Bug 10774

Summary: libxml2 new security issue CVE-2013-2877
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/558924/
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok mga3-32-ok
Source RPM: libxml2-2.9.0-5.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-07-15 23:33:21 CEST 
Ubuntu has issued an advisory today (July 15):
http://www.ubuntu.com/usn/usn-1904-1/

Cauldron is not affected, as it was fixed in 2.9.1 (as noted by Ubuntu).

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

It was discovered that libxml2 incorrectly handled documents that end
abruptly. If a user or automated system were tricked into opening a
specially crafted document, an attacker could possibly cause libxml2 to
crash, resulting in a denial of service (CVE-2013-2877).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2877
http://www.ubuntu.com/usn/usn-1904-1/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.7.8-14.20120229.7.mga2
libxml2-utils-2.7.8-14.20120229.7.mga2
libxml2-python-2.7.8-14.20120229.7.mga2
libxml2-devel-2.7.8-14.20120229.7.mga2
libxml2_2-2.9.0-5.2.mga3
libxml2-utils-2.9.0-5.2.mga3
libxml2-python-2.9.0-5.2.mga3
libxml2-devel-2.9.0-5.2.mga3

from SRPMS:
libxml2-2.7.8-14.20120229.7.mga2.src.rpm
libxml2-2.9.0-5.2.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2013-07-15 23:33:30 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 Samuel Verschelde 2013-07-16 10:31:55 CEST 
I haven't found a POC. We have a procedure for libxml2

https://wiki.mageia.org/en/QA_procedure:Libxml2

You can also search for previous updates of libxml2 to see what people tested.

Whiteboard: MGA2TOO => MGA2TOO has_procedure

Comment 2 David Walser 2013-07-16 16:07:09 CEST 
I messed up the CVE name in the source for the Mageia 2 update.  It's rebuilt.

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

It was discovered that libxml2 incorrectly handled documents that end
abruptly. If a user or automated system were tricked into opening a
specially crafted document, an attacker could possibly cause libxml2 to
crash, resulting in a denial of service (CVE-2013-2877).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2877
http://www.ubuntu.com/usn/usn-1904-1/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.7.8-14.20120229.8.mga2
libxml2-utils-2.7.8-14.20120229.8.mga2
libxml2-python-2.7.8-14.20120229.8.mga2
libxml2-devel-2.7.8-14.20120229.8.mga2
libxml2_2-2.9.0-5.2.mga3
libxml2-utils-2.9.0-5.2.mga3
libxml2-python-2.9.0-5.2.mga3
libxml2-devel-2.9.0-5.2.mga3

from SRPMS:
libxml2-2.7.8-14.20120229.8.mga2.src.rpm
libxml2-2.9.0-5.2.mga3.src.rpm
Comment 3 claire robinson 2013-07-16 17:56:02 CEST 
Testing complete mga2 64

No public PoC that I can find so just testing with our procedure.

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga2-64-ok

Comment 4 claire robinson 2013-07-18 14:08:48 CEST 
Testing complete mga2 32

Whiteboard: MGA2TOO has_procedure mga2-64-ok => MGA2TOO has_procedure mga2-64-ok mga2-32-ok

Comment 5 claire robinson 2013-07-18 14:12:52 CEST 
Testing complete mga3 64

Whiteboard: MGA2TOO has_procedure mga2-64-ok mga2-32-ok => MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok

Comment 6 claire robinson 2013-07-18 14:15:15 CEST 
Testing complete mga3 32

Whiteboard: MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok mga3-32-ok

Comment 7 claire robinson 2013-07-18 14:21:31 CEST 
Validating. Advisory from comment 2 uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Nicolas Vigier 2013-07-21 11:37:51 CEST 
http://advisories.mageia.org/MGASA-2013-0218.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:05:19 CEST

CC: boklm => (none)