Bug 25019 - expat new security issue fixed upstream in 2.2.7 (CVE-2018-20843)
Summary: expat new security issue fixed upstream in 2.2.7 (CVE-2018-20843)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-06-28 14:13 CEST by David Walser
Modified: 2019-09-15 14:13 CEST (History)
6 users (show)

See Also:
Source RPM: expat-2.2.6-2.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-06-28 14:13:21 CEST
Expat 2.2.7 has been released on June 19:
https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes

The upstream author says that it fixes one CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843

Mageia 6 is also affected.
David Walser 2019-06-28 14:13:35 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Lewis Smith 2019-06-28 17:27:52 CEST
I think this is yours, Shlomi.

CC: (none) => lewyssmith
Assignee: bugsquad => shlomif

Comment 2 David Walser 2019-08-11 22:37:03 CEST
Debian has issued an advisory for this on June 28:
https://www.debian.org/security/2019/dsa-4472
Comment 3 David Walser 2019-08-11 23:11:44 CEST
Ubuntu has issued an advisory for this on June 26:
https://usn.ubuntu.com/4040-1/
Comment 4 David Walser 2019-08-12 15:42:28 CEST
Shlomi updated Cauldron to 2.2.7 on June 29.

Shlomi uploaded an updated package for Mageia 7.  Waiting for Mageia 6...

expat-2.2.7-1.mga7
libexpat1-2.2.7-1.mga7
libexpat-devel-2.2.7-1.mga7

Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Version: Cauldron => 7

Comment 5 David Walser 2019-08-12 21:38:47 CEST
Advisory:
========================

Updated expat packages fix security vulnerability:

It was discovered that Expat did not properly handled XML input including XML
names that contain a large number of colons, potentially resulting in denial of
service (CVE-2018-20843).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes
https://www.debian.org/security/2019/dsa-4472
========================

Updated packages in core/updates_testing:
========================
expat-2.2.7-1.mga6
libexpat1-2.2.7-1.mga6
libexpat-devel-2.2.7-1.mga6
expat-2.2.7-1.mga7
libexpat1-2.2.7-1.mga7
libexpat-devel-2.2.7-1.mga7

from SRPMS:
expat-2.2.7-1.mga6.src.rpm
expat-2.2.7-1.mga7.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs

Comment 6 Herman Viaene 2019-09-07 10:28:03 CEST
MGA6-64 Plasma on Lenovo B50
No installation issues
Followed tests as described in https://wiki.mageia.org/en/QA_procedure:Expat
$ python testexpat.py
Tested OK
$ xmlwf /etc/xml/catalog
$ xmlwf /etc/passwd
/etc/passwd:1:16: not well-formed (invalid token)

All seems OK.

Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK
CC: (none) => herman.viaene

Lewis Smith 2019-09-08 09:02:42 CEST

CC: lewyssmith => (none)

Comment 7 Len Lawrence 2019-09-13 19:16:34 CEST
mga7, x86_64

CVE-2018-20843
https://bugzilla.suse.com/show_bug.cgi?id=1139937&_ga=2.66152878.104103968.1568393798-120638559.1565709153
$ xmlwf clusterfuzz-testcase-4543406568112128.txt
clusterfuzz-testcase-4543406568112128.txt:1:88403: no element found

This is the expected result.  Also:-
$ valgrind xmlwf clusterfuzz-testcase-4543406568112128.txt
One CPU core hit 99% and stayed there.... for a while.  "no element found" was reported.

Updated the packages and ran the POC.
$ xmlwf clusterfuzz-testcase-4543406568112128.txt
clusterfuzz-testcase-4543406568112128.txt:1:88403: no element found

That returned immediately as did the valgrind test.
Issue fixed.


Followed the Mageia wiki test as reported in comment 6.
$ edit testexpat.py
$ edit testdata.xml
$ python testexpat.py
Tested OK
$ python3 testexpat.py
Tested OK
$ xmlwf /etc/xml/catalog
$ xmlwf /etc/passwd
/etc/passwd:1:16: not well-formed (invalid token)

OK for mga7 as well.

Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK
CC: (none) => tarazed25

Comment 8 Thomas Andrews 2019-09-14 05:15:09 CEST
Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-09-15 11:53:11 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 9 Mageia Robot 2019-09-15 14:13:08 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0274.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.