Bug 21108 - expat new security issues CVE-2016-9063 and CVE-2017-9233
Summary: expat new security issues CVE-2016-9063 and CVE-2017-9233
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-06-18 21:16 CEST by David Walser
Modified: 2017-07-23 22:05 CEST (History)
5 users (show)

See Also:
Source RPM: expat-2.1.0-9.3.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-06-18 21:16:29 CEST
Expat 2.2.1 has been announced on June 17:
http://openwall.com/lists/oss-security/2017/06/17/7

There's also a further addressing of CVE-2012-0876 and other security fixes.

Updated package uploaded for Cauldron by Shlomi.
Comment 1 Marja van Waes 2017-06-19 15:18:59 CEST
Thanks for fixing this in Cauldron, Shlomi.

Assigning to you for Mga5, because you are the registered maintainer of expat.
Comment 2 David Walser 2017-06-26 12:05:34 CEST
Debian has issued an advisory for this on June 25:
https://www.debian.org/security/2017/dsa-3898
Comment 3 David Walser 2017-07-08 21:56:05 CEST
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated expat packages fix security vulnerabilities:

Gustavo Grieco discovered an integer overflow flaw during parsing of XML. An
attacker can take advantage of this flaw to cause a denial of service against
an application using the Expat library (CVE-2016-9063).

Rhodri James discovered an infinite loop vulnerability within the
entityValueInitProcessor() function while parsing malformed XML in an external
entity. An attacker can take advantage of this flaw to cause a denial of
service against an application using the Expat library (CVE-2017-9233).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9233
https://www.debian.org/security/2017/dsa-3898
========================

Updated packages in core/updates_testing:
========================
expat-2.1.0-9.5.mga5
libexpat1-2.1.0-9.5.mga5
libexpat-devel-2.1.0-9.5.mga5

from expat-2.1.0-9.5.mga5.src.rpm
Comment 4 Herman Viaene 2017-07-19 11:23:07 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues
Followed procedure as per https://wiki.mageia.org/en/QA_procedure:Expat resulting at CLI:
$ python testexpat.py
Tested OK
and
$ strace -o expattest1.txt xmlwf /etc/xml/catalog
no feedback as expected
and
$ strace -o expattest2.txt xmlwf /etc/passwd     
/etc/passwd:1:16: not well-formed (invalid token)
 Each of the traces showing a call to libexpat.
Comment 5 Lewis Smith 2017-07-23 08:52:51 CEST
Testing M5 64-bit - OK
Updated the pkgs to:
 expat-2.1.0-9.5.mga5
 lib64expat1-2.1.0-9.5.mga5
 lib64expat-devel-2.1.0-9.5.mga5

From procedure https://wiki.mageia.org/en/QA_procedure:Expat created 'testdata.xml' and 'testexpat.py', ran the tests:

 $ python testexpat.py
 Tested OK

 $ xmlwf /etc/xml/catalog
 $                       [no ouput correct]

 $ xmlwf /etc/passwd
 /etc/passwd:1:16: not well-formed (invalid token)       [expected]

All three commands showed via strace that the library was called:
 open("/lib64/libexpat.so.1", O_RDONLY|O_CLOEXEC) = 3

Validating.
Comment 6 Mageia Robot 2017-07-23 22:05:57 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0214.html

Note You need to log in before you can comment on or make changes to this bug.