| Summary: | ocaml-xml-light new security issue CVE-2012-3514 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | | |
| Priority: | Normal | CC: | davidwhodgins, pmdenielou, pterjan, shlomif, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/514539/ | | |
| Whiteboard: | MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK mga2-32-OK | | |
| Source RPM: | ocaml-xml-light-2.2-19.mga2.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser 2012-08-31 21:37:56 CEST

David Walser 2012-08-31 21:38:06 CEST
CC: (none) => pterjan

David Walser 2012-08-31 21:38:22 CEST
CC: (none) => shlomif

David Walser 2012-08-31 21:38:34 CEST
CC: (none) => pierre-malo.denielou

David Walser 2012-08-31 21:38:43 CEST
Whiteboard: (none) => MGA2TOO, MGA1TOO

I will take care of that.

Status: NEW => ASSIGNED

I believe Malo fixed this in Cauldron, but it still needs fixing for Mageia 1/2.

Version: Cauldron => 2

Yes, I'm on it. I just wanted to test the patch on Cauldron a little. The security threat is not very big anyway.

Patched package for Mageia 1 and Mageia 2 uploaded by Malo. Thanks Malo!

Advisory:
========================

Updated ocaml-xml-light packages fix security vulnerability:

OCaml Xml-Light Library before r234 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via unspecified vectors (CVE-2012-3514).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3514
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085828.html
========================

Updated packages in core/updates_testing:
========================
ocaml-xml-light-2.2-18.1.mga1
ocaml-xml-light-devel-2.2-18.1.mga1
ocaml-xml-light-2.2-19.1.mga2
ocaml-xml-light-devel-2.2-19.1.mga2

from SRPMS:
ocaml-xml-light-2.2-18.1.mga1.src.rpm
ocaml-xml-light-2.2-19.1.mga2.src.rpm

Assignee: pierre-malo.denielou => qa-bugs
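The advisory above describes the bug class, not the mechanism. The following is an added example, not xml-light's code and not the fix applied in r234: a toy chained hash table that counts key comparisons, filled once through a deterministic hash whose collisions are trivially predictable (the byte sum of the key, so every anagram of a key collides with it) and once through a keyed hash seeded from a per-process secret. All names here (`weak_hash`, `make_keyed_hash`, `ChainedTable`, `anagram_keys`, `compare`) and the input set are constructed for the illustration.

```python
"""Hash-flooding denial of service, the bug class behind CVE-2012-3514,
shown on a toy chained hash table.

Added example: not xml-light's code and not the r234 fix. The weak hash,
the keyed hash, the table and the input set are all constructed here.
"""
import hashlib
import os
import random


def weak_hash(key: str) -> int:
    """Deterministic, order-insensitive hash: the byte sum of the key.
    Any two anagrams of the same string collide, so an input set can be
    built that lands entirely in one bucket."""
    return sum(key.encode())


def make_keyed_hash(seed: bytes):
    """Keyed hash with a per-process secret seed (BLAKE2b in keyed mode).
    Without the seed, an outside party cannot predict which keys collide."""
    def keyed_hash(key: str) -> int:
        digest = hashlib.blake2b(key.encode(), key=seed, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return keyed_hash


class ChainedTable:
    """Separate-chaining hash table that counts key comparisons, so the
    CPU cost of collisions shows up as a number rather than wall time."""

    def __init__(self, hash_fn, nbuckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key: str, value) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def longest_chain(self) -> int:
        return max(len(chain) for chain in self.buckets)


def anagram_keys(base: str, n: int, seed: int = 0) -> list:
    """Constructed input: n distinct anagrams of `base`. They share a byte
    sum, so weak_hash maps all of them to the same bucket."""
    rng = random.Random(seed)
    chars = list(base)
    keys = set()
    while len(keys) < n:
        rng.shuffle(chars)
        keys.add("".join(chars))
    return sorted(keys)


def fill(hash_fn, keys: list) -> ChainedTable:
    table = ChainedTable(hash_fn)
    for k in keys:
        table.insert(k, len(k))
    return table


def compare(n: int = 200) -> dict:
    """Insert the same n keys under both hashes and report, per hash,
    (longest chain, total key comparisons)."""
    keys = anagram_keys("abcdefghijklmnop", n)
    weak = fill(weak_hash, keys)
    keyed = fill(make_keyed_hash(os.urandom(16)), keys)
    return {
        "weak": (weak.longest_chain(), weak.comparisons),
        "keyed": (keyed.longest_chain(), keyed.comparisons),
    }


if __name__ == "__main__":
    for name, (longest, comps) in compare().items():
        print(f"{name:5s} longest chain={longest:4d} comparisons={comps}")
```

With 200 colliding keys the weak table degenerates into one 200-entry chain and spends 19900 comparisons on inserts that should cost almost nothing; the keyed table spreads the same keys over its 1024 buckets and the chains stay short. The mitigation is the seed, not a better-looking hash: a hash that is unpredictable to the party supplying the keys is what removes their ability to choose colliding input in advance.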
David Walser 2012-09-06 00:10:02 CEST
Severity: normal => major

Thanks David for the advisory.

Only one package in Mageia uses ocaml-xml-light. It is ocaml-dose3, so it should be rebuilt against this patched version.

Do the changes in the patch require ocaml-dose3 to be rebuilt, or does ocaml-dose3 include an internal copy of ocaml-xml-light?

The ocaml-dose3 package includes some executables, like distcheck, that contain built-in copies of ocaml-xml-light. I just pushed the ocaml-dose3 package to updates_testing for mga1 and mga2.

OK, thanks Malo.

Malo has submitted these packages to the build system. I'll update the advisory when they are built.

ocaml-dose3-2.9.2-2.2457.2.1.mga1
ocaml-dose3-2.9.10-3.1.mga2

ocaml-dose3 packages are now built.

Advisory:
========================

Updated ocaml-xml-light packages fix security vulnerability:

OCaml Xml-Light Library before r234 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via unspecified vectors (CVE-2012-3514).

Additionally, ocaml-dose3 has been rebuilt to include the updated ocaml-xml-light.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3514
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085828.html
========================

Updated packages in core/updates_testing:
========================
ocaml-xml-light-2.2-18.1.mga1
ocaml-xml-light-devel-2.2-18.1.mga1
ocaml-dose3-2.9.2-2.2457.2.1.mga1
ocaml-dose3-devel-2.9.2-2.2457.2.1.mga1
ocaml-xml-light-2.2-19.1.mga2
ocaml-xml-light-devel-2.2-19.1.mga2
ocaml-dose3-2.9.10-3.1.mga2
ocaml-dose3-devel-2.9.10-3.1.mga2

from SRPMS:
ocaml-xml-light-2.2-18.1.mga1.src.rpm
ocaml-dose3-2.9.2-2.2457.2.1.mga1.src.rpm
ocaml-xml-light-2.2-19.1.mga2.src.rpm
ocaml-dose3-2.9.10-3.1.mga2.src.rpm

Possibly useful links:
http://tech.motion-twin.com/xmllight
http://xahlee.info/ocaml/ocaml_basics.html

```
$ urpmf ocaml-dose3 | grep bin
ocaml-dose3:/usr/bin/apt-cudf
ocaml-dose3:/usr/bin/ceve
ocaml-dose3:/usr/bin/challenged
ocaml-dose3:/usr/bin/deb-buildcheck
ocaml-dose3:/usr/bin/debcheck
ocaml-dose3:/usr/bin/distcheck
ocaml-dose3:/usr/bin/eclipsecheck
ocaml-dose3:/usr/bin/outdated
ocaml-dose3:/usr/bin/rpmcheck
```

Unable to install ocaml-dose3 from Release due to it having a strictly versioned rpm require and Testing (and so QA) having a newer version. Limiting regression testing to checking the new version.

```
# urpmi ocaml-dose3
The following packages can't be installed because they depend on packages that are older than the installed ones:
lib64rpm-devel-4.9.1.3-2.mga2
ocaml-dose3-2.9.10-3.mga2
Continue installation anyway? (Y/n) n
```

"the more recent rpm-4.9.1.3-2.1.mga2.x86_64 is installed, but does not provide rpm[== 1:4.9.1.3-2.mga2] whereas rpm-4.9.1.3-2.mga2.x86_64 does"

It seems this is a result of the new rpm in Testing (with no bug :P) but not in the way I initially thought. Installing ocaml-dose3 requires librpm-devel which for the Testing version of rpm is not available with Testing disabled.

The workaround is to install from Release with Testing enabled using:

```
# urpmi --searchmedia Release ocaml-dose3
```

The side effect is that it installs further rpm libs from Testing for which we have no bug yet and could give misleading results.

From Release version, some dangling links:

```
$ ll /usr/bin/eclipsecheck
lrwxrwxrwx 1 root root 81 Sep 10 13:05 /usr/bin/eclipsecheck -> ../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.mga2.x86_64//usr/bin/distcheck
$ ll /usr/bin/debcheck
lrwxrwxrwx 1 root root 81 Sep 10 13:05 /usr/bin/debcheck -> ../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.mga2.x86_64//usr/bin/distcheck
$ ll /usr/bin/rpmcheck
lrwxrwxrwx 1 root root 81 Sep 10 13:05 /usr/bin/rpmcheck -> ../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.mga2.x86_64//usr/bin/distcheck
```

Not sure how to use this, testing first with Release version..
Looking at /usr/share/doc/ocaml-xml-light/README

Following the simple sample..

```
$ ocaml
        Objective Caml version 3.12.1

# let x = Xml.parse_string "<a href='url'>TEXT<begin/><end/></a>" in
  Printf.printf "XML formated = \n%s" (Xml.to_string_fmt x);
  ;;
Error: Unbound module Xml
```

Testing mga2 64

Some success, following here http://rosettacode.org/wiki/XML/Input#OCaml

```ocaml
#directory "+xml-light" (* or maybe "+site-lib/xml-light" *) ;;
#load "xml-light.cma" ;;

let x = Xml.parse_string "
<Students>
  <Student Name='April' Gender='F' DateOfBirth='1989-01-02' />
  <Student Name='Bob' Gender='M' DateOfBirth='1990-03-04' />
  <Student Name='Chad' Gender='M' DateOfBirth='1991-05-06' />
  <Student Name='Dave' Gender='M' DateOfBirth='1992-07-08'>
    <Pet Type='dog' Name='Rover' />
  </Student>
  <Student DateOfBirth='1993-09-10' Gender='F' Name='Émily' />
</Students>" in
(* Xml.iter visits the children of the root element; print each Student's Name attribute *)
Xml.iter (function
  | Xml.Element ("Student", attrs, _) ->
      List.iter (function ("Name", name) -> print_endline name | _ -> ()) attrs
  | _ -> ()) x ;;
```

By doing this I get the output it lists..

```
April
Bob
Chad
Dave
Émily
- : unit = ()
```

This is the same after updating so there doesn't appear to be any obvious regression with ocaml-xml-light.

ocaml-dose3 however still has the same dangling links in the update ..

```
$ ll /usr/bin/rpmcheck
lrwxrwxrwx 1 root root 83 Sep 10 15:15 /usr/bin/rpmcheck -> ../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.1.mga2.x86_64//usr/bin/distcheck
$ ll /usr/bin/debcheck
lrwxrwxrwx 1 root root 83 Sep 10 15:15 /usr/bin/debcheck -> ../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.1.mga2.x86_64//usr/bin/distcheck
$ ll /usr/bin/eclipsecheck
lrwxrwxrwx 1 root root 83 Sep 10 15:15 /usr/bin/eclipsecheck -> ../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.1.mga2.x86_64//usr/bin/distcheck
```

The binaries in ocaml-dose3 seem oriented towards Debian rather than Mageia, is this really a Mageia package?
claire robinson 2012-09-10 16:26:50 CEST
Whiteboard: MGA1TOO => MGA1TOO feedback

Thank you to malo for a testing procedure for ocaml-dose3 and confirming the procedure in comment 16 is OK for ocaml-xml-light. He is busy this week but going to take a look at dose3 so has suggested we can test distcheck and create a new bug for the dangling links which I will do later.

Download hdlist.cz for say Core Updates Testing..

```
wget http://your/mirror/here/distrib/2/x86_64/media/core/updates_testing/media_info/hdlist.cz
```

Obviously change it to suit your mirror

```
$ distcheck -vvv hdlist://hdlist.cz
(I)Boilerplate: Parsing and normalizing...
(I)Rpm: Parsing hdlist.cz...
(I)Rpm: total packages 0
(I)Rpm: total packages 0
(I)Distcheck: Solving...
(D)Depsolver_int: n. disjunctions 0
(D)Depsolver_int: n. dependencies 0
(D)Depsolver_int: n. conflicts 0
background-packages: 0
foreground-packages: 0
total-packages: 0
broken-packages: 0
```

Testing complete for ocaml-xml-light & ocaml-dose3 on Mageia 2 x86_64

Whiteboard: MGA1TOO feedback => MGA1TOO has_procedure mga2-64-OK

Testing complete mga1 32

Following procedures in comment 16 and comment 17
claire robinson 2012-09-11 15:09:57 CEST
Whiteboard: MGA1TOO has_procedure mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga2-64-OK

Bug 7448 created for the dangling links on Mageia 2

Testing complete mga1 64

Whiteboard: MGA1TOO has_procedure mga1-32-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK

Testing complete on Mageia 2 i586. Thanks for the procedures.

Could someone from the sysadmin team please push the srpms

ocaml-xml-light-2.2-19.1.mga2.src.rpm
ocaml-dose3-2.9.10-3.1.mga2.src.rpm

from Mageia 2 Core Updates Testing to Core Updates and the srpms

ocaml-xml-light-2.2-18.1.mga1.src.rpm
ocaml-dose3-2.9.2-2.2457.2.1.mga1.src.rpm

from Mageia 1 Core Updates Testing to Core Updates.

Advisory:

Updated ocaml-xml-light packages fix security vulnerability:

OCaml Xml-Light Library before r234 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via unspecified vectors (CVE-2012-3514).

Additionally, ocaml-dose3 has been rebuilt to include the updated ocaml-xml-light.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3514
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085828.html
https://bugs.mageia.org/show_bug.cgi?id=7276

Keywords: (none) => validated_update

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0266

Status: ASSIGNED => RESOLVED