Bug 12874 - xstream new security issue CVE-2013-7285
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/588035/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Reported: 2014-02-24 23:01 CET by David Walser
Modified: 2014-02-25 23:23 CET
Source RPM: xstream-1.4.5-1.mga4.src.rpm
Description David Walser 2014-02-24 23:01:47 CET
Fedora has issued an advisory on February 12:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128807.html

The issue appears to be fixed upstream in 1.4.7.

Fedora has a patch for 1.3.1 (which we have in Mageia 3):
http://pkgs.fedoraproject.org/cgit/xstream.git/commit/?h=f20&id=7711271576d9b9d1c4345ddf10ce843a1a2841bb

Upstream reference:
http://xstream.codehaus.org/security.html

Comment 1 David Walser 2014-02-24 23:34:55 CET
I added the patch for Mageia 3 in SVN.

For Cauldron and Mageia 4, I synced the package with Fedora.  It adds a new BuildRequires (kxml2-min) that requires the kxml package to be updated, which I also synced with Fedora in SVN to fix this.  However, kxml does not build in Cauldron:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20140224223117.luigiwalser.valstar.11244/log/kxml-2.3.0-6.mga5/build.0.20140224223203.log
Comment 2 David Walser 2014-02-25 00:05:07 CET
D Morgan noticed a typo in my kxml commit, so things are building now.
Comment 3 David Walser 2014-02-25 00:12:29 CET
Updated packages uploaded for Mageia 4 and Cauldron.

Patched package uploaded for Mageia 3.

Note to QA: verifying that the updated packages install correctly should be sufficient for testing this update.  They're also noarch, so should only require testing on one arch.

Advisory:
========================

Updated xstream packages fix security vulnerability:

It was found that XStream would deserialize arbitrary user-supplied XML
content, representing objects of any type. A remote attacker able to pass XML
to XStream could use this flaw to perform a variety of attacks, including
remote code execution in the context of the server running the XStream
application (CVE-2013-7285).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285
http://xstream.codehaus.org/security.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128807.html
========================

Updated packages in core/updates_testing:
========================
xstream-1.3.1-6.1.mga3
xstream-javadoc-1.3.1-6.1.mga3
kxml-2.3.0-5.1.mga4
kxml-javadoc-2.3.0-5.1.mga4
xstream-1.4.7-1.mga4
xstream-javadoc-1.4.7-1.mga4

from SRPMS:
xstream-1.3.1-6.1.mga3.src.rpm
kxml-2.3.0-5.1.mga4.src.rpm
xstream-1.4.7-1.mga4.src.rpm
Comment 4 claire robinson 2014-02-25 07:53:29 CET
Testing complete mga3 32 & 64

Just ensuring the packages update cleanly.
Comment 5 Anne Nicolas 2014-02-25 09:06:50 CET
Testing complete on mageia 4 32 and 64
Comment 6 Anne Nicolas 2014-02-25 09:08:27 CET
Update validated.
Thanks.

Advisory:
Updated xstream packages fix security vulnerability:

It was found that XStream would deserialize arbitrary user-supplied XML
content, representing objects of any type. A remote attacker able to pass XML
to XStream could use this flaw to perform a variety of attacks, including
remote code execution in the context of the server running the XStream
application (CVE-2013-7285).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285
http://xstream.codehaus.org/security.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128807.html

SRPM: 
xstream-1.3.1-6.1.mga3.src.rpm
kxml-2.3.0-5.1.mga4.src.rpm
xstream-1.4.7-1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates for both mageia 3 and 4?

Thank you!
Comment 7 claire robinson 2014-02-25 09:35:11 CET
Advisory uploaded.
Comment 8 Thomas Backlund 2014-02-25 23:23:15 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0100.html
