Bug 7276 - ocaml-xml-light new security issue CVE-2012-3514
: ocaml-xml-light new security issue CVE-2012-3514
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/514539/
: MGA1TOO has_procedure mga1-32-OK mga1...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-08-31 21:37 CEST by David Walser
Modified: 2012-09-13 14:23 CEST (History)
6 users (show)

See Also:
Source RPM: ocaml-xml-light-2.2-19.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-08-31 21:37:56 CEST
Fedora has issued an advisory on August 22:
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085828.html

Mageia 1 and Mageia 2 are also affected.

The upstream fix is linked here:
https://bugzilla.redhat.com/show_bug.cgi?id=787890#c8
Comment 1 Malo Deniélou 2012-08-31 21:55:32 CEST
I will take care of that.
Comment 2 David Walser 2012-09-05 22:21:39 CEST
I believe Malo fixed this in Cauldron, but it still needs fixed for Mageia 1/2.
Comment 3 Malo Deniélou 2012-09-05 22:25:07 CEST
Yes, I'm on it. I just wanted to test the patch on Cauldron a little. The security threat is not very big anyway.
Comment 4 David Walser 2012-09-06 00:09:36 CEST
Patched package for Mageia 1 and Mageia 2 uploaded by Malo.

Thanks Malo!

Advisory:
========================

Updated ocaml-xml-light packages fix security vulnerability:

OCaml Xml-Light Library before r234 computes hash values without
restricting the ability to trigger hash collisions predictably, which
allows context-dependent attackers to cause a denial of service (CPU
consumption) via unspecified vectors (CVE-2012-3514).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3514
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085828.html
========================

Updated packages in core/updates_testing:
========================
ocaml-xml-light-2.2-18.1.mga1
ocaml-xml-light-devel-2.2-18.1.mga1
ocaml-xml-light-2.2-19.1.mga2
ocaml-xml-light-devel-2.2-19.1.mga2

from SRPMS:
ocaml-xml-light-2.2-18.1.mga1.src.rpm
ocaml-xml-light-2.2-19.1.mga2.src.rpm
Comment 5 Malo Deniélou 2012-09-06 11:04:22 CEST
Thanks David for the advisory. Only one package in Mageia uses ocaml-xml-light. It is ocaml-dose3, so it should be rebuilt against this patched version.
Comment 6 David Walser 2012-09-06 15:21:43 CEST
Do the changes in the patch require ocaml-dose3 to be rebuilt, or does ocaml-dose3 include an internal copy of ocaml-xml-light?
Comment 7 Malo Deniélou 2012-09-06 23:10:41 CEST
The ocaml-dose3 package includes some executables, like distcheck, that contain built in copies of ocaml-xml-light. I just pushed the ocaml-dose3 package to updates_testing for mga1 and mga2.
Comment 8 David Walser 2012-09-06 23:15:46 CEST
OK, thanks Malo.

Malo has submitted these packages to the build system.
I'll update the advisory when they are built.

ocaml-dose3-2.9.2-2.2457.2.1.mga1
ocaml-dose3-2.9.10-3.1.mga2
Comment 9 David Walser 2012-09-07 02:35:44 CEST
ocaml-dose3 packages are now built.

Advisory:
========================

Updated ocaml-xml-light packages fix security vulnerability:

OCaml Xml-Light Library before r234 computes hash values without
restricting the ability to trigger hash collisions predictably, which
allows context-dependent attackers to cause a denial of service (CPU
consumption) via unspecified vectors (CVE-2012-3514).

Additionally, ocaml-dose3 has been rebuilt to include the updated
ocaml-xml-light.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3514
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085828.html
========================

Updated packages in core/updates_testing:
========================
ocaml-xml-light-2.2-18.1.mga1
ocaml-xml-light-devel-2.2-18.1.mga1
ocaml-dose3-2.9.2-2.2457.2.1.mga1
ocaml-dose3-devel-2.9.2-2.2457.2.1.mga1
ocaml-xml-light-2.2-19.1.mga2
ocaml-xml-light-devel-2.2-19.1.mga2
ocaml-dose3-2.9.10-3.1.mga2
ocaml-dose3-devel-2.9.10-3.1.mga2

from SRPMS:
ocaml-xml-light-2.2-18.1.mga1.src.rpm
ocaml-dose3-2.9.2-2.2457.2.1.mga1.src.rpm
ocaml-xml-light-2.2-19.1.mga2.src.rpm
ocaml-dose3-2.9.10-3.1.mga2.src.rpm
Comment 10 claire robinson 2012-09-10 11:11:17 CEST
Possibly useful links:

http://tech.motion-twin.com/xmllight

http://xahlee.info/ocaml/ocaml_basics.html
Comment 11 claire robinson 2012-09-10 11:14:06 CEST
$ urpmf ocaml-dose3 | grep bin
ocaml-dose3:/usr/bin/apt-cudf
ocaml-dose3:/usr/bin/ceve
ocaml-dose3:/usr/bin/challenged
ocaml-dose3:/usr/bin/deb-buildcheck
ocaml-dose3:/usr/bin/debcheck
ocaml-dose3:/usr/bin/distcheck
ocaml-dose3:/usr/bin/eclipsecheck
ocaml-dose3:/usr/bin/outdated
ocaml-dose3:/usr/bin/rpmcheck
Comment 12 claire robinson 2012-09-10 11:29:57 CEST
Unable to install ocaml-dose3 from Release due to it having a strictly versioned rpm require and Testing (and so QA) having a newer version. Limiting regression testing to checking the new version.

# urpmi ocaml-dose3
The following packages can't be installed because they depend on packages
that are older than the installed ones:
lib64rpm-devel-4.9.1.3-2.mga2
ocaml-dose3-2.9.10-3.mga2
Continue installation anyway? (Y/n) n

"the more recent rpm-4.9.1.3-2.1.mga2.x86_64 is installed, but does not provide rpm[== 1:4.9.1.3-2.mga2] whereas rpm-4.9.1.3-2.mga2.x86_64 does"
Comment 13 claire robinson 2012-09-10 12:17:19 CEST
It seems this a result of the new rpm in Testing (with no bug :P) but not in the way I initially thought.

Installing ocaml-dose3 requires librpm-devel which for the Testing version of rpm is not available with Testing disabled.

The workaround is to install from Release with Testing enabled using:

# urpmi --searchmedia Release ocaml-dose3

The side effect is that it installs further rpm libs from Testing for which we have no bug yet and could give misleading results.
Comment 14 claire robinson 2012-09-10 14:28:22 CEST
From Release version, some dangling links:

$ ll /usr/bin/eclipsecheck
lrwxrwxrwx 1 root root 81 Sep 10 13:05 /usr/bin/eclipsecheck -> ../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.mga2.x86_64//usr/bin/distcheck

$ ll /usr/bin/debcheck
lrwxrwxrwx 1 root root 81 Sep 10 13:05 /usr/bin/debcheck -> ../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.mga2.x86_64//usr/bin/distcheck

$ ll /usr/bin/rpmcheck
lrwxrwxrwx 1 root root 81 Sep 10 13:05 /usr/bin/rpmcheck -> ../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.mga2.x86_64//usr/bin/distcheck
Comment 15 claire robinson 2012-09-10 16:00:30 CEST
Not sure how to use this, testing first with Release version..

Looking at /usr/share/doc/ocaml-xml-light/README

Following the simple sample..

$ ocaml
        Objective Caml version 3.12.1

# let x = Xml.parse_string "<a href='url'>TEXT<begin/><end/></a>" in
  Printf.printf "XML formated = \n%s" (Xml.to_string_fmt x);
  ;;
Error: Unbound module Xml
Comment 16 claire robinson 2012-09-10 16:24:37 CEST
Testing mga2 64

Some success, following here http://rosettacode.org/wiki/XML/Input#OCaml

 #directory "+xml-light" (* or maybe "+site-lib/xml-light" *) ;;
 #load "xml-light.cma" ;;
 
 let x = Xml.parse_string "
  <Students>
    <Student Name='April' Gender='F' DateOfBirth='1989-01-02' />
    <Student Name='Bob' Gender='M'  DateOfBirth='1990-03-04' />
    <Student Name='Chad' Gender='M'  DateOfBirth='1991-05-06' />
    <Student Name='Dave' Gender='M'  DateOfBirth='1992-07-08'>
      <Pet Type='dog' Name='Rover' />
    </Student>
    <Student DateOfBirth='1993-09-10' Gender='F' Name='&#x00C9;mily' />
  </Students>"
  in
  Xml.iter (function
    Xml.Element ("Student", attrs, _) ->
       List.iter (function ("Name", name) -> print_endline name | _ -> ()) attrs
  | _ -> ()) x
  ;;

By doing this I get the output it lists..

April
Bob
Chad
Dave
&#x00C9;mily
- : unit = ()

This is the same after updating so there doesn't appear to be any obvious regression with ocaml-xml-light.

ocaml-dose3 however still has the same dangling links in the update ..

$ ll /usr/bin/rpmcheck
lrwxrwxrwx 1 root root 83 Sep 10 15:15 /usr/bin/rpmcheck -> ../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.1.mga2.x86_64//usr/bin/distcheck

$ ll /usr/bin/debcheck
lrwxrwxrwx 1 root root 83 Sep 10 15:15 /usr/bin/debcheck -> ../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.1.mga2.x86_64//usr/bin/distcheck

$ ll /usr/bin/eclipsecheck
lrwxrwxrwx 1 root root 83 Sep 10 15:15 /usr/bin/eclipsecheck -> ../../home/iurt/rpm/BUILDROOT/ocaml-dose3-2.9.10-3.1.mga2.x86_64//usr/bin/distcheck

the binaries in ocaml-dose3 seem oriented towards debian rather than mageia, is this really a mageia package?
Comment 17 claire robinson 2012-09-10 18:53:04 CEST
Thankyou to malo for a testing procedure for ocaml-dose3 and confirming the procedure in comment 16 is OK for ocaml-xml-light.

He is busy this week but going to take a look at dose3 so has suggested we can test distcheck and create a new bug for the dangling links which I will do later.

Download hdlist.cz for say Core Updates Testing..
wget http://your/mirror/here/distrib/2/x86_64/media/core/updates_testing/media_info/hdlist.cz

Obviously change it to suit your mirror

$ distcheck -vvv hdlist://hdlist.cz
(I)Boilerplate: Parsing and normalizing...
(I)Rpm: Parsing hdlist.cz...
(I)Rpm: total packages 0
(I)Rpm: total packages 0
(I)Distcheck: Solving...
(D)Depsolver_int: n. disjunctions 0
(D)Depsolver_int: n. dependencies 0
(D)Depsolver_int: n. conflicts 0
background-packages: 0
foreground-packages: 0
total-packages: 0
broken-packages: 0

Testing complete for ocaml-xml-light & ocaml-dose3 on Mageia 2 x86_64
Comment 18 claire robinson 2012-09-11 15:09:37 CEST
Testing complete mga1 32

Following procedures in comment 16 and comment 17
Comment 19 claire robinson 2012-09-11 15:14:42 CEST
Bug 7448 created for the dangling links on Mageia 2
Comment 20 claire robinson 2012-09-11 15:52:15 CEST
Testing complete mga1 64
Comment 21 Dave Hodgins 2012-09-11 22:16:00 CEST
Testing complete on Mageia 2 i586.  Thanks for the procedures.

Could someone from the sysadmin team please push the srpms
ocaml-xml-light-2.2-19.1.mga2.src.rpm
ocaml-dose3-2.9.10-3.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpms
ocaml-xml-light-2.2-18.1.mga1.src.rpm
ocaml-dose3-2.9.2-2.2457.2.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated ocaml-xml-light packages fix security vulnerability:

OCaml Xml-Light Library before r234 computes hash values without
restricting the ability to trigger hash collisions predictably, which
allows context-dependent attackers to cause a denial of service (CPU
consumption) via unspecified vectors (CVE-2012-3514).

Additionally, ocaml-dose3 has been rebuilt to include the updated
ocaml-xml-light.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3514
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085828.html

https://bugs.mageia.org/show_bug.cgi?id=7276
Comment 22 Thomas Backlund 2012-09-13 14:23:53 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0266

Note You need to log in before you can comment on or make changes to this bug.