[MIR] open-vm-tools 10.0.x build dependencies: xml-security-c and xerces-c

Bug #1482777 reported by Ben Howard
Affects                   Status     Importance  Assigned to            Milestone
xerces-c (Ubuntu)         Won't Fix  High        Ubuntu Security Team   -
xml-security-c (Ubuntu)   Won't Fix  High        Unassigned             -

Bug Description

Explanation: open-vm-tools 9.10.2 synced from Debian introduces two new build dependencies. This MIR requests that both
libxerces-c and libxml-security-c be promoted to main.

These build dependencies support the SAML based guest authentication.

open-vm-tools was MIR with Bug #1220950

[PACKAGE: xml-security-c ]
Apache XML Security for C++ is a library for the XML Digital Security specification. It provides processing and handling of XML Key Management Specifications (XKMS) messages.

Availability: universe, Debian

Rationale: build dependency for SAML Based guest authentication in open-vm-tools

Security: There have been 5 CVEs, with four in 2013:
   [1] CVE-2013-2153 - signature validation bypass issue
   [2] CVE-2013-2154 - stack overflow during XPointer evaluation
   [3] CVE-2013-2155 - DoS attack through crafted HMAC authentication
   [4] CVE-2013-2156 - heap overflow potentially allowing arbitrary code execution

[1] http://santuario.apache.org/secadv.data/CVE-2013-2153.txt
[2] http://santuario.apache.org/secadv.data/CVE-2013-2154.txt
[3] http://santuario.apache.org/secadv.data/CVE-2013-2155.txt
[4] http://santuario.apache.org/secadv.data/CVE-2013-2156.txt

QA: This is an official project under the Apache foundation. The project is actively maintained. See: https://svn.apache.org/viewvc/santuario/

[ PACKAGE: xerces-c ]
Xerces-C++ is a validating XML parser written in a portable subset of C++.

Availability: universe, Debian

Rationale: build dependency for SAML Based guest authentication in open-vm-tools

Security: A review of the CVE history shows 3 CVEs since 2004. There was one CVE in 2015 (CVE-2015-0252) and before that in 2009 (CVE-2009-1885). CVE-2009-1885 was a DoS vector caused by malformed DTDs.

QA: This package is an official project under the Apache foundation and has been around since 2004. The project is actively maintained. See https://svn.apache.org/viewvc/xerces/c/?root=Apache-SVN

Dependencies: Package is maintained in Debian and Ubuntu.

Steve Langasek (vorlon)
affects: open-vm-tools (Ubuntu) → xml-security-c (Ubuntu)
Matthias Klose (doko) wrote :

Both packages don't have bug subscribers; this is incomplete. However, it blocks GCC 5, so let's go ahead with it, requesting a review from the security team.

Changed in xerces-c (Ubuntu):
importance: Undecided → Critical
milestone: none → ubuntu-15.08
Changed in xml-security-c (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
importance: Undecided → Critical
milestone: none → ubuntu-15.08
Changed in xerces-c (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Matthias Klose (doko) wrote :

Disabled xmlsecurity and xerces for now, so that it doesn't block GCC 5.

Tyler Hicks (tyhicks)
Changed in xerces-c (Ubuntu):
importance: Critical → Medium
Changed in xml-security-c (Ubuntu):
importance: Critical → High
importance: High → Medium
Ben Howard (darkmuggle-deactivatedaccount) wrote :

Subscribed the Cloud Image team to both packages.

Robert C Jennings (rcj) wrote :

I am working on bringing open-vm-tools 10.0 (bug #1492429) to Xenial. I will disable xmlsecurity and xerces while this bug is being worked.

Patricia Gaughen (gaughen) wrote :

Checking in to see if this will land for Xenial.

Ben Howard (darkmuggle-deactivatedaccount) wrote :

Retargeting this for 16.04.

summary: - [MIR] open-vm-tools 9.10.2 build dependencies: xml-security-c and
+ [MIR] open-vm-tools 10.0.x build dependencies: xml-security-c and
xerces-c
Changed in xml-security-c (Ubuntu):
milestone: ubuntu-15.08 → ubuntu-16.04
Changed in xerces-c (Ubuntu):
milestone: ubuntu-15.08 → ubuntu-16.04
Changed in xerces-c (Ubuntu):
importance: Medium → High
Changed in xml-security-c (Ubuntu):
importance: Medium → High
Tyler Hicks (tyhicks)
Changed in xml-security-c (Ubuntu):
status: New → In Progress
assignee: Ubuntu Security Team (ubuntu-security) → Seth Arnold (seth-arnold)
Seth Arnold (seth-arnold) wrote :

Security team NAK for xml-security-c promotion to main. I will follow up with Apache security team.

Consider using xmlsec1 instead; I recall liking the codebase when I reviewed it.

Changed in xml-security-c (Ubuntu):
assignee: Seth Arnold (seth-arnold) → nobody
Robert C Jennings (rcj) wrote :

Thank you Seth, I will take this feedback to the development team and see if xmlsec1 is an alternative post-GA. Meanwhile we will build without the feature that requires this package.

Oliver Kurth (okurth-1) wrote :

Please note that the CVEs mentioned in the original description are all about versions prior to 1.7.1. The current version of xml-security is 1.7.3.

Ravindra Kumar (ravindrakumar) wrote :

Robert, would you mind sharing the list of applications in Ubuntu that are already using xmlsec1?

Dan Watkins (oddbloke) wrote :

Hi Ravindra,

You can generate this list yourself using `apt-cache rdepends "*xmlsec1*"`.

Below is the output for xenial; note that the list is likely to be different for different releases. :)

Dan

libxmlsec1
Reverse Depends:
  libxmlsec1-gcrypt
  liblasso3
  libarccommon3v5
  libaqebics0
  dacs
  xmlsec1
  libxmlsec1-openssl
  libxmlsec1-nss
  libxmlsec1-gnutls
  libxmlsec1-dev
libxmlsec1-dev
Reverse Depends:
  liblasso3-dev
libxmlsec1-openssl
Reverse Depends:
  xmlsec1
  liblasso3
  libarccommon3v5
  dacs
  libxmlsec1-dev
libxmlsec1-gnutls
Reverse Depends:
  libxmlsec1-dev
libxmlsec1-nss
Reverse Depends:
  libxmlsec1-dev
libxmlsec1-gcrypt
Reverse Depends:
  libxmlsec1-gnutls
  libxmlsec1-dev
xmlsec1
Reverse Depends:
  python-pysaml2
  python3-pysaml2

Tiago Stürmer Daitx (tdaitx) wrote :

I got to this bug through the last merge (LP: #1666430) that pointed to LP: #1492429 which linked here.

I was also investigating that merge (somehow we got two bug reports open for the same thing) and I agree with Seth Arnold that it is better (ubuntu-wise) to use xmlsec1 than xml-security-c + xerces.

I tested and confirmed that the package builds fine with xmlsec1 which - as Seth pointed out - is also on main.

The question is: do we care about SAML-based guest authentication? If we don't, then it is better to simply keep the Build-Depends as it is in Debian (so we can prevent recurring merges because of changes in debian/control) and simply disable the xml-security-c check in debian/rules's auto configure override. Notice that since Xenial it is ok to have a package in Main with a Build-Depends from Universe as long as that doesn't generate a runtime dependency on Universe [1].

Now, if we *do* care about SAML-based guest authentication, moving to xmlsec1 seems fine. It would be great to also have that change in Debian as well, but I don't know if there is a more convincing reason to push that forward than "works better for Ubuntu". Can anyone help figure this out?

See the proposed patch to replace xml-security-c + xerces by xmlsec1. Note that the patch also changes the Build-Depends from libssl1-0-dev to libssl-1-0-dev|libssl-dev to make backporting easier (see debian bug #856569 [2]), but that part can be safely ignored.

[1] https://lists.ubuntu.com/archives/ubuntu-devel-announce/2016-April/001179.html
[2] http://bugs.debian.org/856569

Tiago Stürmer Daitx (tdaitx) wrote :

The Debian maintainer reached out to me through the Debian bug 856569. He will be moving from xmlsecurity to xmlsec1 after stretch is released.

He has also updated the package to have libssl-dev as an alternate dependency to libssl-1.0-dev (i.e. Build-Depends on 'libssl-1.0-dev|libssl-dev') [1].

We can update our package now following that commit (but replacing xmlsecurity/xerces with xmlsec1) or wait until the merge fails again after his next release. I am copying this message over the last merge bug report (LP: #1666430) so we have some track of this issue in case we decide to wait for the next merge.

[1] https://github.com/bzed/pkg-open-vm-tools/commit/ed95c1d1f23c9982ba997ca05bae0d86d1505162

Yogendra Bhasin (ybhasin) wrote :

We have released 10.1.5 open-vm-tools where VGAuth is dependent on xmlsec1 instead of xml-security-c. Please help enable VGAuth using the following configure switch --enable-xmlsec1. We have raised the following bug against 17.04 for this issue:
https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1677196

Thanks
Yogi

Changed in xml-security-c (Ubuntu):
status: In Progress → Won't Fix
Changed in xerces-c (Ubuntu):
status: New → Won't Fix