Bug 12707 - springframework new security issues CVE-2013-6429 and CVE-2013-6430
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/585188/
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA...
Keywords: validated_update

Reported: 2014-02-10 20:10 CET by David Walser
Modified: 2014-02-25 23:20 CET

Source RPM: springframework-3.1.4-2.mga4.src.rpm


Description David Walser 2014-02-10 20:10:04 CET
Debian has issued an advisory on February 8:
http://www.debian.org/security/2014/dsa-2857

The fix for CVE-2013-4152 was incomplete, and an XSS issue was found.

Mageia 3 and Mageia 4 are also affected.

Comment 1 David Walser 2014-02-25 05:09:04 CET
Upstream commits are linked in this post:
https://lists.debian.org/debian-java/2014/01/msg00052.html

As it says, the CVE-2013-6430 patch applies cleanly, the CVE-2013-6429 patch needs some work.
Comment 2 David Walser 2014-02-25 15:52:44 CET
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated springframework packages fix security vulnerabilities:

It was discovered by the Spring development team that the fix for the XML
External Entity (XXE) Injection (CVE-2013-4152) in the Spring Framework was
incomplete. Spring MVC's SourceHttpMessageConverter also processed user
provided XML and neither disabled XML external entities nor provided an option
to disable them. SourceHttpMessageConverter has been modified to provide an
option to control the processing of XML external entities and that processing
is now disabled by default (CVE-2013-6429).

In addition, Jon Passki discovered a possible XSS vulnerability: The
JavaScriptUtils.javaScriptEscape() method did not escape all characters that
are sensitive within either a JS single quoted string, JS double quoted
string, or HTML script data context. In most cases this will result in an
unexploitable parse error but in some cases it could result in an XSS
vulnerability (CVE-2013-6430).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6430
http://www.debian.org/security/2014/dsa-2857
========================

Updated packages in core/updates_testing:
========================
springframework-3.1.1-21.2.mga3
springframework-javadoc-3.1.1-21.2.mga3
springframework-aop-3.1.1-21.2.mga3
springframework-beans-3.1.1-21.2.mga3
springframework-context-3.1.1-21.2.mga3
springframework-context-support-3.1.1-21.2.mga3
springframework-expression-3.1.1-21.2.mga3
springframework-instrument-3.1.1-21.2.mga3
springframework-jdbc-3.1.1-21.2.mga3
springframework-jms-3.1.1-21.2.mga3
springframework-orm-3.1.1-21.2.mga3
springframework-oxm-3.1.1-21.2.mga3
springframework-struts-3.1.1-21.2.mga3
springframework-tx-3.1.1-21.2.mga3
springframework-web-3.1.1-21.2.mga3
springframework-webmvc-3.1.1-21.2.mga3
springframework-webmvc-portlet-3.1.1-21.2.mga3
springframework-3.1.4-2.1.mga4
springframework-javadoc-3.1.4-2.1.mga4
springframework-aop-3.1.4-2.1.mga4
springframework-beans-3.1.4-2.1.mga4
springframework-context-3.1.4-2.1.mga4
springframework-context-support-3.1.4-2.1.mga4
springframework-expression-3.1.4-2.1.mga4
springframework-instrument-3.1.4-2.1.mga4
springframework-instrument-tomcat-3.1.4-2.1.mga4
springframework-jdbc-3.1.4-2.1.mga4
springframework-jms-3.1.4-2.1.mga4
springframework-orm-3.1.4-2.1.mga4
springframework-oxm-3.1.4-2.1.mga4
springframework-struts-3.1.4-2.1.mga4
springframework-test-3.1.4-2.1.mga4
springframework-tx-3.1.4-2.1.mga4
springframework-web-3.1.4-2.1.mga4
springframework-webmvc-3.1.4-2.1.mga4
springframework-webmvc-portlet-3.1.4-2.1.mga4

from SRPMS:
springframework-3.1.1-21.2.mga3.src.rpm
springframework-3.1.4-2.1.mga4.src.rpm
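The two issues in the advisory above, shown side by side in a small stand-alone Java program. This is an added illustration, not code from the Mageia package, the Debian advisory, or the Spring Framework itself. The XML part mirrors what a hardened converter such as SourceHttpMessageConverter has to do underneath: turn off external-entity resolution on the JAXP factory before parsing client-supplied XML (`processExternalEntities=true` stands for the pre-fix behaviour, `false` for the new default). The escaper is my own routine covering the three contexts the advisory names (JS single-quoted string, JS double-quoted string, HTML script data); it is not a copy of the patched JavaScriptUtils.javaScriptEscape(). The temporary "secret" file and the attacker string are constructed for the demo.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class SpringCveDemo {

    // CVE-2013-6429 (XXE): parse untrusted XML into a DOM. With external entity
    // processing enabled, an <!ENTITY ... SYSTEM "file:..."> declaration in the
    // request body is resolved and the file contents end up in the document.
    static String parseXmlText(String xml, boolean processExternalEntities) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        if (!processExternalEntities) {
            // SAX/Xerces features honoured by the JDK's built-in parser
            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            dbf.setXIncludeAware(false);
        }
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    // CVE-2013-6430 (XSS): escape a value for use inside a JS string literal
    // (single- or double-quoted) that is itself embedded in an HTML <script>
    // block. Escaping only the quote characters is not enough: '/' lets the
    // attacker write "</script>" and leave the script data context, '<' and '>'
    // matter for the HTML parser, and U+2028/U+2029 are JS line terminators.
    static String javaScriptEscape(String input) {
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '"':      sb.append("\\\"");   break;
                case '\'':     sb.append("\\'");    break;
                case '\\':     sb.append("\\\\");   break;
                case '/':      sb.append("\\/");    break;
                case '<':      sb.append("\\u003C"); break;
                case '>':      sb.append("\\u003E"); break;
                case '\t':     sb.append("\\t");    break;
                case '\n':     sb.append("\\n");    break;
                case '\r':     sb.append("\\r");    break;
                case '\f':     sb.append("\\f");    break;
                case '\b':     sb.append("\\b");    break;
                case '\u000B': sb.append("\\v");    break;
                case '\u2028': sb.append("\\u2028"); break;
                case '\u2029': sb.append("\\u2029"); break;
                default:       sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for any file the application user can read
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET-CONTENT".getBytes(StandardCharsets.UTF_8));
        String payload = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE d [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<d>&xxe;</d>";
        System.out.println("entities processed (pre-fix) : " + parseXmlText(payload, true));
        System.out.println("entities disabled (fixed)    : '" + parseXmlText(payload, false) + "'");
        Files.delete(secret);

        // Constructed attacker value that a quote-only escaper would let through
        String attack = "x'; </script><script>alert(1)</script>";
        System.out.println("var s = '" + javaScriptEscape(attack) + "';");
    }
}
```

Compile and run with `javac SpringCveDemo.java && java SpringCveDemo`: the first line prints the temp file's contents (the XXE read), the second prints an empty string, and the last shows the attacker input with every `/`, `<` and `>` neutralised so the `</script>` sequence can no longer close the script block.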
Comment 3 claire robinson 2014-02-25 16:49:48 CET
To test, just ensure the packages install and update cleanly.
Comment 4 Marc Lattemann 2014-02-25 18:50:10 CET
Installed on mga4 32bit:

[root@localhost marc]# rpm -qa | grep springframework
springframework-jdbc-3.1.4-2.mga4
springframework-webmvc-portlet-3.1.4-2.mga4
springframework-context-3.1.4-2.mga4
springframework-web-3.1.4-2.mga4
springframework-orm-3.1.4-2.mga4
springframework-beans-3.1.4-2.mga4
springframework-aop-3.1.4-2.mga4
springframework-tx-3.1.4-2.mga4
springframework-javadoc-3.1.4-2.mga4
springframework-struts-3.1.4-2.mga4
springframework-expression-3.1.4-2.mga4
springframework-context-support-3.1.4-2.mga4
springframework-jms-3.1.4-2.mga4
springframework-instrument-3.1.4-2.mga4
springframework-instrument-tomcat-3.1.4-2.mga4
springframework-oxm-3.1.4-2.mga4
springframework-webmvc-3.1.4-2.mga4
springframework-test-3.1.4-2.mga4
springframework-3.1.4-2.mga4

after update:
[root@localhost marc]# rpm -qa | grep springframe
springframework-oxm-3.1.4-2.1.mga4
springframework-jdbc-3.1.4-2.1.mga4
springframework-3.1.4-2.1.mga4
springframework-orm-3.1.4-2.1.mga4
springframework-expression-3.1.4-2.1.mga4
springframework-aop-3.1.4-2.1.mga4
springframework-context-support-3.1.4-2.1.mga4
springframework-struts-3.1.4-2.1.mga4
springframework-context-3.1.4-2.1.mga4
springframework-jms-3.1.4-2.1.mga4
springframework-instrument-3.1.4-2.1.mga4
springframework-webmvc-portlet-3.1.4-2.1.mga4
springframework-web-3.1.4-2.1.mga4
springframework-javadoc-3.1.4-2.1.mga4
springframework-instrument-tomcat-3.1.4-2.1.mga4
springframework-beans-3.1.4-2.1.mga4
springframework-test-3.1.4-2.1.mga4
springframework-tx-3.1.4-2.1.mga4
springframework-webmvc-3.1.4-2.1.mga4

Everything installed and updated smoothly.

Going on with 64-bit.
Comment 5 William Kenney 2014-02-25 18:51:42 CET
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
springframework

default install of springframework

[root@localhost wilcal]# urpmi springframework
Package springframework-3.1.1-21.1.mga3.noarch is already installed

installs as expected

[root@localhost wilcal]# urpmi springframework
Package springframework-3.1.1-21.2.mga3.noarch is already installed

installs as expected

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 6 William Kenney 2014-02-25 18:58:00 CET
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
springframework

437 other related packages install from updates_testing as expected

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 7 William Kenney 2014-02-25 19:19:11 CET
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
springframework

[root@localhost wilcal]# uname -a
Linux localhost 3.10.28-desktop-1.mga3 #1 SMP Sat Feb 1 16:15:10 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

default install of springframework

[root@localhost wilcal]# urpmi springframework
Package springframework-3.1.1-21.1.mga3.noarch is already installed

installs as expected

install springframework from update_testing

[root@localhost wilcal]# urpmi springframework
Package springframework-3.1.1-21.2.mga3.noarch is already installed

installs as expected

437 other related packages install as expected

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 8 Marc Lattemann 2014-02-25 19:31:24 CET
In my comment #4 it seems that not all packages are installed as listed in comment #2 - probably depends on pre-selection when running 'urpmi -ay springframework'? Or is there another way to install all packages?
However, in mga4 64-bit same result with the same packages installed. If this is OK, then it can be validated?
Comment 9 William Kenney 2014-02-25 19:37:25 CET
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
springframework

[wilcal@localhost ~]$ uname -a
Linux localhost 3.12.9-desktop-1.mga4 #1 SMP Sat Feb 1 18:16:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

default install of springframework

[root@localhost wilcal]# urpmi springframework
Package springframework-3.1.4-2.mga4.noarch is already installed

installs as expected

install springframework from update_testing

[root@localhost wilcal]# urpmi springframework
Package springframework-3.1.4-2.1.mga4.noarch is already installed

installs as expected

431 other related packages install as expected

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 10 Rémi Verschelde 2014-02-25 19:41:20 CET
Advisory uploaded.
Comment 11 Thomas Backlund 2014-02-25 23:20:36 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0096.html
