Bug 23677 - dom4j new security issue CVE-2018-1000632
Summary: dom4j new security issue CVE-2018-1000632
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-10-13 00:13 CEST by David Walser
Modified: 2019-02-14 09:40 CET

See Also:
Source RPM: dom4j-2.0.0-3.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2018-10-13 00:13:33 CEST
openSUSE has issued an advisory on September 28:
https://lists.opensuse.org/opensuse-updates/2018-09/msg00174.html

The issue is fixed upstream in 2.1.1.

Mageia 6 is also affected.
David Walser 2018-10-13 00:13:40 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-10-13 08:33:10 CEST
Assigning to the registered maintainer.

Also CC'ing some committers.

Assignee: bugsquad => mageia
CC: (none) => geiger.david68210, marja11, pterjan

Comment 2 David Walser 2019-02-03 02:17:27 CET
Upstream patch applies to 2.0.0, but package doesn't build:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20190203011009.luigiwalser.duvel.37065/log/dom4j-2.0.0-4.mga7/build.0.20190203011109.log

All but one hunk of the openSUSE patch applies to the Mageia 6 version if you run dos2unix on the Java files, so it should be fixable there.

Status comment: (none) => Fixed upstream in 2.1.1

Comment 3 David GEIGER 2019-02-03 10:03:19 CET
Fixed for Cauldron!
Comment 4 David GEIGER 2019-02-03 11:02:16 CET
Now fixed for mga6!
Comment 5 David Walser 2019-02-03 17:48:17 CET
Thanks David!

Advisory:
========================

Updated dom4j packages fix security vulnerability:

dom4j version prior to version 2.1.1 contains an XML Injection vulnerability in
Class: Element. Methods: addElement, addAttribute that can result in an
attacker tampering with XML documents through XML injection. This attack
appears to be exploitable via an attacker specifying attributes or elements in
the XML document (CVE-2018-1000632).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000632
https://lists.opensuse.org/opensuse-updates/2018-09/msg00174.html
========================

Updated packages in core/updates_testing:
========================
dom4j-1.6.1-28.1.mga6
dom4j-demo-1.6.1-28.1.mga6
dom4j-manual-1.6.1-28.1.mga6
dom4j-javadoc-1.6.1-28.1.mga6

from dom4j-1.6.1-28.1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Status comment: Fixed upstream in 2.1.1 => (none)
Assignee: mageia => qa-bugs
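As an added illustration (not code from this bug, from dom4j or from the openSUSE patch), one way an application can protect itself on a dom4j release that predates the upstream fix is to validate caller-supplied element and attribute names before they reach addElement/addAttribute, so that a name carrying extra markup is rejected instead of being serialized into the document. The NCNAME pattern, the addChild/setAttr helpers and the hostile sample name are assumptions constructed for this example.

```java
import java.util.regex.Pattern;

import org.dom4j.Document;
import org.dom4j.DocumentHelper;
import org.dom4j.Element;

public class SafeDom4jBuilder {
    // Conservative ASCII subset of the XML NCName production (assumption made for
    // this example: non-ASCII letters are rejected as well, which is acceptable here).
    private static final Pattern NCNAME = Pattern.compile("[A-Za-z_][A-Za-z0-9_.-]*");

    // Reject anything that is not a plain XML name: spaces, '=', quotes, '<', '>' and
    // '/' can never appear in a valid name, so a name containing them is injection.
    static String requireName(String name) {
        if (name == null || !NCNAME.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid XML name: " + name);
        }
        return name;
    }

    // Wrappers used instead of calling dom4j directly with untrusted names.
    static Element addChild(Element parent, String name) {
        return parent.addElement(requireName(name));
    }

    static Element setAttr(Element el, String name, String value) {
        return el.addAttribute(requireName(name), value);
    }

    public static void main(String[] args) {
        Document doc = DocumentHelper.createDocument();
        Element root = doc.addElement("users");
        Element user = addChild(root, "user");
        setAttr(user, "role", "guest");
        System.out.println(doc.asXML());

        // Constructed hostile input: a "name" that smuggles an attribute along with it.
        // Without validation it would be handed to addElement as-is; here it is refused.
        try {
            addChild(root, "user role=\"admin\"");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Attribute values are escaped by dom4j when serialized; the check above is needed only for the names, which is where the advisory places the problem.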

Comment 6 Herman Viaene 2019-02-06 17:17:43 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Trying to find some example of usage, but I keep running into problems. I guess some more Java stuff is needed to compile one of those; I keep getting errors like:
$ javac dom4j.java 
dom4j.java:7: error: class Foo is public, should be declared in a file named Foo.java
public class Foo {
       ^
dom4j.java:3: error: package org.dom4j does not exist
import org.dom4j.Document;
                ^
dom4j.java:4: error: package org.dom4j does not exist
import org.dom4j.DocumentException;
At least it installs cleanly.

CC: (none) => herman.viaene

Comment 7 David Walser 2019-02-06 19:18:18 CET
Clean upgrades are a sufficient test for Java stack packages.
Herman Viaene 2019-02-07 08:28:35 CET

Whiteboard: (none) => MGA6-32-OK

Dave Hodgins 2019-02-14 07:55:02 CET

CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 8 Mageia Robot 2019-02-14 09:40:14 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0077.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
