Bug 15538 - xerces-c new security issue CVE-2015-0252
Summary: xerces-c new security issue CVE-2015-0252
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/637571/
Whiteboard: has_procedure mga4-64-ok advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-03-20 15:50 CET by David Walser
Modified: 2015-04-10 00:44 CEST

See Also:
Source RPM: xerces-c-3.1.1-16.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2015-03-20 15:50:55 CET
Upstream has issued an advisory on March 19:
http://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt

The issue is fixed upstream in 3.1.2.

Mageia 4 and Mageia 5 are affected.

David Walser 2015-03-20 15:51:09 CET

CC: (none) => geiger.david68210, pterjan
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David GEIGER 2015-03-20 21:07:06 CET
Fixed on svn for Cauldron with the new 3.1.2 fixes release, and freeze_push requested; also fixed for mga4.

Packages awaiting upload.
Comment 2 David Walser 2015-03-23 15:10:22 CET
shibboleth-sp is one of the applications affected by this.  See Bug 15556 for more information.
David Walser 2015-03-23 18:51:38 CET

URL: (none) => http://lwn.net/Vulnerabilities/637571/

Comment 3 David Walser 2015-03-23 18:52:13 CET
Debian has issued an advisory for this on March 20:
https://www.debian.org/security/2015/dsa-3199
Comment 4 David Walser 2015-03-23 20:49:49 CET
xerces-c-3.1.2-1.mga5 uploaded for Cauldron.

Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 5 David Walser 2015-03-23 21:08:33 CET
Updated package uploaded for Mageia 4.

Advisory:
========================

Updated xerces-c packages fix security vulnerability:

Anton Rager and Jonathan Brossard from the Salesforce.com Product Security
Team and Ben Laurie of Google discovered a denial of service vulnerability in
xerces-c. The parser mishandles certain kinds of malformed input documents,
resulting in a segmentation fault during a parse operation. An
unauthenticated attacker could use this flaw to cause an application using
the xerces-c library to crash (CVE-2015-0252).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0252
http://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt
https://www.debian.org/security/2015/dsa-3199
========================

Updated packages in core/updates_testing:
========================
xerces-c-3.1.2-1.mga4
libxerces-c3.1-3.1.2-1.mga4
libxerces-c-devel-3.1.2-1.mga4
xerces-c-doc-3.1.2-1.mga4

from xerces-c-3.1.2-1.mga4.src.rpm

Assignee: dmorganec => qa-bugs

Comment 6 claire robinson 2015-04-07 17:02:57 CEST
No PoC. Some possible scripts for testing here:
http://www.yolinux.com/TUTORIALS/XML-Xerces-C.html
Comment 7 claire robinson 2015-04-07 17:15:17 CEST
Easy way to test:

$ urpmq --whatrequires lib64xerces-c3.1
apache-mod_shib
enigma
lib64cegui0.7.7
lib64digidocpp0
lib64flightcrew0.7.2
lib64gdal1
lib64kolabxml0
lib64opensaml8
lib64shibboleth-sp6
lib64xerces-c-devel
lib64xerces-c3.1
lib64xmltooling6
megaglest
megaglest
opensaml-bin
shibboleth-sp
sigil
xerces-c
xml-security-c
xsd


Testing with enigma and megaglest, which are both games, and sigil, which is an epub ebook editor.

Whiteboard: (none) => has_procedure

Comment 8 claire robinson 2015-04-07 17:53:50 CEST
Testing complete mga4 64

Tested the two games and also compiled and ran the example from the link (with the -devel package installed).

Whiteboard: has_procedure => has_procedure mga4-64-ok

Comment 9 claire robinson 2015-04-08 17:29:32 CEST
Validating. Advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok advisory
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2015-04-10 00:44:59 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0136.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

