Bug 18277

Summary: xstream new security issue CVE-2016-3674
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: geiger.david68210, herman.viaene, marja11, pterjan, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/685290/
Whiteboard: has_procedure advisory MGA5-32-OK
Source RPM: xstream-1.4.8-3.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-04-27 18:09:40 CEST 
Fedora has issued an advisory on April 26:
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html

The issue is fixed in version 1.4.9.

Mageia 5 is also affected.
David Walser 2016-04-27 18:09:57 CEST

CC: (none) => geiger.david68210, pterjan
Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-04-27 19:44:13 CEST 
Fixed in xstream-1.4.9-1.mga6 for Cauldron by David.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 2 David GEIGER 2016-04-27 20:28:49 CEST 
Hmmm! mga5 java stack seems a bit broken now!

I can't build xstream 1.4.9 and even the current one I get this error:


+ python /usr/share/java-utils/pom_editor.py pom_xpath_set 'pom:project/pom:dependencies/pom:dependency[pom:groupId = '\''org.codehaus.woodstox'\'' ]/pom:artifactId' woodstox-core-asl xstream
Error in processing xstream/pom.xml
Syntax error in injected XML: attributes construct error, line 1, column 48.
Usage: %pom_xpath_set <XPath> <new contents> [POM location]



Same error if I test with another java package.


@pterjan: have you any idea what can be broke now on mga5?
Comment 3 Marja Van Waes 2016-04-28 20:05:56 CEST 
@ daviddavid

Assigning to you, since you're already working on it

CC: (none) => marja11
Assignee: bugsquad => geiger.david68210

Comment 4 David GEIGER 2016-05-03 12:37:26 CEST 
Done for mga5 too!

Note that I had to update javapackages-tools adding a patch to fix missing space between xmlns declarations reported in comment 2.

http://svnweb.mageia.org/packages?view=revision&revision=1008935
Comment 5 David GEIGER 2016-05-03 15:43:54 CEST 
Assigning to QA,

Advisory:
========================

Updated xstream packages fix security vulnerability:

XStream (x-stream.github.io) is a Java library to marshal Java objects into 
XML and back. For this purpose it supports a lot of different XML parsers. 
Some of those can also process external entities which was enabled by 
default.

An attacker could therefore provide manipulated XML as input to access data 
on the file system, see 
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3674
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
========================

Updated packages in 5/core/updates_testing:
========================
xstream-1.4.9-1.mga5
xstream-benchmark-1.4.9-1.mga5
xstream-hibernate-1.4.9-1.mga5
xstream-javadoc-1.4.9-1.mga5
xstream-parent-1.4.9-1.mga5

javapackages-tools-4.1.0-15.1.mga5
javapackages-tools-doc-4.1.0-15.1.mga5
javapackages-local-4.1.0-15.1.mga5
python-javapackages-4.1.0-15.1.mga5
maven-local-4.1.0-15.1.mga5
ivy-local-4.1.0-15.1.mga5

Source RPM: 
========================
xstream-1.4.9-1.mga5.src.rpm
javapackages-tools-4.1.0-15.1.mga5.src.rpm

Assignee: geiger.david68210 => qa-bugs

Comment 6 David Walser 2016-05-03 15:58:22 CEST 
Thanks David!

I would recommend tightening up the advisory as follows.

Advisory:
========================

Updated xstream packages fix security vulnerability:

XStream (x-stream.github.io) is a Java library to marshal Java objects into XML
and back. For this purpose it supports a lot of different XML parsers. Some of
those can also process external entities which was enabled by default. An
attacker could therefore provide manipulated XML as input to access data on the
file system (CVE-2016-3674).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3674
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
Comment 7 Herman Viaene 2016-05-05 10:27:19 CEST 
MGA5-32 on AcerD620 Xfce
No installation issues.
No test procedure found and bug 12874 agreed on just a clean install would be sufficient, so OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 8 claire robinson 2016-05-05 17:32:37 CEST 
Validating.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => has_procedure MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 9 claire robinson 2016-05-05 18:08:20 CEST 
Advisory uploaded.

Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory MGA5-32-OK

Comment 10 Mageia Robot 2016-05-05 18:27:24 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0164.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED