Bug 14176 - xerces-j2 new security issue CVE-2013-4002
Summary: xerces-j2 new security issue CVE-2013-4002
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/570812/
Whiteboard: MGA3TOO advisory MGA3-32-OK MGA3-64-O...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-09-25 21:24 CEST by David Walser
Modified: 2014-10-07 11:23 CEST (History)

See Also:
Source RPM: xerces-j2-2.11.0-11.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-09-25 21:24:04 CEST
Fedora has issued an advisory on September 11:
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138667.html

Mageia 3 and Mageia 4 are also affected.

David Walser 2014-09-25 21:24:12 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Oden Eriksson 2014-10-01 14:40:55 CEST
Fixed with xerces-j2-2.11.0-8.1.mga3, xerces-j2-2.11.0-10.1.mga4 & xerces-j2-2.11.0-12.mga5.

CC: (none) => oe

Comment 2 David Walser 2014-10-01 16:19:28 CEST
Thanks Oden!

Advisory:
========================

Updated xerces-j2 packages fix security vulnerability:

A resource consumption issue was found in the way Xerces-J handled
XML declarations. A remote attacker could use an XML document with
a specially crafted declaration using a long pseudo-attribute name
that, when parsed by an application using Xerces-J, would cause that
application to use an excessive amount of CPU (CVE-2013-4002).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002
https://rhn.redhat.com/errata/RHSA-2014-1319.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014%3A193/
========================

Updated packages in core/updates_testing:
========================
xerces-j2-2.11.0-8.1.mga3
xerces-j2-javadoc-2.11.0-8.1.mga3
xerces-j2-demo-2.11.0-8.1.mga3
xerces-j2-2.11.0-10.1.mga4
xerces-j2-javadoc-2.11.0-10.1.mga4
xerces-j2-demo-2.11.0-10.1.mga4

from SRPMS:
xerces-j2-2.11.0-8.1.mga3.src.rpm
xerces-j2-2.11.0-10.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 3 claire robinson 2014-10-01 18:45:22 CEST
Adding Frank in CC. Frank, this comes with a demo package and some samples; do you know how to use them, please? It seems like it shouldn't be too difficult if you know what you're doing.

It would be good if we can test java packages beyond ensuring they install ok.

CC: (none) => ftg

Comment 4 William Kenney 2014-10-03 22:20:11 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
xerces-j2 xerces-j2-demo

default install of xerces-j2 & xerces-j2-demo

[root@localhost wilcal]# urpmi xerces-j2
Package xerces-j2-2.11.0-8.mga3.noarch is already installed
[root@localhost wilcal]# urpmi xerces-j2-demo
Package xerces-j2-demo-2.11.0-8.mga3.noarch is already installed

xerces-j2 & xerces-j2-demo install with no reported errors

install xerces-j2 & xerces-j2-demo from updates_testing

[root@localhost wilcal]# urpmi xerces-j2
Package xerces-j2-2.11.0-8.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi xerces-j2-demo
Package xerces-j2-demo-2.11.0-8.1.mga3.noarch is already installed

xerces-j2 & xerces-j2-demo install with no reported errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 5 William Kenney 2014-10-03 22:34:07 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
xerces-j2 xerces-j2-demo

default install of xerces-j2 & xerces-j2-demo

[root@localhost wilcal]# urpmi xerces-j2
Package xerces-j2-2.11.0-8.mga3.noarch is already installed
[root@localhost wilcal]# urpmi xerces-j2-demo
Package xerces-j2-demo-2.11.0-8.mga3.noarch is already installed

xerces-j2 & xerces-j2-demo install with no reported errors

install xerces-j2 & xerces-j2-demo from updates_testing

[root@localhost wilcal]# urpmi xerces-j2
Package xerces-j2-2.11.0-8.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi xerces-j2-demo
Package xerces-j2-demo-2.11.0-8.1.mga3.noarch is already installed

xerces-j2 & xerces-j2-demo install with no reported errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Comment 6 William Kenney 2014-10-03 22:58:04 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
xerces-j2 xerces-j2-demo

default install of xerces-j2 & xerces-j2-demo

[root@localhost wilcal]# urpmi xerces-j2
Package xerces-j2-2.11.0-10.mga4.noarch is already installed
[root@localhost wilcal]# urpmi xerces-j2-demo
Package xerces-j2-demo-2.11.0-10.mga4.noarch is already installed

xerces-j2 & xerces-j2-demo install with no reported errors

install xerces-j2 & xerces-j2-demo from updates_testing

[root@localhost wilcal]# urpmi xerces-j2
Package xerces-j2-2.11.0-10.1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi xerces-j2-demo
Package xerces-j2-demo-2.11.0-10.1.mga4.noarch is already installed

xerces-j2 & xerces-j2-demo install with no reported errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Comment 7 William Kenney 2014-10-03 23:08:05 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
xerces-j2 xerces-j2-demo

default install of xerces-j2 & xerces-j2-demo

[root@localhost wilcal]# urpmi xerces-j2
Package xerces-j2-2.11.0-10.mga4.noarch is already installed
[root@localhost wilcal]# urpmi xerces-j2-demo
Package xerces-j2-demo-2.11.0-10.mga4.noarch is already installed

xerces-j2 & xerces-j2-demo install with no reported errors

install xerces-j2 & xerces-j2-demo from updates_testing

[root@localhost wilcal]# urpmi xerces-j2
Package xerces-j2-2.11.0-10.1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi xerces-j2-demo
Package xerces-j2-demo-2.11.0-10.1.mga4.noarch is already installed

xerces-j2 & xerces-j2-demo install with no reported errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Comment 8 William Kenney 2014-10-03 23:10:25 CEST
For me this update installs just fine.
I wish xerces-j2-demo was an easy-to-run demo.
If no one objects I'll validate this update in 24 hours.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
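
The advisory in Comment 2 describes CVE-2013-4002 as excessive CPU use when Xerces-J parses an XML declaration carrying a long pseudo-attribute name, and Comments 3 and 8 ask for a way to test the package beyond checking that it installs. The following harness is an added example written for this page; it is not part of the bug report, the Mageia package or the Xerces project. It constructs a document whose XML declaration contains one pseudo-attribute with a name of the requested length (a constructed, deliberately invalid input, since only version, encoding and standalone are legal there), parses it through JAXP with the installed Xerces on the classpath, and reports how long the parser takes to reject it. The jar location /usr/share/java/xerces-j2.jar used in the usage note is an assumption about where the Mageia package installs it.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Timing harness for the CVE-2013-4002 input shape (added example, not
 * code from the bug report or from Xerces). It does not assert a specific
 * slowdown; it prints parse times so a tester can compare the package
 * before and after the update on the same machine.
 */
public class XercesDeclCheck {

    // Constructed input: an XML declaration with a single bogus
    // pseudo-attribute whose name is nameLength characters long.
    static byte[] craftedDocument(int nameLength) {
        StringBuilder sb = new StringBuilder(nameLength + 64);
        sb.append("<?xml version=\"1.0\" ");
        for (int i = 0; i < nameLength; i++) {
            sb.append('a');
        }
        sb.append("=\"x\"?><root/>");
        return sb.toString().getBytes(StandardCharsets.US_ASCII);
    }

    // Parse the document with whatever SAX implementation JAXP resolves
    // (Xerces, when its jar is on the classpath) and return elapsed ms.
    static long parseMillis(byte[] doc) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        SAXParser parser = factory.newSAXParser();
        long start = System.nanoTime();
        try (InputStream in = new ByteArrayInputStream(doc)) {
            parser.parse(new InputSource(in), new DefaultHandler());
        } catch (SAXException expected) {
            // The unknown pseudo-attribute is rejected on patched and
            // unpatched builds alike; only the time taken differs.
        }
        return (System.nanoTime() - start) / 1_000_000L;
    }

    public static void main(String[] args) throws Exception {
        // Confirm which parser is actually in use before trusting the numbers.
        System.out.println("SAXParserFactory: "
                + SAXParserFactory.newInstance().getClass().getName());
        for (int n : new int[] {1_000, 10_000, 100_000}) {
            long ms = parseMillis(craftedDocument(n));
            System.out.printf("pseudo-attribute name length %7d: %6d ms%n", n, ms);
        }
    }
}
```

Compile with `javac XercesDeclCheck.java` and run with `java -cp /usr/share/java/xerces-j2.jar:. XercesDeclCheck` (jar path assumed) once with the stock package and once after installing the updates_testing package. The first output line should name an org.apache.xerces class; if it names the JDK's built-in parser instead, the classpath is wrong and the timings say nothing about xerces-j2. The useful check is the trend across the three lengths on each build rather than any single absolute number.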

Comment 9 William Kenney 2014-10-04 18:54:48 CEST
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 claire robinson 2014-10-06 18:52:39 CEST
Advisory uploaded.

Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 11 Mageia Robot 2014-10-07 11:23:33 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0398.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

