Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 583268 (CVE-2016-0718) - <dev-libs/expat-2.1.1-r1: Expat XML Parser Crashes on Malformed Input (CVE-2016-0718)
Summary: <dev-libs/expat-2.1.1-r1: Expat XML Parser Crashes on Malformed Input (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2016-0718
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-05-17 09:39 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2017-01-11 12:16 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
The patch for CVE-2016-0718 (CVE-2016-0718-v2-2-1.patch,25.82 KB, patch)
2016-05-17 09:39 UTC, Kristian Fiskerstrand (RETIRED)
no flags Details | Diff
Hardening to previous CVE-2015-1283 in 2.1.1 (CVE-2015-1283-refix.patch,1.33 KB, patch)
2016-05-17 09:41 UTC, Kristian Fiskerstrand (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-05-17 09:39:33 UTC
Created attachment 434502 [details, diff]
The patch for CVE-2016-0718

CVE-2016-0718: Expat XML Parser Crashes on Malformed Input

Severity: Critical

Versions Affected: All Expat XML Parser library versions

Description: The Expat XML parser mishandles certain kinds of malformed
input documents, resulting in buffer overflows during processing and error
reporting. The overflows can manifest as a segmentation fault or as memory
corruption during a parse operation. The bugs allow for a denial of service
attack in many applications by an unauthenticated attacker, and could
conceivably result in remote code execution.

Mitigation: Applications that are using Expat should apply the attached patch as soon as possible.

Credit: this issue was reported by Gustavo Grieco
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-05-17 09:41:02 UTC
Created attachment 434506 [details, diff]
Hardening to previous CVE-2015-1283 in 2.1.1
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-05-19 07:37:15 UTC
Issue public via ${URL}
Comment 3 Sebastian Pipping gentoo-dev 2016-05-28 16:42:34 UTC
In Git.  How do we proceed?

https://github.com/gentoo/gentoo/commit/6bcf306fc93c86f15779e3e3f44ec856beb1414c
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-05-29 13:02:14 UTC
Arches, please stabilize
=dev-libs/expat-2.1.1-r1
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 5 Tobias Klausmann gentoo-dev 2016-05-30 08:21:26 UTC
Stable on alpha.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2016-05-30 11:01:34 UTC
Stable for PPC64.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2016-05-31 04:46:58 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2016-05-31 09:30:20 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-05-31 09:35:37 UTC
x86 stable
Comment 10 Markus Meier gentoo-dev 2016-06-04 05:07:16 UTC
arm stable
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-06-27 11:33:50 UTC
CVE-2016-0718 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0718):
  Expat allows context-dependent attackers to cause a denial of service
  (crash) or possibly execute arbitrary code via a malformed input document,
  which triggers a buffer overflow.
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-27 11:34:21 UTC
Added to existing GLSA.
Comment 13 Agostino Sarubbo gentoo-dev 2016-07-08 07:58:18 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2016-07-08 10:06:59 UTC
sparc stable
Comment 15 Agostino Sarubbo gentoo-dev 2016-07-08 12:06:12 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 16 Sebastian Pipping gentoo-dev 2016-07-08 12:39:48 UTC
(In reply to Agostino Sarubbo from comment #15)
> Maintainer(s), please cleanup.

I have removed 2.1.1 now (https://github.com/gentoo/gentoo/commit/41169f960485226b530b0b46dc1c55ea4ab7570f)

BUT am unsure about the removal of 2.1.0-r5.  It is marked stable on four more arches (arm64, m68k, s390, sh) than any later ebuild of Expat.  Please confirm that non of these arches are stabilized any more and that you're good with removal of expat-2.1.0-r5.ebuild.  Thanks!
Comment 17 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-09 01:35:53 UTC
(In reply to Sebastian Pipping from comment #16)
> (In reply to Agostino Sarubbo from comment #15)
> > Maintainer(s), please cleanup.
> 
> I have removed 2.1.1 now
> (https://github.com/gentoo/gentoo/commit/
> 41169f960485226b530b0b46dc1c55ea4ab7570f)
> 
> BUT am unsure about the removal of 2.1.0-r5.  It is marked stable on four
> more arches (arm64, m68k, s390, sh) than any later ebuild of Expat.  Please
> confirm that non of these arches are stabilized any more and that you're
> good with removal of expat-2.1.0-r5.ebuild.  Thanks!

Those arches are unsupported so removal is fine.
Comment 18 Sebastian Pipping gentoo-dev 2016-07-09 14:43:26 UTC
Good, 2.1.0-r5 removed now.

https://github.com/gentoo/gentoo/commit/0905f87452499686c30270f737b728a88b059250
Comment 19 Sebastian Pipping gentoo-dev 2016-07-26 19:30:04 UTC
commit 16a87b549461e49ac8b7915d892d4d8ca187c1b1
Author: Sebastian Pipping <sping@g.o>
Date:   Tue Jul 26 21:23:09 2016 +0200

    dev-libs/expat: CVE-2016-0718 regression fix
    
    Package-Manager: portage-2.2.28

 dev-libs/expat/expat-2.1.1-r3.ebuild               | 98 ++++++++++++++++++++++
 .../{expat-2.2.0.ebuild => expat-2.2.0-r1.ebuild}  |  4 +
 .../expat-2.1.1-CVE-2016-0718-regression.patch     | 27 ++++++
 3 files changed, 129 insertions(+)

https://github.com/gentoo/gentoo/commit/16a87b549461e49ac8b7915d892d4d8ca187c1b1


The fix itself does not close a vulnerability, but fixes a regression introduced with expat-2.1.1-CVE-2016-0718-v2-2-1.patch .  I'm proposing to stabilize 2.1.1-r3.  What do you think?
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2017-01-11 12:16:10 UTC
This issue was resolved and addressed in
 GLSA 201701-21 at https://security.gentoo.org/glsa/201701-21
by GLSA coordinator Aaron Bauman (b-man).