Bug 25985

Summary: libxml2 new security issue CVE-2019-19956
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, nicolas.salguero, sysadmin-bugs, tarazed25, tmb
Version: 7Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: libxml2-2.9.9-2.mga7.src.rpm CVE: CVE-2019-19956
Status comment:

Description David Walser 2019-12-29 05:01:23 CET 
Debian-LTS has issued an advisory today (December 28):
https://www.debian.org/lts/security/2019/dla-2048

The issue is fixed upstream in 2.9.10.

Mageia 7 is also affected.
David Walser 2019-12-29 05:01:30 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Salguero 2019-12-30 16:51:38 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. (CVE-2019-19956)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19956
https://www.debian.org/lts/security/2019/dla-2048
========================

Updated packages in core/updates_testing:
========================
lib(64)xml2_2-2.9.9-2.1.mga7
libxml2-utils-2.9.9-2.1.mga7
libxml2-python-2.9.9-2.1.mga7
libxml2-python3-2.9.9-2.1.mga7
lib(64)xml2-devel-2.9.9-2.1.mga7

from SRPMS:
libxml2-2.9.9-2.1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
CVE: (none) => CVE-2019-19956
Source RPM: libxml2-2.9.9-7.mga8.src.rpm => libxml2-2.9.9-2.mga7.src.rpm
Version: Cauldron => 7
CC: (none) => nicolas.salguero
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED

Comment 2 Len Lawrence 2020-01-03 11:28:19 CET 
Taking this on for Mageia7.  There is a good tutorial at http://www.xmlsoft.org/examples/.

CC: (none) => tarazed25

Comment 3 David Walser 2020-01-03 15:03:14 CET 
There is also:
https://wiki.mageia.org/en/QA_procedure:Libxml2

Keywords: (none) => has_procedure

Comment 4 Len Lawrence 2020-01-03 16:10:39 CET 
Thanks for that David.  Probably better to go with something tried and tested, especially as it covers the python angle.
Comment 5 Len Lawrence 2020-01-03 18:06:50 CET 
Mageia7, x86_64

Mageia QA tests at https://wiki.mageia.org/en/QA_procedure:Libxml2

Updated the five packages.  Ran the tests documented on the wiki above.

$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>

$ python testxml.py
Tested OK

$ python3 testxml.py
  File "testxml.py", line 19
    print getStatus(cases[0])
                  ^
SyntaxError: invalid syntax

Shucks!  Get caught by that one every time.  Added parentheses for print.
print( getStatus(cases[0]) )

$ python3 testxml.py
Tested OK

Ran qarte and chromium-browser under strace but neither would run.  Nevertheless the trace files showed that libxml2.so.2 was being accessed.
Ran calibre under strace which showed openat being called a couple of times on libxml2.so.2.

Green light for this one.

Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2020-01-03 20:01:45 CET 
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-01-05 14:54:00 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 7 Mageia Robot 2020-01-05 16:40:15 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0020.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED