Bug 32970

Summary: expat new security issues CVE-2023-52425 and CVE-2024-28757
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, geiger.david68210, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: expat-2.6.1-1.mga10.src.rpm CVE: CVE-2023-52425, CVE-2024-28757
Status comment: Fixed upstream in 2.6.2 and patches available from Ubuntu

Description Nicolas Salguero 2024-03-15 10:28:42 CET 
Ubuntu has issued an advisory on March 14:
https://ubuntu.com/security/notices/USN-6694-1

Mageia 9 is affected by both CVEs but Cauldron is only affected by CVE-2024-28757 and should be updated to version 2.6.2.
Nicolas Salguero 2024-03-15 10:29:38 CET

Source RPM: (none) => expat-2.6.1-1.mga10.src.rpm
CVE: (none) => CVE-2023-52425, CVE-2024-28757
Status comment: (none) => Fixed upstream in 2.6.2 and patches available from Ubuntu
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2024-03-15 21:40:12 CET 
v2.6.1 is only just in Cauldron ! (Thanks to DavidG).

Another case of "Should/Can we similarly update M9?".

CVE 28757 has links to these 2 expat patches:
https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8
https://github.com/libexpat/libexpat/commit/072eca0b72373da103ce15f8f62d1d7b52695454
libexpat1 is also impled.

CVE 52425 leads to no patch.

Different people have updated this, so assigning it globally.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210

Comment 2 David GEIGER 2024-03-16 09:52:42 CET 
Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
expat-2.6.2-1.mga9
lib64expat-devel-2.6.2-1.mga9
lib64expat1-2.6.2-1.mga9
libexpat-devel-2.6.2-1.mga9
libexpat1-2.6.2-1.mga9

From SRPMS:
expat-2.6.2-1.mga9.src.rpm

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Assignee: pkg-bugs => qa-bugs

Comment 3 Thomas Andrews 2024-03-17 03:08:56 CET 
MGA9-64 Plasma,i5-7500. No installation issues.

Followed the procedure from the wiki, as was used in bug 31057 comment 2 (needed test files are attached to bug 31057)

[tom@localhost ~]$  python testexpat.py
Tested OK
[tom@localhost ~]$ python3 testexpat.py
Tested OK
[tom@localhost ~]$ xmlwf /etc/xml/catalog
[tom@localhost ~]$ xmlwf /etc/passwd
/etc/passwd:1:16: not well-formed (invalid token)

Looks OK. Validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

katnatek 2024-03-17 03:17:21 CET

Keywords: (none) => advisory

Comment 4 Mageia Robot 2024-03-18 17:13:33 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0072.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED