[AutoPR- Security] Patch perl-XML-Parser for CVE-2006-10003, CVE-2006-10002 [HIGH]

[azurelinux-security]

Auto Patch perl-XML-Parser for CVE-2006-10003, CVE-2006-10002.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1073447&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

What does the PR accomplish, why was it needed?

• Auto Patch perl-XML-Parser for CVE-2006-10003 (HIGH), CVE-2006-10002 (MEDIUM).

Change Log

• CVE-2006-10003
• CVE-2006-10002

Does this affect the toolchain?

YES/NO

Associated issues

• N/A

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2006-10003
• https://nvd.nist.gov/vuln/detail/CVE-2006-10002

Test Methodology

• Pipeline build id: Buddy Build URL

[v-aaditya]

The 3rd subtest in test-suite t/partial.t is getting failed which is a known issue and has been introduced after the CVE-2024-8176 in expat package with version <2.7.0> has been fixed. This issue is resolved in expat package version <2.7.1> and can be fixed by upgrading core package expat to version <2.7.4>.

Reference:

1. 2.7.0 breaks Perl XML-Parser module libexpat/libexpat#980
2. Test failure with expat-2.7.0 cpan-authors/XML-Parser#104
3. [CVE-2024-8176] Long linear chains of enties crash Expat with stack overflow due to use of unlimited recursion libexpat/libexpat#893

This issue is present in current expat version <2.6.4> as we have applied patch for CVE-2024-8176.
Therefore, the condition to check if the 3rd subtest has failed, has been removed by applying patch SPECS/perl-XML-Parser/skip-subtest-in-partial-t.patch.

[v-aaditya]

The Buddy Build has been re-triggered and it has passed !

[jslobodzian]

The 3rd subtest in test-suite t/partial.t is getting failed which is a known issue and has been introduced after the CVE-2024-8176 in expat package with version <2.7.0> has been fixed. This issue is resolved in expat package version <2.7.1> and can be fixed by upgrading core package expat to version <2.7.4>.

Reference:

1. 2.7.0 breaks Perl XML-Parser module libexpat/libexpat#980
2. Test failure with expat-2.7.0 cpan-authors/XML-Parser#104
3. [CVE-2024-8176] Long linear chains of enties crash Expat with stack overflow due to use of unlimited recursion libexpat/libexpat#893

This issue is present in current expat version <2.6.4> as we have applied patch for CVE-2024-8176. Therefore, the condition to check if the 3rd subtest has failed, has been removed by applying patch SPECS/perl-XML-Parser/skip-subtest-in-partial-t.patch.

Can you provide more details here. Why is it ok to ignore the failing test if this change introduces the failure?

[jslobodzian]

This test wasn't failing before these patches were applied?

[v-aaditya]

Yes, I have checked locally. The ptests in package perl-XML-Parser are getting passed once I remove the patch for CVE-2024-8176 in core package expat.

[v-aaditya]

The 3rd subtest in test-suite t/partial.t is getting failed which is a known issue and has been introduced after the CVE-2024-8176 in expat package with version <2.7.0> has been fixed. This issue is resolved in expat package version <2.7.1> and can be fixed by upgrading core package expat to version <2.7.4>.
Reference:

1. 2.7.0 breaks Perl XML-Parser module libexpat/libexpat#980
2. Test failure with expat-2.7.0 cpan-authors/XML-Parser#104
3. [CVE-2024-8176] Long linear chains of enties crash Expat with stack overflow due to use of unlimited recursion libexpat/libexpat#893

This issue is present in current expat version <2.6.4> as we have applied patch for CVE-2024-8176. Therefore, the condition to check if the 3rd subtest has failed, has been removed by applying patch SPECS/perl-XML-Parser/skip-subtest-in-partial-t.patch.

Can you provide more details here. Why is it ok to ignore the failing test if this change introduces the failure?

The reason to skip the test is that it is introduced because of CVE-2024-8176 fix in core package expat. The issue exist not because we have incorrectly backported the CVE fix but because the upstream fix for this CVE breaks the ptest in perl-XML-Parser package. Kindly refer this link - 2.7.0 breaks Perl XML-Parser module libexpat/libexpat#980

The only way to fix the ptest failure is to upgrade the core package expat to version <2.7.1> or beyond. I have verified this locally by upgrading the expat package to version <2.7.4> and the ptests in package perl-XMl-Parser got passed.

CC: @Kanishk-Bansal

[Kanishk-Bansal]

Buddy Build

[v-aaditya]

Buddy Build

Buddy Build has passed !

[jslobodzian]

The 3rd subtest in test-suite t/partial.t is getting failed which is a known issue and has been introduced after the CVE-2024-8176 in expat package with version <2.7.0> has been fixed. This issue is resolved in expat package version <2.7.1> and can be fixed by upgrading core package expat to version <2.7.4>.
Reference:

1. 2.7.0 breaks Perl XML-Parser module libexpat/libexpat#980
2. Test failure with expat-2.7.0 cpan-authors/XML-Parser#104
3. [CVE-2024-8176] Long linear chains of enties crash Expat with stack overflow due to use of unlimited recursion libexpat/libexpat#893

This issue is present in current expat version <2.6.4> as we have applied patch for CVE-2024-8176. Therefore, the condition to check if the 3rd subtest has failed, has been removed by applying patch SPECS/perl-XML-Parser/skip-subtest-in-partial-t.patch.

Can you provide more details here. Why is it ok to ignore the failing test if this change introduces the failure?

The reason to skip the test is that it is introduced because of CVE-2024-8176 fix in core package expat. The issue exist not because we have incorrectly backported the CVE fix but because the upstream fix for this CVE breaks the ptest in perl-XML-Parser package. Kindly refer this link - 2.7.0 breaks Perl XML-Parser module libexpat/libexpat#980

The only way to fix the ptest failure is to upgrade the core package expat to version <2.7.1> or beyond. I have verified this locally by upgrading the expat package to version <2.7.4> and the ptests in package perl-XMl-Parser got passed.

CC: @Kanishk-Bansal

To close the loop here, I understand that the CVE was fixed properly. This issue is that something that worked before the CVE fix, now fails to work. If the test is failing then it's possible that this CVE fix will cause other usage of perl-XML-parser to start failing too. My recommendation is that we also patch expat with the necessary change, or we upgrade expat and understand the impacts the upgrade has to expat and any of its dependencies.