| Summary: | xerces-c new security issue CVE-2016-4464 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/693102/ | ||
| Whiteboard: | has_procedure MGA5-32-OK advisory | ||
| Source RPM: | xerces-c-3.1.2-1.2.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2016-06-29 18:52:40 CEST
Packages built with the fixes. Testing ideas in Bug 17820 and Bug 18421.

Advisory:
========================

Updated xerces-c packages fix security vulnerability:

The Xerces-C XML parser fails to successfully parse a DTD that is deeply nested, and this causes a stack overflow, which makes a denial of service attack against many applications possible by an unauthenticated attacker (CVE-2016-4464).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4464
http://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt
========================

Updated packages in core/updates_testing:
========================
xerces-c-3.1.2-1.3.mga5
libxerces-c3.1-3.1.2-1.3.mga5
libxerces-c-devel-3.1.2-1.3.mga5
xerces-c-doc-3.1.2-1.3.mga5

from xerces-c-3.1.2-1.3.mga5.src.rpm

Assignee: bugsquad => qa-bugs

Debian has issued an advisory for this on June 29:
https://www.debian.org/security/2016/dsa-3610

URL: (none) => http://lwn.net/Vulnerabilities/693102/

I could have a look at this on an x86_64 machine. Not familiar with DTDs so am unlikely to be able to develop a PoC but can certainly check the parser on a simple XML file and use enigma to make sure it is running fine after the update. Tomorrow maybe.

CC: (none) => tarazed25

MGA 5-32 on Acer D620 Xfce
No installation issues.
Downloaded test files from bug 18421 and made parser executable. So I get:
$ ls -als
totaal 168
4 drwxrwxr-x 2 tester5 tester5   4096 jul  1 16:59 ./
4 drwxr-xr-x 9 tester5 tester5   4096 jul  1 16:39 ../
156 -rwxrwxr-x 1 tester5 tester5 157868 jul  1 16:59 parser*
4 -rw-rw-r-- 1 tester5 tester5    260 jul  1 16:40 sample.xml
That is all there should be to it??? But at the CLI:
$ ./parser
bash: ./parser: kan binair bestand Verkeerd uitvoerbaar bestand niet uitvoeren
which I would translate as: cannot execute file, wrong executable file

CC: (none) => herman.viaene

Sorry Herman; my fault - I compiled it for x86_64. I should have noted that. If you can wait I shall have a go at compiling it in i586 virtualbox, assuming I can find the code.

Have been too busy to spare the time to look at this bug. :( Sorry again Herman. Recompiling the original file parser.c++ against the updated library fails, as I suspected it would. There are a lot of undefined references in the trace so I shall have to see if there is something else which will exercise the update. On a brief look at the references yesterday I saw no hints. The parser was just that. It was not a PoC as far as I can recall, just something to show that a basic function continued to work. For the time being you could install enigma and play with it. That worked fine after the last update so you should be able to go straight in after the current update and play it.

Installed enigma and played a few levels. strace shows a.o.
open("/lib/libxerces-c-3.1.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\260\16\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=3525348, ...}) = 0
mmap2(NULL, 3523036, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb718b000
mprotect(0xb74b5000, 4096, PROT_NONE) = 0
mmap2(0xb74b6000, 200704, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x32a000) = 0xb74b6000
mmap2(0xb74e7000, 476, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb74e7000
So OK for me.

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Dave Hodgins
2016-07-05 16:47:05 CEST
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0243.html

Status: NEW => RESOLVED