Bug 26311 - xerces-c new security issue CVE-2018-1311
Summary: xerces-c new security issue CVE-2018-1311
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Depends on:
Reported: 2020-03-06 16:24 CET by David Walser
Modified: 2020-06-21 16:02 CEST
4 users

See Also:
Source RPM: xerces-c-3.2.2-2.mga7.src.rpm
Status comment:

Code for simple XML parser based on xerces-c API. (6.07 KB, text/x-csrc)
2020-06-02 19:50 CEST, Len Lawrence
Include file needed by parser.c++ (1.36 KB, text/plain)
2020-06-02 19:51 CEST, Len Lawrence

Description David Walser 2020-03-06 16:24:31 CET
RedHat has issued an advisory on March 4:

Mageia 7 is also affected.
David Walser 2020-03-06 16:24:41 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-03-06 21:16:10 CET
No registered or obvious packager visible, so assigning globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2020-03-08 17:42:20 CET
Done! You can test the upcoming arp-scan-1.9.6-1.mga7 in the Core/Updates_testing repo.

CC: (none) => geiger.david68210

Comment 3 David GEIGER 2020-03-08 17:54:09 CET
OOppss! wrong bug, sorry :)
Comment 4 David Walser 2020-03-19 14:48:07 CET
RedHat notes that this package was dropped in RHEL8.  Maybe we don't need it?

Status comment: (none) => Patch available from RedHat

Comment 5 Nicolas Lécureuil 2020-05-31 14:54:45 CEST
Fixed in cauldron, 

and in mga7 with the rpm: xerces-c-3.2.2-2.1.mga7

CC: (none) => mageia
Whiteboard: MGA7TOO => (none)
Status comment: Patch available from RedHat => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 7

Comment 6 David Walser 2020-05-31 18:48:55 CEST

Updated xerces-c packages fix security vulnerability:

A use-after-free vulnerability was found in xerces-c in the way an XML document
is processed via the SAX API. Applications that process XML documents with an
external Document Type Definition (DTD) may be vulnerable to this flaw. A
remote attacker could exploit this flaw by creating a specially crafted XML
file that would crash the application or potentially lead to arbitrary code
execution (CVE-2018-1311).
Updated packages in core/updates_testing:

from xerces-c-3.2.2-2.1.mga7.src.rpm
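The advisory above ties the flaw to documents that carry an external DTD, so a pre-parse triage of untrusted input is a useful defensive check alongside the package update. The following Python check is an added example, not code from this bug report or from the xerces-c project; its sample documents are constructed and the example.invalid host is a placeholder.

```python
import re

# Constructed sample documents (not from the bug report). The first three declare
# an external DTD or external entity, the precondition named in the advisory.
SAMPLES = {
    "external_system": '<?xml version="1.0"?>\n'
                       '<!DOCTYPE note SYSTEM "http://example.invalid/note.dtd">\n<note/>',
    "external_public": '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" '
                       '"xhtml1-strict.dtd"><html/>',
    "external_pe_entity": '<!DOCTYPE note [ <!ENTITY % ext SYSTEM "ext.dtd"> %ext; ]><note/>',
    "internal_only": '<!DOCTYPE note [ <!ELEMENT note (#PCDATA)> ]><note>hi</note>',
    "commented_out": '<!-- <!DOCTYPE note SYSTEM "x.dtd"> --><note/>',
    "no_doctype": '<?xml version="1.0"?><note/>',
}
_COMMENT = re.compile(r"<!--.*?-->", re.S)
# <!DOCTYPE name ExternalID? [internal subset]? >
_DOCTYPE = re.compile(
    r"<!DOCTYPE\s+(?P<name>[^\s\[>]+)(?P<head>[^\[>]*)(?:\[(?P<subset>.*?)\])?\s*>", re.S)
# SYSTEM "uri"  or  PUBLIC "pubid" "uri", with either quote style for the URI
_EXT_ID = re.compile(
    r"""\b(?:SYSTEM\s+|PUBLIC\s+(?:"[^"]*"|'[^']*')\s+)(?:"(?P<d>[^"]*)"|'(?P<s>[^']*)')""")
_ENTITY = re.compile(r"<!ENTITY[^>]*>", re.S)

def _uri(m):
    return m.group("d") if m.group("d") is not None else m.group("s")

def external_dtd_references(xml_text):
    """Return (kind, uri) pairs for each external DTD ("doctype") or external
    entity declared in the internal subset ("entity"). Comments are stripped
    first so a commented-out DOCTYPE is not counted."""
    m = _DOCTYPE.search(_COMMENT.sub("", xml_text))
    if not m:
        return []
    refs = []
    ext = _EXT_ID.search(m.group("head"))
    if ext:
        refs.append(("doctype", _uri(ext)))
    for decl in _ENTITY.finditer(m.group("subset") or ""):
        ext = _EXT_ID.search(decl.group(0))
        if ext:
            refs.append(("entity", _uri(ext)))
    return refs

if __name__ == "__main__":
    # Any non-empty result marks a document that would exercise the external-DTD path.
    for name, text in SAMPLES.items():
        print(f"{name:20s}", external_dtd_references(text))
```

In xerces-c itself, the SAX2 feature http://apache.org/xml/features/nonvalidating/load-external-dtd (XMLUni::fgXercesLoadExternalDTD) controls whether external DTDs are fetched at all, and an application that does not need them should leave it disabled.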
Comment 7 Herman Viaene 2020-06-02 14:27:47 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 18421 for test.
Used strace on enigma, and found ref:
openat(AT_FDCWD, "/lib64/libxerces-c-3.2.so", O_RDONLY|O_CLOEXEC) = 3.
I could play two levels, but the thing started flashing and sounding when I tried to close it.
Leaving for more experienced people.

CC: (none) => herman.viaene

Comment 8 Len Lawrence 2020-06-02 15:42:57 CEST
That's OK Herman.  Having encountered this before I shall follow up when I have time (been sent to Hell and back by the latest version of tbird - grrrrh!!).

CC: (none) => tarazed25

Comment 9 Len Lawrence 2020-06-02 19:50:35 CEST
Created attachment 11673
Code for simple XML parser based on xerces-c API.

Needs parser.h++

This command works but may not be the best way to do it.
$ g++ -g -Wall -pedantic $(pkg-config --libs xerces-c) parser.c++ -DMAIN_TEST -o parser
Comment 10 Len Lawrence 2020-06-02 19:51:40 CEST
Created attachment 11674
Include file needed by parser.c++
Comment 11 Len Lawrence 2020-06-02 20:19:12 CEST
mga7, x86_64

Updated the packages in the absence of a PoC.
Referred to https://bugs.mageia.org/show_bug.cgi?id=18421 to see how things were tackled before.  The first problem was the lack of source for the parser test program.  Downloaded that from http://www.yolinux.com/TUTORIALS/XML-Xerces-C.html and hacked it enough to allow it to be compiled.  Ran the result against the trivial XML file attached and all was well.  The parser is not a general utility.  It seems to work for only that target.

Followed Herman's lead and tried out enigma.
Tried to enlarge the board but there seemed to be no way to do it.  Changed video mode resolution upward and set fullscreen - no effect.  Unable to start a game, but it used to work.  Eventually the flashing started, as in comment 7 and the game crashed.

Moved to ~/.enigma.

Could not see any errors in state.xml.
So maybe there is a regression here.
Comment 12 Len Lawrence 2020-06-02 20:54:20 CEST
Referring to comment 11, the enigma program was run from the system menus.  Running it from the command line was a little more successful.  It generated the board at very low resolution fullscreen - i.e. it looked very fuzzy.  Played a couple of levels then tried to quit from the main menu.  That froze the whole machine - needed a hard reset to get back to the desktop.
Comment 13 Len Lawrence 2020-06-09 18:37:42 CEST
We have no idea if the fault here lies with enigma or xerces-c.  It might be possible to catch a trace.

Keywords: (none) => feedback

Comment 14 David Walser 2020-06-21 14:53:08 CEST
Did you try enigma before the xerces-c update?

Source RPM: xerces-c-3.2.2-4.mga8.src.rpm => xerces-c-3.2.2-2.mga7.src.rpm
Keywords: feedback => (none)

Comment 15 Len Lawrence 2020-06-21 14:59:30 CEST
I am not sure now - too far back.  Need to try it on another partition.
Comment 16 Len Lawrence 2020-06-21 15:54:49 CEST
On another machine.
Installed xerces-c and enigma.

$ rpm -q xerces-c
$ rpm -qa | grep xerces
$ rpm -q enigma

Started enigma successfully from the cli.  Played tutorial level game for a while but could find no way to quit.  Not clear exactly what happened.  Repeated Esc's and tried to kill it via the window decorations.  Lost control of the mouse and the game window started flashing.

Enabled updates-testing.
$ urpmi.update -a
$ MageiaUpdate
Updated the four xerces-c packages.
$ enigma

The game played, shifted from level 0 to level 1 and then the trouble started.  After only a few moves the level went back to the "abort/restart level" screen.  On clicking resume the window started to flash.  Could not kill the window or control the mouse but mouse events were being echoed in the terminal.  Tried several keyboard combinations like CtrlAltF2, CtrlC, AltX and others and eventually the game window vanished.

The journal reports nothing relevant around that time.  Nor was anything recorded in .xsession-errors.

So the update probably did not introduce the faulty behaviour in enigma.
Comment 17 Len Lawrence 2020-06-21 16:02:23 CEST
There is a .enigma directory.
$ ll .enigma
total 28
drwxr-xr-x 2 lcl lcl 4096 Jun 21 14:15 backup/
-rw-r--r-- 1 lcl lcl  524 Jun 21 14:37 enigma_nodat.score
-rw-r--r-- 1 lcl lcl  524 Jun 21 14:37 enigma.score
drwxr-xr-x 6 lcl lcl 4096 Jun 21 14:15 levels/
-rw-r--r-- 1 lcl lcl 5168 Jun 21 14:37 state.xml
drwxr-xr-x 3 lcl lcl 4096 Jun 21 14:15 thumbs-120x78/

14:37 may have been the time when enigma was first played, before updating xerces-c.  There may be an error log somewhere - which might not be any use if it were not closed properly.
