Bug 22779

Summary: xerces-c new security issue CVE-2017-12627
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, sysadmin-bugs, tarazed25
Version: 5Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK MGA5-64-OK
Source RPM: xerces-c-3.1.2-1.3.mga5.src.rpm CVE:
Status comment:
Bug Depends on: 22677    
Bug Blocks:    
Attachments: xerces-c test script set

Description David Walser 2018-03-15 20:54:01 CET 
+++ This bug was initially created as a clone of Bug #22677 +++

Apache has issued an advisory today (March 1):
http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt

The issue is fixed upstream in 3.2.1 and the message above contains a link to the commit that fixed the issue.

Updated package uploaded for Mageia 5.  See the previous bug for testing hints.

Advisory:
========================

Updated xerces-c packages fix security vulnerability:

The Xerces-C XML parser mishandles certain kinds of external DTD references,
resulting in dereference of a NULL pointer while processing the path to the
DTD. The bug allows for a denial of service attack in applications that allow
DTD processing and do not prevent external DTD usage, and could conceivably
result in remote code execution (CVE-2017-12627).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12627
http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt
========================

Updated packages in core/updates_testing:
========================
xerces-c-3.1.2-1.4.mga5
libxerces-c3.1-3.1.2-1.4.mga5
libxerces-c-devel-3.1.2-1.4.mga5
xerces-c-doc-3.1.2-1.4.mga5

from xerces-c-3.1.2-1.4.mga5.src.rpm
Comment 1 Herman Viaene 2018-03-17 14:08:10 CET 
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Ref to bug 17820 e.a for tests
I had to recompile the parser, since Len had his on a 64-bit installation.
But then both the parser test and playing enigma a little was all OK.

Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene

Lewis Smith 2018-03-17 20:45:39 CET

Keywords: (none) => advisory

Comment 2 Lewis Smith 2018-03-18 11:34:55 CET 
Testing M5/64
partly to assemble all in one place - here - the various nested references from previous testing; and provide the formatted test scripts, to aid future testing:

1) The several parser test source files, in section "Programming with Xerces-C":
 http://www.yolinux.com/TUTORIALS/XML-Xerces-C.html
- sample.xml
- parser.hpp     C++ file included in...
- parser.cpp     C++ Program file; -> parser.c++ for backward compatibility!
These need copying & re-formatting to be usable.

2) Len's Ruby script to strip the line numbers from them:
 https://bugs.mageia.org/attachment.cgi?id=7498
I could not get this to work - did not know what it wanted nor why it was complaining. Ended up using simple Unix commands grep & sed (could have just used the latter with a bit more savvy).
Will combine the results of 1 + 2 into a single attachment to this bug, so the prior two references will not then be necessary.

3) Claire's original test pointers:
 https://bugs.mageia.org/show_bug.cgi?id=15538 #c7 & #c8
> Testing with enigma and megaglest which are both games
> and sigil which is an epub ebook editor
> ... and also compiled and ran the example from the link
> (with the -devel package installed)

4) Len's advice for compiling & running the parser test:
 https://bugs.mageia.org/show_bug.cgi?id=17820#c3
> 4) Compiled and linked the parser files to produce an executable.
> $ g++ -g -Wall -pedantic -lxerces-c parser.c++ -DMAIN_TEST -o parser
> 5) Ran the unit test on parser.
> $ ./parser
> Application option A=10
> Application option B=24

Made sure I had for starters:
 xerces-c-3.1.2-1.3.mga5
 lib64xerces-c3.1-3.1.2-1.3.mga5
 lib64xerces-c-devel-3.1.2-1.3.mga5
+ enigma and megaglest (*big* downloads). There are 3 applications for the second:
- MegaGlest
- MegaGlest Map Editor
- MegaGlest Model Viewer
I ensured that these all nominally worked (no playing).
And having tidied the test scripts in ref 1 above, ref 4 above steps 4 & 5 worked as shown.

AFTER update to:
- lib64xerces-c-devel-3.1.2-1.4.mga5.x86_64
- lib64xerces-c3.1-3.1.2-1.4.mga5.x86_64
- xerces-c-3.1.2-1.4.mga5.x86_64

 $ g++ -g -Wall -pedantic -lxerces-c parser.c++ -DMAIN_TEST -o parser
 $ ./parser
 Application option A=10
 Application option B=24
OK

Enigma & MegaGlest seemed to function within the limits of my total ignorance; equally MegaGlest Map Editor & MegaGlest Model Viewer. OK for me, validating.

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 3 Lewis Smith 2018-03-18 11:43:12 CET 
Created attachment 10053 [details]
xerces-c test script set

Contains:
 parser.c++, parser.hpp, sample.xml
To compile:
 $ g++ -g -Wall -pedantic -lxerces-c parser.c++ -DMAIN_TEST -o parser
To run:
 $ ./parser
Expected output:
 Application option A=10
 Application option B=24
Comment 4 Len Lawrence 2018-03-18 21:21:06 CET 
Sorry about the stripe.rb file for removing line-numbers; it was totally mangled and not the one I actually used.  Has been replaced.

CC: (none) => tarazed25

Comment 5 Mageia Robot 2018-03-19 13:14:31 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0178.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED