openSUSE has issued an advisory on March 27: https://lists.opensuse.org/opensuse-updates/2017-03/msg00081.html
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Update to version 2.10 uploaded and freeze push requested for cauldron. I have a patch for Mga5 ready too. It will be pushed after cauldron builds.
CC: (none) => mrambo
Assignee: pkg-bugs => mrambo
Patched package uploaded to core/updates_testing for Mageia 5.

Advisory:
========================

Updated mxml package fixes security vulnerabilities.

Two stack exhaustion issues based on uncontrolled recursion were found in mxml. A maliciously crafted xml file can cause the application to crash.

* Recursion using mxmlDelete at mxml-node.c:217 (reproducer is stack-exhaustion-1.xml CVE-2016-4570).
* Recursion using mxml_write_node at mxml-file.c:2739 (reproducer is stack-exhaustion-2.xml CVE-2016-4571).

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1334648
https://lists.opensuse.org/opensuse-updates/2017-03/msg00081.html
http://seclists.org/oss-sec/2016/q2/276 (reproducers available here)
========================

Updated packages in core/updates_testing:
lib64mxml1-2.7-6.1.mga5
lib64mxml-devel-2.7-6.1.mga5
mxml-debuginfo-2.7-6.1.mga5

from mxml-2.7-6.1.mga5.src.rpm
Version: Cauldron => 5
Assignee: mrambo => qa-bugs
Whiteboard: MGA5TOO => (none)
x86_64 real hardware

Downloaded the reproducers, two large XML files.

CVE-2016-4570
Adapted a snippet of code from an Ubuntu forum to see if the exploit could be reproduced using the mxmlDelete function. (Not at all sure what I am doing here)
-------------------------------------------------------
#include <stdio.h>
#include <mxml.h>

int main(void)
{
    FILE *fp;
    mxml_node_t *tree;
    // struct mxml_node_t *tree;

    fp = fopen( "stack-exhaustion-1.xml", "r" );
    if ( fp == NULL ) {
        /* Without this check a missing file would pass NULL to mxmlLoadFile. */
        perror( "stack-exhaustion-1.xml" );
        return 1;
    }
    /* Parse the reproducer, then free the tree (the mxmlDelete path). */
    tree = mxmlLoadFile( NULL, fp, MXML_NO_CALLBACK );
    mxmlDelete( tree );
    fclose( fp );
    return 0;
}
------------------------------------------------------
$ gcc -o mx minixml.c -lmxml -lxml2

Ran mx under strace before the update to try and understand what was going on. libmxml was accessed and the file was parsed, apparently successfully.

Since then I found the testmxml.c file at https://bugzilla.suse.com/show_bug.cgi?id=979205
Trying that out in the morning. Too late now.
CC: (none) => tarazed25
$ gcc -o testmx testmxml.c -lmxml -lxml2
$ ./testmx stack-exhaustion-1.xml > output.hml (typo)
Unable to read XML file with default callback!

The "#include config.h" line had to be removed before the C code would compile.
The result may be the expected one; output file was empty.
Mid-air collision submitting my results. :-)

Before update (note lib{64}mxml-devel must be installed)
$ wget -O stack-exhaustion-1.xml https://bugzilla.suse.com/attachment.cgi?id=717019
$ wget -O testmxml.c https://bugzilla.suse.com/attachment.cgi?id=717022
No idea what it should include, so I did
$ touch config.h
$ ulimit -s 1024
$ ./testmxml stack-exhaustion-1.xml
Segmentation fault
$ wget -O stack-exhaustion-2.xml https://bugzilla.suse.com/attachment.cgi?id=717020
$ ./testmxml stack-exhaustion-2.xml >/dev/null
Segmentation fault

After installing the updates ...
[dave@x3 mxmltest]$ ./testmxml stack-exhaustion-1.xml
mxml: Maximum recursion depth reached
Unable to read XML file with default callback!
[dave@x3 mxmltest]$ ./testmxml stack-exhaustion-2.xml >/dev/null
mxml: Maximum recursion depth reached
mxml: Recursion limit reached
mxml: Recursion limit reached
mxml: Maximum recursion depth reached
mxml: Recursion limit reached
mxml: Maximum recursion depth reached
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory MGA5-64-OK
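As an added illustration (not part of any comment in this report, and not the mxml patch itself), the C sketch below shows the two usual defences against this class of bug: a depth guard on a recursive tree walk, and a delete that does not recurse at all. The `node_t` type, the `MAX_DEPTH` value and all function names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#define MAX_DEPTH 1000  /* assumed limit for this sketch, not mxml's value */

typedef struct node { struct node *parent, *child, *next; } node_t;

/* Build `depth` nested elements (<a><a>...</a></a>) without recursion. */
static node_t *build_nested(size_t depth) {
    node_t *root = NULL, *cur = NULL;
    for (size_t i = 0; i < depth; i++) {
        node_t *n = calloc(1, sizeof *n);
        if (!n) break;
        n->parent = cur;
        if (cur) cur->child = n; else root = n;
        cur = n;
    }
    return root;
}

/* Recursive walk with a depth guard: returns the node count, or -1 when
 * the tree nests deeper than MAX_DEPTH, instead of exhausting the stack. */
static long count_guarded(const node_t *n, int depth) {
    long total = 0;
    if (n && depth >= MAX_DEPTH) return -1;
    for (; n; n = n->next) {
        long sub = count_guarded(n->child, depth + 1);
        if (sub < 0) return -1;
        total += 1 + sub;
    }
    return total;
}

/* Iterative delete: descend to a leaf (detaching the child link on the way),
 * free it, then move to its sibling or parent. Stack use stays constant. */
static long delete_iterative(node_t *n) {
    long freed = 0;
    while (n) {
        if (n->child) { node_t *c = n->child; n->child = NULL; n = c; continue; }
        node_t *up = n->next ? n->next : n->parent;
        free(n); freed++;
        n = up;
    }
    return freed;
}

int main(void) {
    node_t *t = build_nested(200000);   /* constructed, deeply nested input */
    long walked = count_guarded(t, 0);  /* -1: nesting refused by the guard */
    printf("walk=%ld freed=%ld\n", walked, delete_iterative(t));
    return 0;
}
```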
Forgot to copy/paste the compile step above ...
$ gcc -pthread -o testmxml testmxml.c -lmxml

Same output on i586 as on x86_64. Validating the update.
Keywords: (none) => validated_update
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0103.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED