Bug 13554 - castor new security issue CVE-2014-3004
Summary: castor new security issue CVE-2014-3004
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/603009/
Whiteboard: has_procedure advisory MGA4-32-OK MGA...
Keywords: validated_update
Depends on:
Reported: 2014-06-20 16:44 CEST by David Walser
Modified: 2014-12-31 13:36 CET (History)
4 users (show)

See Also:
Source RPM: castor-1.3.2-10.mga4.src.rpm
Status comment:


Description David Walser 2014-06-20 16:44:26 CEST
OpenSuSE has issued an advisory today (June 20):

The issue is fixed upstream in 1.3.2.

Since we have version 1.3.2 in Mageia 3, Mageia 4, and Cauldron, it may be easier to update it.  Otherwise, OpenSuSE's patch for 0.9.5 may be adaptable.  I haven't found any reference to the upstream commit.


Steps to Reproduce:
David Walser 2014-06-20 16:44:35 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

David Walser 2014-06-20 18:54:09 CEST

URL: (none) => http://lwn.net/Vulnerabilities/603009/

Comment 1 David Walser 2014-07-09 00:57:06 CEST
(In reply to David Walser from comment #0)
> The issue is fixed upstream in 1.3.2.

Whoops, I meant 1.3.3.

The patch OpenSuSE added for 0.9.5 doesn't look forward-portable to 1.3.2.  Fedora has yet to address this issue, so I guess we'll wait for them.
Comment 2 Sander Lepik 2014-10-04 16:06:03 CEST

CC: (none) => mageia

Comment 3 David Walser 2014-12-15 20:02:01 CET
Fedora has finally updated to 1.3.3 to fix this:

Blocks: (none) => 14674

Comment 4 David Walser 2014-12-24 20:52:51 CET
Removing Mageia 3 from the whiteboard due to EOL.

I've checked the update into Mageia 4 and Cauldron SVN.  It needs to be submitted (and hopefully it can be built).

CC: (none) => pterjan
Whiteboard: MGA4TOO, MGA3TOO => MGA4TOO

Comment 5 David Walser 2014-12-24 21:26:55 CET
It looks like it needs some of the removed packages (in Cauldron) to build; at least apache-poi that I noticed.  That'll need to resynced with Fedora before it's re-imported to fix the issues in Bug 14128.
Comment 6 David Walser 2014-12-24 23:04:36 CET
apache-poi has indeed been resynced with Fedora in SVN.  Sophie says it isn't in Cauldron, but I tried to submit it to Cauldron and mgarepo/youri says that it's already there.
Comment 7 Pascal Terjan 2014-12-24 23:10:19 CET
Things are still in progress restoring things in cauldron but it should be there.

I hope to finish to building eclipse-* in the next few hours (almost there) then I'll have a look.
Comment 8 David Walser 2014-12-27 23:07:37 CET
Updated packages uploaded for Mageia 4 and Cauldron.

Verifying that the updated packages install cleanly is sufficient for testing this update.


Updated castor packages fix security vulnerability:

The default configuration for the Xerces SAX Parser in Castor before 1.3.3
allows context-dependent attackers to conduct XML External Entity (XXE)
attacks via a crafted XML document (CVE-2014-3004).


Updated package in core/updates_testing:

from castor-1.3.3-1.mga4.src.rpm

Whiteboard: MGA4TOO => (none)
Version: Cauldron => 4
Assignee: dmorganec => qa-bugs

Comment 9 Herman Viaene 2014-12-28 22:33:59 CET
MGA4-64 on HP Probook 6555b
Version castor-1.3.3-1.mga4 installs without problems pver existing version 1.3.2, castor-javadoc-1.3.3-1.mga4 also OK (did not exist before).

Whiteboard: (none) => MGA4-64-OK
CC: (none) => herman.viaene

Comment 10 Herman Viaene 2014-12-29 10:44:00 CET
MGA4-32 on Acer D620 Xfce
Version castor-1.3.3-1.mga4 installs without problems pver existing version 1.3.2, castor-javadoc-1.3.3-1.mga4 also OK (did not exist before).

Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK

Comment 11 claire robinson 2014-12-29 20:52:46 CET
Validating. Advisory uploaded.

Please push to updates


CC: (none) => sysadmin-bugs
Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update

Comment 12 Mageia Robot 2014-12-31 13:28:37 CET
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

David Walser 2014-12-31 13:36:05 CET

Blocks: 14674 => (none)

Note You need to log in before you can comment on or make changes to this bug.