Apache has issued an advisory today (March 1): http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt The issue is fixed upstream in 3.2.1 and the message above contains a link to the commit that fixed the issue. Mageia 5 and Mageia 6 are also affected.
Status comment: (none) => Fixed upstream in 3.2.1
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
Updated packages built for cauldron and Mageia 6. Testing ideas in Bug 17820 and Bug 18421.

Advisory:
========================

Updated xerces-c packages fix security vulnerability:

The Xerces-C XML parser mishandles certain kinds of external DTD references, resulting in dereference of a NULL pointer while processing the path to the DTD. The bug allows for a denial of service attack in applications that allow DTD processing and do not prevent external DTD usage, and could conceivably result in remote code execution.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12627
http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt
========================

Updated packages in core/updates_testing:
========================
xerces-c-3.1.4-2.1.mga6
libxerces-c3.1-3.1.4-2.1.mga6
libxerces-c-devel-3.1.4-2.1.mga6

from xerces-c-3.1.4-2.1.mga6.src.rpm
Version: Cauldron => 6
Keywords: (none) => has_procedure
Whiteboard: MGA6TOO => (none)
CC: (none) => mrambo
Assignee: pkg-bugs => qa-bugs
Advisory uploaded. Added cve to text and markup.
Keywords: (none) => advisory
Mageia 6 :: x86_64

The reference identifies external Document Type Definitions as a possible source of problems for the xml parser.

Installed the packages from Updates.

Bug 18421 mentions enigma:

$ urpmq --requires enigma | grep xerces
libxerces-c-3.1.so()(64bit)

Installed enigma and played a bit.

It looks like sigil no longer needs xerces-c.

$ urpmq --requires-recursive sigil | grep xerces
$ urpmq --whatrequires-recursive lib64xerces-c3.1 | grep sigil
$

http://www.yolinux.com/TUTORIALS/XML-Xerces-C.html
This link provides the code for an XML parser along with a sample document.

$ cat sample.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<root>
<ApplicationSettings option_a = "10" option_b = "24" >
</ApplicationSettings>
<OtherStuff option_x = "500" >
</OtherStuff>
</root>

Compiled parser.h++ and parser.c++ and ran parser against the sample.

$ g++ -g -Wall -pedantic -I/opt/include -L/opt/lib -lxerces-c parser.c++ -DMAIN_TEST -o parser
$ ./parser sample.xml
Application option A=10
Application option B=24

So, all is OK before the updates.

Installed the updates and played with enigma and recompiled the test parser.

$ ./parser sample.xml
Application option A=10
Application option B=24

This all looks fine. OK for x86_64.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
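The advisory describes the fault as triggered by external DTD references in applications that "allow DTD processing and do not prevent external DTD usage", and the tester's sample.xml above exercises only the no-DOCTYPE path. The following is an added example, not code from the bug report or from the Xerces-C project: a pre-parse check, written against Python's standard-library expat binding (which does not fetch external DTDs on its own), that reports whether a document's DOCTYPE or internal subset points at external DTD resources, so an application that must keep DTD processing enabled can refuse such input from untrusted sources before handing it to its validating parser. The two documents with external references are constructed for the example; the "example.invalid" URLs are placeholders.

```python
"""Pre-parse check for external DTD references in XML input (added example)."""
import xml.parsers.expat as expat

# The tester's sample.xml from the report: no DOCTYPE at all.
SAFE_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<root>
<ApplicationSettings option_a = "10" option_b = "24" >
</ApplicationSettings>
<OtherStuff option_x = "500" >
</OtherStuff>
</root>
"""

# Constructed sample: DOCTYPE with an external system identifier.
EXTERNAL_DOCTYPE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE root SYSTEM "http://dtd.example.invalid/root.dtd">
<root/>
"""

# Constructed sample: internal subset declaring an external parameter entity,
# which would also pull DTD text from outside the document.
EXTERNAL_PE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY % ext SYSTEM "http://dtd.example.invalid/ext.dtd">
]>
<root/>
"""


def external_dtd_references(data):
    """Return a list of (kind, name, system_id, public_id) tuples, one per
    external DTD reference declared in the document; an empty list means
    none were declared. Malformed input raises expat.ExpatError."""
    findings = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE with a SYSTEM or PUBLIC identifier names an external DTD.
        if sysid or pubid:
            findings.append(("DOCTYPE", name, sysid, pubid))

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Any entity carrying a system/public id is resolved from outside the
        # document; parameter entities in particular inject DTD fragments.
        if sysid or pubid:
            kind = "PARAMETER_ENTITY" if is_param else "GENERAL_ENTITY"
            findings.append((kind, name, sysid, pubid))

    parser = expat.ParserCreate()
    # Never let this checking pass expand parameter entities itself.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)
    return findings


def is_safe_for_dtd_processing(data):
    """True only when the document is well-formed and declares no external
    DTD resources; malformed input is rejected as well."""
    try:
        return not external_dtd_references(data)
    except expat.ExpatError:
        return False


if __name__ == "__main__":
    for label, doc in (("sample.xml", SAFE_SAMPLE),
                       ("external DOCTYPE", EXTERNAL_DOCTYPE_SAMPLE),
                       ("external parameter entity", EXTERNAL_PE_SAMPLE)):
        print(label, "->", external_dtd_references(doc))
```

The check runs before the document reaches Xerces-C (or any other parser that honours external DTDs), so a document that would make such a parser resolve a DTD path is rejected up front; documents without a DOCTYPE, like the tester's sample.xml, pass unchanged. Rejecting malformed input in `is_safe_for_dtd_processing` is deliberate: a document the checker cannot parse is one whose DTD declarations it cannot vouch for.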
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0158.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Blocks: (none) => 22779