[security-announce] Security Update: expat: CVE-2012-6702, CVE-2016-5300

Sona Sarmadi sona.sarmadi at enea.com
Fri Feb 17 08:29:09 CET 2017


	Enea Linux Security Advisory

==============================================================
Product/package: Enea Linux 6.0: (expat 2.1.0)
Architecture: all
==============================================================

Following vulnerabilities have been fixed in Enea Linux 6.0:

===============================================================
CVE-2012-6702 expat: Using XML_Parse before rand() results into
non-random output
===============================================================
Severity: Medium

Expat, when used in a parser that has not called XML_SetHashSalt or
passed it a seed of 0, makes it easier for context-dependent attackers
to defeat cryptographic protection mechanisms via vectors involving use
of the srand function.


================================================================
CVE-2016-5300 expat: Little entropy used for hash initialization
================================================================
Severity: Medium

It was found that original fix for CVE-2012-0876 used too little entropy
for the hash intilization.

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702

Reference to upstream fix:
https://bugzilla.redhat.com/attachment.cgi?id=1165210 Squashed backport
against vanilla Expat 2.1.1, addressing:
* CVE-2012-6702 -- unanticipated internal calls to srand
* CVE-2016-5300 -- use of too little entropy

Correction for Enea Linux:
http://git.enea.com/cgit/linux/poky.git/patch/?id=88246c60937b662064cc10b3771faf6b73466a5b


How to get the latest patches
=============================
- If you have already cloned needed repositories, update it to get new
security patches.

cd Enea-Linux-6.0
$ repo sync

- If you have not yet cloned needed repositories, do it as described
below. (Security patches are fetched implicitly when cloning the repos).

Use repo tool to download the source for the Enea Linux 6.0 standard,
follow the steps below:
1. Make sure that the repo tool is installed. If not, follow the
instructions below:

$ curl https://storage.googleapis.com/git-repo-downloads/repo >
~/bin/repo $ chmod a+x ~/bin/repo

The instruction assumes that ~/bin exists and is included in the PATH
variable.

2.Use the repo tool to download the source:
$ mkdir Enea-Linux-6.0
$ cd Enea-Linux-6.0
$ repo init \
-u git://git.enea.com/linux/el_manifests-standard.git \ -b krogoth\ -m
<manifest file> $ repo sync

The parameter <manifest file> depends on the target:
P2041RDB: p2041rdb/default.xml
LS1021a-IoT: ls1021aiot/default.xml
QEMUARM: qemuarm/default.xml
QEMUPCC: qemuppc/default.xml
QEMUX86: qemux86/default.xml

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

For gerneral security refer to Enea Linux Security page:
http://www.enea.com/solutions/Enea-Linux/Security/

For the CVEs fixed at Enea Linux releases see CVE list:
http://www.enea.com/solutions/Enea-Linux/Security/CVEs-list/

For custom packages/releases please use the Support Channel:
http://www.enea.com/solutions/support.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://mail.lists.enea.com/pipermail/security-announce/attachments/20170217/abb3c99e/attachment.sig>


More information about the security-announce mailing list