Closed Bug 1271009 Opened 8 years ago Closed 8 years ago

CVE-2016-0718 for libexpat

Categories

(Core :: XML, defect)


RESOLVED DUPLICATE of bug 1236923

People

(Reporter: erahm, Assigned: erahm)

Details

(Whiteboard: btpp-fixnow Embargo until May 17, 2016 21:00 UTC+2 (noon PDT))

Received an email indicating a pending libexpat CVE disclosure. They want to disclose on May 17th, but are willing to coordinate if we need more time. Contents below:

> From: sebastian@pipping.org Sebastian Pipping 
> To:  
> Date: Fri, 6 May 2016 15:07:05 -0700 
> Subject: Re: Expat vuln. CVE-2016-0718, please reply before 2016-05-10 
>  
> Hello again!
> 
> 
> A quick update on dates:
>         ^^^^^^    ^^^^^
> We have been asked to move the second deadline off Friday for good
> reasons.  After careful consideration, we have decided to:
> 
>   move the second deadline ("end of embargo")
>   from Friday 2016-05-13 forward
>   to  Tuesday 2016-05-17,
>   keeping the time unchanged at 21:00 UTC+2.
> 
> leaving more time to you as well.  I hope it's in your interest, too.
> Thanks for your attention.
> 
> Best, Sebastian
> 
> 
> On 06.05.2016 00:40, Sebastian Pipping wrote:
> > Hello!
> > 
> > 
> > You are either maintaining Expat somewhere important or are security
> > contact of a project or both.
> > 
> > There is a vulnerability named "CVE-2016-0718" in Expat that we aim to
> > disclose to the public responsibly: The idea is to have everyone
> > publish a fixed version at the same time so that no one remains
> > vulnerable once the vulnerability went public.
> > 
> > For next steps we are planning:
> > 
> >  * 2016-05-10   Mail to everyone (who replied confirming to be in and
> >    Tuesday      respect the embargo period):
> >    21:00 UTC+2  * More details
> >                 * A patch
> >                 * Malformed trigger files in a tar archive
> >                 * The list of contacts that are in to promote
> >                   collaboration without violating the embargo
> > 
> >  * 2016-05-17   Embargo ends, we push related commits to the Expat
>              ^^ moved
> >    Tuesday       Git repository, and publish to oss-security.
>      ^^^^ moved
> >    21:00 UTC+2  You upload packaging changes, new binaries etc.
>      ^^ kept :)
> > 
> > If these dates do not work for you, please let us know ASAP.
> > We will share changes of dates with everyone.
> > 
> > To continue, please confirm that you respect the embargo and
> > would like to participate.
> > 
> > We are looking forward to hearing from you.  Best,
> > 
> > 
> > 
> > Sebastian
> > 
>
I assume I received this email because I fixed a previous sec issue in libexpat. I've replied indicating we'd like to participate and CC'd security@mozilla.org.
Group: core-security → dom-core-security
We don't have any details yet, but given the way this is being coordinated and dropping everywhere at once this could lead to a chemspill release for May 17 or 18.
Group: dom-core-security → core-security-release
Flags: needinfo?(lhenry)
OK. Thanks for letting me know. So does this definitely affect 46? 45esr too?
Flags: needinfo?(lhenry)
Can you fix this, Eric, when the patch is released, if it is needed? Thanks.
Flags: needinfo?(erahm)
Whiteboard: btpp-fixnow
(In reply to Andrew McCreight [:mccr8] from comment #4)
> Can you fix this, Eric, when the patch is released, if it is needed? Thanks.

Yes. I'm hoping whatever it is doesn't affect us (my guess is it's character conversion, which we don't use); either way I'll evaluate and fix as necessary.
Flags: needinfo?(erahm)
Thanks, Eric!
Assignee: nobody → erahm
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #3)
> OK. thanks for letting me know. So does this definitely affect 46? 45esr too?

If it affects any version, it will affect all versions. As Eric said, we might be safe but we can't tell yet.
This has the same CVE, and same discoverer according to the additional details we got, as bug 1236923. We determined that bug didn't affect us, but now that we have a patch we should double-check that.
Whiteboard: btpp-fixnow → btpp-fixnow Embargo until May 17, 2016
Whiteboard: btpp-fixnow Embargo until May 17, 2016 → btpp-fixnow Embargo until May 17, 2016 21:00 UTC+2 (noon PDT)
Yes, same testcase -- this is bug 1236923.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Group: core-security-release