Bug 17877

Summary: exempi (and exiv2 which bundles it) vulnerable to XML entity-expansion attack
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, lewyssmith, sysadmin-bugs, tmb, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/678822/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: exempi-2.2.2-14.mga5.src.rpm, exiv2-0.24-5.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-03-04 19:02:31 CET 
Fedora has issued an advisory on March 3:
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178378.html

Corrected packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated exempi and exiv2 packages fix security vulnerability:

exempi contains code to protect against a denial-service-attack related to XML
entity expansion ("billion laughs attack"), but it was not compiled into the
Mageia package because BanAllEntityUsage was not defined when the package was
compiled.

This has been corrected by recompiling it with the BanAllEntityUsage macro
defined.  The exiv2 package contains a bundled copy of the same code and has
also been recompiled with the macro defined.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178378.html
========================

Updated packages in core/updates_testing:
========================
libexempi3-2.2.2-14.1.mga5
libexempi-devel-2.2.2-14.1.mga5
exiv2-0.24-5.1.mga5
libexiv2_13-0.24-5.1.mga5
libexiv2-devel-0.24-5.1.mga5
exiv2-doc-0.24-5.1.mga5

from SRPMS:
exempi-2.2.2-14.1.mga5.src.rpm
exiv2-0.24-5.1.mga5.src.rpm
Comment 1 William Kenney 2016-03-06 18:52:23 CET 
Procedure:
use test image from: http://www.exiv2.org/sample.html
man page is here: http://www.exiv2.org/manpage.html
Also used test images from my Canon EOS camera ( jpg & CR2/RAW )

In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
exiv2

default install of exiv2

[root@localhost wilcal]# urpmi exiv2
Package exiv2-0.24-5.mga5.i586 is already installed

[wilcal@localhost images_test]$ exiv2 image_file.xxx
returns image metadata from jpg, gif, CR2, png, tif, bmp files
exiv2 -pt image_file.xxx
 returns a massive amount of metadata
exiv2 -M"add Exif.Image.Artist bkenney" mynotes.jpg
 adds "bkenney" to Exif.Image.Artist field


install evix2 from updates_testing

[root@localhost wilcal]# urpmi exiv2
Package exiv2-0.24-5.1.mga5.i586 is already installed

[wilcal@localhost images_test]$ exiv2 image_file.xxx
returns image metadata from jpg, gif, CR2, png, tif, bmp files
exiv2 -pt image_file.xxx
 returns a massive amount of metadata
exiv2 -M"add Exif.Image.Artist bkenney" mynotes.jpg
 adds "bkenney" to Exif.Image.Artist field

CC: (none) => wilcal.int
Whiteboard: (none) => MGA5-32-OK

Comment 2 William Kenney 2016-03-06 19:23:08 CET 
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
exiv2

default install of exiv2

[root@localhost wilcal]# urpmi exiv2
Package exiv2-0.24-5.mga5.x86_64 is already installed

[wilcal@localhost images_test]$ exiv2 image_file.xxx
returns image metadata from jpg, gif, CR2, png, tif, bmp files
exiv2 -pt image_file.xxx
 returns a massive amount of metadata
exiv2 -M"add Exif.Image.Artist bkenney" mynotes.jpg
 adds "bkenney" to Exif.Image.Artist field

install evix2 from updates_testing

[root@localhost wilcal]# urpmi exiv2
Package exiv2-0.24-5.1.mga5.x86_64 is already installed

[wilcal@localhost images_test]$ exiv2 image_file.xxx
returns image metadata from jpg, gif, CR2, png, tif, bmp files
exiv2 -pt image_file.xxx
 returns a massive amount of metadata if it's there.
exiv2 -M"add Exif.Image.Artist bkenney" mynotes.jpg
 adds "bkenney" to Exif.Image.Artist field
William Kenney 2016-03-06 19:23:28 CET

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Comment 3 William Kenney 2016-03-06 19:24:08 CET 
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Lewis Smith 2016-03-07 13:53:00 CET 
Advisory uploaded, but lacks CVEs.

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 5 David Walser 2016-03-07 19:25:41 CET 
(In reply to Lewis Smith from comment #4)
> Advisory uploaded, but lacks CVEs.

You may want to double-check it, as the updates bot just ran and didn't push this.
Comment 6 Dave Hodgins 2016-03-07 20:09:24 CET 
(In reply to Lewis Smith from comment #4)
> Advisory uploaded, but lacks CVEs.

Not sure if this is why it failed to push, but I've removed the line
'Advisory text to describe the update.', and the duplication of the subject
line. Also removed a trailing blank line.

The srpms etc, all look correct as far as I can see.

CC: (none) => davidwhodgins

Comment 7 Lewis Smith 2016-03-07 20:25:25 CET 
(In reply to Dave Hodgins from comment #6)
> Not sure if this is why it failed to push, but I've removed the line
> 'Advisory text to describe the update.', and the duplication of the subject
> line. Also removed a trailing blank line.
> The srpms etc, all look correct as far as I can see.
Thanks Dave. This looks better.
This happens to be the first Advisory I have done which has 2 SRPMs - in case that had a bearing.
Comment 8 Thomas Backlund 2016-03-07 20:53:46 CET 
The reason it failed tp get pushed was wrong srpm names... (no "src.rpm" allowed)

I fixed it with:
--- 17877.adv	(revision 4316)
+++ 17877.adv	(working copy)
@@ -3,8 +3,8 @@
 src:
   5:
    core:
-     - exempi-2.2.2-14.1.mga5.src.rpm
-     - exiv2-0.24-5.1.mga5.src.rpm
+     - exempi-2.2.2-14.1.mga5
+     - exiv2-0.24-5.1.mga5

CC: (none) => tmb

Comment 9 Mageia Robot 2016-03-07 20:59:28 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0101.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED