Posted to dev@apr.apache.org by William A Rowe Jr <wr...@rowe-clan.net> on 2015/07/31 22:50:08 UTC

Fwd: Vulnerability in APR-UTIL, perhaps APR

Thanks Daniel, sharing this with the dev@ list, as the problem and the fix
are both public.

Folks, what are your thoughts?  Our expat is already quite old, and the
current release was 2.10, while we were still shipping 1.95.7, before this
issue popped up.

Bumping major versions in a subversion release seems out of place.  Perhaps
though we can ship this in a 1.6 if we are going to proceed.  Would we want
to ship the patch, or would we want to ship expat project's own patches once
they update?

In 2.0 we thankfully don't bundle expat any longer, and actually allow
libxml2 in place of expat at the user's discretion.


---------- Forwarded message ----------
From: David Dillard <dd...@symantec.com>
Date: Fri, Jul 24, 2015 at 9:30 AM
Subject: Vulnerability in APR-UTIL, perhaps APR
To: "security@apache.org" <se...@apache.org>


Hi,

You may already know about this, but in case you don’t, some
vulnerabilities were published today against Google Chrome, one of which is
in the expat XML library.  A copy of this library is included in the latest
version of APR-UTIL (1.5.4).  Looking at the source it appears that this
vulnerability is still present in the version of the code used in APR-UTIL.

Link to the CVE:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1283

Link to the patch in Chrome:
https://codereview.chromium.org/1224303003/diff/1/third_party/expat/files/lib/xmlparse.c

Link to the related source in APR-UTIL:
http://svn.apache.org/viewvc/apr/apr-util/tags/1.5.4/xml/expat/lib/xmlparse.c?revision=1625430&view=markup#l1497

This may affect APR 2.x as well, I’m not sure.

--- David

Re: Fwd: Vulnerability in APR-UTIL, perhaps APR

Posted by Joe Orton <jo...@redhat.com>.
On Fri, Jul 31, 2015 at 03:50:08PM -0500, William Rowe wrote:
> Thanks Daniel, sharing this with the dev@ list, as the problem and the fix
> are both public.
> 
> Folks, what are your thoughts?  Our expat is already quite old, and 
> the current release was 2.10, while we were still shipping 1.95.7, 
> before this issue popped up.
> 
> Bumping major versions in a subversion release seems out of place.  
> Perhaps though we can ship this in a 1.6 if we are going to proceed.  
> Would we want to ship the patch, or would we want to ship expat 
> project's own patches once they update?

Having taken a brief look, I'm not sure if CVE-2015-2716 would be 
properly considered an expat bug, or a bug in some use of the expat API 
which Mozilla chose to fix by patching input parameter validation into 
expat.

https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c

That said, there are also CVE-2012-0876 and CVE-2012-1148, which look 
unfixed in the apr-util bundled expat.  I have backports of those fixes 
for expat 1.95.8 which don't apply to the 1.95.7 in apr-util.

Dunno.  "Don't start from here" looks like a pretty good option.

Regards, Joe

Re: Fwd: Vulnerability in APR-UTIL, perhaps APR

Posted by Ruediger Pluem <rp...@apache.org>.

On 08/03/2015 12:13 AM, Branko Čibej wrote:
> On 31.07.2015 22:50, William A Rowe Jr wrote:
>> Thanks Daniel, sharing this with the dev@ list, as the problem and the
>> fix are both public.
>>
>> Folks, what are your thoughts?  Our expat is already quite old, and
>> the current release was 2.10, while we were still shipping 1.95.7,
>> before this issue popped up.
>>
>> Bumping major versions in a subversion release seems out of place.
>> Perhaps though we can ship this in a 1.6 if we are going to proceed.
> 
> I agree, we should bundle the latest Expat in 1.6.

+1

> 
>> Would we want to ship the patch, or would we want to ship expat
>> project's own patches once they update?
> 
> Ideally we'd use the Expat project's patches, but it's likely that
> they'll just fix 2.10 and roll a new release; that won't help us with
> the code we bundle 1.4.x/1.5.x.

What about upgrading to the latest 1.95.x available and applying the needed
project patches or backports of them, as mentioned by Joe?

Regards

Rüdiger

Re: Fwd: Vulnerability in APR-UTIL, perhaps APR

Posted by Branko Čibej <br...@apache.org>.
On 31.07.2015 22:50, William A Rowe Jr wrote:
> Thanks Daniel, sharing this with the dev@ list, as the problem and the
> fix are both public.
>
> Folks, what are your thoughts?  Our expat is already quite old, and
> the current release was 2.10, while we were still shipping 1.95.7,
> before this issue popped up.
>
> Bumping major versions in a subversion release seems out of place.
> Perhaps though we can ship this in a 1.6 if we are going to proceed.

I agree, we should bundle the latest Expat in 1.6.

> Would we want to ship the patch, or would we want to ship expat
> project's own patches once they update?

Ideally we'd use the Expat project's patches, but it's likely that
they'll just fix 2.10 and roll a new release; that won't help us with
the code we bundle 1.4.x/1.5.x.

> In 2.0 we thankfully don't bundle expat any longer, and actually allow
> libxml2 in place of expat at the user's discretion.

Whew, yes! :)

-- Brane
