Bug 22925

Summary: freeplane new security issue CVE-2018-1000069
Product: Mageia
Reporter: Zombie Ryushu <zombie_ryushu>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: geiger.david68210, marja11, sysadmin-bugs, tarazed25
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://www.debian.org/security/2018/dsa-4175
Whiteboard: MGA6-64-OK
Source RPM: freeplane-1.3.15-3.mga6.src.rpm
CVE: CVE-2018-1000069
Status comment:

Description Zombie Ryushu 2018-04-18 19:26:22 CEST
Wojciech Regula discovered an XML External Entity vulnerability in the XML Parser of the mindmap loader in freeplane, a Java program for working with mind maps, resulting in potential information disclosure if a malicious mind map file is opened.
Zombie Ryushu 2018-04-18 19:27:39 CEST

CVE: (none) => CVE-2018-1000069

Comment 1 Marja Van Waes 2018-04-18 21:47:13 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2018-04-19 09:30:53 CEST
Fixed on Cauldron and mga6 too!

CC: (none) => geiger.david68210

Comment 3 David Walser 2018-04-21 18:31:41 CEST
Thanks David!

Debian has issued an advisory for this on April 18:
https://www.debian.org/security/2018/dsa-4175

Advisory:
========================

Updated freeplane packages fix security vulnerability:

Wojciech Regula discovered an XML External Entity vulnerability in the XML
Parser of the mindmap loader in freeplane, a Java program for working with mind
maps, resulting in potential information disclosure if a malicious mind map
file is opened (CVE-2018-1000069).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000069
https://www.debian.org/security/2018/dsa-4175
========================

Updated packages in core/updates_testing:
========================
freeplane-1.3.15-3.1.mga6

freeplane-1.3.15-3.1.mga6.src.rpm

Version: Cauldron => 6
Summary: freeplane security vulnerabilities CVE-2018-1000069 => freeplane new security issue CVE-2018-1000069
Source RPM: freeplane => freeplane-1.3.15-3.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
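To make the advisory text concrete: a Freeplane .mm file is XML, so an XML External Entity (XXE) bug in the loader means a crafted map can declare an entity that points at a local file and have the parser splice that file's contents into a node. The following is an added illustration written for this page, not freeplane's own loader code and not the upstream fix: it uses the standard JAXP DocumentBuilder API, a constructed malicious map whose `<map>`/`<node TEXT="...">` skeleton is only a sketch of the format, and an arbitrary file path chosen for the demonstration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added illustration of an XXE in an XML mind-map loader and its fix.
 * This is NOT freeplane's code; the .mm skeleton is a sketch of the format
 * and the hardening uses the generic JAXP feature switches.
 */
public class MindMapXxeDemo {

    // Constructed malicious mind map: the inline DTD declares an external
    // entity backed by a local file and a node's TEXT attribute references it.
    // A parser that expands external entities embeds the file in the map.
    static final String MALICIOUS_MM =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE map [\n" +
        "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n" +   // example path
        "]>\n" +
        "<map version=\"1.3.15\">\n" +
        "  <node TEXT=\"&xxe;\"/>\n" +
        "</map>\n";

    /** Vulnerable pattern: a default JAXP builder resolves external entities. */
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened pattern: refuse DTDs outright, so no entity can be declared. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Strongest single setting: any DOCTYPE makes parse() throw.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for code paths that must tolerate a DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parse a .mm document and return the TEXT of its first node. */
    static String firstNodeText(DocumentBuilder b, String mm) throws Exception {
        Document doc = b.parse(new InputSource(new StringReader(mm)));
        Element node = (Element) doc.getElementsByTagName("node").item(0);
        return node.getAttribute("TEXT");
    }

    public static void main(String[] args) throws Exception {
        // Default builder: the node text becomes the referenced file's contents,
        // which leaks once the map is displayed, saved or exported.
        System.out.println("default parser  -> " + firstNodeText(vulnerableBuilder(), MALICIOUS_MM));

        // Hardened builder: the document is rejected before any entity is touched.
        try {
            firstNodeText(hardenedBuilder(), MALICIOUS_MM);
        } catch (SAXParseException e) {
            System.out.println("hardened parser -> rejected: " + e.getMessage());
        }
    }
}
```

The check a packager can apply to any Java XML loader is the same regardless of framework: if the factory (DOM, SAX or StAX) is created with default settings and fed attacker-controlled files, external entity resolution is on. For StAX the equivalent switch is `XMLInputFactory.SUPPORT_DTD` set to `false`.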

Comment 4 Len Lawrence 2018-04-22 18:57:46 CEST
Mageia 6, x86_64

Installed this and had a quick look at it before updating.
There is a built-in tutorial which I did not attempt to follow but was able to produce a primitive mind-map by tinkering with the menus, creating nodes, child nodes and child sibling nodes and entering text.  It was basically ideas for an essay.  Saved the map as a .mm file, all text in a rich-text format with XML-style delimiters and passages of HTML.  Images and other types of files can be included.  Ran freeplane again to reopen the mind-map and continue editing, then saved and printed the file on several sheets of paper.  It is pure WYSIWYG.

As far as these simple tests go the application appears to work alright after updating.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Lewis Smith 2018-04-22 20:34:52 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2018-04-22 21:59:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0210.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED