Bug 15803 - perl-XML-LibXML new security issue CVE-2015-3451
Summary: perl-XML-LibXML new security issue CVE-2015-3451
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/642877/
Whiteboard: has_procedure advisory mga4-32-ok mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-04-30 18:34 CEST by David Walser
Modified: 2015-05-06 19:11 CEST (History)
6 users

See Also:
Source RPM: perl-XML-LibXML-2.11.600-7.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-04-30 18:34:03 CEST
A CVE has been assigned for an issue fixed in XML::LibXML 2.0119:
http://openwall.com/lists/oss-security/2015/04/30/1

Reproducible: 

Steps to Reproduce:
David Walser 2015-04-30 18:34:19 CEST

CC: (none) => mageia, shlomif
Whiteboard: (none) => MGA5TOO, MGA4TOO

David Walser 2015-05-01 18:09:55 CEST

URL: (none) => http://lwn.net/Vulnerabilities/642877/

David Walser 2015-05-04 23:51:24 CEST

Blocks: (none) => 14674

Comment 1 Vladimir Zawalinski 2015-05-05 05:37:17 CEST
Testing MGA4.1 32 and 64 bit, Vbox hardware.

Testing will be limited to executing a trivial script pre and post update in each architecture.

CC: (none) => vzawalin1

Comment 2 Shlomi Fish 2015-05-05 09:50:28 CEST
(In reply to Vladimir Zawalinski from comment #1)
> Testing MGA4.1  32 and 64 bit, Vbox hardware.
> 
> Testing will be limited to executing a trivial script pre and post update in
> each architecture.

Vladimir, you can also run the test suite from the source distribution using «prove t/*.t».
Comment 3 Vladimir Zawalinski 2015-05-05 11:50:14 CEST
Thank you Shlomi - I'll try that.
Comment 4 David Walser 2015-05-05 13:07:45 CEST
There's nothing to test yet, no update has been posted.
Comment 5 Vladimir Zawalinski 2015-05-05 13:18:25 CEST
That explains it.
Comment 6 Oden Eriksson 2015-05-05 15:47:03 CEST
Fixed with perl-XML-LibXML-2.10.0-2.1.mga4

CC: (none) => oe

Comment 7 David Walser 2015-05-05 15:48:07 CEST
(In reply to David Walser from comment #4)
> There's nothing to test yet, no update has been posted.

Now there is :o)  Thanks Oden.

Still waiting for it to be pushed in Cauldron before assigning to QA, but you can test the Mageia 4 update now.
Comment 8 David Walser 2015-05-06 14:32:30 CEST
Patched package uploaded for Mageia 4.

Updated package uploaded for Cauldron.  Thanks again Shlomi and Oden!

Mageia 4 package is listed in Comment 6.

Advisory:
========================

Updated perl-XML-LibXML package fixes security vulnerability:

Tilmann Haak from xing.com discovered that XML::LibXML did not respect the
expand_entities parameter to disable processing of external entities in some
circumstances. This may allow attackers to gain read access to otherwise
protected resources, depending on how the library is used (CVE-2015-3451).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3451
https://www.debian.org/security/2015/dsa-3243

CC: (none) => jquelin
Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: jquelin => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
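
A check a tester could run before and after installing the update, added here as an example (it is not from the bug report, the Mageia package or XML::LibXML's own t/*.t suite): it parses a constructed document whose external entity points at a temp file the script creates itself, and reports whether expand_entities => 0 is honoured. It assumes XML::LibXML is installed and the temp directory is writable; the file, the marker string and the sub name are constructed for the example.

```perl
#!/usr/bin/perl
# Hypothetical verification script (not from the bug report or XML::LibXML):
# does the installed XML::LibXML keep an external entity out of the parsed
# tree when expand_entities => 0 is requested?
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::LibXML;

my $marker = 'MARKER-MUST-NOT-LEAK';

# Constructed "protected" file; it exists only for the duration of the run.
my ( $fh, $path ) = tempfile( UNLINK => 1 );
print {$fh} "$marker\n";
close $fh;

# Constructed document that references the temp file as an external entity.
my $xml = <<"END_XML";
<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY ext SYSTEM "file://$path"> ]>
<doc>&ext;</doc>
END_XML

# Returns 1 if the marker shows up in the parsed document (entity resolved),
# 0 otherwise. A parse failure also counts as "no leak" but is printed so
# the tester can tell the two outcomes apart.
sub entity_content_leaks {
    my ($parser) = @_;
    my $doc = eval { $parser->parse_string($xml) };
    if ( !$doc ) {
        print "parser refused the document: $@";
        return 0;
    }
    my $seen = $doc->documentElement->textContent . $doc->toString;
    return index( $seen, $marker ) >= 0 ? 1 : 0;
}

# Hardened settings: no entity substitution, no external DTD, no network.
my $hardened = XML::LibXML->new(
    expand_entities => 0,
    load_ext_dtd    => 0,
    no_network      => 1,
);
# Positive control: XML::LibXML's constructor defaults to expand_entities => 1,
# so a parser built without options is expected to resolve the reference.
my $default = XML::LibXML->new();

printf "default parser:  %s\n", entity_content_leaks($default) ? 'entity resolved' : 'entity not resolved';
my $leak = entity_content_leaks($hardened);
printf "hardened parser: %s\n", $leak ? 'LEAK (option ignored)' : 'ok (option honoured)';
exit( $leak ? 1 : 0 );
```

The exit status is non-zero when the hardened parser still pulls the file contents in, so the script can sit in a QA procedure as a pass/fail step.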

Comment 9 claire robinson 2015-05-06 18:55:01 CEST
Testing complete mga4 32 & 64

Self tests are run at build time and the package is required by urpmi so just ensured the packages update cleanly and urpmi isn't broken.
Comment 10 claire robinson 2015-05-06 18:58:40 CEST
Validating. Advisory uploaded.

Please push to 4 updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: (none) => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2015-05-06 19:11:19 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0199.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

