Bug 15599

Summary: jakarta-taglibs-standard new security issue CVE-2015-0254
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: geiger.david68210, pterjan, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/638612/
Whiteboard: has_procedure mga4-64-ok advisory
Source RPM: jakarta-taglibs-standard-1.1.2-14.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-03-31 18:49:20 CEST 
Ubuntu has issued an advisory on March 30:
http://www.ubuntu.com/usn/usn-2551-1/

I have added Ubuntu's patch (large set of backported changes from upstream) in SVN.  I also had to patch it to not force source="1.4" for part of the build, as this breaks with the updated code.  I'm not sure how Ubuntu was able to avoid having to do the same.

The patches are in Mageia 4 and Cauldron SVN.

If this looks OK, we can push it.

However, all of this jakarta stuff is obsolete and should be removed from the distro ASAP (obviously just in Cauldron).  This package should be replaced by tomcat-taglibs-standard.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-03-31 18:49:45 CEST 
Pascal and David, please see Comment 0.

CC: (none) => geiger.david68210, pterjan
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 2 David GEIGER 2015-03-31 19:36:08 CEST 
Ok,

I've look on your current change and your Patch6 (do-not-use-1.4.patch) is not needed you can remove it, so you have just to change/rediff the jakarta-taglibs-standard-1.1.1-build.patch and replace source="1.4" by source="1.5":


Index: jakarta-taglibs-standard-1.1.1-build.patch
===================================================================
--- jakarta-taglibs-standard-1.1.1-build.patch  (révision 819469)
+++ jakarta-taglibs-standard-1.1.1-build.patch  (copie de travail)
@@ -19,7 +19,7 @@
        deprecation="${compile.deprecation}"
 -      optimize="${compile.optimize}"/> 
 +      optimize="${compile.optimize}"
-+      source="1.4"/> 
++      source="1.5"/> 
        
      <!-- copy the TLDs in META-INF -->
      <copy todir="${build.library}/META-INF">
@@ -29,7 +29,7 @@
             deprecation="${compile.deprecation}"
 -           optimize="${compile.optimize}"/>
 +           optimize="${compile.optimize}"
-+           source="1.4"/>
++           source="1.5"/>
    
      <!-- Copy web.xml + examples TLD -->
      <copy todir="${build.examples}/WEB-INF">


This is valid for Cauldron and mga4.
Comment 3 David Walser 2015-03-31 19:41:04 CEST 
Thanks David!  I missed that patch0 had set that.  Fixed in SVN now.
Comment 4 David Walser 2015-04-01 18:48:30 CEST 
Patched packages uploaded for Mageia 4 and Cauldron.

This can be tested by just ensuring the updated packages install cleanly.

Advisory:
========================

Updated jakarta-taglibs-standard packages fix security vulnerability:

David Jorm discovered that the Apache Standard Taglibs incorrectly handled
external XML entities. A remote attacker could possibly use this issue to
execute arbitrary code or perform other external XML entity attacks
(CVE-2015-0254).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254
http://www.ubuntu.com/usn/usn-2551-1/
========================

Updated packages in core/updates_testing:
========================
jakarta-taglibs-standard-1.1.2-12.1.mga4
jakarta-taglibs-standard-javadoc-1.1.2-12.1.mga4

from jakarta-taglibs-standard-1.1.2-12.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 5 claire robinson 2015-04-08 17:41:38 CEST 
Testing complete mga4 64

Just ensured the packages update cleanly.

Whiteboard: (none) => has_procedure mga4-64-ok

Comment 6 claire robinson 2015-04-08 18:17:57 CEST 
validating. advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok advisory
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2015-04-10 00:45:07 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0140.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED