[Secure-testing-commits] r31729 - in data: . CVE DLA DSA

Raphaël Hertzog hertzog at moszumanska.debian.org
Tue Jan 27 11:05:38 UTC 2015


Author: hertzog
Date: 2015-01-27 11:05:38 +0000 (Tue, 27 Jan 2015)
New Revision: 31729

Modified:
   data/CVE/list
   data/DLA/list
   data/DSA/list
   data/dla-needed.txt
Log:
Reopen CVE-2014-0191 as the fix we used was incomplete

While investigating CVE-2012-6685 for libnokogiri-ruby, I discovered that
libxml2 was always opening local entity files. This could be used
to perform information disclosure on services accepting untrusted
XML files. The discussion made it clear that this was fixed in
libxml 2.9 with this commit:
https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f

Looking through libxml2 CVE history, I discovered CVE-2014-0191 which
appears to be exactly about this problem (except that the CVE description
is misleading and unrelated to libxml2) so I'm reopening it.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2015-01-27 11:03:48 UTC (rev 31728)
+++ data/CVE/list	2015-01-27 11:05:38 UTC (rev 31729)
@@ -2791,6 +2791,7 @@
 	- ruby-nokogiri 1.5.4-1 (low)
 	- libnokogiri-ruby <removed>
 	NOTE: https://github.com/sparklemotion/nokogiri/issues/693
+	NOTE: Full fix requires fixing CVE-2014-0191 in libxml2 too.
 CVE-2014-9428 (The batadv_frag_merge_packets function in ...)
 	- linux 3.16.7-ckt4-1 (bug #774155)
 	[wheezy] - linux <not-affected> (Introduced in 3.13)
@@ -28482,10 +28483,9 @@
 CVE-2014-0192 (Foreman 1.4.0 before 1.5.0 does not properly restrict access to ...)
 	- foreman <itp> (bug #663101)
 CVE-2014-0191 (Unspecified vulnerability in the Oracle HTTP Server component in ...)
-	{DSA-2978-1 DLA-80-1 DLA-0016-1}
 	- libxml2 2.9.1+dfsg1-4 (bug #747309)
-	[squeeze] - libxml2 2.7.8.dfsg-2+squeeze9
-	NOTE: patch: https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
+	NOTE: The upstream patch we used in DSA-2978-1 and DLA-16-1 is only half of the fix. The other half is likely https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f which is only in libxml 2.9 and newer. This was found out with the test case given in https://github.com/sparklemotion/nokogiri/issues/693#issuecomment-8935085.
+	NOTE: First patches: https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df https://git.gnome.org/browse/libxml2/commit/?id=dd8367da17c2948981a51e52c8a6beb445edf825
 CVE-2014-0190 (The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to ...)
 	- qt4-x11 4:4.8.6+dfsg-1 (low)
 	[wheezy] - qt4-x11 <no-dsa> (Minor issue)
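Review bot: the identifier in the new NOTE is inconsistent with the rest of the data: it refers to "DLA-16-1", while the removed reference line and data/DLA/list both use "DLA-0016-1"; use the same form so the note can be matched to the advisory. The same NOTE also omits DLA-80-1, which the removed `{DSA-2978-1 DLA-80-1 DLA-0016-1}` line listed and which this commit strips from data/DLA/list as well; either name it alongside DSA-2978-1 or say why it does not apply. Finally, with the `[squeeze] - libxml2 2.7.8.dfsg-2+squeeze9` line gone and no `[wheezy]` line present, squeeze and wheezy are now tracked as affected purely by comparison against the unstable fixed version 2.9.1+dfsg1-4; that matches the intent of reopening, but a one-line NOTE saying the squeeze9/wheezy1 uploads carry only the first half of the fix would keep that history in the entry.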

Modified: data/DLA/list
===================================================================
--- data/DLA/list	2015-01-27 11:03:48 UTC (rev 31728)
+++ data/DLA/list	2015-01-27 11:05:38 UTC (rev 31729)
@@ -169,7 +169,7 @@
 	{CVE-2014-3567 CVE-2014-3568 CVE-2014-3569}
 	[squeeze] - openssl 0.9.8o-4squeeze18
 [29 Oct 2014] DLA-80-1 libxml2 - security update
-	{CVE-2014-0191 CVE-2014-3660}
+	{CVE-2014-3660}
 	[squeeze] - libxml2 2.7.8.dfsg-2+squeeze10
 [29 Oct 2014] DLA-79-1 dokuwiki - security update
 	{CVE-2014-8763 CVE-2014-8764}
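Review bot: dropping CVE-2014-0191 from DLA-80-1 leaves no record in data/DLA/list that 2.7.8.dfsg-2+squeeze10 shipped the partial patch for it; the reopened CVE entry in data/CVE/list does not mention DLA-80-1 either, so that fact is lost from the tracker entirely. Consider a NOTE on this advisory (or on the CVE) stating that the first-half patch was included here.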
@@ -364,7 +364,6 @@
 	{CVE-2014-3515 CVE-2014-0207 CVE-2014-3480 CVE-2014-4721}
 	[squeeze] - php5 5.3.3-7+squeeze21
 [19 Jul 2014] DLA-0016-1 libxml2 - security update
-	{CVE-2014-0191}
 	[squeeze] - libxml2 2.7.8.dfsg-2+squeeze
 [12 Jul 2014] DLA-0015-1 linux-2.6 - security update
 	{CVE-2013-4387 CVE-2013-4470 CVE-2014-0203 CVE-2014-2678 CVE-2014-3122 CVE-2014-3144 CVE-2014-3917 CVE-2014-4652 CVE-2014-4699 CVE-2014-3145 CVE-2014-4656 CVE-2014-4667}
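Review bot: pre-existing, but worth fixing while this entry is being touched: the context line `[squeeze] - libxml2 2.7.8.dfsg-2+squeeze` has no revision number after "squeeze", unlike `+squeeze9` in the removed data/CVE/list line and `+squeeze10` in the DLA-80-1 entry above. After removing `{CVE-2014-0191}` this advisory is also left with no CVE annotation at all, which is unusual for a security update; a NOTE explaining that its only CVE was reopened would make the empty reference intentional rather than look like data loss.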

Modified: data/DSA/list
===================================================================
--- data/DSA/list	2015-01-27 11:03:48 UTC (rev 31728)
+++ data/DSA/list	2015-01-27 11:05:38 UTC (rev 31729)
@@ -495,7 +495,6 @@
 	{CVE-2013-7176 CVE-2013-7177}
 	[wheezy] - fail2ban 0.8.6-3wheezy3
 [11 Jul 2014] DSA-2978-1 libxml2 - security update
-	{CVE-2014-0191}
 	[wheezy] - libxml2 2.8.0+dfsg1-7+wheezy1
 [11 Jul 2014] DSA-2977-1 libav - security update
 	{CVE-2014-4609}
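Review bot: as with the DLA entries, removing `{CVE-2014-0191}` leaves DSA-2978-1 without any CVE reference and without a note that 2.8.0+dfsg1-7+wheezy1 contains the first half of the fix. Since the new NOTE in data/CVE/list explicitly names DSA-2978-1 as the advisory that shipped the partial patch, keep that linkage visible here too, for example with a NOTE line, so the eventual follow-up DSA can be cross-referenced to this one.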

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt	2015-01-27 11:03:48 UTC (rev 31728)
+++ data/dla-needed.txt	2015-01-27 11:05:38 UTC (rev 31729)
@@ -38,6 +38,8 @@
 libextlib-ruby
   NOTE: debdiff of Salvatore Bonaccorso ready in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697895#23
 --
+libnokogiri-ruby
+--
 libjson-ruby
 --
 libksba
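Review bot: the new `libnokogiri-ruby` entry carries no NOTE line, while neighbouring entries such as libextlib-ruby point at the relevant bug or debdiff. Add a NOTE referencing CVE-2012-6685 and the nokogiri issue (https://github.com/sparklemotion/nokogiri/issues/693) so the person picking it up knows the work depends on the libxml2 fix also being queued in this file.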
@@ -48,6 +50,8 @@
 --
 libvncserver (Nguyen Cong)
 --
+libxml2
+--
 nss
 --
 php5 (Thorsten Alteholz)
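Review bot: the new `libxml2` entry likewise has no NOTE and no claimant. Given the commit message explains that the second half of the fix (the 4629ee02 upstream commit) exists only in libxml 2.9 and newer, while squeeze carries 2.7.8, a NOTE stating that the remaining work is a backport of that commit for CVE-2014-0191 would save the next LTS contributor from re-deriving the analysis.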
