Bug 23401

Summary: xml-security-c new security issue
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, marja11, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: xml-security-c-1.7.3-3.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-08-06 21:54:08 CEST 
Debian has issued an advisory on August 5:
https://www.debian.org/security/2018/dsa-4265

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-08-06 21:54:21 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-07 07:37:24 CEST 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => mageia

Comment 2 Sander Lepik 2018-09-12 10:33:15 CEST 
I have uploaded a patched package for Mageia 6 (cauldron was fixed by new version from guillomovitch).

I have no idea how to test the patch...

Suggested advisory:
========================

Updated xml-security-c packages fix security vulnerability:

It was discovered that the Apache XML Security for C++ library performed insufficient validation of KeyInfo hints, which could result in denial of service via NULL pointer dereferences when processing malformed XML data.

https://issues.apache.org/jira/projects/SANTUARIO/issues/SANTUARIO-491
========================

Updated packages in core/updates_testing:
========================
xml-security-c-1.7.3-2.1.mga6

Source RPM:
xml-security-c-1.7.3-2.1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: mageia => qa-bugs

Comment 3 Len Lawrence 2018-09-12 15:52:05 CEST 
Mageia 6, x86_64

No idea about testing the patch either.  Nothing upstream.

Installed qdigidoc and ran strace on the gui via qdigidocclient.
$ strace -o trace.qdig qdigidocclient
This presented the DigiDoc3 interface where documents can be signed or opened.  There is a third option which looks like an opportunity to encrypt the signage:
"Open DigiDoc3 Crypto"
Pressed "Open signed document" which led to a file manager.
Retreated - just giving the application something to do.
The language options work.
Closed down and checked the trace file.
$ grep xml-security trace.qdig
open("/lib64/libxml-security-c.so.17", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libxml-security-c.so.17.0.3", O_RDONLY) = 3
open("/usr/lib64/libxml-security-c.so.17.0.3", O_RDONLY) = 24

Updated xml-security-c and tinkered with qdigidocclient.
Picked a PDF document rather than XML and the DigiDoc stated that PDF signing would be forwarded to the Estonian authority and a form was presented for the user to enter details.  Backed out at that point.
Just have to assume that it is all working.  No crashes or errors reported.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 4 Thomas Andrews 2018-09-19 03:56:25 CEST 
Sounds like the best we can do. Validating...

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2018-09-21 16:51:23 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2018-09-21 18:27:38 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0381.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED