mga4
libxerces-c3.1-3.1.2-1.mga4
libxerces-c-devel-3.1.2-1.mga4
xerces-c-doc-3.1.2-1.mga4

from xerces-c-3.1.2-1.mga4.src.rpm

Assignee: dmorganec => qa-bugs

Comment 6 claire robinson 2015-04-07 17:02:57 CEST 
No PoC. Some possible scripts for testing here:
http://www.yolinux.com/TUTORIALS/XML-Xerces-C.html
Comment 7 claire robinson 2015-04-07 17:15:17 CEST 
Easy way to test..

$ urpmq --whatrequires lib64xerces-c3.1
apache-mod_shib
enigma
lib64cegui0.7.7
lib64digidocpp0
lib64flightcrew0.7.2
lib64gdal1
lib64kolabxml0
lib64opensaml8
lib64shibboleth-sp6
lib64xerces-c-devel
lib64xerces-c3.1
lib64xmltooling6
megaglest
megaglest
opensaml-bin
shibboleth-sp
sigil
xerces-c
xml-security-c
xsd


Testing with enigma and megaglest which are both games and sigil which is an epub ebook editor..

Whiteboard: (none) => has_procedure

Comment 8 claire robinson 2015-04-07 17:53:50 CEST 
Testing complete mga4 64

Tested the two games and also compiled and ran the example from the link (with the -devel package installed)

Whiteboard: has_procedure => has_procedure mga4-64-ok

Comment 9 claire robinson 2015-04-08 17:29:32 CEST 
validating. advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok advisory
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2015-04-10 00:44:59 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0136.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED