Fedora has issued an advisory on August 22: http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085828.html Mageia 1 and Mageia 2 are also affected. The upstream fix is linked here: https://bugzilla.redhat.com/show_bug.cgi?id=787890#c8
CC: (none) => pterjan
CC: (none) => shlomif
CC: (none) => pierre-malo.denielou
Whiteboard: (none) => MGA2TOO, MGA1TOO
I will take care of that.
Status: NEW => ASSIGNED
Assignee: bugsquad => pierre-malo.denielou
I believe Malo fixed this in Cauldron, but it still needs to be fixed for Mageia 1/2.
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Yes, I'm on it. I just wanted to test the patch on Cauldron a little. The security threat is not very big anyway.
Patched package for Mageia 1 and Mageia 2 uploaded by Malo. Thanks Malo!

Advisory:
========================

Updated ocaml-xml-light packages fix security vulnerability:

OCaml Xml-Light Library before r234 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via unspecified vectors (CVE-2012-3514).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3514
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085828.html
========================

Updated packages in core/updates_testing:
========================
ocaml-xml-light-2.2-18.1.mga1
ocaml-xml-light-devel-2.2-18.1.mga1
ocaml-xml-light-2.2-19.1.mga2
ocaml-xml-light-devel-2.2-19.1.mga2

from SRPMS:
ocaml-xml-light-2.2-18.1.mga1.src.rpm
ocaml-xml-light-2.2-19.1.mga2.src.rpm
Assignee: pierre-malo.denielou => qa-bugs
Severity: normal => major
Thanks David for the advisory. Only one package in Mageia uses ocaml-xml-light. It is ocaml-dose3, so it should be rebuilt against this patched version.
Do the changes in the patch require ocaml-dose3 to be rebuilt, or does ocaml-dose3 include an internal copy of ocaml-xml-light?
The ocaml-dose3 package includes some executables, like distcheck, that contain built-in copies of ocaml-xml-light. I just pushed the ocaml-dose3 package to updates_testing for mga1 and mga2.
OK, thanks Malo. Malo has submitted these packages to the build system. I'll update the advisory when they are built.

ocaml-dose3-2.9.2-2.2457.2.1.mga1
ocaml-dose3-2.9.10-3.1.mga2
ocaml-dose3 packages are now built.

Advisory:
========================

Updated ocaml-xml-light packages fix security vulnerability:

OCaml Xml-Light Library before r234 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via unspecified vectors (CVE-2012-3514).

Additionally, ocaml-dose3 has been rebuilt to include the updated ocaml-xml-light.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3514
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085828.html
========================

Updated packages in core/updates_testing:
========================
ocaml-xml-light-2.2-18.1.mga1
ocaml-xml-light-devel-2.2-18.1.mga1
ocaml-dose3-2.9.2-2.2457.2.1.mga1
ocaml-dose3-devel-2.9.2-2.2457.2.1.mga1
ocaml-xml-light-2.2-19.1.mga2
ocaml-xml-light-devel-2.2-19.1.mga2
ocaml-dose3-2.9.10-3.1.mga2
ocaml-dose3-devel-2.9.10-3.1.mga2

from SRPMS:
ocaml-xml-light-2.2-18.1.mga1.src.rpm
ocaml-dose3-2.9.2-2.2457.2.1.mga1.src.rpm
ocaml-xml-light-2.2-19.1.mga2.src.rpm
ocaml-dose3-2.9.10-3.1.mga2.src.rpm
Possibly useful links:
http://tech.motion-twin.com/xmllight
http://xahlee.info/ocaml/ocaml_basics.html
$ urpmf ocaml-dose3 | grep bin
ocaml-dose3:/usr/bin/apt-cudf
ocaml-dose3:/usr/bin/ceve
ocaml-dose3:/usr/bin/challenged
ocaml-dose3:/usr/bin/deb-buildcheck
ocaml-dose3:/usr/bin/debcheck
ocaml-dose3:/usr/bin/distcheck
ocaml-dose3:/usr/bin/eclipsecheck
ocaml-dose3:/usr/bin/outdated
ocaml-dose3:/usr/bin/rpmcheck
Unable to install ocaml-dose3 from Release due to it having a strictly versioned rpm require and Testing (and so QA) having a newer version. Limiting regression testing to checking the new version.

# urpmi ocaml-dose3
The following packages can't be installed because they depend on packages that are older than the installed ones:
lib64rpm-devel-4.9.1.3-2.mga2
ocaml-dose3-2.9.10-3.mga2
Continue installation anyway? (Y/n) n

"the more recent rpm-4.9.1.3-2.1.mga2.x86_64 is installed, but does not provide rpm[== 1:4.9.1.3-2.mga2] whereas rpm-4.9.1.3-2.mga2.x86_64 does"
It seems this is a result of the new rpm in Testing (with no bug :P) but not in the way I initially thought. Installing ocaml-dose3 requires librpm-devel which, for the Testing version of rpm, is not available with Testing disabled. The workaround is to install from Release with Testing enabled using:

# urpmi --searchmedia Release ocaml-dose3

The side effect is that it installs further rpm libs from Testing for which we have no bug yet and could give misleading results.
From Release version, some dangling links:

$ ll /usr/bin/eclipsecheck
lrwxrwxrwx 1 root root 81 Sep 10 13:05 /usr/bin/eclipsecheck -> ../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.mga2.x86_64//usr/bin/distcheck
$ ll /usr/bin/debcheck
lrwxrwxrwx 1 root root 81 Sep 10 13:05 /usr/bin/debcheck -> ../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.mga2.x86_64//usr/bin/distcheck
$ ll /usr/bin/rpmcheck
lrwxrwxrwx 1 root root 81 Sep 10 13:05 /usr/bin/rpmcheck -> ../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.mga2.x86_64//usr/bin/distcheck
Not sure how to use this, testing first with Release version..

Looking at /usr/share/doc/ocaml-xml-light/README

Following the simple sample..

$ ocaml
        Objective Caml version 3.12.1

# let x = Xml.parse_string "<a href='url'>TEXT<begin/><end/></a>" in
  Printf.printf "XML formated = \n%s" (Xml.to_string_fmt x);
  ;;
Error: Unbound module Xml
Testing mga2 64

Some success, following here http://rosettacode.org/wiki/XML/Input#OCaml

#directory "+xml-light" (* or maybe "+site-lib/xml-light" *) ;;
#load "xml-light.cma" ;;

let x = Xml.parse_string "
<Students>
  <Student Name='April' Gender='F' DateOfBirth='1989-01-02' />
  <Student Name='Bob' Gender='M' DateOfBirth='1990-03-04' />
  <Student Name='Chad' Gender='M' DateOfBirth='1991-05-06' />
  <Student Name='Dave' Gender='M' DateOfBirth='1992-07-08'>
    <Pet Type='dog' Name='Rover' />
  </Student>
  <Student DateOfBirth='1993-09-10' Gender='F' Name='Émily' />
</Students>" in
Xml.iter (function
  | Xml.Element ("Student", attrs, _) ->
      List.iter (function ("Name", name) -> print_endline name | _ -> ()) attrs
  | _ -> ()) x ;;

By doing this I get the output it lists..

April
Bob
Chad
Dave
Émily
- : unit = ()

This is the same after updating so there doesn't appear to be any obvious regression with ocaml-xml-light.

ocaml-dose3 however still has the same dangling links in the update ..

$ ll /usr/bin/rpmcheck
lrwxrwxrwx 1 root root 83 Sep 10 15:15 /usr/bin/rpmcheck -> ../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.1.mga2.x86_64//usr/bin/distcheck
$ ll /usr/bin/debcheck
lrwxrwxrwx 1 root root 83 Sep 10 15:15 /usr/bin/debcheck -> ../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.1.mga2.x86_64//usr/bin/distcheck
$ ll /usr/bin/eclipsecheck
lrwxrwxrwx 1 root root 83 Sep 10 15:15 /usr/bin/eclipsecheck -> ../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.1.mga2.x86_64//usr/bin/distcheck

The binaries in ocaml-dose3 seem oriented towards Debian rather than Mageia, is this really a Mageia package?
Whiteboard: MGA1TOO => MGA1TOO feedback
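A small QA helper, added here as an example and not part of the bug report or of the Mageia packages, that scans an installed tree for the kind of dangling symlinks reported above (targets that are missing, or that point into a build host's BUILDROOT). The fixture directory, its file and link names and the /nonexistent target are constructed for the example:

```shell
#!/bin/sh
# Added example (not from the bug report): report symlinks under DIR whose
# target is missing or points into a build chroot's BUILDROOT, the defect
# seen with /usr/bin/{debcheck,eclipsecheck,rpmcheck} in ocaml-dose3.
# Output: one line per suspect link, "<link> -> <target> (<reason>)".
find_dangling_links() {
    find "$1" -type l | while IFS= read -r link; do
        target=$(readlink "$link")
        case "$target" in
            */BUILDROOT/*)
                # A target inside BUILDROOT only ever existed on the build host.
                printf '%s -> %s (points into BUILDROOT)\n' "$link" "$target"
                continue ;;
        esac
        # test -e follows the link, so it fails when the target is absent.
        [ -e "$link" ] || printf '%s -> %s (target missing)\n' "$link" "$target"
    done
}

# Number of suspect links under DIR (handy as a pass/fail check in QA).
count_dangling_links() {
    find_dangling_links "$1" | wc -l | tr -d ' '
}

# Constructed fixture mimicking the package layout in the report:
# one correct relative link, one link into BUILDROOT, one plain dangling link.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin"
    printf '#!/bin/sh\n' > "$root/usr/bin/distcheck"
    ln -s distcheck "$root/usr/bin/rpmcheck"
    ln -s "../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.1.mga2.x86_64//usr/bin/distcheck" \
          "$root/usr/bin/debcheck"
    ln -s /nonexistent/distcheck "$root/usr/bin/eclipsecheck"
    printf '%s\n' "$root"
}

# Stand-alone run: build the fixture, list the two bad links, clean up.
root=$(make_fixture)
find_dangling_links "$root"
rm -rf "$root"
```

Point find_dangling_links at / (or at the package's file list from urpmf) on a test machine to catch such links before an update is validated.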
Thank you to Malo for a testing procedure for ocaml-dose3 and for confirming the procedure in comment 16 is OK for ocaml-xml-light. He is busy this week but is going to take a look at dose3, so he has suggested we can test distcheck and create a new bug for the dangling links, which I will do later.

Download hdlist.cz for, say, Core Updates Testing..

wget http://your/mirror/here/distrib/2/x86_64/media/core/updates_testing/media_info/hdlist.cz

Obviously change it to suit your mirror.

$ distcheck -vvv hdlist://hdlist.cz
(I)Boilerplate: Parsing and normalizing...
(I)Rpm: Parsing hdlist.cz...
(I)Rpm: total packages 0
(I)Rpm: total packages 0
(I)Distcheck: Solving...
(D)Depsolver_int: n. disjunctions 0
(D)Depsolver_int: n. dependencies 0
(D)Depsolver_int: n. conflicts 0
background-packages: 0
foreground-packages: 0
total-packages: 0
broken-packages: 0

Testing complete for ocaml-xml-light & ocaml-dose3 on Mageia 2 x86_64
Whiteboard: MGA1TOO feedback => MGA1TOO has_procedure mga2-64-OK
Testing complete mga1 32

Following procedures in comment 16 and comment 17.
Whiteboard: MGA1TOO has_procedure mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga2-64-OK
Bug 7448 created for the dangling links on Mageia 2
Testing complete mga1 64
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK
Testing complete on Mageia 2 i586. Thanks for the procedures.

Could someone from the sysadmin team please push the srpms

ocaml-xml-light-2.2-19.1.mga2.src.rpm
ocaml-dose3-2.9.10-3.1.mga2.src.rpm

from Mageia 2 Core Updates Testing to Core Updates and the srpms

ocaml-xml-light-2.2-18.1.mga1.src.rpm
ocaml-dose3-2.9.2-2.2457.2.1.mga1.src.rpm

from Mageia 1 Core Updates Testing to Core Updates.

Advisory:

Updated ocaml-xml-light packages fix security vulnerability:

OCaml Xml-Light Library before r234 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via unspecified vectors (CVE-2012-3514).

Additionally, ocaml-dose3 has been rebuilt to include the updated ocaml-xml-light.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3514
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085828.html
https://bugs.mageia.org/show_bug.cgi?id=7276
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK mga2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0266
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED