| Summary: | xerces-c new security issue CVE-2017-12627 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | lewyssmith, marja11, mhrambo3501, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK | | |
| Source RPM: | xerces-c-3.1.4-3.mga7.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 3.2.1 | | |
| Bug Depends on: | | | |
| Bug Blocks: | 22779 | | |
Description

David Walser
2018-03-01 14:32:45 CET

David Walser
2018-03-01 14:32:59 CET

Status comment: (none) => Fixed upstream in 3.2.1

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs

Updated packages built for cauldron and Mageia 6.

Testing ideas in Bug 17820 and Bug 18421.

Advisory:
========================

Updated xerces-c packages fix security vulnerability:

The Xerces-C XML parser mishandles certain kinds of external DTD references, resulting in dereference of a NULL pointer while processing the path to the DTD. The bug allows for a denial of service attack in applications that allow DTD processing and do not prevent external DTD usage, and could conceivably result in remote code execution.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12627
http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt
========================

Updated packages in core/updates_testing:
========================
xerces-c-3.1.4-2.1.mga6
libxerces-c3.1-3.1.4-2.1.mga6
libxerces-c-devel-3.1.4-2.1.mga6

from xerces-c-3.1.4-2.1.mga6.src.rpm

Version: Cauldron => 6

Mike Rambo
2018-03-02 17:28:25 CET

Assignee: pkg-bugs => qa-bugs

Advisory uploaded. Added CVE to text and markup.

Keywords: (none) => advisory

Mageia 6 :: x86_64

The reference identifies external Document Type Definitions as a possible source of problems for the XML parser.

Installed the packages from Updates.

Bug 18421 mentions enigma:
$ urpmq --requires enigma | grep xerces
libxerces-c-3.1.so()(64bit)

Installed enigma and played a bit.

It looks like sigil no longer needs xerces-c.
$ urpmq --requires-recursive sigil | grep xerces
$ urpmq --whatrequires-recursive lib64xerces-c3.1 | grep sigil
$

http://www.yolinux.com/TUTORIALS/XML-Xerces-C.html
This link provides the code for an XML parser along with a sample document.

$ cat sample.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<root>
<ApplicationSettings option_a = "10" option_b = "24" >
</ApplicationSettings>
<OtherStuff option_x = "500" >
</OtherStuff>
</root>

Compiled parser.h++ and parser.c++ and ran parser against the sample.
$ g++ -g -Wall -pedantic -I/opt/include -L/opt/lib -lxerces-c parser.c++ -DMAIN_TEST -o parser
$ ./parser sample.xml
Application option A=10
Application option B=24

So, all is OK before the updates.

Installed the updates and played with enigma and recompiled the test parser.
$ ./parser sample.xml
Application option A=10
Application option B=24

This all looks fine. OK for x86_64.

CC: (none) => tarazed25
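The advisory in this bug says the vulnerable path is only reachable in applications that allow DTD processing and do not prevent external DTD usage, and the QA comment above compiles a small Xerces-C parser against sample.xml. As an added example (my own code, not anything from the bug report, the Mageia packages or the yolinux tutorial), the C++ program below shows the defensive side of that statement: a pre-parse gate that classifies a document's DOCTYPE declaration and refuses any document carrying an external DTD reference (a SYSTEM or PUBLIC identifier after the root name, or an external parameter entity declared in the internal subset) before the text is handed to the parser. It needs no Xerces-C to build, so it doubles as a unit-testable policy check; inside Xerces-C itself the equivalent setting is the parser's setLoadExternalDTD(false), which this page does not mention. All inputs are constructed for the demo: the first reproduces the bug report's sample.xml, the others are DOCTYPE variants written here, and the host name dtd.example.invalid is a placeholder.

```cpp
// Added example (not from the bug report): a pre-parse gate that classifies a
// document's DOCTYPE so that external DTD references are refused before the
// text ever reaches an XML parser such as Xerces-C.
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

enum class DoctypeKind { None, InternalOnly, ExternalRef, Malformed };

// Advance past whitespace.
static std::size_t skipWs(const std::string& s, std::size_t i) {
    while (i < s.size() && std::isspace(static_cast<unsigned char>(s[i]))) ++i;
    return i;
}

// True if `kw` occurs in `decl` as a standalone keyword (whitespace before it,
// whitespace or a quote after it). Deliberately conservative: a quoted literal
// that happens to contain the word also matches, which only causes a rejection.
static bool hasKeyword(const std::string& decl, const std::string& kw) {
    for (std::size_t p = decl.find(kw); p != std::string::npos; p = decl.find(kw, p + 1)) {
        bool wsBefore = p > 0 && std::isspace(static_cast<unsigned char>(decl[p - 1]));
        std::size_t after = p + kw.size();
        bool okAfter = after >= decl.size() ||
                       std::isspace(static_cast<unsigned char>(decl[after])) ||
                       decl[after] == '"' || decl[after] == '\'';
        if (wsBefore && okAfter) return true;
    }
    return false;
}

// Walk the prolog (XML declaration, comments, processing instructions) up to
// the DOCTYPE or the root element and classify what was found.
DoctypeKind classifyDoctype(const std::string& doc) {
    const std::size_t n = doc.size();
    std::size_t i = 0;
    for (;;) {
        i = skipWs(doc, i);
        if (i >= n) return DoctypeKind::None;
        if (doc.compare(i, 4, "<!--") == 0) {            // comment
            std::size_t end = doc.find("-->", i + 4);
            if (end == std::string::npos) return DoctypeKind::Malformed;
            i = end + 3;
        } else if (doc.compare(i, 2, "<?") == 0) {       // XML declaration or PI
            std::size_t end = doc.find("?>", i + 2);
            if (end == std::string::npos) return DoctypeKind::Malformed;
            i = end + 2;
        } else if (doc.compare(i, 9, "<!DOCTYPE") == 0) {
            break;
        } else {
            return DoctypeKind::None;                    // root element: no DOCTYPE
        }
    }
    // End of the declaration: '>' directly, or ']' then '>' when an internal
    // subset is present.
    std::size_t close = doc.find_first_of("[>", i + 9);
    if (close == std::string::npos) return DoctypeKind::Malformed;
    if (doc[close] == '[') {
        std::size_t rb = doc.find(']', close + 1);
        if (rb == std::string::npos) return DoctypeKind::Malformed;
        close = doc.find('>', rb + 1);
        if (close == std::string::npos) return DoctypeKind::Malformed;
    }
    const std::string decl = doc.substr(i, close - i + 1);
    // SYSTEM/PUBLIC after the root name is an external DTD; inside the internal
    // subset they declare external entities, which also pull in remote DTD text.
    if (hasKeyword(decl, "SYSTEM") || hasKeyword(decl, "PUBLIC")) return DoctypeKind::ExternalRef;
    return DoctypeKind::InternalOnly;
}

// Policy: never hand an external DTD reference to the parser; allow an
// internal-only subset only when the caller opts in.
bool acceptForParsing(const std::string& doc, bool allowInternalDtd) {
    switch (classifyDoctype(doc)) {
        case DoctypeKind::None:         return true;
        case DoctypeKind::InternalOnly: return allowInternalDtd;
        default:                        return false;
    }
}

int main() {
    // Constructed inputs: the sample.xml from the bug report, plus DOCTYPE
    // variants written for this demo (dtd.example.invalid is a placeholder).
    const std::string noDoctype =
        "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n"
        "<root>\n<ApplicationSettings option_a = \"10\" option_b = \"24\" >\n"
        "</ApplicationSettings>\n<OtherStuff option_x = \"500\" >\n</OtherStuff>\n</root>\n";
    const std::string externalDtd =
        "<?xml version=\"1.0\"?>\n<!-- note -->\n"
        "<!DOCTYPE root SYSTEM \"http://dtd.example.invalid/root.dtd\">\n<root/>\n";
    const std::string internalOnly = "<!DOCTYPE root [ <!ELEMENT root EMPTY> ]>\n<root/>\n";
    const std::string internalWithExternalEntity =
        "<!DOCTYPE root [ <!ENTITY % ext SYSTEM \"ext.dtd\"> %ext; ]>\n<root/>\n";

    std::cout << std::boolalpha
              << "sample.xml accepted:        " << acceptForParsing(noDoctype, false) << "\n"
              << "external DTD accepted:      " << acceptForParsing(externalDtd, true) << "\n"
              << "internal subset (opt-in):   " << acceptForParsing(internalOnly, true) << "\n"
              << "internal + external entity: " << acceptForParsing(internalWithExternalEntity, true) << "\n";
    return 0;
}
```

The gate is intentionally stricter than the XML grammar: a keyword inside a quoted literal also triggers a rejection, and a truncated prolog is reported as Malformed rather than passed through, so the only documents that reach the parser are those with no DOCTYPE at all or, when the caller opts in, an internal subset that names no external resource.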
Lewis Smith
2018-03-06 07:15:39 CET

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0158.html

Resolution: (none) => FIXED

David Walser
2018-03-15 20:54:01 CET

Blocks: (none) => 22779