Bug 18421 - xerces-c new security issue CVE-2016-2099
Summary: xerces-c new security issue CVE-2016-2099
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/687229/
Whiteboard: has_procedure MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-05-09 22:35 CEST by David Walser
Modified: 2016-05-20 13:39 CEST (History)
5 users (show)

See Also:
Source RPM: xerces-c-3.1.3-1.mga6.src.rpm
CVE:
Status comment:

Attachments
Simple parser program to be run on the sample file (154.17 KB, application/octet-stream)
2016-05-20 01:07 CEST, Len Lawrence 		Details
Simple XML file with two stanzas (260 bytes, text/xml)
2016-05-20 01:09 CEST, Len Lawrence 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2016-05-09 22:35:15 CEST 
A security issue in xerces-c has been announced today (May 9):
http://openwall.com/lists/oss-security/2016/05/09/7

There is a proposed patch on the upstream bug report:
https://issues.apache.org/jira/browse/XERCESC-2066

Mageia 5 is also affected.
David Walser 2016-05-09 22:35:33 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-05-10 12:41:00 CEST 
Assigning to all packagers collectively, since there is no maintainer for this package.

CC: (none) => makowski.mageia, marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2016-05-13 18:26:02 CEST 
Debian-LTS has issued an advisory for this on May 12:
http://lwn.net/Alerts/687206/

URL: (none) => http://lwn.net/Vulnerabilities/687229/

Comment 3 David Walser 2016-05-18 23:56:23 CEST 
Patched packages uploaded for Mageia 5 and Cauldron.

Testing ideas in Bug 17820.

Advisory:
========================

Updated xerces-c packages fix security vulnerability:

Gustavo Grieco discovered an use-after-free vulnerability in xerces-c, due to
not properly handling invalid characters in XML input documents in the
DTDScanner (CVE-2016-2099).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2099
https://www.debian.org/security/2016/dsa-3579
========================

Updated packages in core/updates_testing:
========================
xerces-c-3.1.2-1.2.mga5
libxerces-c3.1-3.1.2-1.2.mga5
libxerces-c-devel-3.1.2-1.2.mga5
xerces-c-doc-3.1.2-1.2.mga5

from xerces-c-3.1.2-1.2.mga5.src.rpm

Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => has_procedure

Comment 4 Len Lawrence 2016-05-19 01:28:18 CEST 
Tested this package before.  Hope to get round to testing it later today.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2016-05-20 01:00:29 CEST 
Put enigma through its paces before updating and ran the parser program on a sample XML file.

Updated and found that enigma continued to work - an addictive game that - and the parser also functioned.

Reckon this is OK.
Comment 6 Len Lawrence 2016-05-20 01:07:00 CEST 
Created attachment 7814 [details]
Simple parser program to be run on the sample file

Original C++ code is omitted because it was copied from github so there might be intellectual property rights attached to it.
This looks for sample.xml.
$ ./parser
Application option A=10
Application option B=24
Len Lawrence 2016-05-20 01:07:52 CEST

Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 7 Len Lawrence 2016-05-20 01:09:49 CEST 
Created attachment 7815 [details]
Simple XML file with two stanzas

This goes with the parser program.
Dave Hodgins 2016-05-20 11:35:01 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 8 Mageia Robot 2016-05-20 13:39:25 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0189.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.