Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

Bug #1752306 reported by Nick Moriarty
This bug affects 13 people
Affects               Status        Importance  Assigned to    Milestone
xmltooling (Ubuntu)   Fix Released  Undecided   Unassigned
Trusty                Fix Released  Undecided   Unassigned
Xenial                Fix Released  Undecided   Emily Ratliff
Artful                Won't Fix     Undecided   Unassigned
Bionic                Fix Released  Undecided   Unassigned

Bug Description

From the Debian security advisory at https://www.debian.org/security/2018/dsa-4126

    Kelby Ludwig and Scott Cantor discovered that the Shibboleth service provider is vulnerable to impersonation attacks and information disclosure due to incorrect XML parsing. For additional details please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv_20180227.txt

    For the oldstable distribution (jessie), this problem has been fixed in version 1.5.3-2+deb8u3.

    For the stable distribution (stretch), this problem has been fixed in version 1.6.0-4+deb9u1.

    We recommend that you upgrade your xmltooling packages.

    For the detailed security status of xmltooling please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xmltooling

This bug is fixed upstream in Debian

CVE References

information type: Private Security → Public Security
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in xmltooling (Ubuntu):
status: New → Confirmed
Revision history for this message
David Champion (dgc-launchpad) wrote :

Timeline?

Revision history for this message
David Champion (dgc-launchpad) wrote :

To emphasize, this vulnerability allows remote access as any valid user by any third party with no local foothold. It's a very bad one.

Revision history for this message
Bruno Silva (brunosilva3161) wrote :

Is there any forecast of a bugfix for Ubuntu 14.04?

Revision history for this message
David Champion (dgc-launchpad) wrote :

It's been 2 weeks since this critical vuln was announced, and SPs running Shibboleth on Ubuntu are dead in the water or insecure. Does Ubuntu have any fix plan for this?

I've tried porting the Debian package stack myself but there are build failures I don't have time to pursue.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in xmltooling (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Seth Arnold (seth-arnold) wrote :

The 14.04 LTS xmltooling package shows up on http://people.canonical.com/~ubuntu-security/d2u/ so there's a good chance we'll release a fakesync from Debian to address this for trusty, but other releases will need someone from the community to prepare and test a debdiff. Once it's ready, attach it here, and subscribe ubuntu-security-sponsors.

Thanks

Revision history for this message
David Champion (dgc-launchpad) wrote :

Thanks for the explanation. Unfortunately all the debian packaging stuff puts it out of reach for me. I'll look into simply building my own stack from source.

Revision history for this message
David Champion (dgc-launchpad) wrote :

Another question though. Why is this bug now "incomplete" when there's a CVE that confirms this version has a flaw? It doesn't seem unverifiable.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

"Incomplete" is noisier -- if we set this to 'confirmed' and no one works on it, no one will ever be reminded of it. If we set this to 'incomplete' and no one works on it, folks will get an email when it auto-expires and be reminded that it's still not fixed. Perhaps by then someone will have more time / enthusiasm for providing a fix.

Thanks

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xmltooling - 1.5.3-2+deb8u3build0.14.04.1

---------------
xmltooling (1.5.3-2+deb8u3build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian (LP: #1752306)

xmltooling (1.5.3-2+deb8u3) jessie-security; urgency=high

  * [2890d0c] New patches fixing CVE-2018-0489: additional data forgery flaws.
    These flaws allow for changes to an XML document that do not break a
    digital signature but alter the user data passed through to applications
    enabling impersonation attacks and exposure of protected information.
    https://shibboleth.net/community/advisories/secadv_20180227.txt
    https://issues.shibboleth.net/jira/browse/CPPXT-128
    The Add-disallowDoctype-to-parser-configuration.patch is not effective
    under Xerces 3.1 in jessie, but provides more generic protection under
    Xerces 3.2 against issues like CVE-2018-0486. It's included here for
    completeness and to avoid a conflict applying the CVE-2018-0489 patch.

 -- Steve Beattie <email address hidden> Tue, 20 Mar 2018 15:21:30 -0700

Changed in xmltooling (Ubuntu):
status: Incomplete → Fix Released
Revision history for this message
Steve Beattie (sbeattie) wrote :

Fixed in bionic in https://launchpad.net/ubuntu/+source/xmltooling/1.6.4-1ubuntu2.

Still needs to be addressed in xenial and artful.

Changed in xmltooling (Ubuntu Trusty):
status: New → Fix Released
Changed in xmltooling (Ubuntu Xenial):
status: New → Incomplete
Changed in xmltooling (Ubuntu Artful):
status: New → Incomplete
Revision history for this message
Ray Link (rlink) wrote :

Debdiff attached which fixes the problem for Xenial.

Since there is no corresponding Debian release to fakesync this from for Xenial, I've just recreated the patch sequence against the version already in Xenial. It includes the same two quilt patches which have been fake-synced into Trusty, and already exist in Bionic:

- A one-line patch to add 'disallowDoctype' to the parser configuration. While this does nothing under the Xerces 3.1 in Xenial, it provides generic impersonation protection for Xerces 3.2. This patch is a pre-req to get the upstream CVE-2018-0489 patch to apply cleanly.

- Upstream's patch for CVE-2018-0489.
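The 'disallowDoctype' setting described in the two comments above is a parser-level hardening: if a document carries a DOCTYPE, the parser stops before any of the DTD can influence what the application sees. The following added example (not part of this bug report or of the xmltooling package) shows the same idea with Python's standard-library expat bindings: one parser with the DOCTYPE check installed, one without, run over two constructed sample documents. The element and attribute names, and the sample contents, are made up for the demonstration.

```python
import xml.parsers.expat


class DoctypeDisallowed(ValueError):
    """Raised when a document carries a DOCTYPE and the parser refuses it."""


def parse_text_content(xml_bytes: bytes, disallow_doctype: bool = True) -> dict:
    """Parse a small XML document and return {element_name: text_content}.

    With disallow_doctype=True (the hardened configuration, analogous to the
    'disallowDoctype' parser option described in the bug), any DOCTYPE
    declaration aborts parsing with DoctypeDisallowed before the DTD can
    affect the character data handed to the application.
    """
    parser = xml.parsers.expat.ParserCreate()
    collected: dict = {}
    open_elements: list = []

    def start_element(name, attrs):
        open_elements.append(name)
        collected.setdefault(name, "")

    def end_element(name):
        open_elements.pop()

    def character_data(data):
        # Text may arrive in several chunks; concatenate per current element.
        if open_elements:
            collected[open_elements[-1]] += data

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Refuse the document outright; expat propagates this exception
        # out of Parse() and stops processing.
        raise DoctypeDisallowed(f"DOCTYPE '{doctype_name}' is not permitted")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    if disallow_doctype:
        parser.StartDoctypeDeclHandler = start_doctype

    parser.Parse(xml_bytes, True)
    return collected


def accepted_by_hardened_parser(xml_bytes: bytes) -> bool:
    """True if the hardened parser processed the document, False if it refused it."""
    try:
        parse_text_content(xml_bytes, disallow_doctype=True)
        return True
    except DoctypeDisallowed:
        return False


# Constructed sample documents (not real SAML assertions).
PLAIN_DOCUMENT = b"<Assertion><NameID>alice@example.org</NameID></Assertion>"

# Same element structure, but with a DOCTYPE carrying an internal entity.
# A lenient parser substitutes the entity, so the text the application
# receives is decided by the DTD rather than by the literal element content.
DOCTYPE_DOCUMENT = (
    b'<!DOCTYPE Assertion [<!ENTITY who "alice@example.org">]>'
    b"<Assertion><NameID>&who;</NameID></Assertion>"
)

if __name__ == "__main__":
    print("plain, hardened:", parse_text_content(PLAIN_DOCUMENT))
    print("doctype, lenient:", parse_text_content(DOCTYPE_DOCUMENT, disallow_doctype=False))
    print("doctype, hardened accepted:", accepted_by_hardened_parser(DOCTYPE_DOCUMENT))
```

Installing the check as a DOCTYPE handler, rather than scanning the input for the string "DOCTYPE", means the decision is made by the same parser that produces the application's data, so there is no gap between what was checked and what was parsed.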

Emily Ratliff (emilyr)
Changed in xmltooling (Ubuntu Xenial):
status: Incomplete → In Progress
assignee: nobody → Emily Ratliff (emilyr)
Revision history for this message
Ray Link (rlink) wrote :

Packages from security-proposed tested and look ok.

tags: added: verification-done-xenial
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xmltooling - 1.5.6-2ubuntu0.2

---------------
xmltooling (1.5.6-2ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Upstream patch to fix CVE-2018-0489 (LP: #1752306)
    - d/p/Add-disallowDoctype-to-parser-configuration.patch:
      Generic protection against data forgery. Irrelevant under
      Xerces 3.1, but is a pre-req for the CVE-2018-0489 patch.
    - d/p/CVE-2018-0489-Fix-additional-data-forgery-flaws.patch:
      New patches fixing CVE-2018-0489: additional data forgery flaws.
      These flaws allow for changes to an XML document that do not break a
      digital signature but alter the user data passed through to applications
      enabling impersonation attacks and exposure of protected information.

 -- Ray Link <email address hidden> Thu, 29 Mar 2018 15:17:35 -0400

Changed in xmltooling (Ubuntu Xenial):
status: In Progress → Fix Released
Revision history for this message
Steve Beattie (sbeattie) wrote :

Ubuntu 17.10 aka artful has reached the end of its support lifetime, closing artful's task. Thanks!

Changed in xmltooling (Ubuntu Artful):
status: Incomplete → Won't Fix