[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

2018-08-09 Thread Steve Beattie
Ubuntu 17.10 aka artful has reached the end of its support lifetime,
closing artful's task. Thanks!

** Changed in: xmltooling (Ubuntu Artful)
   Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1752306

Title:
  Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1752306/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

2018-04-02 Thread Launchpad Bug Tracker
This bug was fixed in the package xmltooling - 1.5.6-2ubuntu0.2

---
xmltooling (1.5.6-2ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Upstream patch to fix CVE-2018-0489 (LP: #1752306)
    - d/p/Add-disallowDoctype-to-parser-configuration.patch:
      Generic protection against data forgery.  Irrelevant under
      Xerces 3.1, but is a pre-req for the CVE-2018-0489 patch.
    - d/p/CVE-2018-0489-Fix-additional-data-forgery-flaws.patch:
      New patches fixing CVE-2018-0489: additional data forgery flaws.
      These flaws allow for changes to an XML document that do not break a
      digital signature but alter the user data passed through to applications
      enabling impersonation attacks and exposure of protected information.

 -- Ray Link   Thu, 29 Mar 2018 15:17:35 -0400

** Changed in: xmltooling (Ubuntu Xenial)
   Status: In Progress => Fix Released

[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

2018-03-30 Thread Ray Link
Packages from security-proposed tested and look ok.

** Tags added: verification-done-xenial

[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

2018-03-29 Thread Emily Ratliff
** Changed in: xmltooling (Ubuntu Xenial)
   Status: Incomplete => In Progress

** Changed in: xmltooling (Ubuntu Xenial)
 Assignee: (unassigned) => Emily Ratliff (emilyr)

[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

2018-03-29 Thread Ray Link
Debdiff attached which fixes the problem for Xenial.

Since there is no corresponding Debian release to fakesync this from for
Xenial, I've just recreated the patch sequence against the version
already in Xenial.  It includes the same two quilt patches which have
been fake-synced into Trusty, and already exist in Bionic:

- A one-line patch to add 'disallowDoctype' to the parser configuration.
While this does nothing under the Xerces 3.1 in Xenial, it provides
generic impersonation protection for Xerces 3.2.  This patch is a pre-
req to get the upstream CVE-2018-0489 patch to apply cleanly.

- Upstream's patch for CVE-2018-0489.

** Patch added: "debdiff for Xenial"
   https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1752306/+attachment/5095295/+files/CVE-2018-0489-xenial.debdiff

[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

2018-03-20 Thread Steve Beattie
Fixed in bionic in
https://launchpad.net/ubuntu/+source/xmltooling/1.6.4-1ubuntu2.

Still needs to be addressed in xenial and artful.

** Also affects: xmltooling (Ubuntu Bionic)
   Importance: Undecided
   Status: Fix Released

** Also affects: xmltooling (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: xmltooling (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: xmltooling (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Changed in: xmltooling (Ubuntu Trusty)
   Status: New => Fix Released

** Changed in: xmltooling (Ubuntu Xenial)
   Status: New => Incomplete

** Changed in: xmltooling (Ubuntu Artful)
   Status: New => Incomplete

[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

2018-03-20 Thread Launchpad Bug Tracker
This bug was fixed in the package xmltooling - 1.5.3-2+deb8u3build0.14.04.1

---
xmltooling (1.5.3-2+deb8u3build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian (LP: #1752306)

xmltooling (1.5.3-2+deb8u3) jessie-security; urgency=high

  * [2890d0c] New patches fixing CVE-2018-0489: additional data forgery flaws.
    These flaws allow for changes to an XML document that do not break a
    digital signature but alter the user data passed through to applications
    enabling impersonation attacks and exposure of protected information.
    https://shibboleth.net/community/advisories/secadv_20180227.txt
    https://issues.shibboleth.net/jira/browse/CPPXT-128
    The Add-disallowDoctype-to-parser-configuration.patch is not effective
    under Xerces 3.1 in jessie, but provides more generic protection under
    Xerces 3.2 against issues like CVE-2018-0486.  It's included here for
    completeness and to avoid a conflict applying the CVE-2018-0489 patch.

 -- Steve Beattie   Tue, 20 Mar 2018 15:21:30 -0700

** Changed in: xmltooling (Ubuntu)
   Status: Incomplete => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-0486

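The 'disallowDoctype' parser protection referred to in the Xenial debdiff note and in the trusty changelog above, as an added defender-side illustration that is not code from this thread, from xmltooling or from Xerces-C: a Python wrapper around the stdlib expat parser that refuses any document declaring a DOCTYPE before signature or attribute handling can see it. The element names and both sample documents are constructed for the example.

```python
import xml.parsers.expat

# Constructed sample inputs (not from the bug thread): a plain assertion-like
# document, and the same content carried through a DOCTYPE-defined entity.
CLEAN = (b'<Assertion xmlns="urn:example"><NameID>alice@example.org</NameID>'
         b'</Assertion>')
WITH_DOCTYPE = (b'<!DOCTYPE Assertion [<!ENTITY who "alice@example.org">]>'
                b'<Assertion xmlns="urn:example"><NameID>&who;</NameID></Assertion>')

class DoctypeNotAllowed(ValueError):
    """Raised as soon as the parser sees a DOCTYPE declaration."""


def parse_without_doctype(xml_bytes: bytes) -> dict:
    """Parse a document, refusing it outright if it declares a DOCTYPE.

    Same shape as the 'disallowDoctype' setting the thread describes: the
    refusal happens inside the parser, before any signature check or
    attribute extraction sees the data. Returns the root element name and
    its character data, i.e. what would have been handed to the application.
    """
    parser = xml.parsers.expat.ParserCreate()
    result = {"root": None, "chars": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Abort on the declaration itself; no entity is ever expanded.
        raise DoctypeNotAllowed(
            f"DOCTYPE {name!r} rejected (internal subset: {bool(has_internal_subset)})")

    def on_start(tag, attrs):
        if result["root"] is None:
            result["root"] = tag

    def on_chars(data):
        result["chars"].append(data)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_bytes, True)  # raises DoctypeNotAllowed or ExpatError
    return {"root": result["root"], "text": "".join(result["chars"])}


def accepted(xml_bytes: bytes) -> bool:
    """True if the document passes the DOCTYPE gate, False if it is refused."""
    try:
        parse_without_doctype(xml_bytes)
        return True
    except DoctypeNotAllowed:
        return False
```

Malformed input still surfaces as xml.parsers.expat.ExpatError, which a caller should treat as a rejection too rather than catching and continuing.
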
[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

2018-03-16 Thread Seth Arnold
"Incomplete" is noisier -- if we set this to 'confirmed' and no one
works on it, no one will ever be reminded of it. If we set this to
'incomplete' and no one works on it, folks will get an email when it
auto-expires and be reminded that it's still not fixed. Perhaps by then
someone will have more time / enthusiasm for providing a fix.

Thanks

[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

2018-03-16 Thread David Champion
Another question though. Why is this bug now "incomplete" when there's a
CVE that confirms this version has a flaw? It doesn't seem unverifiable.

[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

2018-03-15 Thread David Champion
Thanks for the explanation. Unfortunately all the debian packaging stuff
puts it out of reach for me. I'll look into simply building my own stack
from source.

[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

2018-03-14 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
coordinating with upstream and posting a debdiff for this issue. When a
debdiff is available, members of the security team will review it and
publish the package. See the following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** Changed in: xmltooling (Ubuntu)
   Status: Confirmed => Incomplete

[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

2018-03-14 Thread Seth Arnold
The 14.04 LTS xmltooling package shows up on
http://people.canonical.com/~ubuntu-security/d2u/ so there's a good chance
we'll release a fakesync from Debian to address this for trusty, but other
releases will need someone from the community to prepare and test a debdiff.
Once it's ready, attach it here, and subscribe ubuntu-security-sponsors.

Thanks

[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

2018-03-14 Thread David Champion
It's been 2 weeks since this critical vuln was announced, and SPs
running Shibboleth on Ubuntu are dead in the water or insecure. Does
Ubuntu have any fix plan for this?

I've tried porting the Debian package stack myself but there are build
failures I don't have time to pursue.

[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

2018-03-12 Thread Bruno Silva
Is there any prevision of a bugfix for Ubuntu 14.04?

[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

2018-03-02 Thread David Champion
Timeline?

[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

2018-03-02 Thread David Champion
To emphasize, this vulnerability allows remote access as any valid user
by any third party with no local foothold. It's a very bad one.

[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

2018-02-28 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: xmltooling (Ubuntu)
   Status: New => Confirmed

[Bug 1752306] Re: Security bug in XMLTooling-C before 1.6.4 [CVE-2018-0489]

2018-02-28 Thread Ken
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-0489