| Summary: | libxml2 new security issues CVE-2015-5312, CVE-2015-749[7-9], CVE-2015-7500, CVE-2015-824[12], CVE-2015-8317, CVE-2015-8710 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/665976/ | ||
| Whiteboard: | has_procedure advisory MGA5-32-OK | ||
| Source RPM: | libxml2-2.9.1-11.3.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2015-11-18 17:45:14 CET
libxml2 2.9.3 has been released, fixing all of the issues we have patches for, fixing regressions caused by a couple of the patches, fixing the issues in this bug, and additionally fixing some previously unannounced (AFAIK) CVEs.

Upgrading to 2.9.3 fixes:
CVE-2015-5312
CVE-2015-7497
CVE-2015-7498
CVE-2015-7499
CVE-2015-7500
CVE-2015-8241
CVE-2015-8242

Updating to 2.9.3...

Summary: libxml2 new security issues CVE-2015-8241 and CVE-2015-8242 => libxml2 new security issues CVE-2015-5312, CVE-2015-749[7-9], CVE-2015-7500, CVE-2015-824[12]

Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Libxml2

Advisory:
========================

Updated libxml2 packages fix security vulnerabilities:

In libxml2 before 2.9.3, one case where when dealing with entities expansion, it failed to exit, leading to a denial of service (CVE-2015-5312).

In libxml2 before 2.9.3, it was possible to hit a negative offset in the name indexing used to randomize the dictionary key generation, causing a heap buffer overflow in xmlDictComputeFastQKey (CVE-2015-7497).

In libxml2 before 2.9.3, after encoding conversion failures, the parser was continuing to process to extract more errors, which can potentially lead to unexpected behaviour (CVE-2015-7498).

In libxml2 before 2.9.3, the parser failed to detect a case where the current pointer to the input was out of range, leaving it in an incoherent state (CVE-2015-7499).

In libxml2 before 2.9.3, a memory access error could happen while processing a start tag due to incorrect entities boundaries (CVE-2015-7500).

In libxml2 before 2.9.3, a buffer overread in xmlNextChar due to extra processing of MarkupDecl after EOF has been reached (CVE-2015-8241).

In libxml2 before 2.9.3, stack-based buffer overread with HTML parser in push mode (CVE-2015-8242).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5312
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8242
http://openwall.com/lists/oss-security/2015/11/18/23
http://www.xmlsoft.org/news.html
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.3-1.mga5
libxml2-utils-2.9.3-1.mga5
libxml2-python-2.9.3-1.mga5
libxml2-devel-2.9.3-1.mga5

from libxml2-2.9.3-1.mga5.src.rpm

Assignee: bugsquad => qa-bugs

MGA5-32 on Acer D620 Xfce
No installation issues
Followed procedure as per Comment 2 and got at the CLI:

    $ python testxml.py
    Tested OK
    $ xmllint --auto
    <?xml version="1.0"?>
    <info>abc</info>
    $ xmlcatalog --create
    <?xml version="1.0"?>
    <!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
    <catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>
    $ strace -o xml2.out chromium-browser
    [3923:3923:1121/110925:ERROR:whitelist.cc(61)] Component extension with id nmmhkkegccagdldgiimedpiccmgmieda not in whitelist and is not being loaded as a result.
    $ grep xml xml2.out
    open("/usr/lib/chromium-browser/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("tls/i686/sse2/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("tls/i686/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("tls/sse2/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("tls/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("i686/sse2/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("i686/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("sse2/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/lib/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
    read(18, "<?xml version=\"1.0\"?>\n<!DOCTYPE "..., 8192) = 5553
    read(20, "<?xml version=\"1.0\"?>\n<!DOCTYPE "..., 8192) = 221

and more of those lines

    $ rpm -qif /usr/lib/libxml2.so.2
    Name        : libxml2_2
    Version     : 2.9.3
    Release     : 1.mga5
    Architecture: i586
    Install Date: za 21 nov 2015 11:02:39 CET
    Group       : System/Libraries
    Size        : 1604488
    License     : MIT
    Signature   : RSA/SHA1, vr 20 nov 2015 16:48:12 CET, Key ID b742fa8b80420f66
    Source RPM  : libxml2-2.9.3-1.mga5.src.rpm
    Build Date  : vr 20 nov 2015 16:44:40 CET
    Build Host  : rabbit.mageia.org
    Relocations : (not relocatable)
    Packager    : luigiwalser <luigiwalser>
    Vendor      : Mageia.Org
    URL         : http://www.xmlsoft.org/
    Summary     : Shared libraries providing XML and HTML support
    Description :
    This library allows you to manipulate XML files. It includes support for reading, modifying and writing XML and HTML files. There is DTDs support: this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified.

Seems all OK

CC: (none) => herman.viaene

One more CVE assignment for bugs fixed in 2.9.3:
http://openwall.com/lists/oss-security/2015/11/22/3

Advisory:
========================

Updated libxml2 packages fix security vulnerabilities:

In libxml2 before 2.9.3, one case where when dealing with entities expansion, it failed to exit, leading to a denial of service (CVE-2015-5312).

In libxml2 before 2.9.3, it was possible to hit a negative offset in the name indexing used to randomize the dictionary key generation, causing a heap buffer overflow in xmlDictComputeFastQKey (CVE-2015-7497).

In libxml2 before 2.9.3, after encoding conversion failures, the parser was continuing to process to extract more errors, which can potentially lead to unexpected behaviour (CVE-2015-7498).

In libxml2 before 2.9.3, the parser failed to detect a case where the current pointer to the input was out of range, leaving it in an incoherent state (CVE-2015-7499).

In libxml2 before 2.9.3, a memory access error could happen while processing a start tag due to incorrect entities boundaries (CVE-2015-7500).

In libxml2 before 2.9.3, a buffer overread in xmlNextChar due to extra processing of MarkupDecl after EOF has been reached (CVE-2015-8241).

In libxml2 before 2.9.3, stack-based buffer overread with HTML parser in push mode (CVE-2015-8242).

In libxml2 before 2.9.3, out of bounds heap reads could happen due to failure processing the encoding declaration of the XMLDecl in xmlParseEncodingDecl (CVE-2015-8317).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5312
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8317
http://openwall.com/lists/oss-security/2015/11/18/23
http://openwall.com/lists/oss-security/2015/11/22/3
http://www.xmlsoft.org/news.html

Validating. Advisory from comment 4 uploaded.

Please push to 5 updates

Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0457.html

Status: NEW => RESOLVED
David Walser
2015-11-27 17:15:10 CET
URL: (none) => http://lwn.net/Vulnerabilities/665976/
David Walser
2015-12-09 16:36:47 CET
Summary: libxml2 new security issues CVE-2015-5312, CVE-2015-749[7-9], CVE-2015-7500, CVE-2015-824[12] => libxml2 new security issues CVE-2015-5312, CVE-2015-749[7-9], CVE-2015-7500, CVE-2015-824[12], CVE-2015-8317

This update also fixed CVE-2015-8710:
http://lwn.net/Vulnerabilities/672567/
http://www.ubuntu.com/usn/usn-2875-1/
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8710.html

Summary: libxml2 new security issues CVE-2015-5312, CVE-2015-749[7-9], CVE-2015-7500, CVE-2015-824[12], CVE-2015-8317 => libxml2 new security issues CVE-2015-5312, CVE-2015-749[7-9], CVE-2015-7500, CVE-2015-824[12], CVE-2015-8317, CVE-2015-8710
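
The QA check in the test comment (strace to see which libxml2.so.2 the browser actually opens, then rpm to read that package's version) can be scripted as below. This is an added example, not part of the bug report or of Mageia's QA procedure; the function names and the shortened sample inputs are constructed for illustration. It assumes the advisory's "before 2.9.3" wording is the criterion and ignores the RPM release field.

```python
import re

FIXED = (2, 9, 3)  # first upstream release with the fixes, per the advisory

# Matches strace lines like: open("/lib/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
OPEN_RE = re.compile(r'\bopen(?:at)?\((?:AT_FDCWD, )?"([^"]+)"[^)]*\)\s*=\s*(-?\d+)')


def resolved_library(strace_lines, soname="libxml2.so.2"):
    """Return (loaded_path, failed_probes) for the first successful open of soname."""
    failed = []
    for line in strace_lines:
        m = OPEN_RE.search(line)
        if not m or m.group(1).rsplit("/", 1)[-1] != soname:
            continue
        if int(m.group(2)) >= 0:   # a file descriptor came back: this copy is used
            return m.group(1), failed
        failed.append(m.group(1))  # -1 (ENOENT etc.): the loader kept searching
    return None, failed


def rpm_version(rpm_qi_text):
    """Extract the Version field of `rpm -qi` output as a tuple of ints."""
    m = re.search(r"^Version\s*:\s*(\d+(?:\.\d+)*)", rpm_qi_text, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_fixed(rpm_qi_text, fixed=FIXED):
    """True when the reported upstream version is not 'before 2.9.3'."""
    version = rpm_version(rpm_qi_text)
    return version is not None and version >= fixed


# Constructed samples, shortened from the output quoted in the QA comment.
STRACE = r'''open("/usr/lib/chromium-browser/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("tls/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
read(18, "<?xml version=\"1.0\"?>\n<!DOCTYPE "..., 8192) = 5553'''
RPM_NEW = "Name        : libxml2_2\nVersion     : 2.9.3\nRelease     : 1.mga5\n"
RPM_OLD = "Name        : libxml2_2\nVersion     : 2.9.1\nRelease     : 11.3.mga5\n"

if __name__ == "__main__":
    path, failed = resolved_library(STRACE.splitlines())
    print("loaded:", path, "| failed probes:", failed)
    print("2.9.3 fixed:", is_fixed(RPM_NEW), "| 2.9.1 fixed:", is_fixed(RPM_OLD))
```

The list of failed probes shows whether an application-private copy (here the `/usr/lib/chromium-browser/` path) was looked for first; if such a copy existed, updating the system package alone would not change what the application loads.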