| Summary: | perl-XML-LibXML new security issue CVE-2017-10672 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | lewyssmith, mageia, nathan95, pterjan, qa-bugs, shlomif, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO mga6-64-ok MGA5-64-OK advisory MGA6-32-OK | ||
| Source RPM: | perl-XML-LibXML-2.12.900-2.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2017-07-23 21:55:20 CEST
David Walser
2017-07-23 21:55:27 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

pushed in updates_testing and fixed in cauldron

CC: (none) => mageia
Nicolas Lécureuil
2017-07-26 18:42:50 CEST

Version: Cauldron => 6

Assigning back to Nicolas. The update for Mageia 5 hasn't been built yet. perl-XML-LibXML-2.12.900-1.1.mga6 is the update for Mageia 6.

CC: mageia => qa-bugs

Patch added for mga5 but test doesn't pass. Pascal, can you take a look?

CC: (none) => pterjan

Searching the error on Google gave me https://rt.cpan.org/Ticket/Display.html?id=114638 which leads to https://github.com/shlomif/perl-XML-LibXML/commit/069d0e4431ee8b6d92e42acbe1fd1fe54e9fad71 + https://github.com/shlomif/perl-XML-LibXML/commit/059e8b81d098bbdbd2abe39fa721225457d08d4e
Pascal Terjan
2017-07-27 12:43:12 CEST

CC: (none) => shlomif

Maybe Shlomi can help since he's the upstream maintainer :)

Assignee: mageia => shlomif

Build fixed in mga5 now

Assignee: shlomif => qa-bugs

Advisory:
========================

Updated perl-XML-LibXML package fixes security vulnerability:

Use-after-free in the XML-LibXML module through 2.0129 for Perl allows attackers to execute arbitrary code by controlling the arguments to a replaceChild call (CVE-2017-10672).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10672
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CYPWMSEV5NK2JJCTOSA6SAI4RG6MVJH5/
========================

Updated packages in core/updates_testing:
========================
perl-XML-LibXML-2.12.100-1.1.mga5
perl-XML-LibXML-2.12.900-1.1.mga6

from SRPMS:
perl-XML-LibXML-2.12.100-1.1.mga5.src.rpm
perl-XML-LibXML-2.12.900-1.1.mga6.src.rpm

Testing on mga6, x86_64.

CVE-2017-10672 poc.pl available at https://rt.cpan.org/Public/Bug/Display.html?id=122246

$ perl poc.pl
<mipu94><pwn4fun><��{><text>��5F</text></��{></pwn4fun></mipu94>heap: 0x7be1c0 libc: 0x0 i'm still ok and go more far!
Segmentation fault (core dumped)
$

An strace contained a complaint about a "Malformed UTF-8 character" in the specimen XML code, trapped by the print statement at line 14.

After the update:

$ perl poc.pl
<mipu94><pwn4fun><>-------------------------------------------------------tadinhsung-at-gmail-dot-com-----------------------------------------------------</></pwn4fun></mipu94>heap: 0x2d2d3e libc: 0x0 i'm still ok and go more far!
$

The post-update trace does not complain and finishes with what looks like a complete run-through of the signal handlers, starting with SIGHUP and all returning 0. I guess that must be normal.

Functionality tests for this package are beyond my scope so I am giving it an OK based on the result of the PoC test and a clean install.

CC: (none) => tarazed25
Len Lawrence
2017-08-08 21:52:03 CEST

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Testing on mga5, x86_64.

Ran the same tests as in comment 8 using the downloaded PoC file and also strace. Before the update, the contained XML string is printed, followed by a segfault.

$ strace perl poc.pl 2> trace.1
<mipu94><pwn4fun><��)><text>(��</text></��)></pwn4fun></mipu94>heap: 0x299990 libc: 0x0 i'm still ok and go more far!
Segmentation fault

In this case the trace does not show any concern about malformed characters.

Installed perl-XML-LibXML-2.12.100-1.1.mga5 and tried the test again.

$ perl poc.pl
<mipu94><pwn4fun><>-------------------------------------------------------tadinhsung-at-gmail-dot-com-----------------------------------------------------</></pwn4fun></mipu94>heap: 0x2d2d3e libc: 0x0 i'm still ok and go more far!
$

An strace file shows that there is a 176 character write to STDOUT and finishes with the signal handler checks.

Passing this for 64-bits.
Len Lawrence
2017-08-08 22:54:21 CEST

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO has_procedure mga6-64-ok MGA5-64-OK
Lewis Smith
2017-08-09 09:02:10 CEST

CC: (none) => lewyssmith
nathan giovannini
2017-08-09 19:32:43 CEST

Whiteboard: MGA5TOO has_procedure mga6-64-ok MGA5-64-OK advisory => MGA5TOO has_procedure mga6-64-ok MGA5-64-OK advisory MGA6-32-OK

Not sure how that has_procedure got in there. A PoC is not necessarily a procedure because it more often than not only applies to the current bug and does not help with functionality testing.

Whiteboard: MGA5TOO has_procedure mga6-64-ok MGA5-64-OK advisory MGA6-32-OK => MGA5TOO mga6-64-ok MGA5-64-OK advisory MGA6-32-OK

The has_procedure was added by Len. If all we're doing is patching a particular issue and we have a PoC for it, as long as it's clear how to use it, it is a procedure as it's all you need to test.

I think it was finger trouble on my part. The point is, as far as I understand it, procedures are general ways to test the functionality of the package(s) irrespective of the bug issues, so are worth recording or noting.

No, has_procedure means that we have figured out a way to test that particular bug and documented it, so even someone unfamiliar can jump right in and test. When we don't have that tag, it means that testers will have to figure out how to test it.

OK David. So the procedure applies to the specific bug and if the package(s) comes up again with a different issue the procedure no longer applies. Thanks.

Should have said "might no longer apply". Obviously it does not exclude general testing procedures.
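As a general functionality check of the kind the procedure discussion above distinguishes from the PoC, here is an added Perl smoke test (not the poc.pl from rt.cpan.org, and not part of the Mageia package or this bug report) that exercises replaceChild, the API the advisory names, with same-document, imported and invalid arguments; it assumes XML::LibXML is installed and builds its sample documents inline.

```perl
#!/usr/bin/perl
# Added functional check for XML::LibXML's replaceChild; written for this page,
# not the poc.pl from rt.cpan.org and not part of the Mageia package.
# Assumes XML::LibXML is installed; the sample documents are constructed inline.
use strict;
use warnings;
use XML::LibXML;

# Distro packages backport fixes without changing $VERSION (the Mageia packages
# on this page carry their own release numbers), so the version is logged only.
print "XML::LibXML $XML::LibXML::VERSION\n";

my $doc   = XML::LibXML->load_xml(string => '<root><old>a</old><keep>b</keep></root>');
my $other = XML::LibXML->load_xml(string => '<foreign>c</foreign>');
my $root  = $doc->documentElement;
my ($old) = $root->findnodes('old');

# Case 1: replacement created in the same document. replaceChild returns the
# node it removed, which must stay usable on its own afterwards.
my $new = $doc->createElement('new');
$new->appendText('x');
my $returned = $root->replaceChild($new, $old);
die "replaceChild must return the replaced node\n" unless $returned->isSameNode($old);
die "replaced node must survive detachment\n"     unless $old->toString eq '<old>a</old>';

# Case 2: replacement owned by another document, handed over with importNode
# first, which is the documented way to move a node between documents.
my $imported = $doc->importNode($other->documentElement);
my ($keep)   = $root->findnodes('keep');
$root->replaceChild($imported, $keep);

# Case 3: bad arguments. $keep is no longer a child of $root, so the call must
# be refused (undef or an exception, depending on the version) and the tree
# must be left unchanged; a crash here is a failed test.
my $before = $root->toString;
my $ret = eval { $root->replaceChild($doc->createElement('z'), $keep) };
die "replaceChild accepted a node that is not a child\n" if defined $ret;
die "tree changed after a refused replaceChild\n" unless $root->toString eq $before;

my $expected = '<root><new>x</new><foreign>c</foreign></root>';
die "unexpected result: $before\n" unless $before eq $expected;
print "replaceChild checks passed: $before\n";
```

Run it before and after installing the update; a clean exit with the "checks passed" line is the pass condition, and any signal or die is a fail.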
Len Lawrence
2017-08-10 21:38:00 CEST

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0254.html

Resolution: (none) => FIXED

*** Bug 22069 has been marked as a duplicate of this bug. ***