Bug 21108

Summary: expat new security issues CVE-2016-9063 and CVE-2017-9233
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, marja11, shlomif, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Source RPM: expat-2.1.0-9.3.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-06-18 21:16:29 CEST 
Expat 2.2.1 has been announced on June 17:
http://openwall.com/lists/oss-security/2017/06/17/7

There's also a further addressing of CVE-2012-0876 and other security fixes.

Updated package uploaded for Cauldron by Shlomi.
Comment 1 Marja Van Waes 2017-06-19 15:18:59 CEST 
Thanks for fixing this in Cauldron, Shlomi.

Assigning to you for Mga5, because you are the registered maintainer of expat.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 David Walser 2017-06-26 12:05:34 CEST 
Debian has issued an advisory for this on June 25:
https://www.debian.org/security/2017/dsa-3898
Comment 3 David Walser 2017-07-08 21:56:05 CEST 
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated expat packages fix security vulnerabilities:

Gustavo Grieco discovered an integer overflow flaw during parsing of XML. An
attacker can take advantage of this flaw to cause a denial of service against
an application using the Expat library (CVE-2016-9063).

Rhodri James discovered an infinite loop vulnerability within the
entityValueInitProcessor() function while parsing malformed XML in an external
entity. An attacker can take advantage of this flaw to cause a denial of
service against an application using the Expat library (CVE-2017-9233).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9233
https://www.debian.org/security/2017/dsa-3898
========================

Updated packages in core/updates_testing:
========================
expat-2.1.0-9.5.mga5
libexpat1-2.1.0-9.5.mga5
libexpat-devel-2.1.0-9.5.mga5

from expat-2.1.0-9.5.mga5.src.rpm

Assignee: shlomif => qa-bugs
CC: (none) => shlomif

Comment 4 Herman Viaene 2017-07-19 11:23:07 CEST 
MGA5-32 on Asus A6000VM Xfce
No installation issues
Followed procedure as per https://wiki.mageia.org/en/QA_procedure:Expat resulting at CLI:
$ python testexpat.py
Tested OK
and
$ strace -o expattest1.txt xmlwf /etc/xml/catalog
no feedback as expected
and
$ strace -o expattest2.txt xmlwf /etc/passwd     
/etc/passwd:1:16: not well-formed (invalid token)
 Each of the traces showing a call to libexpat.

Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene

Lewis Smith 2017-07-20 20:41:04 CEST

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 5 Lewis Smith 2017-07-23 08:52:51 CEST 
Testing M5 64-bit - OK
Updated the pkgs to:
 expat-2.1.0-9.5.mga5
 lib64expat1-2.1.0-9.5.mga5
 lib64expat-devel-2.1.0-9.5.mga5

From procedure https://wiki.mageia.org/en/QA_procedure:Expat created 'testdata.xml' and 'testexpat.py', ran the tests:

 $ python testexpat.py
 Tested OK

 $ xmlwf /etc/xml/catalog
 $                       [no ouput correct]

 $ xmlwf /etc/passwd
 /etc/passwd:1:16: not well-formed (invalid token)       [expected]

All three commands showed via strace that the library was called:
 open("/lib64/libexpat.so.1", O_RDONLY|O_CLOEXEC) = 3

Validating.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2017-07-23 22:05:57 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0214.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED