A security issue in expat has been announced today (May 17): http://openwall.com/lists/oss-security/2016/05/17/12 A suggested patch is included in the message above. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Debian has issued an advisory for this today (May 18): https://www.debian.org/security/2016/dsa-3582
URL: (none) => http://lwn.net/Vulnerabilities/687860/
Patched packages uploaded for Mageia 5 and Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=5141#c7

Advisory:
========================

Updated expat packages fix security vulnerability:

Gustavo Grieco discovered that Expat does not properly handle certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. A remote attacker can take advantage of this flaw to cause an application using the Expat library to crash, or potentially, to execute arbitrary code with the privileges of the user running the application (CVE-2016-0718).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
https://www.debian.org/security/2016/dsa-3582
========================

Updated packages in core/updates_testing:
========================
expat-2.1.0-9.2.mga5
libexpat1-2.1.0-9.2.mga5
libexpat-devel-2.1.0-9.2.mga5

from expat-2.1.0-9.2.mga5.src.rpm
Version: Cauldron => 5
Whiteboard: MGA5TOO => has_procedure
Advisory, package list, testing info in Comment 2.
Assignee: bugsquad => qa-bugs
This python test case:

import xml.etree.ElementTree

# Parse the sample file and select one named test case
x = xml.etree.ElementTree.ElementTree(file='testdata.xml')
allcases = x.findall(".//testcase")
cases = [c for c in allcases if c.get('classname') == 'TestOne' and c.get('name') == 'VHDL_BUILD_Passthrough']
# Prints "Tested OK" for the sample file below
print(cases[0].attrib['status'])

with testdata.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<testsuites tests="10" failures="0" disabled="0" errors="0" time="0.001" name="AllTests">
  <testsuite name="TestOne" tests="5" failures="0" disabled="0" errors="0" time="0.001">
    <testcase name="DefaultConstructor" status="run" time="0" classname="TestOne" />
    <testcase name="DefaultDestructor" status="run" time="0" classname="TestOne" />
    <testcase name="VHDL_EMIT_Passthrough" status="run" time="0" classname="TestOne" />
    <testcase name="VHDL_BUILD_Passthrough" status="Tested OK" time="0" classname="TestOne" />
    <testcase name="VHDL_SIMULATE_Passthrough" status="run" time="0.001" classname="TestOne" />
  </testsuite>
</testsuites>

currently listed here: https://wiki.mageia.org/en/QA_procedure:Libxml2 actually uses expat instead of libxml2. You can use that to test this as well.
Tested OK on Mageia 5 i586.
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Testing M5 x64

Thanks David for the good pointers. But "actually uses expat instead of libxml2" - how does one know that? And "You can use that to test this as well" is enigmatic; does it test libxml2 (its declared aim) and/or expat? How to direct it one way or the other?

Created the two given files testxml.py & testdata.xml.

PRE-update.
$ python testxml.py
Tested OK

but I discovered that I had only:
lib64expat1-2.1.0-9.1.mga5
lib64expat-devel-2.1.0-9.1.mga5
and *not* expat-2.1.0-9.1.mga5. Installed that, the test ran the same. But it was clearly not involved. Does this matter?

POST-update.
expat-2.1.0-9.2.mga5
lib64expat1-2.1.0-9.2.mga5
lib64expat-devel-2.1.0-9.2.mga5

Same satisfactory test result:
$ python testxml.py
Tested OK

Validating the update.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs
That particular script only tests expat. I posted an equivalent script to the current libxml2 bug that uses that library instead, so we'll need to update that wiki page. I determined that the existing script uses expat first by looking at Python documentation and seeing which package owned the libraries it used, and then I verified that using strace.
CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
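One way to check from inside Python which Expat the XML stack uses, complementing the documentation, package-ownership and strace checks described in the comment above. This is an added example, not code from the bug report; the function names and the sample /proc maps text (including its library paths) are constructed for illustration.

```python
# Added example, not code from the bug report. SAMPLE_MAPS is constructed.
import re
import pyexpat
import xml.etree.ElementTree as ET

# Constructed /proc/<pid>/maps excerpt: a live libexpat mapping, a stale one
# whose file was replaced on disk while the process kept running, and libc.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c027000 r-xp 00000000 08:01 1311 /usr/lib64/libexpat.so.1.6.0
7f3a1c227000-7f3a1c229000 rw-p 00027000 08:01 1311 /usr/lib64/libexpat.so.1.6.0
7f3a1d000000-7f3a1d027000 r-xp 00000000 08:01 1207 /opt/app/libexpat.so.1 (deleted)
7f3a1e000000-7f3a1e1b0000 r-xp 00000000 08:01 2001 /usr/lib64/libc-2.20.so
"""
_LIBEXPAT = re.compile(r"(/\S*/libexpat\.so[.\d]*)( \(deleted\))?$")

def libexpat_mappings(maps_text):
    """Return {path: is_stale} for libexpat objects named in maps text."""
    found = {}
    for line in maps_text.splitlines():
        match = _LIBEXPAT.search(line)
        if match:
            found[match.group(1)] = match.group(2) is not None
    return found

def elementtree_uses_expat(doc="<a><b></a>"):
    """Parse a mismatched tag; return Expat's error text if ElementTree's
    ParseError carries an Expat error code and message, else None."""
    try:
        ET.fromstring(doc)
    except ET.ParseError as err:
        text = pyexpat.ErrorString(err.code)
        return text if str(err).startswith(text) else None
    return None

def report():
    """Summarise the Expat in use by this interpreter (maps is Linux-only)."""
    try:
        with open("/proc/self/maps") as handle:
            live = libexpat_mappings(handle.read())
    except (IOError, OSError):
        live = {}
    return {
        "expat_version": pyexpat.EXPAT_VERSION,  # reported by the loaded library
        "libexpat_mappings": live,  # empty: bundled Expat copy, or no /proc
        "parse_error_from_expat": elementtree_uses_expat(),
    }

if __name__ == "__main__":
    print(report())
```

Because the fixed and unfixed packages here are both 2.1.0 (release 9.1 versus 9.2), the version string does not distinguish them; the installed package release does. A mapping flagged stale means that process still runs the old library and needs a restart to pick up the update.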
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0193.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
In this update I also added a patch from Debian that corrected an issue in the previous fix for CVE-2015-1283. That correction ended up being assigned CVE-2016-4472: http://lwn.net/Vulnerabilities/692028/