Bug 16514 - xmltooling new security issue CVE-2015-0851
Summary: xmltooling new security issue CVE-2015-0851
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/653065/
Whiteboard: MGA4TOO has_procedure advisory MGA5-6...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-07-31 23:16 CEST by David Walser
Modified: 2015-09-08 19:57 CEST (History)
3 users (show)

See Also:
Source RPM: xmltooling-1.5.3-5.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-07-31 23:16:32 CEST
Debian has issued an advisory on July 30:
https://www.debian.org/security/2015/dsa-3321

Mageia 4 and Mageia 5 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-07-31 23:16:40 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

David Walser 2015-09-02 20:24:28 CEST

Blocks: (none) => 16690

David Walser 2015-09-02 20:24:44 CEST

Blocks: 16690 => (none)

Comment 1 David Walser 2015-09-02 20:42:37 CEST
The Debian bug has a link to the upstream commit to fix this.  They also have a link to the upstream advisory, which notes that opensaml needs to be rebuilt against the updated xmltooling.

These are used by shibboleth-sp, which we recently updated for a different issue, and were unable to really test.  Just make sure these packages update OK.

Advisory:
========================

Updated xmltooling and opensaml packages fix security vulnerability:

The InCommon Shibboleth Training team discovered that XMLTooling, a C++ XML
parsing library, did not properly handle an exception when parsing well-formed
but schema-invalid XML. This could allow remote attackers to cause a denial of
service (crash) via crafted XML data (CVE-2015-0851).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0851
http://shibboleth.net/community/advisories/secadv_20150721.txt
https://www.debian.org/security/2015/dsa-3321
========================

Updated packages in core/updates_testing:
========================
libxmltooling6-1.5.3-3.1.mga4
libxmltooling-devel-1.5.3-3.1.mga4
xmltooling-schemas-1.5.3-3.1.mga4
opensaml-bin-2.5.2-4.1.mga4
libopensaml8-2.5.2-4.1.mga4
libopensaml-devel-2.5.2-4.1.mga4
opensaml-schemas-2.5.2-4.1.mga4
libxmltooling6-1.5.3-5.1.mga5
libxmltooling-devel-1.5.3-5.1.mga5
xmltooling-schemas-1.5.3-5.1.mga5
opensaml-bin-2.5.2-6.1.mga5
libopensaml8-2.5.2-6.1.mga5
libopensaml-devel-2.5.2-6.1.mga5
opensaml-schemas-2.5.2-6.1.mga5

from SRPMS:
xmltooling-1.5.3-3.1.mga4.src.rpm
opensaml-2.5.2-4.1.mga4.src.rpm
xmltooling-1.5.3-5.1.mga5.src.rpm
opensaml-2.5.2-6.1.mga5.src.rpm

CC: (none) => guillomovitch
Version: Cauldron => 5
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO has_procedure

Comment 2 Shlomi Fish 2015-09-08 16:22:45 CEST
I'm going to test this - stay tuned.

CC: (none) => shlomif

Comment 3 Shlomi Fish 2015-09-08 16:29:21 CEST
Marking as MGA5-64-OK MGA4-32-OK .

Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure MGA5-64-OK MGA4-32-OK

Comment 4 Shlomi Fish 2015-09-08 16:32:24 CEST
Marking as MGA5-32-OK .

Whiteboard: MGA4TOO has_procedure MGA5-64-OK MGA4-32-OK => MGA4TOO has_procedure MGA5-64-OK MGA4-32-OK MGA5-32-OK

Comment 5 Shlomi Fish 2015-09-08 16:36:51 CEST
Tested everywhere. Validating.

Keywords: (none) => validated_update
Whiteboard: MGA4TOO has_procedure MGA5-64-OK MGA4-32-OK MGA5-32-OK => MGA4TOO has_procedure MGA5-64-OK MGA4-32-OK MGA5-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 6 claire robinson 2015-09-08 16:43:18 CEST
Advisory uploaded.

Whiteboard: MGA4TOO has_procedure MGA5-64-OK MGA4-32-OK MGA5-32-OK MGA4-64-OK => MGA4TOO has_procedure advisory MGA5-64-OK MGA4-32-OK MGA5-32-OK MGA4-64-OK

Comment 7 Mageia Robot 2015-09-08 19:57:35 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0350.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.