Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

Bug #1752306 reported by Nick Moriarty on 2018-02-28
318
This bug affects 13 people
Affects Status Importance Assigned to Milestone
xmltooling (Ubuntu)
Undecided
Unassigned
Trusty
Undecided
Unassigned
Xenial
Undecided
Emily Ratliff
Artful
Undecided
Unassigned
Bionic
Undecided
Unassigned

Bug Description

From the Debian security advisory at https://www.debian.org/security/2018/dsa-4126

    Kelby Ludwig and Scott Cantor discovered that the Shibboleth service provider is vulnerable to impersonation attacks and information disclosure due to incorrect XML parsing. For additional details please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv_20180227.txt

    For the oldstable distribution (jessie), this problem has been fixed in version 1.5.3-2+deb8u3.

    For the stable distribution (stretch), this problem has been fixed in version 1.6.0-4+deb9u1.

    We recommend that you upgrade your xmltooling packages.

    For the detailed security status of xmltooling please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xmltooling

This bug is fixed upstream in Debian

CVE References

information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in xmltooling (Ubuntu):
status: New → Confirmed
David Champion (dgc-launchpad) wrote :

Timeline?

David Champion (dgc-launchpad) wrote :

To emphasize, this vulnerability allows remote access as any valid user by any third party with no local foothold. It's a very bad one.

Bruno Silva (brunosilva3161) wrote :

There is any prevision of a bugfix for Ubuntu 14.04?

David Champion (dgc-launchpad) wrote :

It's been 2 weeks since this critical vuln was announced, and SPs running Shibboleth on Ubuntu are dead in the water or insecure. Does Ubuntu have any fix plan for this?

I've tried porting the Debian package stack myself but there are build failures I don't have time to pursue.

Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in xmltooling (Ubuntu):
status: Confirmed → Incomplete
Seth Arnold (seth-arnold) wrote :

The 14.04 LTS xmltooling package shows up on http://people.canonical.com/~ubuntu-security/d2u/ so there's a good chance we'll release a fakesync from Debian to address this for trusty, but other releases will need someone from the community to prepare and test a debdiff. Once it's ready, attach it here, and subscribe ubuntu-security-sponsors.

Thanks

David Champion (dgc-launchpad) wrote :

Thanks for the explanation. Unfortunately all the debian packaging stuff puts it out of reach for me. I'll look into simply building my own stack from source.

David Champion (dgc-launchpad) wrote :

Another question though. Why is this bug now "incomplete" when there's a CVE that confirms this version has a flaw? It doesn't seem unverifiable.

Seth Arnold (seth-arnold) wrote :

"Incomplete" is noisier -- if we set this to 'confirmed' and no one works on it, no one will ever be reminded of it. If we set this to 'incomplete' and no one works on it, folks will get an email when it auto-expires and be reminded that it's still not fixed. Perhaps by then someone will have more time / enthusiasm for providing a fix.

Thanks

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xmltooling - 1.5.3-2+deb8u3build0.14.04.1

---------------
xmltooling (1.5.3-2+deb8u3build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian (LP: #1752306)

xmltooling (1.5.3-2+deb8u3) jessie-security; urgency=high

  * [2890d0c] New patches fixing CVE-2018-0489: additional data forgery flaws.
    These flaws allow for changes to an XML document that do not break a
    digital signature but alter the user data passed through to applications
    enabling impersonation attacks and exposure of protected information.
    https://shibboleth.net/community/advisories/secadv_20180227.txt
    https://issues.shibboleth.net/jira/browse/CPPXT-128
    The Add-disallowDoctype-to-parser-configuration.patch is not effective
    under Xerces 3.1 in jessie, but provides more generic protection under
    Xerces 3.2 against issues like CVE-2018-0486. It's included here for
    completeness and to avoid a conflict applying the CVE-2018-0489 patch.

 -- Steve Beattie <email address hidden> Tue, 20 Mar 2018 15:21:30 -0700

Changed in xmltooling (Ubuntu):
status: Incomplete → Fix Released
Steve Beattie (sbeattie) wrote :

Fixed in bionic in https://launchpad.net/ubuntu/+source/xmltooling/1.6.4-1ubuntu2.

Still needs to be addressed in xenial and artful.

Changed in xmltooling (Ubuntu Trusty):
status: New → Fix Released
Changed in xmltooling (Ubuntu Xenial):
status: New → Incomplete
Changed in xmltooling (Ubuntu Artful):
status: New → Incomplete
Ray Link (rlink) wrote :

Debdiff attached which fixes the problem for Xenial.

Since there is no corresponding Debian release to fakesync this from for Xenial, I've just recreated the patch sequence against the version already in Xenial. It includes the same two quilt patches which have been fake-synced into Trusty, and already exist in Bionic:

- A one-line patch to add 'disallowDoctype' to the parser configuration. While this does nothing under the Xerces 3.1 in Xenial, it provides generic impersonation protection for Xerces 3.2. This patch is a pre-req to get the upstream CVE-2018-0489 patch to apply cleanly.

- Upstream's patch for CVE-2018-0489.

Emily Ratliff (emilyr) on 2018-03-29
Changed in xmltooling (Ubuntu Xenial):
status: Incomplete → In Progress
assignee: nobody → Emily Ratliff (emilyr)
Ray Link (rlink) wrote :

Packages from security-proposed tested and look ok.

tags: added: verification-done-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xmltooling - 1.5.6-2ubuntu0.2

---------------
xmltooling (1.5.6-2ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Upstream patch to fix CVE-2018-0489 (LP: #1752306)
    - d/p/Add-disallowDoctype-to-parser-configuration.patch:
      Generic protection against data forgery. Irrelevant under
      Xerces 3.1, but is a pre-req for the CVE-2018-0489 patch.
    - d/p/CVE-2018-0489-Fix-additional-data-forgery-flaws.patch:
      New patches fixing CVE-2018-0489: additional data forgery flaws.
      These flaws allow for changes to an XML document that do not break a
      digital signature but alter the user data passed through to applications
      enabling impersonation attacks and exposure of protected information.

 -- Ray Link <email address hidden> Thu, 29 Mar 2018 15:17:35 -0400

Changed in xmltooling (Ubuntu Xenial):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers