Bug 25661

Summary: expat security issue CVE-2019-15903 fixed upstream
Product: Mageia Reporter: Christiaan Welvaart <cjw>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, cjw, herman.viaene, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: expat-2.2.7-1.mga7.src.rpm CVE:
Status comment:

Description Christiaan Welvaart 2019-11-05 21:31:15 CET 
A buffer overflow bug was found in the expat library: https://github.com/libexpat/libexpat/issues/317 which upstream fixed in version 2.2.8. The cauldron expat package has already been updated to a new version.
Comment 1 Christiaan Welvaart 2019-11-05 23:05:14 CET 
Updated packages are available for testing:

SRPM
expat-2.2.7-1.1.mga7.src.rpm
RPMS
expat-2.2.7-1.1.mga7
lib(64)expat1-2.2.7-1.1.mga7
lib(64)expat-devel-2.2.7-1.1.mga7



Results of make check on x86-64:

For the local RPM build, I first added only the new test case for this bug:
=======================================
   expat 2.2.7: tests/test-suite.log
=======================================

# TOTAL: 2
# PASS:  0
# SKIP:  0
# XFAIL: 0
# FAIL:  2
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: runtests
==============

ERROR: Parsing was expected to fail but succeeded.
Expat version: expat_2.2.7
99%: Checks: 330, Failed: 1
FAIL runtests (exit status: 1)

FAIL: runtestspp
================

ERROR: Parsing was expected to fail but succeeded.
Expat version: expat_2.2.7
99%: Checks: 330, Failed: 1
FAIL runtestspp (exit status: 1)



After also adding the patch with a fix for this bug:
=======================================
   expat 2.2.7: tests/test-suite.log
=======================================

# TOTAL: 2
# PASS:  2
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2



So the back-ported patch appears to fix the problem without breaking the other tests.
Comment 2 Christiaan Welvaart 2019-11-05 23:24:21 CET 
advisory:



It was discovered that Expat did not properly handle internal entities closing the doctype, potentially resulting in denial of service or information disclosure if a malformed XML file is processed (CVE-2019-15903).


References:

https://github.com/libexpat/libexpat/issues/317
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903

Assignee: cjw => qa-bugs
CC: (none) => cjw

Comment 3 Herman Viaene 2019-11-06 15:04:16 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Followed tests as per https://wiki.mageia.org/en/QA_procedure:Expat
$ python testexpat.py
Tested OK
$ xmlwf /etc/xml/catalog
$ xmlwf /etc/passwd
/etc/passwd:1:16: not well-formed (invalid token)

Is OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2019-11-07 16:28:34 CET 
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-11-07 22:39:31 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2019-11-08 00:38:45 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0321.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED