CVEs have been assigned due to bad fixes for previous security issues: http://openwall.com/lists/oss-security/2016/06/04/1 http://openwall.com/lists/oss-security/2016/06/04/5 Fixes for these have already been committed in upstream git, but I don't know which commits fix them. The commit linked at the end of the thread only updates the changelog. It sounds like there may be a new upstream release coming soon with the fixes, so maybe we'll have to wait for that, unless someone backports the right patches.
Whiteboard: (none) => MGA5TOO
CC: (none) => marja11Assignee: bugsquad => shlomif
Debian has issued an advisory for this on June 7: https://www.debian.org/security/2016/dsa-3597 Patched packages uploaded for Mageia 5 and Cauldron. Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=5141#c7 Advisory: ======================== Updated expat packages fix security vulnerabilities: An issue was introduced when CVE-2012-0876 was addressed. Stefan Sørensen discovered that the use of the function XML_Parse() seeds the random number generator generating repeated outputs for rand() calls (CVE-2012-6702). Due to an incomplete solution for CVE-2012-0876, the parser poorly seeds the random number generator allowing an attacker to cause a denial of service (CPU consumption) via an XML file with crafted identifiers (CVE-2016-5300). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300 https://www.debian.org/security/2016/dsa-3597 ======================== Updated packages in core/updates_testing: ======================== expat-2.1.0-9.3.mga5 libexpat1-2.1.0-9.3.mga5 libexpat-devel-2.1.0-9.3.mga5 from expat-2.1.0-9.3.mga5.src.rpm
URL: (none) => http://lwn.net/Vulnerabilities/690403/Version: Cauldron => 5Assignee: shlomif => qa-bugsWhiteboard: MGA5TOO => has_procedure
Testing M5 x64 > Testing procedure: > https://bugs.mageia.org/show_bug.cgi?id=5141#c7 We now have (thanks to David) a dedicated Wiki for this: https://wiki.mageia.org/en/QA_procedure:Expat [Although I cannot find the link between 'xmlwf' and expat] With both testdata.xml & testexpat.py; xmlwf gives no O/P if the file is OK. BEFORE update: $ xmlwf /etc/xml/catalog $ xmlwf /etc/passwd /etc/passwd:1:16: not well-formed (invalid token) $ xmlwf testdata.xml $ python testexpat.py Tested OK AFTER update: expat-2.1.0-9.3.mga5 lib64expat1-2.1.0-9.3.mga5 lib64expat-devel-2.1.0-9.3.mga5 Results were all the same as above, i.e. correct. Update looks OK.
CC: (none) => lewyssmithWhiteboard: has_procedure => has_procedure MGA5-64-OK
(In reply to Lewis Smith from comment #2) > [Although I cannot find the link between 'xmlwf' and expat] xmlwf is a command in the expat package.
Tested fine on Mageia 5 i586.
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK
Validating. Advisory to follow.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
advisory added
CC: (none) => tmbWhiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0227.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
(In reply to Thomas Backlund from comment #6) > advisory added with an incorrect CVE identifier (2016 instead of 2012). Fixed in SVN.