| Summary: | libxml2 new security issues CVE-2018-9251, CVE-2018-14404, CVE-2018-14567 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | herman.viaene, lewyssmith, mageia, marja11, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | libxml2-2.9.8-2.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser 2018-08-08 15:14:53 CEST

David Walser 2018-08-08 15:14:59 CEST
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
CC: (none) => marja11

Ubuntu has issued an advisory today (August 14):
https://usn.ubuntu.com/3739-1/

It fixes one new issue CVE-2018-14567:
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html

Summary: libxml2 new security issues CVE-2018-9251 and CVE-2018-14404 => libxml2 new security issues CVE-2018-9251, CVE-2018-14404, CVE-2018-14567

openSUSE has issued an advisory for this today (October 12):
https://lists.opensuse.org/opensuse-updates/2018-10/msg00054.html

The openSUSE 15 version of the above advisory:
https://lists.opensuse.org/opensuse-updates/2018-10/msg00057.html

CVE-2018-9251 and CVE-2018-14567 were fixed in the same commit.

All of these fixes are in 2.9.9 (in Cauldron).

Whiteboard: MGA6TOO => (none)

Advisory:
========================

Updated libxml2 packages fix security vulnerabilities:

A flaw was found in libxml2 2.9.8. The xz_decomp function in xzlib.c, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (CVE-2018-9251, CVE-2018-14567).

A null pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing an invalid XPath expression. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application (CVE-2018-14404).

The libxml2 package has been updated to version 2.9.9 to fix these issues and other bugs. The perl-XML-LibXML package has been rebuilt against the updated libxml2.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9251
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14567
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G5AFZARX7BUSU24J2MJ4AHX5OE47UXQA/
https://usn.ubuntu.com/3739-1/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.9-1.mga6
libxml2-utils-2.9.9-1.mga6
libxml2-python-2.9.9-1.mga6
libxml2-python3-2.9.9-1.mga6
libxml2-devel-2.9.9-1.mga6
libxml2-debuginfo-2.9.9-1.mga6
perl-XML-LibXML-2.13.200-1.1.mga6

from SRPMS:
libxml2-2.9.9-1.mga6.src.rpm
perl-XML-LibXML-2.13.200-1.1.mga6.src.rpm

Assignee: shlomif => qa-bugs

Installed and tested without issue. Since these are packages that touch lots of stuff I will not mark it as OK and wait for more testers.

Tested using:
- php-xml, php-xsl, php-xmlreader, php-xmlwriter, php-dom using CLI (php-cli) and HTTP (apache plus mod_php);
- xsltproc;
- MySQL Workbench;
- twinkle;
- tellico;
- inkscape;
- chromium-browser-stable;
- amarok;
- normal desktop usage since lots of packages use lib64xml2.

Packages updated:
- lib64xml2-devel-2.9.9-1.mga6.x86_64
- lib64xml2_2-2.9.9-1.mga6.x86_64
- libxml2-python-2.9.9-1.mga6.x86_64
- libxml2-utils-2.9.9-1.mga6.x86_64
- perl-XML-LibXML-2.13.200-1.1.mga6.x86_64

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.89-desktop-1.mga6 #1 SMP Mon Dec 17 13:14:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

CC: (none) => mageia

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Installed and used chromium-browser-stable with strace and browsed to my usual newspaper site.
At CLI:
$ strace -o libxml2.txt chromium-browser
Gtk-Message: Failed to load module "canberra-gtk-module"
[11631:11631:0122/103511.616038:ERROR:context_group.cc(372)] ContextResult::kFatalFailure: too few texture image units supported (0, should be 8).
[11581:11581:0122/103511.832595:ERROR:gpu_process_transport_factory.cc(1016)] Lost UI shared context.
libpng warning: iCCP: known incorrect sRGB profile
[11581:11596:0122/103523.012009:ERROR:service_manager_context.cc(250)] Attempting to run unsupported native service: /usr/lib/chromium-browser/content_utility.service
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
and in the trace I get
open("/usr/lib/libxml2.so.2.9.9", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 129
Seems OK to me. No problems in normal desktop usage.

CC: (none) => herman.viaene

M6/x64

(In reply to PC LX from comment #7)
> Since these are packages that touch lots of stuff I will not mark it as OK
> and wait for more testers.
> Tested using:
> etc etc etc
You are too modest!

After pre-update tests, I UPDATED to:
- lib64xml2-devel-2.9.9-1.mga6.x86_64
- lib64xml2_2-2.9.9-1.mga6.x86_64
- libxml2-python-2.9.9-1.mga6.x86_64
- libxml2-utils-2.9.9-1.mga6.x86_64
- perl-XML-LibXML-2.13.200-1.1.mga6.x86_64

I found a few PoCs.

1) CVE-2018-9251, from https://bugzilla.gnome.org/show_bug.cgi?id=794914
"in libxml2 if liblzma-dev package is enabled" [?] + compiling details.
https://bugzilla.gnome.org/attachment.cgi?id=370463
$ xmllint poc -o /tmp/null
BEFORE update, without any messing about, this command looped, hogging all of one processor.
AFTER update:
$ xmllint poc -o /tmp/null
poc:1: parser error : Document is empty

^
GOOD.

2) CVE-2018-14404, from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
-> https://bugs.debian.org/cgi-bin/bugreport.cgi?att=2;bug=901817;filename=reproducers.zip;msg=5
has:
chrome-safari/
├── libxml2-xmlXPathCompOpEval-and.html
└── libxml2-xmlXPathCompOpEval-or.html
"For browser reproduction open the html reproducers with your target browser (chrome/safari)." Or chromium-browser as per Herman c8.
BEFORE update, with Chromium-browser,
file:///home/lewis/tmp/chrome-safari/libxml2-xmlXPathCompOpEval-and.html
yielded "Aw Snap, something went wrong while displaying this web page". The console showed basically a crash.
Same for file:///home/lewis/tmp/chrome-safari/libxml2-xmlXPathCompOpEval-or.html
AFTER update:
file:///home/lewis/tmp/chrome-safari/libxml2-xmlXPathCompOpEval-and.html
Popped up "This page says [object XMLDocument]". Clicking OK led to a blank page. No crash at the console. GOOD.
file:///home/lewis/tmp/chrome-safari/libxml2-xmlXPathCompOpEval-or.html
Same result. GOOD.

php5.6/
├── and.xsl
├── or.xsl
├── xpath_and.php
├── xpath_or.php
├── xpath_xmlXPathCompOpExal_XPATH_OP_AND_output.txt
└── xpath_xmlXPathCompOpExal_XPATH_OP_OR_output.txt
"For php reproduction run the following (php needs the xml module for DOM)" [?]
I could find nothing that combined php+xml+dom, but what I had were: php-xml-5.6.40-1.mga6, php-xmlreader-5.6.40-1.mga6, php-dom-5.6.40-1.mga6; to which I added php-xsl-5.6.40-1.mga6.
"make sure the php files and .xsl files reside in same directory and run the following commands:"
$ php -f xpath_or.php
$ php -f xpath_and.php
BEFORE update:
$ php -f xpath_or.php
... Segmentation fault (core dumped)
$ php -f xpath_and.php
... Segmentation fault (core dumped)
AFTER update:
$ php -f xpath_or.php
Lots of errors, but NO crash. GOOD.
$ php -f xpath_and.php
Same result. GOOD.

All this reinforces the other tests done.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0047.html

Resolution: (none) => FIXED

CVE-2017-8872 also fixed in this update:
https://www.debian.org/lts/security/2020/dla-2369
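The advisory in this bug fixes the issues by moving libxml2 to 2.9.9 and notes that the xz_decomp loop is only reachable when libxml2 was built with --with-lzma. The testers above verified the update by running the PoCs; a cheaper check on a fleet is to read the version the installed library actually reports and whether it carries LZMA support. The script below is an added example for this page, not code from the Mageia bug, from libxml2 or from any of the commenters. Its assumptions: the fixed release is 2.9.9 (as the advisory states for Mageia 6), the library is located with ctypes.util.find_library("xml2") and exports the xmlParserVersion string, and xmllint --version prints a "compiled with:" feature line that contains "Lzma" on builds configured with --with-lzma. The sample xmllint output embedded in the block is constructed for the demo.

```python
"""Check whether the libxml2 on this host is at or past the fixed release.

Added example for the advisory above; not the project's or Mageia's code.
Assumptions (see lead-in): fixed release 2.9.9, xmlParserVersion exported by
libxml2.so.2, and "Lzma" listed on xmllint's "compiled with:" line.
"""
import ctypes
import ctypes.util
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First libxml2 release carrying all three fixes, per the advisory.
FIXED_VERSION: Version = (2, 9, 9)

# Constructed sample of `xmllint --version` output from a pre-update
# 2.9.8 build with LZMA support (not captured from a real host).
SAMPLE_XMLLINT_OUTPUT = (
    "xmllint: using libxml version 20908\n"
    "   compiled with: Threads Tree Output Push Reader Patterns Writer "
    "SAXv1 FTP HTTP DTDValid HTML Legacy C14N Catalog XPath XPointer "
    "XInclude Iconv ISO8859X Unicode Regexps Automata Expr Schemas "
    "Schematron Modules Debug Zlib Lzma\n"
)


def parse_libxml_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from libxml2 version text.

    libxml2 reports its version either dotted ("2.9.9", as in package names
    such as libxml2_2-2.9.9-1.mga6) or as the integer form MMmmpp used by
    LIBXML_VERSION and xmlParserVersion ("20909" is 2.9.9).
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m:
        return int(m.group(1)), int(m.group(2)), int(m.group(3))
    m = re.search(r"\b(\d)(\d\d)(\d\d)\b", text)
    if m:
        return int(m.group(1)), int(m.group(2)), int(m.group(3))
    return None


def is_fixed(version: Version, fixed: Version = FIXED_VERSION) -> bool:
    """True when the installed version is at or beyond the fixed release."""
    return version >= fixed


def built_with_lzma(xmllint_version_output: str) -> bool:
    """Look for LZMA support on xmllint's "compiled with:" feature line.

    The xz_decomp loop (CVE-2018-9251 / CVE-2018-14567) needs a --with-lzma
    build; CVE-2018-14404 (XPath NULL deref) applies regardless.
    """
    for line in xmllint_version_output.splitlines():
        if line.strip().lower().startswith("compiled with:"):
            return "lzma" in line.lower().split()
    return False


def assess(version_text: str, xmllint_output: str = "") -> Dict[str, object]:
    """Combine the version and LZMA checks into one verdict."""
    version = parse_libxml_version(version_text)
    lzma = built_with_lzma(xmllint_output)
    if version is None:
        return {"version": None, "fixed": False, "lzma": lzma,
                "verdict": "could not parse libxml2 version"}
    fixed = is_fixed(version)
    if fixed:
        verdict = "fixed (>= %d.%d.%d)" % FIXED_VERSION
    elif lzma:
        verdict = ("vulnerable: CVE-2018-14404 and the LZMA loop "
                   "(CVE-2018-9251/CVE-2018-14567) apply")
    else:
        verdict = ("vulnerable: CVE-2018-14404 applies; LZMA loop not "
                   "reachable without --with-lzma")
    return {"version": version, "fixed": fixed, "lzma": lzma, "verdict": verdict}


def probe_ctypes() -> Optional[str]:
    """Read xmlParserVersion (e.g. "20909") straight from the shared library."""
    path = ctypes.util.find_library("xml2")
    if not path:
        return None
    try:
        lib = ctypes.CDLL(path)
        raw = ctypes.c_char_p.in_dll(lib, "xmlParserVersion").value
    except (OSError, ValueError):
        return None
    return raw.decode("ascii", "replace") if raw else None


def probe_xmllint() -> str:
    """Capture `xmllint --version` (it writes to stderr); empty if absent."""
    try:
        proc = subprocess.run(["xmllint", "--version"], capture_output=True,
                              text=True, timeout=10, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return proc.stderr + proc.stdout


def demo() -> Dict[str, object]:
    """Assess the constructed pre-update sample (offline)."""
    return assess(SAMPLE_XMLLINT_OUTPUT.splitlines()[0], SAMPLE_XMLLINT_OUTPUT)


if __name__ == "__main__":
    print("sample:", demo())
    live = probe_xmllint()
    text = probe_ctypes() or (live.splitlines()[0] if live else "")
    print("this host:", assess(text, live))
```

The ctypes probe is preferred because it reads the version from the library a process would actually load, which is what the strace check in the thread confirmed; the xmllint probe is only a fallback and the source of the LZMA feature flag.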