| Summary: | libxml2 new security issues CVE-2017-5130, CVE-2017-15412, CVE-2017-16932 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | brtians1, davidwhodgins, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | libxml2-2.9.4-8.mga6.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 19695 | ||
|
Description
David Walser
2017-12-05 23:11:19 CET
David Walser
2017-12-05 23:11:29 CET
Blocks:
(none) =>
19695 There's also CVE-2017-15412, fixed in the latest Chromium: https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html Ubuntu has issued an advisory for this today (December 13): https://usn.ubuntu.com/usn/usn-3513-1/ openSUSE has issued an advisory on August 17: https://lists.opensuse.org/opensuse-updates/2017-08/msg00067.html It fixes CVE-2017-8872. It was not fixed upstream. (In reply to David Walser from Bug 19695) > CVE-2017-5130 has been fixed in Chrome (October 17): > https://chromereleases.googleblog.com/2017/10/stable-channel-update-for- > desktop.html Fixed upstream in 2.9.5, according to Debian. (In reply to David Walser from comment #1) > There's also CVE-2017-15412, fixed in the latest Chromium: > https://chromereleases.googleblog.com/2017/12/stable-channel-update-for- > desktop.html Fixed upstream in 2.9.6, according to Debian. Summary:
libxml2 new security issue CVE-2017-16932 =>
libxml2 new security issues CVE-2017-5130, CVE-2017-8872, CVE-2017-15412, CVE-2017-16932 (In reply to David Walser from comment #2) > openSUSE has issued an advisory on August 17: > https://lists.opensuse.org/opensuse-updates/2017-08/msg00067.html > > It fixes CVE-2017-8872. It was not fixed upstream. Forward porting openSUSE's patch to 2.9.7 breaks on the test suite. openSUSE didn't carry their own patch forward to openSUSE Factory, so it'll either have to go on unfixed or hopefully upstream has addressed it some sort of way (the upstream bug says they haven't though). Summary:
libxml2 new security issues CVE-2017-5130, CVE-2017-8872, CVE-2017-15412, CVE-2017-16932 =>
libxml2 new security issues CVE-2017-5130, CVE-2017-15412, CVE-2017-16932 Advisory: ======================== Updated libxml2 packages fix security vulnerability: Integer overflow in memory debug code in libxml2 before 2.9.5 (CVE-2017-5130). It was discovered that libxml2 incorrecty handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service (CVE-2017-15412). Wei Lei discovered that libxml2 incorrecty handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service (CVE-2017-16932). The libxml2 package has been updated to version 2.9.7 to fix these issues and several other bugs. Also, the perl-XML-LibXML package has been updated to version 2.13.200 to allow it to be rebuilt against the updated libxml2. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5130 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16932 https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html https://usn.ubuntu.com/usn/usn-3513-1/ https://usn.ubuntu.com/usn/usn-3504-1/ ======================== Updated packages in core/updates_testing: ======================== libxml2_2-2.9.7-1.mga6 libxml2-utils-2.9.7-1.mga6 libxml2-python-2.9.7-1.mga6 libxml2-python3-2.9.7-1.mga6 libxml2-devel-2.9.7-1.mga6 perl-XML-LibXML-2.13.200-1.mga6 from SRPMS: libxml2-2.9.7-1.mga6.src.rpm perl-XML-LibXML-2.13.200-1.mga6.src.rpm Assignee:
shlomif =>
qa-bugs x86_64 The following 4 packages are going to be installed: - lib64xml2_2-2.9.7-1.mga6.x86_64 - libxml2-python-2.9.7-1.mga6.x86_64 - libxml2-utils-2.9.7-1.mga6.x86_64 - perl-XML-LibXML-2.13.200-1.mga6.x86_64 Ran a couple of utilities: xmlcatalog - create xmllint I generated an XML document from Libreoffice Writer - saved as fodt format. Next I used xmllint to run a scrube $ xmllint libxml2.fodt > scrubed.fodt Then I open scrubed.fodt $ soffice scrubed.fodt It opens properly. Looks fine to me. ----- I don't feel like writing C code, does anyone have a standard program that uses this library? CC:
(none) =>
brtians1
Brian Rockwell
2017-12-31 00:31:52 CET
Keywords:
(none) =>
feedback Use this to test it: https://wiki.mageia.org/en/QA_procedure:Libxml2 Keywords:
feedback =>
has_procedure Ok on Mageia 6 i586. CC:
(none) =>
davidwhodgins Ok on Mageia 6 x86_64. Advisory committed to svn. Validating the update. Whiteboard:
MGA6-32-OK =>
MGA6-32-OK MGA6-64-OK An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0050.html Resolution:
(none) =>
FIXED CVE-2017-18258 was also fixed in 2.9.6: https://usn.ubuntu.com/3739-1/ https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18258.html |