Bug 23677

Summary: dom4j new security issue CVE-2018-1000632
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, geiger.david68210, herman.viaene, marja11, pterjan, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: dom4j-2.0.0-3.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-10-13 00:13:33 CEST 
openSUSE has issued an advisory on September 28:
https://lists.opensuse.org/opensuse-updates/2018-09/msg00174.html

The issue is fixed upstream in 2.1.1.

Mageia 6 is also affected.
David Walser 2018-10-13 00:13:40 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-10-13 08:33:10 CEST 
Assigning to the registered maintainer.

Also CC'ing some committers.

Assignee: bugsquad => mageia
CC: (none) => geiger.david68210, marja11, pterjan

Comment 2 David Walser 2019-02-03 02:17:27 CET 
Upstream patch applies to 2.0.0, but package doesn't build:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20190203011009.luigiwalser.duvel.37065/log/dom4j-2.0.0-4.mga7/build.0.20190203011109.log

All but one hunk of openSUSE patch applies to Mageia 6 version if you run dos2unix on the Java files, so it should be fixable there.

Status comment: (none) => Fixed upstream in 2.1.1

Comment 3 David GEIGER 2019-02-03 10:03:19 CET 
Fixed for Cauldron!
Comment 4 David GEIGER 2019-02-03 11:02:16 CET 
Now fixed for mga6!
Comment 5 David Walser 2019-02-03 17:48:17 CET 
Thanks David!

Advisory:
========================

Updated dom4j packages fix security vulnerability:

dom4j version prior to version 2.1.1 contains an XML Injection vulnerability in
Class: Element. Methods: addElement, addAttribute that can result in an
attacker tampering with XML documents through XML injection. This attack
appears to be exploitable via an attacker specifying attributes or elements in
the XML document (CVE-2018-1000632).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000632
https://lists.opensuse.org/opensuse-updates/2018-09/msg00174.html
========================

Updated packages in core/updates_testing:
========================
dom4j-1.6.1-28.1.mga6
dom4j-demo-1.6.1-28.1.mga6
dom4j-manual-1.6.1-28.1.mga6
dom4j-javadoc-1.6.1-28.1.mga6

from dom4j-1.6.1-28.1.mga6.src.rpm

Assignee: mageia => qa-bugs
Status comment: Fixed upstream in 2.1.1 => (none)
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 6 Herman Viaene 2019-02-06 17:17:43 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Trying to find some example of usage, but I keep running into problems. I guess some more java stuff is needed to compile one of those, I keep getting errors like:
$ javac dom4j.java 
dom4j.java:7: error: class Foo is public, should be declared in a file named Foo.java
public class Foo {
       ^
dom4j.java:3: error: package org.dom4j does not exist
import org.dom4j.Document;
                ^
dom4j.java:4: error: package org.dom4j does not exist
import org.dom4j.DocumentException;
At least it installs cleanly.

CC: (none) => herman.viaene

Comment 7 David Walser 2019-02-06 19:18:18 CET 
Clean upgrades are a sufficient test for Java stack packages.
Herman Viaene 2019-02-07 08:28:35 CET

Whiteboard: (none) => MGA6-32-OK

Dave Hodgins 2019-02-14 07:55:02 CET

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 8 Mageia Robot 2019-02-14 09:40:14 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0077.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED