Bug 20593 - mxml new security issues CVE-2016-4570 and CVE-2016-4571
Summary: mxml new security issues CVE-2016-4570 and CVE-2016-4571
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-03-29 12:18 CEST by David Walser
Modified: 2017-04-04 08:45 CEST (History)
5 users

See Also:
Source RPM: mxml-2.8-2.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2017-03-29 12:18:05 CEST
openSUSE has issued an advisory on March 27:
https://lists.opensuse.org/opensuse-updates/2017-03/msg00081.html
David Walser 2017-03-29 12:18:12 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-03-29 15:22:03 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2017-04-02 05:28:17 CEST
Update to version 2.10 uploaded and freeze push requested for cauldron. I have a patch for Mga5 ready too. It will be pushed after cauldron builds.

CC: (none) => mrambo
Assignee: pkg-bugs => mrambo

Comment 3 Mike Rambo 2017-04-02 23:13:16 CEST
Patched package uploaded to core/updates_testing for Mageia 5.

Advisory:
========================

Updated mxml package fixes security vulnerabilities.

Two stack exhaustion issues based on uncontrolled recursion were found in mxml. A maliciously crafted xml file can cause the application to crash.

* Recursion using mxmlDelete at mxml-node.c:217 (reproducer is stack-exhaustion-1.xml CVE-2016-4570).

* Recursion using mxml_write_node at mxml-file.c:2739 (reproducer is stack-exhaustion-2.xml CVE-2016-4571).


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1334648
https://lists.opensuse.org/opensuse-updates/2017-03/msg00081.html
http://seclists.org/oss-sec/2016/q2/276 (reproducers available here)
========================

Updated packages in core/updates_testing:

lib64mxml1-2.7-6.1.mga5
lib64mxml-devel-2.7-6.1.mga5
mxml-debuginfo-2.7-6.1.mga5

from mxml-2.7-6.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: mrambo => qa-bugs
Whiteboard: MGA5TOO => (none)

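The two advisory items above share one root cause: a recursive walk over the element tree (load, delete, write) that consumes a C stack frame per nesting level, so the input file controls stack depth. The program below is an added example, not mxml's code and not attached to this bug. It models that pattern on a toy XML subset (only nested `<a>` elements, the assumed shape of the stack-exhaustion-*.xml reproducers) and shows the two usual mitigations: a hard recursion limit that turns the crash into an error, and an iterative walk whose stack use does not depend on the input. The limit value and error message are illustrative, not the ones in the patched library.

```c
/*
 * Added example (not part of mxml or this bug report): models the
 * stack-exhaustion pattern behind CVE-2016-4570/4571 on a toy XML subset.
 * Assumption: reproducers are deeply nested <a><a>...</a></a> elements.
 * The depth limit and message are illustrative, not mxml's own.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed reproducer: `depth` nested <a> elements, nothing else. */
char *make_nested_xml(size_t depth)
{
    char *buf = malloc(depth * 7 + 1);          /* "<a>" + "</a>" per level */
    if (!buf)
        return NULL;
    char *p = buf;
    for (size_t i = 0; i < depth; i++) { memcpy(p, "<a>", 3); p += 3; }
    for (size_t i = 0; i < depth; i++) { memcpy(p, "</a>", 4); p += 4; }
    *p = '\0';
    return buf;
}

/*
 * Vulnerable shape: recursive descent, one call per nesting level.
 * Without the max_depth guard every level costs a stack frame, so a
 * million nested elements overflow the stack (see `ulimit -s`) long
 * before malloc would fail. The guard turns that crash into an error.
 */
static int parse_rec(const char **pp, int depth, int max_depth, int *deepest)
{
    if (depth > max_depth) {
        fprintf(stderr, "toy: maximum recursion depth %d reached\n", max_depth);
        return -1;
    }
    if (depth > *deepest)
        *deepest = depth;
    if (strncmp(*pp, "<a>", 3) != 0)
        return -1;                              /* expected a start tag */
    *pp += 3;
    while (strncmp(*pp, "<a>", 3) == 0)         /* nested children */
        if (parse_rec(pp, depth + 1, max_depth, deepest) < 0)
            return -1;
    if (strncmp(*pp, "</a>", 4) != 0)
        return -1;                              /* expected the end tag */
    *pp += 4;
    return 0;
}

/* Nesting depth of xml, or -1 if malformed or deeper than max_depth. */
int bounded_depth(const char *xml, int max_depth)
{
    int deepest = 0;
    const char *p = xml;
    if (parse_rec(&p, 1, max_depth, &deepest) < 0 || *p != '\0')
        return -1;
    return deepest;
}

/*
 * Hardened alternative: the same walk with an explicit counter instead
 * of the call stack, so input size cannot grow the C stack at all.
 */
int iterative_depth(const char *xml)
{
    int depth = 0, deepest = 0;
    while (*xml) {
        if (strncmp(xml, "<a>", 3) == 0) {
            if (++depth > deepest)
                deepest = depth;
            xml += 3;
        } else if (strncmp(xml, "</a>", 4) == 0) {
            if (depth-- == 0)
                return -1;                      /* stray end tag */
            xml += 4;
        } else {
            return -1;                          /* unsupported content */
        }
    }
    return depth == 0 ? deepest : -1;           /* unclosed elements */
}

/* Wrappers: generate a reproducer of `depth` levels, measure it, free it. */
int bounded_depth_of(size_t depth, int max_depth)
{
    char *xml = make_nested_xml(depth);
    int r = xml ? bounded_depth(xml, max_depth) : -1;
    free(xml);
    return r;
}

int iterative_depth_of(size_t depth)
{
    char *xml = make_nested_xml(depth);
    int r = xml ? iterative_depth(xml) : -1;
    free(xml);
    return r;
}

int main(void)
{
    /* ~7 MB constructed input, one million levels deep. */
    printf("iterative depth:        %d\n", iterative_depth_of(1000000));
    printf("bounded (limit 10000):  %d\n", bounded_depth_of(1000000, 10000));
    return 0;
}
```

Dropping the guard from `parse_rec` and running the same million-level input reproduces the segfault seen in the testing below; lowering the stack first (`ulimit -s 1024`, as done there) makes it fail at a correspondingly smaller depth. The iterative walk is the stronger fix, since a depth cap still has to be chosen small enough for the smallest stack the library may run on.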
Comment 4 Len Lawrence 2017-04-04 02:40:12 CEST
x86_64 real hardware

Downloaded the reproducers, two large XML files.

CVE-2016-4570
Adapted a snippet of code from an Ubuntu forum to see if the exploit could be reproduced using the mxmlDelete function.  (Not at all sure what I am doing here)

-------------------------------------------------------
#include <stdio.h>
#include <mxml.h>

int main(void)
{
  FILE *fp;
  mxml_node_t *tree;

  /* Load the reproducer, then free the tree; in the unpatched library
     both mxmlLoadFile and mxmlDelete recurse once per nesting level. */
  fp = fopen( "stack-exhaustion-1.xml", "r" );
  if ( fp == NULL ) {
    perror( "fopen" );
    return 1;
  }
  tree = mxmlLoadFile( NULL, fp, MXML_NO_CALLBACK );
  fclose( fp );
  if ( tree != NULL )
    mxmlDelete( tree );
  return 0;
}
------------------------------------------------------

$ gcc -o mx minixml.c -lmxml -lxml2

Ran mx under strace before the update to try and understand what was going on.
libmxml was accessed and the file was parsed, apparently successfully.

Since then I found the testmxml.c file at https://bugzilla.suse.com/show_bug.cgi?id=979205
Trying that out in the morning.  Too late now.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2017-04-04 02:45:16 CEST
$ gcc -o testmx testmxml.c -lmxml -lxml2
$ ./testmx stack-exhaustion-1.xml > output.hml  (typo)
Unable to read XML file with default callback!

The "#include config.h" line had to be removed before the C code would compile.
The result may be the expected one; output file was empty.

Comment 6 Dave Hodgins 2017-04-04 03:14:04 CEST
Mid-air collision submitting my results. :-)

Before update (note lib{64}mxml-devel must be installed)
$ wget -O stack-exhaustion-1.xml  https://bugzilla.suse.com/attachment.cgi?id=717019
$ wget -O testmxml.c https://bugzilla.suse.com/attachment.cgi?id=717022

No idea what it should include, so I did $ touch config.h

$ ulimit -s 1024

$ ./testmxml stack-exhaustion-1.xml 
Segmentation fault

$ wget -O stack-exhaustion-2.xml  https://bugzilla.suse.com/attachment.cgi?id=717020

$ ./testmxml stack-exhaustion-2.xml >/dev/null 
Segmentation fault

After installing the updates ...
[dave@x3 mxmltest]$ ./testmxml stack-exhaustion-1.xml 
mxml: Maximum recursion depth reached
Unable to read XML file with default callback!
[dave@x3 mxmltest]$ ./testmxml stack-exhaustion-2.xml >/dev/null 
mxml: Maximum recursion depth reached
mxml: Recursion limit reached
mxml: Recursion limit reached
mxml: Maximum recursion depth reached
mxml: Recursion limit reached
mxml: Maximum recursion depth reached

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory MGA5-64-OK

Comment 7 Dave Hodgins 2017-04-04 03:25:25 CEST
Forgot to copy/paste the compile step above ...
$ gcc -pthread -o testmxml testmxml.c -lmxml

Same output on i586 as on x86_64.

Validating the update.

Keywords: (none) => validated_update
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2017-04-04 08:45:00 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0103.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
