Bug 30351 - xmlrpc-c possible new security issue CVE-2022-25235
Summary: xmlrpc-c possible new security issue CVE-2022-25235
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2022-04-29 02:00 CEST by David Walser
Modified: 2022-05-15 12:08 CEST (History)
5 users (show)

See Also:
Source RPM: xmlrpc-c-1.51.07-2.mga9.src.rpm
CVE: CVE-2022-25235
Status comment:


Description David Walser 2022-04-29 02:00:09 CEST
RedHat has issued an advisory today (April 28):

This is apparently due to a bundled expat.

I don't see expat BR'd in our package, so we're probably affected, in which case Mageia 8 would be also.
David Walser 2022-04-29 02:00:25 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Possible bundled expat would need to be patched

Comment 1 Nicolas Salguero 2022-04-29 22:37:27 CEST
For Mga8, xmlrpc-c-1.51.06-1.1.mga8 solves the issue.

For Cauldron, there is a problem with current version of meson:
ERROR: Got unknown keyword arguments "install"
(see: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20220429202712.ns80.duvel.2922008/log/xmlrpc-c-1.51.07-4.mga9/build.x86_64.0.20220429202806.log)

CC: (none) => nicolas.salguero

Comment 2 Lewis Smith 2022-04-30 09:34:59 CEST
Changing NicolasS from CC to assignee, seeing you have already updated Cauldron for this. The SRPM has no registered maintainer.

Assignee: bugsquad => nicolas.salguero
CC: nicolas.salguero => (none)

Comment 3 Nicolas Salguero 2022-05-12 11:28:28 CEST
For Cauldron, the problem with meson is over.

Suggested advisory:

The updated packages fix a security vulnerability:

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. (CVE-2022-25235)


Updated packages in core/updates_testing:

from SRPM:

Status comment: Possible bundled expat would need to be patched => (none)
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-25235
Version: Cauldron => 8
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA8TOO => (none)

Comment 4 Herman Viaene 2022-05-12 14:23:58 CEST
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues
Mcc says:
"Programming library for writing an XML-RPC server or client in C or C++​"
So I will OK it on clean install just as for other deveopers's stuff. But in case someone would like to try her/his hand on it, I found way over my head) https://www.tutorialspoint.com/xml-rpc/xml_rpc_examples.htm

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2022-05-13 14:55:51 CEST
Nothing that I can use. Every time I start to think I could consider myself a skilled used, a series of these development packages comes along for QA approval to prove how little I actually know.

Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-05-15 00:41:40 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-05-15 12:08:03 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.