Bug 23401 - xml-security-c new security issue
Summary: xml-security-c new security issue
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2018-08-06 21:54 CEST by David Walser
Modified: 2018-09-21 18:27 CEST (History)
5 users (show)

See Also:
Source RPM: xml-security-c-1.7.3-3.mga7.src.rpm
Status comment:


Description David Walser 2018-08-06 21:54:08 CEST
Debian has issued an advisory on August 5:

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-08-06 21:54:21 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-07 07:37:24 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => mageia

Comment 2 Sander Lepik 2018-09-12 10:33:15 CEST
I have uploaded a patched package for Mageia 6 (cauldron was fixed by new version from guillomovitch).

I have no idea how to test the patch...

Suggested advisory:

Updated xml-security-c packages fix security vulnerability:

It was discovered that the Apache XML Security for C++ library performed insufficient validation of KeyInfo hints, which could result in denial of service via NULL pointer dereferences when processing malformed XML data.


Updated packages in core/updates_testing:

Source RPM:

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: mageia => qa-bugs

Comment 3 Len Lawrence 2018-09-12 15:52:05 CEST
Mageia 6, x86_64

No idea about testing the patch either.  Nothing upstream.

Installed qdigidoc and ran strace on the gui via qdigidocclient.
$ strace -o trace.qdig qdigidocclient
This presented the DigiDoc3 interface where documents can be signed or opened.  There is a third option which looks like an opportunity to encrypt the signage:
"Open DigiDoc3 Crypto"
Pressed "Open signed document" which led to a file manager.
Retreated - just giving the application something to do.
The language options work.
Closed down and checked the trace file.
$ grep xml-security trace.qdig
open("/lib64/libxml-security-c.so.17", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libxml-security-c.so.17.0.3", O_RDONLY) = 3
open("/usr/lib64/libxml-security-c.so.17.0.3", O_RDONLY) = 24

Updated xml-security-c and tinkered with qdigidocclient.
Picked a PDF document rather than XML and the DigiDoc stated that PDF signing would be forwarded to the Estonian authority and a form was presented for the user to enter details.  Backed out at that point.
Just have to assume that it is all working.  No crashes or errors reported.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 4 Thomas Andrews 2018-09-19 03:56:25 CEST
Sounds like the best we can do. Validating...

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2018-09-21 16:51:23 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2018-09-21 18:27:38 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.