
Issue 703537 link

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 1
Type: Bug-Security



CVE Vulnerability of lib expat 2.1.0

Reported by qingche...@opera.com, Mar 21 2017

Issue description

Steps to reproduce the problem:
Expat 2.1.0, which was released in 2012-03, is known to have some
security issues.
According to expat 2.2.0 change log:
Security fixes:
    #537  CVE-2016-0718 -- Fix crash on malformed input
          CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
          CVE-2015-2716 introduced with Expat 2.1.1
    #499  CVE-2016-5300 -- Use more entropy for hash initialization
                           than the original fix to CVE-2012-0876
    #519  CVE-2012-6702 -- Resolve troublesome internal call to srand
            that was introduced with Expat 2.1.0
            when addressing CVE-2012-0876 ( issue #496 )

Some of them were patched in the Chromium repo, but not all.

We should update lib expat to fix these vulnerabilities.

What is the expected behavior?

What went wrong?
CVE Vulnerability of lib expat 2.1.0

Did this work before? N/A 

Chrome version: 56.0.2924.87  Channel: beta
OS Version: 58.0.3029.21
Flash Version: Shockwave Flash 24.0 r0
 
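As a defender-side check for the situation described above (a vendored Expat that sits behind the upstream fix release), here is an added Python example that is not part of the issue or of Chromium: it parses the "Security fixes" block quoted in the report together with a README.chromium-style `Version:` field and reports which CVEs remain open. The README.chromium text and the `locally_patched` list are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt: the "Security fixes" block of the Expat 2.2.0 Changes
# file, as quoted in the issue description (tracker ids kept as on the page).
CHANGES_EXCERPT = """\
Security fixes:
    #537  CVE-2016-0718 -- Fix crash on malformed input
          CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
          CVE-2015-2716 introduced with Expat 2.1.1
    #499  CVE-2016-5300 -- Use more entropy for hash initialization
                           than the original fix to CVE-2012-0876
    #519  CVE-2012-6702 -- Resolve troublesome internal call to srand
            that was introduced with Expat 2.1.0
            when addressing CVE-2012-0876 ( issue #496 )
"""

# Constructed README.chromium-style metadata for the vendored copy (assumed).
README_CHROMIUM = "Name: expat\nVersion: 2.1.0\nSecurity Critical: yes\n"


def parse_fixed_cves(changes_text: str) -> List[str]:
    """Return only the CVE ids this Changes block actually fixes.

    An id directly followed by ' -- ' starts a fix entry.  Other ids in the
    block (CVE-2015-1283, CVE-2015-2716, CVE-2012-0876) are references to
    earlier fixes; a naive 'find every CVE-' scan would misreport them.
    """
    return re.findall(r"(CVE-\d{4}-\d{4,})\s+--", changes_text)


def parse_readme_chromium(text: str) -> Dict[str, str]:
    """Parse the 'Key: value' lines of a README.chromium-style file."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def version_tuple(version: str) -> Tuple[int, ...]:
    """'2.1.0' -> (2, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def unpatched_cves(readme_text: str, fixed_in: str, changes_text: str,
                   locally_patched: Tuple[str, ...] = ()) -> List[str]:
    """CVEs fixed upstream in `fixed_in` that the vendored copy still lacks,
    minus any the vendor has already backported (`locally_patched`)."""
    vendored = parse_readme_chromium(readme_text)["Version"]
    if version_tuple(vendored) >= version_tuple(fixed_in):
        return []
    return [c for c in parse_fixed_cves(changes_text) if c not in locally_patched]
```

Running `unpatched_cves(README_CHROMIUM, "2.2.0", CHANGES_EXCERPT, ("CVE-2016-0718",))` models the "patched in the Chromium repo, but not complete" state: one backport is credited and the remaining three ids are reported.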

Comment 1 by rsesek@chromium.org, Mar 21 2017

Cc: nick@chromium.org
Components: Internals
Labels: Security_Severity-Medium Security_Impact-Stable M-58
Owner: dominicc@chromium.org
Status: Assigned (was: Unconfirmed)
Since CVE-2016-9892 is a heap buffer overflow, going to assign this as Severity-Medium. 

Comment 2 by sheriffbot@chromium.org, Mar 22 2017

Labels: -Pri-2 Pri-1

Comment 3 by bugdroid1@chromium.org, Mar 23 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/33a5703a620ec246ee08214e6c880068b6e9d687

commit 33a5703a620ec246ee08214e6c880068b6e9d687
Author: qingchengl <qingchengl@opera.com>
Date: Thu Mar 23 08:22:16 2017

Update expat to 2.2.0 to fix CVE vulnerability.

Security fixes:
    CVE-2016-0718 -- Fix crash on malformed input
    CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
    CVE-2015-2716 introduced with Expat 2.1.1
    CVE-2016-5300 -- Use more entropy for hash initialization
        than the original fix to CVE-2012-0876
    CVE-2012-6702 -- Resolve troublesome internal call to srand
            that was introduced with Expat 2.1.0
            when addressing CVE-2012-0876 ( issue #496 )

BUG= 703537 

Review-Url: https://codereview.chromium.org/2761253002
Cr-Commit-Position: refs/heads/master@{#459025}

[modify] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/README.chromium
[modify] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/COPYING
[modify] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/Changes
[modify] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/MANIFEST
[modify] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/README
[modify] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/lib/amigaconfig.h
[modify] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/lib/expat.h
[modify] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/lib/expat_config.h
[modify] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/lib/expat_external.h
[add] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/lib/expat_external.h.original
[modify] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/lib/internal.h
[modify] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/lib/libexpat.def
[modify] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/lib/libexpatw.def
[modify] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/lib/xmlparse.c
[modify] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/lib/xmlparse.c.original
[modify] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/lib/xmlrole.c
[modify] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/lib/xmltok.c
[add] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/lib/xmltok.c.origin
[modify] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/lib/xmltok.h
[modify] https://crrev.com/33a5703a620ec246ee08214e6c880068b6e9d687/third_party/expat/files/lib/xmltok_impl.c
[delete] https://crrev.com/430307ef971c7bb91ac0b9f6ac80e511e6418c13/third_party/expat/files/lib/xmltok_impl.c.original

Cc: qingche...@opera.com
Status: Started (was: Assigned)
Thanks qingchengl for working on this.

Next step: Wait until 59.0.3050.0 is distributed and I'll check crash for problems. If none and no others come to light we should request merging this.
Blocking: 617556
Blocking: 666684
Blocking: 702603
Blocking: 640574
Blocking: 666716
Blocking: 637228
Blocking: 666842
Blocking: 683308
Labels: Merge-Request-58
I'm not seeing any expat crashes in 59.0.3050.0. Shall we merge this?

Comment 14 by sheriffbot@chromium.org, Mar 27 2017

Labels: -Merge-Request-58 Hotlist-Merge-Approved Merge-Approved-58
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 15 Deleted

@dominicc Could you merge the patch? I am not a committer yet :)


Comment 17 by sheriffbot@chromium.org, Mar 27 2017

Status: Fixed (was: Started)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 18 by bugdroid1@chromium.org, Mar 27 2017

Labels: -merge-approved-58 merge-merged-3029
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/55a2d106eda76d4248ba3415d4718afd7538f425

commit 55a2d106eda76d4248ba3415d4718afd7538f425
Author: Dominic Cooney <dominicc@chromium.org>
Date: Mon Mar 27 13:33:20 2017

Update expat to 2.2.0 to fix CVE vulnerability.

Security fixes:
    CVE-2016-0718 -- Fix crash on malformed input
    CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
    CVE-2015-2716 introduced with Expat 2.1.1
    CVE-2016-5300 -- Use more entropy for hash initialization
        than the original fix to CVE-2012-0876
    CVE-2012-6702 -- Resolve troublesome internal call to srand
            that was introduced with Expat 2.1.0
            when addressing CVE-2012-0876 ( issue #496 )

BUG= 703537 

Review-Url: https://codereview.chromium.org/2761253002
Cr-Commit-Position: refs/heads/master@{#459025}
(cherry picked from commit 33a5703a620ec246ee08214e6c880068b6e9d687)

Review-Url: https://codereview.chromium.org/2781503002 .
Cr-Commit-Position: refs/branch-heads/3029@{#425}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}

[modify] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/README.chromium
[modify] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/COPYING
[modify] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/Changes
[modify] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/MANIFEST
[modify] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/README
[modify] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/lib/amigaconfig.h
[modify] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/lib/expat.h
[modify] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/lib/expat_config.h
[modify] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/lib/expat_external.h
[add] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/lib/expat_external.h.original
[modify] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/lib/internal.h
[modify] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/lib/libexpat.def
[modify] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/lib/libexpatw.def
[modify] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/lib/xmlparse.c
[modify] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/lib/xmlparse.c.original
[modify] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/lib/xmlrole.c
[modify] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/lib/xmltok.c
[add] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/lib/xmltok.c.origin
[modify] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/lib/xmltok.h
[modify] https://crrev.com/55a2d106eda76d4248ba3415d4718afd7538f425/third_party/expat/files/lib/xmltok_impl.c
[delete] https://crrev.com/623dc2bca68212e0f7e4617e84585a74fe63c7bc/third_party/expat/files/lib/xmltok_impl.c.original

My pleasure.

Comment 20 by sheriffbot@chromium.org, Mar 28 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-NA
Labels: -Hotlist-Merge-Approved
Labels: Release-0-M58

Comment 24 by sheriffbot@chromium.org, Jul 3 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
