Bug 30351 - xmlrpc-c possible new security issue CVE-2022-25235
Summary: xmlrpc-c possible new security issue CVE-2022-25235
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-04-29 02:00 CEST by David Walser
Modified: 2022-05-15 12:08 CEST (History)
5 users (show)

See Also:
Source RPM: xmlrpc-c-1.51.07-2.mga9.src.rpm
CVE: CVE-2022-25235
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2022-04-29 02:00:09 CEST 
RedHat has issued an advisory today (April 28):
https://access.redhat.com/errata/RHSA-2022:1643

This is apparently due to a bundled expat.

I don't see expat BR'd in our package, so we're probably affected, in which case Mageia 8 would be also.
David Walser 2022-04-29 02:00:25 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Possible bundled expat would need to be patched

Comment 1 Nicolas Salguero 2022-04-29 22:37:27 CEST 
For Mga8, xmlrpc-c-1.51.06-1.1.mga8 solves the issue.

For Cauldron, there is a problem with current version of meson:
"""
ERROR: Got unknown keyword arguments "install"
"""
(see: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20220429202712.ns80.duvel.2922008/log/xmlrpc-c-1.51.07-4.mga9/build.x86_64.0.20220429202806.log)

CC: (none) => nicolas.salguero

Comment 2 Lewis Smith 2022-04-30 09:34:59 CEST 
Changing NicolasS from CC to assignee, seeing you have already updated Cauldron for this. The SRPM has no registered maintainer.

Assignee: bugsquad => nicolas.salguero
CC: nicolas.salguero => (none)

Comment 3 Nicolas Salguero 2022-05-12 11:28:28 CEST 
For Cauldron, the problem with meson is over.

Suggested advisory:
========================

The updated packages fix a security vulnerability:

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. (CVE-2022-25235)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25235
https://access.redhat.com/errata/RHSA-2022:1643
========================

Updated packages in core/updates_testing:
========================
lib(64)xmlrpc-c3-1.51.06-1.1.mga8
lib(64)xmlrpc-c-devel-1.51.06-1.1.mga8
xmlrpc-c-1.51.06-1.1.mga8

from SRPM:
xmlrpc-c-1.51.06-1.1.mga8.src.rpm

Status comment: Possible bundled expat would need to be patched => (none)
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-25235
Status: NEW => ASSIGNED
Version: Cauldron => 8
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA8TOO => (none)

Comment 4 Herman Viaene 2022-05-12 14:23:58 CEST 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues
Mcc says:
"Programming library for writing an XML-RPC server or client in C or C++​"
So I will OK it on clean install just as for other deveopers's stuff. But in case someone would like to try her/his hand on it, I found way over my head) https://www.tutorialspoint.com/xml-rpc/xml_rpc_examples.htm

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2022-05-13 14:55:51 CEST 
Nothing that I can use. Every time I start to think I could consider myself a skilled used, a series of these development packages comes along for QA approval to prove how little I actually know.

Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-05-15 00:41:40 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-05-15 12:08:03 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0183.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.