23401 – xml-security-c new security issue

Bug 23401 - xml-security-c new security issue

Summary: xml-security-c new security issue

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	6
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA6-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2018-08-06 21:54 CEST by David Walser
Modified:	2018-09-21 18:27 CEST (History)
CC List:	5 users (show)

See Also:
Source RPM:	xml-security-c-1.7.3-3.mga7.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-08-06 21:54:08 CEST

Debian has issued an advisory on August 5:
https://www.debian.org/security/2018/dsa-4265

Mageia 5 and Mageia 6 are also affected.

David Walser 2018-08-06 21:54:21 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-07 07:37:24 CEST

Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => mageia

Comment 2 Sander Lepik 2018-09-12 10:33:15 CEST

I have uploaded a patched package for Mageia 6 (cauldron was fixed by new version from guillomovitch).

I have no idea how to test the patch...

Suggested advisory:
========================

Updated xml-security-c packages fix security vulnerability:

It was discovered that the Apache XML Security for C++ library performed insufficient validation of KeyInfo hints, which could result in denial of service via NULL pointer dereferences when processing malformed XML data.

https://issues.apache.org/jira/projects/SANTUARIO/issues/SANTUARIO-491
========================

Updated packages in core/updates_testing:
========================
xml-security-c-1.7.3-2.1.mga6

Source RPM:
xml-security-c-1.7.3-2.1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: mageia => qa-bugs

Comment 3 Len Lawrence 2018-09-12 15:52:05 CEST

Mageia 6, x86_64

No idea about testing the patch either.  Nothing upstream.

Installed qdigidoc and ran strace on the gui via qdigidocclient.
$ strace -o trace.qdig qdigidocclient
This presented the DigiDoc3 interface where documents can be signed or opened.  There is a third option which looks like an opportunity to encrypt the signage:
"Open DigiDoc3 Crypto"
Pressed "Open signed document" which led to a file manager.
Retreated - just giving the application something to do.
The language options work.
Closed down and checked the trace file.
$ grep xml-security trace.qdig
open("/lib64/libxml-security-c.so.17", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libxml-security-c.so.17.0.3", O_RDONLY) = 3
open("/usr/lib64/libxml-security-c.so.17.0.3", O_RDONLY) = 24

Updated xml-security-c and tinkered with qdigidocclient.
Picked a PDF document rather than XML and the DigiDoc stated that PDF signing would be forwarded to the Estonian authority and a form was presented for the user to enter details.  Backed out at that point.
Just have to assume that it is all working.  No crashes or errors reported.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 4 Thomas Andrews 2018-09-19 03:56:25 CEST

Sounds like the best we can do. Validating...

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2018-09-21 16:51:23 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2018-09-21 18:27:38 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0381.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.