Bug 17076

Summary: libxml2 new security issue CVE-2015-8035
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/663515/
Whiteboard: has_procedure MGA5-32-OK advisory
Source RPM: libxml2-2.9.1-11.2.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-11-03 15:13:44 CET 
A CVE has been assigned for a denial of service issue since fixed in libxml2:
http://openwall.com/lists/oss-security/2015/11/02/4

Patched packages uploaded for Mageia 5 and Cauldron.

Note that the PoC file is attached here:
http://seclists.org/oss-sec/2015/q4/206

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

A denial of service in libxml2 when parsing a specially crafted XML file
if XZ support is enabled may cause applications to hang as the parsing never
terminates (CVE-2015-8035).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8035
http://openwall.com/lists/oss-security/2015/11/02/4
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.1-11.3.mga5
libxml2-utils-2.9.1-11.3.mga5
libxml2-python-2.9.1-11.3.mga5
libxml2-devel-2.9.1-11.3.mga5

from libxml2-2.9.1-11.3.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-11-03 15:14:06 CET 
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Libxml2

Also note the PoC linked in Comment 0.

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2015-11-03 21:11:54 CET 
Tested the general procedure on Mageia 5 i586, verified OK.

Confirmed the infinite loop in the PoC before the update.  After the update it errors out with:
$ xmllint test.xz
test.xz:1: parser error : Document is empty

^
test.xz:1: parser error : Start tag expected, '<' not found

^

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 3 Len Lawrence 2015-11-04 14:52:56 CET 
Trying this on x86_64.

First tried reproducing the PoC before the update.
$ gdb --quiet --args xmllint test.xz
Reading symbols from xmllint...Reading symbols from /home/lcl/Downloads/xmllint...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install libxml2-utils-2.9.1-11.2.mga5.x86_64
(gdb) q

So forget that...
$ xmllint test.xz
^C
It hangs there forever until a Ctrl-C.
strace produces several lines of output before the hang.
It shows that the test file is opened and a couple of read operations performed and then nothing.

stat("test.xz", {st_mode=S_IFREG|0644, st_size=28, ...}) = 0
stat("test.xz", {st_mode=S_IFREG|0644, st_size=28, ...}) = 0
stat("test.xz", {st_mode=S_IFREG|0644, st_size=28, ...}) = 0
open("test.xz", O_RDONLY)               = 3
lseek(3, 0, SEEK_CUR)                   = 0
getcwd("/home/lcl/Downloads", 1024)     = 20
read(3, "\v\0\2\0\0\0\0\0\0@\0\0\0\0\20\20\20\20\20\20\20\20\0\0\377\377\0\0", 8192) = 28
read(3, "", 8164)                       = 0

Presumably this is a successful PoC.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2015-11-04 15:33:31 CET 
After the update:
$ xmllint test.xz
test.xz:1: parser error : Document is empty

^
test.xz:1: parser error : Start tag expected, '<' not found

^

Created the files indicated in the testing procedure and ran the preliminary tests:

[lcl@vega ~]$ python testxml.py
Tested OK
[lcl@vega ~]$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>
[lcl@vega ~]$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

[lcl@vega ~]$ sudo urpmi chromium-browser

The chromium-browser test seemed to come a bit unstuck:

[lcl@vega ~]$ strace -o strace.out chromium-browser
[2879:2879:1104/142117:ERROR:whitelist.cc(61)] Component extension with id nmmhkkegccagdldgiimedpiccmgmieda not in whitelist and is not being loaded as a result.
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
[2879:2879:1104/142122:ERROR:navigation_entry_screenshot_manager.cc(141)] Invalid entry with unique id: 1
[lcl@vega ~]$ grep xml strace.out
open("/usr/lib64/chromium-browser/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("tls/x86_64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("tls/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("x86_64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libxml2.so.2.9.1", O_RDONLY) = 3
read(14, "<?xml version=\"1.0\"?>\n<!DOCTYPE "..., 8192) = 5553

then a succession of read messages.

libpng warnings often crop up and can probably be ignored but I am puzzled by the missing files messages.  The output differs from what is expected.
Comment 5 David Walser 2015-11-04 18:48:05 CET 
Len, your tests look fine.
Dave Hodgins 2015-11-05 22:25:16 CET

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2015-11-05 23:47:06 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0433.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-11-06 18:26:10 CET

URL: (none) => http://lwn.net/Vulnerabilities/663515/