Bug 17820

Summary:	xerces-c new security issue CVE-2016-0729
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	sysadmin-bugs, tarazed25
Version:	5	Keywords:	validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/677608/
Whiteboard:	has_procedure advisory MGA5-64-OK MGA5-32-OK
Source RPM:	xerces-c-3.1.2-1.mga5.src.rpm	CVE:
Status comment:
Attachments:	Utility for stripping line numbers from code files. Utility for stripping n leading characters from each line of a file. Margin removal utility for text files

Description David Walser 2016-02-25 15:42:46 CET

Upstream has issued an advisory today (February 25):
http://openwall.com/lists/oss-security/2016/02/25/7

It should be posted here shortly:
http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt

The issue is fixed upstream in 3.1.3.  Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated xerces-c packages fix security vulnerability:

The Xerces-C XML parser mishandles certain kinds of malformed input documents,
resulting in buffer overlows during processing and error reporting. The
overflows can manifest as a segmentation fault or as memory corruption during
a parse operation. The bugs allow for a denial of service attack in many
applications by an unauthenticated attacker, and could conceivably result in
remote code execution (CVE-2016-0729).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0729
http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt
========================

Updated packages in core/updates_testing:
========================
xerces-c-3.1.2-1.1.mga5
libxerces-c3.1-3.1.2-1.1.mga5
libxerces-c-devel-3.1.2-1.1.mga5
xerces-c-doc-3.1.2-1.1.mga5

from xerces-c-3.1.2-1.1.mga5.src.rpm

Comment 1 David Walser 2016-02-25 15:43:11 CET

Testing ideas in Bug 15538.

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-02-26 17:32:48 CET

Debian has issued an advisory for this on February 25:
https://www.debian.org/security/2016/dsa-3493

URL: (none) => http://lwn.net/Vulnerabilities/677608/

Comment 3 Len Lawrence 2016-02-27 01:10:24 CET

mga5  x86_64  Mate

The links and information provided through the link referenced in comment #1 are invaluable.

Before updating:

1) Played around with Enigma for half an hour - working through four levels in   tutorial mode.
2) Installed the -devel package
3) Obtained the parser files from the link.  There did not seem to be a download link so I cut and pasted the three files into an editor and saved them.  They included line numbers so I wrote a quick ruby script to eliminate those because I was not sure if g++ can deal with them (script attached).
4) Compiled and linked the parser files to produce an executable.
$ g++ -g -Wall -pedantic -lxerces-c parser.c++ -DMAIN_TEST -o parser
5) Ran the unit test on parser.
$ ./parser
Application option A=10
Application option B=24

There are other applications, like sigil, depending on xerces-c.  sigil opened an editing screen with file manager but I could take it no further, not having any ebooks.

After update launched sigil and then enigma.
Within my limitations they work fine.
Recompiled and linked the parser utility.  It produced the expected output on parsing the test file.

CC: (none) => tarazed25

Len Lawrence 2016-02-27 01:10:48 CET

Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 4 Len Lawrence 2016-02-27 01:14:28 CET

Created attachment 7498 [details]
Utility for stripping line numbers from code files.

Included this only because of my ignorance of how g++ views line-numbered code.

Comment 5 Len Lawrence 2016-02-27 12:04:05 CET

mga5  i586 in virtualbox  Mate

Installed sigil, enigma and xerces-c libraries before the update.
Updated to xerces-c-3.1.2-1.1.mga5 and added the libraries.
Compiled the parser test program and ran it on the sample XML file.
That worked fine.
Opened sigil but took it no further.
enigma started; chose tutorial mode and started at a low level and immediately ran into problems with the mouse.  Could not capture the mouse even with Right Ctrl so had to crash the machine via reset.

Inclined to give xerces-c the OK but shall wait for any responses.

Len Lawrence 2016-02-27 16:58:27 CET

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK

Len Lawrence 2016-02-27 18:00:32 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 claire robinson 2016-02-27 21:21:53 CET

advisory uploaded

Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK

Comment 7 Mageia Robot 2016-03-02 19:30:16 CET

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0088.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 8 Len Lawrence 2018-03-18 21:13:27 CET

Created attachment 10056 [details]
Utility for stripping n leading characters from each line of a file.

Either run using ruby explicitly or make the script executable.  Either way, ruby should be installed first.

$ ruby stripe.rb ....

or

$ chmod +x stripe.rb
$ mv stripe.rb stripe
$ ./stripe textfile <n> > newtext

Attachment 7498 is obsolete: 0 => 1

Comment 9 Len Lawrence 2018-03-18 22:07:49 CET

Created attachment 10057 [details]
Margin removal utility for text files

A slight improvement.

Attachment 10056 is obsolete: 0 => 1