Bug 5141

Summary: expat new security issues CVE-2012-1147, CVE-2012-1148, CVE-2012-0876
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, guillomovitch, mageia, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://sourceforge.net/projects/expat/files/expat/2.1.0/
Whiteboard:
Source RPM: expat-2.0.1-14.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-03-27 23:17:06 CEST 
The ChangeLog found at:
http://sourceforge.net/projects/expat/files/expat/2.1.0/

references 5 CVEs fixed in that release,
- CVE-2012-1147
- CVE-2009-3720
- CVE-2009-3560
- CVE-2012-1148
- CVE-2012-0876

The two CVEs from 2009 were fixed by Mandriva before the package was imported into Mageia.  Mageia 1 and Mageia 2 (Cauldron) are vulnerable to the others.

Mandriva has issued this advisory today (March 27):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:041

It references CVE-2012-1148 and CVE-2012-0876, but not CVE-2012-1147.

Patches are here:
http://svn.mandriva.com/svn/packages/updates/2010.1/expat/current/SOURCES/expat-2.0.1-CVE-2012-0876.diff
http://svn.mandriva.com/svn/packages/updates/2010.1/expat/current/SOURCES/expat-2.0.1-CVE-2012-1148.diff
David Walser 2012-03-27 23:18:51 CEST

CC: (none) => mageia

David Walser 2012-03-27 23:28:09 CEST

Blocks: (none) => 5046

Guillaume Rousse 2012-03-28 21:57:17 CEST

Status: NEW => ASSIGNED
CC: (none) => guillomovitch
Assignee: bugsquad => guillomovitch

Comment 2 Guillaume Rousse 2012-03-29 19:57:57 CEST 
2.1.0 version submitted for cauldron.
Comment 3 Guillaume Rousse 2012-03-29 20:12:04 CEST 
expat-2.0.1-14.1.mga submitted for updates_testing.
Comment 4 David Walser 2012-03-29 20:31:21 CEST 
Did the Cauldron update get blocked by the version freeze?
Comment 5 David Walser 2012-03-29 20:36:12 CEST 
Oh, I see.  Freeze push requested.
Comment 6 David Walser 2012-03-29 20:47:38 CEST 
Advisory
========================

Updated expat packages fix security vulnerabilities:

A memory leak and a hash table collision flaw in expat could cause
denial of service (DoS) attacks (CVE-2012-0876, CVE-2012-1148).

A resource leak was caused by file descriptors not being closed in
readfilemap.c, which could also cause a denial of service (CVE-2012-1147).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1148
http://sourceforge.net/projects/expat/files/expat/2.1.0/
http://www.net-security.org/vuln.php?id=16267
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:041
========================

Updated packages in core/updates_testing:
========================
expat-2.0.1-14.1.mga1
libexpat1-2.0.1-14.1.mga1
libexpat1-devel-2.0.1-14.1.mga1

from expat-2.0.1-14.1.mga1.src.rpm

Assignee: guillomovitch => qa-bugs

David Walser 2012-03-29 23:23:09 CEST

Blocks: 5046 => (none)

Comment 7 Dave Hodgins 2012-03-30 04:57:49 CEST 
Testing complete on i586 for the srpm
expat-2.0.1-14.1.mga1.src.rpm

No POC, so just testing that it works ...
$ xmlwf /etc/xml/catalog
$ xmlwf /etc/passwd
/etc/passwd:1:16: not well-formed (invalid token)

CC: (none) => davidwhodgins

Comment 8 claire robinson 2012-04-02 00:05:58 CEST 
tested ok x86_64

Advisory in comment 6

Could sysadmin please push from core/updates_testing to core/updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 9 Thomas Backlund 2012-04-03 05:08:10 CEST 
Update pushed

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED