Fedora has issued an advisory today (July 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CYPWMSEV5NK2JJCTOSA6SAI4RG6MVJH5/

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Pushed in updates_testing and fixed in cauldron.
CC: (none) => mageia
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: shlomif => qa-bugs
Version: Cauldron => 6
Assigning back to Nicolas. The update for Mageia 5 hasn't been built yet. perl-XML-LibXML-2.12.900-1.1.mga6 is the update for Mageia 6.
CC: mageia => qa-bugs
Assignee: qa-bugs => mageia
Patch added for mga5 but the test doesn't pass. Pascal, can you take a look?
CC: (none) => pterjan
Searching the error on Google gave me https://rt.cpan.org/Ticket/Display.html?id=114638 which leads to https://github.com/shlomif/perl-XML-LibXML/commit/069d0e4431ee8b6d92e42acbe1fd1fe54e9fad71 + https://github.com/shlomif/perl-XML-LibXML/commit/059e8b81d098bbdbd2abe39fa721225457d08d4e
CC: (none) => shlomif
Maybe Shlomi can help since he's the upstream maintainer :)
Assignee: mageia => shlomif
CC: (none) => mageia
Build fixed in mga5 now
Assignee: shlomif => qa-bugs
Advisory:
========================

Updated perl-XML-LibXML package fixes security vulnerability:

Use-after-free in the XML-LibXML module through 2.0129 for Perl allows attackers to execute arbitrary code by controlling the arguments to a replaceChild call (CVE-2017-10672).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10672
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CYPWMSEV5NK2JJCTOSA6SAI4RG6MVJH5/
========================

Updated packages in core/updates_testing:
========================
perl-XML-LibXML-2.12.100-1.1.mga5
perl-XML-LibXML-2.12.900-1.1.mga6

from SRPMS:
perl-XML-LibXML-2.12.100-1.1.mga5.src.rpm
perl-XML-LibXML-2.12.900-1.1.mga6.src.rpm
Testing on mga6, x86_64.

CVE-2017-10672 poc.pl available at https://rt.cpan.org/Public/Bug/Display.html?id=122246

$ perl poc.pl
<mipu94><pwn4fun><��{><text>��5F</text></��{></pwn4fun></mipu94>heap: 0x7be1c0 libc: 0x0
i'm still ok and go more far!
Segmentation fault (core dumped)
$

An strace contained a complaint about a "Malformed UTF-8 character" in the specimen XML code, trapped by the print statement at line 14.

After the update:

$ perl poc.pl
<mipu94><pwn4fun><>-------------------------------------------------------tadinhsung-at-gmail-dot-com-----------------------------------------------------</></pwn4fun></mipu94>heap: 0x2d2d3e libc: 0x0
i'm still ok and go more far!
$

The post-update trace does not complain and finishes with what looks like a complete run-through of the signal handlers, starting with SIGHUP and all returning 0. I guess that must be normal.

Functionality tests for this package are beyond my scope, so I am giving it an OK based on the result of the PoC test and a clean install.
CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
Testing on mga5, x86_64.

Ran the same tests as in comment 8 using the downloaded PoC file and also strace. Before the update, the contained XML string is printed, followed by a segfault.

$ strace perl poc.pl 2> trace.1
<mipu94><pwn4fun><��)><text>(��</text></��)></pwn4fun></mipu94>heap: 0x299990 libc: 0x0
i'm still ok and go more far!
Segmentation fault

In this case the trace does not show any concern about malformed characters.

Installed perl-XML-LibXML-2.12.100-1.1.mga5 and tried the test again.

$ perl poc.pl
<mipu94><pwn4fun><>-------------------------------------------------------tadinhsung-at-gmail-dot-com-----------------------------------------------------</></pwn4fun></mipu94>heap: 0x2d2d3e libc: 0x0
i'm still ok and go more far!
$

An strace file shows that there is a 176 character write to STDOUT and finishes with the signal handler checks.

Passing this for 64-bits.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO has_procedure mga6-64-ok MGA5-64-OK
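An added functional sanity check for the patched package, written here as an example; it is neither the poc.pl from the CPAN ticket nor part of the XML::LibXML test suite. It exercises replaceChild (the method named in the advisory) on a small constructed document, verifies that the returned node and the tree stay intact, and reports the module version against the advisory's "through 2.0129" range. It assumes the documented XML::LibXML API (load_xml, findnodes, createElement, appendText, replaceChild, toString, textContent).

```perl
#!/usr/bin/perl
# Added example: post-update sanity check for XML::LibXML->replaceChild.
# This does not reproduce CVE-2017-10672; it only checks that the
# ordinary replaceChild path behaves as documented after the update.
use strict;
use warnings;
use XML::LibXML;

# The advisory describes module releases "through 2.0129" as affected.
my $ver = $XML::LibXML::VERSION;
printf "XML::LibXML %s (%s)\n", $ver,
    ($ver <= 2.0129 ? 'within the affected range' : 'above the affected range');

# Constructed input document (not taken from the ticket).
my $doc  = XML::LibXML->load_xml(string => '<root><a>one</a><b>two</b></root>');
my $root = $doc->documentElement;
my ($old_a) = $root->findnodes('a');

# Build the replacement and swap it in. replaceChild returns the node
# that was removed; it must remain readable after the tree changed.
my $new_c = $doc->createElement('c');
$new_c->appendText('three');
my $returned = $root->replaceChild($new_c, $old_a);

my @checks = (
    [ 'returned node is the removed <a>',
      $returned->toString eq '<a>one</a>' ],
    [ 'tree now has <c> in place of <a>',
      $root->toString eq '<root><c>three</c><b>two</b></root>' ],
    [ 'removed node still readable after the tree changed',
      $returned->textContent eq 'one' ],
);

my $failed = 0;
for my $check (@checks) {
    my ($label, $ok) = @$check;
    printf "%s: %s\n", ($ok ? 'ok' : 'FAIL'), $label;
    $failed++ unless $ok;
}

# Expected post-update result: all checks ok and a clean exit.
# A segfault or garbled node content here would be a regression to report.
exit($failed ? 1 : 0);
```

Run it as `perl check-replacechild.pl` (file name is an assumption) on each arch alongside the PoC; a non-zero exit or a crash is what to record on the bug.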
CC: (none) => lewyssmith
Whiteboard: MGA5TOO has_procedure mga6-64-ok MGA5-64-OK => MGA5TOO has_procedure mga6-64-ok MGA5-64-OK advisory
Whiteboard: MGA5TOO has_procedure mga6-64-ok MGA5-64-OK advisory => MGA5TOO has_procedure mga6-64-ok MGA5-64-OK advisory MGA6-32-OK
CC: (none) => nathan95
Not sure how that has_procedure got in there. A PoC is not necessarily a procedure because it more often than not only applies to the current bug and does not help with functionality testing.
Whiteboard: MGA5TOO has_procedure mga6-64-ok MGA5-64-OK advisory MGA6-32-OK => MGA5TOO mga6-64-ok MGA5-64-OK advisory MGA6-32-OK
The has_procedure was added by Len. If all we're doing is patching a particular issue and we have a PoC for it, as long as it's clear how to use it, it is a procedure as it's all you need to test.
I think it was finger trouble on my part. The point is, as far as I understand it, procedures are general ways to test the functionality of the package(s) irrespective of the bug issues, so are worth recording or noting.
No, has_procedure means that we have figured out a way to test that particular bug and documented it, so even someone unfamiliar can jump right in and test. When we don't have that tag, it means that testers will have to figure out how to test it.
OK David. So the procedure applies to the specific bug and if the package(s) comes up again with a different issue the procedure no longer applies. Thanks.
Should have said "might no longer apply". Obviously it does not exclude general testing procedures.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0254.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
*** Bug 22069 has been marked as a duplicate of this bug. ***