Bug 22925 - freeplane new security issue CVE-2018-1000069
Summary: freeplane new security issue CVE-2018-1000069
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://www.debian.org/security/2018/...
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-04-18 19:26 CEST by Zombie Ryushu
Modified: 2018-04-22 21:59 CEST

See Also:
Source RPM: freeplane-1.3.15-3.mga6.src.rpm
CVE: CVE-2018-1000069
Status comment:



Description Zombie Ryushu 2018-04-18 19:26:22 CEST
Wojciech Regula discovered an XML External Entity vulnerability in the XML Parser of the mindmap loader in freeplane, a Java program for working with mind maps, resulting in potential information disclosure if a malicious mind map file is opened.
Zombie Ryushu 2018-04-18 19:27:39 CEST

CVE: (none) => CVE-2018-1000069

Comment 1 Marja Van Waes 2018-04-18 21:47:13 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2018-04-19 09:30:53 CEST
Fixed on Cauldron and mga6 too!

CC: (none) => geiger.david68210

Comment 3 David Walser 2018-04-21 18:31:41 CEST
Thanks David!

Debian has issued an advisory for this on April 18:
https://www.debian.org/security/2018/dsa-4175

Advisory:
========================

Updated freeplane packages fix security vulnerability:

Wojciech Regula discovered an XML External Entity vulnerability in the XML
Parser of the mindmap loader in freeplane, a Java program for working with mind
maps, resulting in potential information disclosure if a malicious mind map
file is opened (CVE-2018-1000069).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000069
https://www.debian.org/security/2018/dsa-4175
========================

Updated packages in core/updates_testing:
========================
freeplane-1.3.15-3.1.mga6

freeplane-1.3.15-3.1.mga6.src.rpm

Version: Cauldron => 6
Summary: freeplane security vulnerabilities CVE-2018-1000069 => freeplane new security issue CVE-2018-1000069
Source RPM: freeplane => freeplane-1.3.15-3.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs

Comment 4 Len Lawrence 2018-04-22 18:57:46 CEST
Mageia 6, x86_64

Installed this and had a quick look at it before updating.
There is a built-in tutorial which I did not attempt to follow but was able to produce a primitive mind-map by tinkering with the menus, creating nodes, child nodes and child sibling nodes and entering text.  It was basically ideas for an essay.  Saved the map as a .mm file, all text in a rich-text format with XML-style delimiters and passages of HTML.  Images and other types of files can be included.  Ran freeplane again to reopen the mind-map and continue editing, then saved and printed the file on several sheets of paper.  It is pure WYSIWYG.

As far as these simple tests go the application appears to work alright after updating.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Lewis Smith 2018-04-22 20:34:52 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2018-04-22 21:59:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0210.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

