| Summary: | expat new security issue CVE-2016-0718 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | davidwhodgins, lewyssmith, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/687860/ | | |
| Whiteboard: | has_procedure MGA5-32-OK MGA5-64-OK advisory | | |
| Source RPM: | expat-2.1.1-1.mga6.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2016-05-18 02:02:49 CEST

David Walser
2016-05-18 02:02:56 CEST
Whiteboard: (none) => MGA5TOO

Debian has issued an advisory for this today (May 18):
https://www.debian.org/security/2016/dsa-3582

David Walser
2016-05-18 19:24:47 CEST
URL: (none) => http://lwn.net/Vulnerabilities/687860/

Patched packages uploaded for Mageia 5 and Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=5141#c7

Advisory:
========================

Updated expat packages fix security vulnerability:

Gustavo Grieco discovered that Expat does not properly handle certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. A remote attacker can take advantage of this flaw to cause an application using the Expat library to crash, or potentially, to execute arbitrary code with the privileges of the user running the application (CVE-2016-0718).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
https://www.debian.org/security/2016/dsa-3582
========================

Updated packages in core/updates_testing:
========================
expat-2.1.0-9.2.mga5
libexpat1-2.1.0-9.2.mga5
libexpat-devel-2.1.0-9.2.mga5

from expat-2.1.0-9.2.mga5.src.rpm

Version: Cauldron => 5

This python test case:
```python
import xml.etree.ElementTree

# Parse the sample file; ElementTree hands the parsing to expat.
x = xml.etree.ElementTree.ElementTree(file='testdata.xml')
allcases = x.findall(".//testcase")
# Select the single test case whose status attribute is printed below.
cases = [c for c in allcases if c.get('classname') == 'TestOne' and
         c.get('name') == 'VHDL_BUILD_Passthrough']
# Expected output: Tested OK
print(cases[0].attrib['status'])
```
with testdata.xml file:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<testsuites tests="10" failures="0" disabled="0" errors="0" time="0.001" name="AllTests">
  <testsuite name="TestOne" tests="5" failures="0" disabled="0" errors="0" time="0.001">
    <testcase name="DefaultConstructor" status="run" time="0" classname="TestOne" />
    <testcase name="DefaultDestructor" status="run" time="0" classname="TestOne" />
    <testcase name="VHDL_EMIT_Passthrough" status="run" time="0" classname="TestOne" />
    <testcase name="VHDL_BUILD_Passthrough" status="Tested OK" time="0" classname="TestOne" />
    <testcase name="VHDL_SIMULATE_Passthrough" status="run" time="0.001" classname="TestOne" />
  </testsuite>
</testsuites>
```
currently listed here:
https://wiki.mageia.org/en/QA_procedure:Libxml2
actually uses expat instead of libxml2. You can use that to test this as well.

Tested OK on Mageia 5 i586.

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Testing M5 x64

Thanks David for the good pointers. But "actually uses expat instead of libxml2" - how does one know that? And "You can use that to test this as well" is enigmatic; does it test libxml2 (its declared aim) and/or expat? How to direct it one way or the other?

Created the two given files testxml.py & testdata.xml.

PRE-update.
$ python testxml.py
Tested OK
but I discovered that I had only:
lib64expat1-2.1.0-9.1.mga5
lib64expat-devel-2.1.0-9.1.mga5
and *not* expat-2.1.0-9.1.mga5. Installed that, the test ran the same. But it was clearly not involved. Does this matter?

POST-update.
expat-2.1.0-9.2.mga5
lib64expat1-2.1.0-9.2.mga5
lib64expat-devel-2.1.0-9.2.mga5
Same satisfactory test result:
$ python testxml.py
Tested OK

Validating the update.

Keywords: (none) => validated_update

That particular script only tests expat. I posted an equivalent script to the current libxml2 bug that uses that library instead, so we'll need to update that wiki page. I determined that the existing script uses expat first by looking at Python documentation and seeing which package owned the libraries it used, and then I verified that using strace.

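One way to check from inside Python that this test exercises expat, as an added example that is not part of the original bug report: it confirms that ElementTree's parse errors carry expat error codes and lists any libexpat shared object loaded into the process. The sample document and the function names are constructed for illustration, and the library check reads /proc/self/maps, so it applies to Linux only.

```python
import pyexpat  # C extension behind xml.parsers.expat and ElementTree
import xml.etree.ElementTree as ET

# Constructed sample: mismatched tags, so the parser has to report an error.
MALFORMED = "<testsuite><testcase></testsuite>"


def etree_error_comes_from_expat():
    """True if ElementTree's ParseError carries expat's error code and text."""
    try:
        ET.fromstring(MALFORMED)
    except ET.ParseError as err:
        # ErrorString() maps an expat error code to expat's own message.
        return str(err).startswith(pyexpat.ErrorString(err.code))
    return False


def mapped_libexpat():
    """Paths of libexpat shared objects mapped into this process (Linux).

    An empty list means no shared libexpat is loaded, for example when
    pyexpat was built against a bundled copy of expat; a system libexpat
    update then does not change what this interpreter runs.
    """
    paths = set()
    try:
        with open("/proc/self/maps") as maps:
            for line in maps:
                fields = line.split(None, 5)
                if len(fields) == 6 and "libexpat" in fields[5]:
                    paths.add(fields[5].strip())
    except (IOError, OSError):
        pass  # no /proc on this platform: cannot tell from here
    return sorted(paths)


def report():
    return {
        "etree_uses_expat": etree_error_comes_from_expat(),
        "expat_version": pyexpat.EXPAT_VERSION,  # upstream version string
        "version_info": pyexpat.version_info,    # same, as a tuple
        "system_libexpat": mapped_libexpat(),
    }


if __name__ == "__main__":
    for key, value in sorted(report().items()):
        print("%s: %s" % (key, value))
```

Because the fix here shipped as a patched 2.1.0 build (release 9.1 to 9.2), the reported expat version does not change across the update; the installed package release is what distinguishes the two.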
Dave Hodgins
2016-05-20 11:12:49 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0193.html

Status: NEW => RESOLVED

In this update I also added a patch from Debian that corrected an issue in the previous fix for CVE-2015-1283. That correction ended up being assigned CVE-2016-4472:
http://lwn.net/Vulnerabilities/692028/