
Bug#1006337: libexpat1: Latest security updates of libexpat on buster and bullseye break libwbxml


Hanno Stock

Feb 23, 2022, 3:40:04 PM
Package: libexpat1
Version: 2.2.10-2+deb11u2
Severity: important
X-Debbugs-Cc: te...@security.debian.org

Dear Maintainer,

after several hours of debugging our SOGo installation, we found out
that libwbxml in general was not able to parse any previously parseable
XML documents.

Expected result:

$ xml2wbxml sample_xml_minimal.xml
xml2wbxml succeded

Result after latest security upgrade:

$ xml2wbxml sample_xml_minimal.xml
xml2wbxml failed: Parsing of XML Document Failed

Minimal XML file:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE ActiveSync PUBLIC "-//MICROSOFT//DTD ActiveSync//EN" "http://www.microsoft.com/">
<FolderSync xmlns="FolderHierarchy:">
<Status>1</Status>
</FolderSync>

This happened on Debian 10 and Debian 11 with the Debian supplied
version of libwbxml.

HTH,

Hanno

-- System Information:
Debian Release: 11.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-11-amd64 (SMP w/6 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libexpat1 depends on:
ii libc6 2.31-13+deb11u2

libexpat1 recommends no packages.

libexpat1 suggests no packages.

-- no debconf information

László Böszörményi

Feb 23, 2022, 6:00:03 PM
Control: tags -1 +confirmed

On Wed, Feb 23, 2022 at 9:30 PM Hanno Stock <opens...@hanno-stock.de> wrote:
> after several hours of debugging our SOGo installation, we found out
> that libwbxml in general was not able to parse any previously parseable
> XML documents.
>
> Expected result:
>
> $ xml2wbxml sample_xml_minimal.xml
> xml2wbxml succeded
>
> Result after latest security upgrade:
>
> $ xml2wbxml sample_xml_minimal.xml
> xml2wbxml failed: Parsing of XML Document Failed
>
> Minimal XML file:
>
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE ActiveSync PUBLIC "-//MICROSOFT//DTD ActiveSync//EN" "http://www.microsoft.com/">
> <FolderSync xmlns="FolderHierarchy:">
> <Status>1</Status>
> </FolderSync>
>
> This happened on Debian 10 and Debian 11 with the Debian supplied
> version of libwbxml.
Please note that the stable update is not done by me and I'm
attending some sort of event (meaning I'm far from my development
machine and GnuPG key). But quick testing shows Debian/Sid is also
affected by this (the backport is irrelevant of the reason). Meaning
it's caused by the way expat works now. Will consult with its upstream
developer to resolve this problem. Please give us some days to isolate
the root cause.

Thanks,
Laszlo/GCS

Sebastian Pipping

Feb 23, 2022, 6:50:03 PM
Hi everyone,

a quick look at libwbxml code revealed that libwbxml is using ':'
(colon) for a namespace separator. I have opened a ticket with libwbxml
upstream now at https://github.com/libwbxml/libwbxml/issues/76 .

Best, Sebastian
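
[Added example, not part of the thread and not code from libwbxml or expat: a diagnostic that feeds the report's minimal document to Python's expat binding with ':' as the namespace separator, the configuration Sebastian describes. Depending on the expat build in use, the colon case is either refused outright or yields a name with two colons that cannot be split unambiguously. The helper names and the '|' alternative separator are assumptions for illustration.]

```python
import xml.parsers.expat as expat

# Minimal document from the bug report, reproduced verbatim.
DOC = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE ActiveSync PUBLIC "-//MICROSOFT//DTD ActiveSync//EN" "http://www.microsoft.com/">
<FolderSync xmlns="FolderHierarchy:">
<Status>1</Status>
</FolderSync>
"""


def parse_with_separator(doc, sep):
    """Parse doc with namespace processing on (hypothetical helper).

    Returns (element names as expat reports them, error text or None).
    """
    names = []
    parser = expat.ParserCreate(namespace_separator=sep)
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    try:
        parser.Parse(doc, True)
    except expat.ExpatError as exc:
        return names, expat.ErrorString(exc.code)
    return names, None


def check(doc, sep):
    """Classify the outcome for one separator choice.

    'rejected'  - expat refused the document
    'ambiguous' - a reported name holds the separator more than once,
                  so URI and local name cannot be told apart reliably
    'ok'        - every name splits cleanly at a single separator
    """
    names, error = parse_with_separator(doc, sep)
    if error is not None:
        return "rejected"
    if any(name.count(sep) > 1 for name in names):
        return "ambiguous"
    return "ok"


if __name__ == "__main__":
    print("expat build:", expat.EXPAT_VERSION)
    for sep in (":", "|"):  # '|' is an assumed alternative, absent from the URI
        print(repr(sep), check(DOC, sep), parse_with_separator(DOC, sep))
```
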

László Böszörményi

Feb 24, 2022, 1:30:04 AM
Control: forwarded -1 https://github.com/libwbxml/libwbxml/issues/76

On Wed, Feb 23, 2022 at 9:30 PM Hanno Stock <opens...@hanno-stock.de> wrote:
> after several hours of debugging our SOGo installation, we found out
> that libwbxml in general was not able to parse any previously parseable
> XML documents.
As noted, this is a bug in libwbxml. If it gets fixed would you be
available for testing it on the stable release of Debian?

Regards,
Laszlo/GCS

Hanno Stock

Feb 24, 2022, 6:40:03 AM
Yes, I'd be available. Thank you for tracking down the source of the issue!