Bug 888769

Summary: exiv2: embedded copy of exempi should be compiled with BanAllEntityUsage
Product: Fedora
Reporter: Florian Weimer <fweimer>
Component: exiv2
Assignee: Rex Dieter <rdieter>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 24
CC: mcepl, rdieter, security-response-team
Keywords: Security
Fixed In Version: exiv2-0.24-5.fc22
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-03-06 23:18:13 UTC
Bug Depends On: 888768
Bug Blocks: 888729

Description Florian Weimer 2012-12-19 13:04:23 UTC
See bug 888765:

exempi contains code to protect against a denial-of-service attack related to XML entity expansion ("billion laughs attack"), but it is not compiled into the Fedora package because BanAllEntityUsage is not defined when the package is compiled.
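The guard the report is asking for works by refusing every entity declaration, since XMP packets never legitimately need DTD entities. The following is an added illustration of that approach, not exempi's or exiv2's own code: it uses Python's standard-library binding to the same expat parser exempi wraps, installs an entity-declaration handler that aborts the parse, and contrasts it with expat's default behaviour on a constructed XMP packet. The sample packets, the `EntityUsageBanned` exception and the `parse_xmp` / `is_rejected` helpers are all assumptions made for this example.

```python
import xml.parsers.expat

# Constructed sample inputs (not taken from the bug report).
# A minimal, well-formed XMP packet that any parser should accept.
CLEAN_XMP = b"""<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">
   <dc:title>Example</dc:title>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>"""

# The same packet, but the title is supplied through a DTD entity. One
# harmless entity is enough to show where the guard fires: it stops at the
# first declaration, so nested entities never get the chance to expand.
ENTITY_XMP = b"""<!DOCTYPE x:xmpmeta [ <!ENTITY t "Example"> ]>
""" + CLEAN_XMP.replace(b"<dc:title>Example</dc:title>", b"<dc:title>&t;</dc:title>")


class EntityUsageBanned(ValueError):
    """Raised when the document declares any entity, general or parameter."""


def parse_xmp(data: bytes, ban_entities: bool = True) -> dict:
    """Parse an XMP packet with expat; return the element names and text seen.

    With ban_entities=True every <!ENTITY ...> declaration aborts parsing
    before any reference to it can be expanded (the idea behind exempi's
    BanAllEntityUsage build option). With ban_entities=False expat's default
    applies and internal entities are expanded silently.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = {"elements": [], "chunks": []}

    def on_entity_decl(name, is_parameter, value, base, system_id,
                       public_id, notation_name):
        # expat calls this for each entity declaration in the DTD subset;
        # raising here propagates out of Parse() and stops the parser.
        raise EntityUsageBanned(f"entity declaration {name!r} not allowed in XMP")

    parser.StartElementHandler = lambda name, attrs: seen["elements"].append(name)
    parser.CharacterDataHandler = seen["chunks"].append
    if ban_entities:
        parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)
    return {"elements": seen["elements"], "text": "".join(seen["chunks"]).strip()}


def is_rejected(data: bytes) -> bool:
    """True if the guarded parser refuses `data` because it declares entities."""
    try:
        parse_xmp(data, ban_entities=True)
    except EntityUsageBanned:
        return True
    return False
```

A packager can apply the same idea as a build-time check: feed an entity-bearing packet to the freshly built library and expect a parse error rather than an expanded value.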

Comment 1 Jan Kurik 2015-12-22 11:30:28 UTC
This bug is currently assigned to an unsupported release. If you think this bug is still valid and should remain open, please re-assign it to a supported release (F22, F23) or to rawhide.

Bugs which will be assigned to an unsupported release are going to be closed as EOL (End Of Life) on January 26th, 2016.

Comment 2 Rex Dieter 2016-02-22 14:24:59 UTC
Added to fedora packaging now, and asking upstream for feedback,

http://dev.exiv2.org/boards/3/topics/2366

Comment 3 Jan Kurik 2016-02-24 13:12:00 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and the reason for this action are here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 4 Fedora Update System 2016-02-29 16:06:52 UTC
exiv2-0.25-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f802cade15

Comment 5 Fedora Update System 2016-02-29 16:07:34 UTC
exiv2-0.24-5.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ff39572e31

Comment 6 Fedora Update System 2016-02-29 23:49:56 UTC
exiv2-0.24-5.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ff39572e31

Comment 7 Fedora Update System 2016-02-29 23:52:10 UTC
exiv2-0.25-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f802cade15

Comment 8 Fedora Update System 2016-03-03 20:23:52 UTC
exiv2-0.25-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2016-03-06 23:18:08 UTC
exiv2-0.24-5.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.