Bug 14315

Summary: libxml2 new security issue CVE-2014-3660
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: olchal, rverschelde, sysadmin-bugs, tarazed25
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/616707/
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
Source RPM: libxml2-2.9.1-2.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-10-17 14:45:40 CEST 
RedHat has issued an advisory on October 16:
https://rhn.redhat.com/errata/RHSA-2014-1655.html

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated openssl packages fix security vulnerability:

A denial of service flaw was found in libxml2, a library providing support
to read, modify and write XML and HTML files. A remote attacker could
provide a specially crafted XML file that, when processed by an application
using libxml2, would lead to excessive CPU consumption (denial of service)
based on excessive entity substitutions, even if entity substitution was
disabled, which is the parser default behavior (CVE-2014-3660).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660
https://rhn.redhat.com/errata/RHSA-2014-1655.html
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.0-5.4.mga3
libxml2-utils-2.9.0-5.4.mga3
libxml2-python-2.9.0-5.4.mga3
libxml2-devel-2.9.0-5.4.mga3
libxml2_2-2.9.1-2.2.mga4
libxml2-utils-2.9.1-2.2.mga4
libxml2-python-2.9.1-2.2.mga4
libxml2-devel-2.9.1-2.2.mga4

from SRPMS:
libxml2-2.9.0-5.4.mga3.src.rpm
libxml2-2.9.1-2.2.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-10-17 14:45:54 CEST 
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Libxml2

Whiteboard: (none) => MGA3TOO has_procedure

David Walser 2014-10-17 18:22:48 CEST

URL: (none) => http://lwn.net/Vulnerabilities/616707/

Comment 2 David Walser 2014-10-18 00:57:53 CEST 
Tested successfully using the procedure on Mageia 3 i586 and Mageia 4 i586.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK

Comment 3 Len Lawrence 2014-10-18 11:16:02 CEST 
Using the same procedure, tested fine on Mageia 4 x86_64.

CC: (none) => tarazed25

Len Lawrence 2014-10-18 11:16:30 CEST

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK

Comment 4 olivier charles 2014-10-21 19:15:23 CEST 
Testing on Mageia 3-64, hardware

Tested with current packages and then with updates-testing following procedure in comment 1:

- lib64xml2_2-2.9.0-5.4.mga3.x86_64
- libxml2-devel-2.9.0-5.4.mga3.i586
- libxml2-python-2.9.0-5.4.mga3.x86_64
- libxml2-utils-2.9.0-5.4.mga3.x86_64
- libxml2_2-2.9.0-5.4.mga3.i586

All went well

CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 5 RĂ©mi Verschelde 2014-10-23 11:09:54 CEST 
Advisory uploaded. Validating update, please push to 3 & 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 6 Mageia Robot 2014-10-23 15:28:39 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0418.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED