Bug 17820 - xerces-c new security issue CVE-2016-0729
Summary: xerces-c new security issue CVE-2016-0729
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/677608/
Whiteboard: has_procedure advisory MGA5-64-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-02-25 15:42 CET by David Walser
Modified: 2018-03-18 22:07 CET

See Also:
Source RPM: xerces-c-3.1.2-1.mga5.src.rpm
CVE:
Status comment:


Attachments
Utility for stripping line numbers from code files. (856 bytes, application/x-ruby)
2016-02-27 01:14 CET, Len Lawrence
Utility for stripping n leading characters from each line of a file. (860 bytes, application/x-ruby)
2018-03-18 21:13 CET, Len Lawrence
Margin removal utility for text files (665 bytes, application/x-ruby)
2018-03-18 22:07 CET, Len Lawrence

Description David Walser 2016-02-25 15:42:46 CET
Upstream has issued an advisory today (February 25):
http://openwall.com/lists/oss-security/2016/02/25/7

It should be posted here shortly:
http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt

The issue is fixed upstream in 3.1.3.  Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated xerces-c packages fix security vulnerability:

The Xerces-C XML parser mishandles certain kinds of malformed input documents,
resulting in buffer overflows during processing and error reporting. The
overflows can manifest as a segmentation fault or as memory corruption during
a parse operation. The bugs allow for a denial of service attack in many
applications by an unauthenticated attacker, and could conceivably result in
remote code execution (CVE-2016-0729).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0729
http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt
========================

Updated packages in core/updates_testing:
========================
xerces-c-3.1.2-1.1.mga5
libxerces-c3.1-3.1.2-1.1.mga5
libxerces-c-devel-3.1.2-1.1.mga5
xerces-c-doc-3.1.2-1.1.mga5

from xerces-c-3.1.2-1.1.mga5.src.rpm

Comment 1 David Walser 2016-02-25 15:43:11 CET
Testing ideas in Bug 15538.

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-02-26 17:32:48 CET
Debian has issued an advisory for this on February 25:
https://www.debian.org/security/2016/dsa-3493

URL: (none) => http://lwn.net/Vulnerabilities/677608/

Comment 3 Len Lawrence 2016-02-27 01:10:24 CET
mga5  x86_64  Mate

The links and information provided through the link referenced in comment #1 are invaluable.

Before updating:

1) Played around with Enigma for half an hour - working through four levels in tutorial mode.
2) Installed the -devel package
3) Obtained the parser files from the link.  There did not seem to be a download link so I cut and pasted the three files into an editor and saved them.  They included line numbers so I wrote a quick ruby script to eliminate those because I was not sure if g++ can deal with them (script attached).
4) Compiled and linked the parser files to produce an executable.
$ g++ -g -Wall -pedantic -lxerces-c parser.c++ -DMAIN_TEST -o parser
5) Ran the unit test on parser.
$ ./parser
Application option A=10
Application option B=24

There are other applications, like sigil, depending on xerces-c.  sigil opened an editing screen with file manager but I could take it no further, not having any ebooks.

After update launched sigil and then enigma.
Within my limitations they work fine.
Recompiled and linked the parser utility.  It produced the expected output on parsing the test file.

CC: (none) => tarazed25

Len Lawrence 2016-02-27 01:10:48 CET

Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 4 Len Lawrence 2016-02-27 01:14:28 CET
Created attachment 7498
Utility for stripping line numbers from code files.

Included this only because of my ignorance of how g++ views line-numbered code.

Comment 5 Len Lawrence 2016-02-27 12:04:05 CET
mga5  i586 in virtualbox  Mate

Installed sigil, enigma and xerces-c libraries before the update.
Updated to xerces-c-3.1.2-1.1.mga5 and added the libraries.
Compiled the parser test program and ran it on the sample XML file.
That worked fine.
Opened sigil but took it no further.
enigma started; chose tutorial mode and started at a low level and immediately ran into problems with the mouse.  Could not capture the mouse even with Right Ctrl so had to crash the machine via reset.

Inclined to give xerces-c the OK but shall wait for any responses.

Len Lawrence 2016-02-27 16:58:27 CET

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK

Len Lawrence 2016-02-27 18:00:32 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 claire robinson 2016-02-27 21:21:53 CET
advisory uploaded

Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK

Comment 7 Mageia Robot 2016-03-02 19:30:16 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0088.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 8 Len Lawrence 2018-03-18 21:13:27 CET
Created attachment 10056
Utility for stripping n leading characters from each line of a file.

Either run using ruby explicitly or make the script executable.  Either way, ruby should be installed first.

$ ruby stripe.rb ....

or

$ chmod +x stripe.rb
$ mv stripe.rb stripe
$ ./stripe textfile <n> > newtext

Attachment 7498 is obsolete: 0 => 1

Comment 9 Len Lawrence 2018-03-18 22:07:49 CET
Created attachment 10057
Margin removal utility for text files

A slight improvement.

Attachment 10056 is obsolete: 0 => 1

