Bug 18818 - xerces-c new security issue CVE-2016-4464
Summary: xerces-c new security issue CVE-2016-4464
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/693102/
Whiteboard: has_procedure MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-06-29 18:52 CEST by David Walser
Modified: 2016-07-05 17:48 CEST (History)

See Also:
Source RPM: xerces-c-3.1.2-1.2.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2016-06-29 18:52:40 CEST
Upstream has issued an advisory today (June 29):
http://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt

Update to 3.1.4 checked into Cauldron SVN.  Freeze push requested.

Patch checked into Mageia 5 SVN.
Comment 1 David Walser 2016-06-30 01:25:51 CEST
Packages built with the fixes.

Testing ideas in Bug 17820 and Bug 18421.

Advisory:
========================

Updated xerces-c packages fix security vulnerability:

The Xerces-C XML parser fails to successfully parse a DTD that is deeply nested,
and this causes a stack overflow, which makes a denial of service attack against
many applications possible by an unauthenticated attacker (CVE-2016-4464).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4464
http://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt
========================

Updated packages in core/updates_testing:
========================
xerces-c-3.1.2-1.3.mga5
libxerces-c3.1-3.1.2-1.3.mga5
libxerces-c-devel-3.1.2-1.3.mga5
xerces-c-doc-3.1.2-1.3.mga5

from xerces-c-3.1.2-1.3.mga5.src.rpm

Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-06-30 16:50:35 CEST
Debian has issued an advisory for this on June 29:
https://www.debian.org/security/2016/dsa-3610

URL: (none) => http://lwn.net/Vulnerabilities/693102/

Comment 3 Len Lawrence 2016-06-30 17:28:34 CEST
I could have a look at this on an x86_64 machine.  Not familiar with DTDs so am unlikely to be able to develop a PoC but can certainly check the parser on a simple XML file and use enigma to make sure it is running fine after the update.
Tomorrow maybe.

CC: (none) => tarazed25

Comment 4 Herman Viaene 2016-07-01 17:09:07 CEST
MGA 5-32 on Acer D620 Xfce
No installation issues. Downloaded test files from bug 18421 and made parser executable
So I get:
$ ls -als
totaal 168
  4 drwxrwxr-x 2 tester5 tester5   4096 jul  1 16:59 ./
  4 drwxr-xr-x 9 tester5 tester5   4096 jul  1 16:39 ../
156 -rwxrwxr-x 1 tester5 tester5 157868 jul  1 16:59 parser*
  4 -rw-rw-r-- 1 tester5 tester5    260 jul  1 16:40 sample.xml
that is all there should be to it???
but at CLI:
]$ ./parser 
bash: ./parser: kan binair bestand Verkeerd uitvoerbaar bestand niet uitvoeren
which I would translate as: cannot execute file wrong executable file

CC: (none) => herman.viaene

Comment 5 Len Lawrence 2016-07-01 19:18:31 CEST
Sorry Herman; my fault - I compiled it for x86_64.  I should have noted that.  If you can wait I shall have a go at compiling it in i586 virtualbox, assuming I can find the code.  Have been too busy to spare the time to look at this bug. :(
Comment 6 Len Lawrence 2016-07-01 19:46:42 CEST
Sorry again Herman.  Recompiling the original file parser.c++ against the updated library fails, as I suspected it would.  There are a lot of undefined references in the trace so I shall have to see if there is something else which will exercise the update.  On a brief look at the references yesterday I saw no hints.

The parser was just that.  It was not a PoC as far as I can recall, just something to show that a basic function continued to work.

For the time being you could install enigma and play with it.  That worked fine after the last update so you should be able to go straight in after the current update and play it.
Comment 7 Herman Viaene 2016-07-02 11:19:55 CEST
Installed enigma and played a few levels. strace shows a.o.
open("/lib/libxerces-c-3.1.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\260\16\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=3525348, ...}) = 0
mmap2(NULL, 3523036, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb718b000
mprotect(0xb74b5000, 4096, PROT_NONE)   = 0
mmap2(0xb74b6000, 200704, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x32a000) = 0xb74b6000
mmap2(0xb74e7000, 476, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb74e7000
So OK for me

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Dave Hodgins 2016-07-05 16:47:05 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 8 Mageia Robot 2016-07-05 17:48:21 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0243.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

