| Summary: | libxml2 new security issues CVE-2019-20388 and CVE-2020-7595 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, shlomif, sysadmin-bugs, tarazed25, thierry.vignaud, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | libxml2-2.9.10-2.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2020-02-19 23:40:52 CET
David Walser
2020-02-19 23:41:02 CET
Whiteboard: (none) => MGA7TOO

Assigning globally, CC a couple of recent committers.

CC: (none) => shlomif, thierry.vignaud

(In reply to David Walser from comment #0)
> Ubuntu has issued an advisory on February 10:
> https://usn.ubuntu.com/4274-1/
>
> Mageia 7 is also affected.

Patch applied in mga8 in:

```
------------------------------------------------------------------------
r1547369 | shlomif | 2020-02-20 23:24:14 +0200 (Thu, 20 Feb 2020) | 1 line
Changed paths:
   A /cauldron/libxml2/current/SOURCES/CVE-2020-7595.patch
   M /cauldron/libxml2/current/SPECS/libxml2.spec

security: patch for MGA#26222; other patch was already applied
```

Package submitted to BS.

Now submitted to mga7 core/updates_testing

Thanks Shlomi. I found another CVE.

Fedora has issued an advisory on February 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/

Summary: libxml2 new security issue CVE-2020-7595 => libxml2 new security issues CVE-2019-20388 and CVE-2020-7595

(In reply to David Walser from comment #4)
> Thanks Shlomi. I found another CVE.
>
> Fedora has issued an advisory on February 15:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/

Patch applied and submitted to mga8 and mga7.

Advisory:
========================

Updated libxml2 packages fix security vulnerabilities:

xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak (CVE-2019-20388).

xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation (CVE-2020-7595).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20388
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7595
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.9-2.3.mga7
libxml2-utils-2.9.9-2.3.mga7
libxml2-python-2.9.9-2.3.mga7
libxml2-python3-2.9.9-2.3.mga7
libxml2-devel-2.9.9-2.3.mga7

from libxml2_2-2.9.9-2.3.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs

Mageia7, x86_64

No obvious PoC out there.

The five packages installed cleanly.

Referred to the wiki for the tests: https://wiki.mageia.org/en/QA_procedure:Libxml2

```
$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>
```

Test file for the next command was already available, with an edit to cover python3 syntax.

```
$ python testxml.py
Tested OK
$ python3 testxml.py
Tested OK
```

qarte 4.6.0 is not working at present - don't know if that has been reported.

```
$ strace -o qarte.trace qarte
19:45:10: INFO - core Set workspace
19:45:10: INFO - core Load config from: /home/lcl/.Qarte/user_config
19:45:10: INFO - core Build main window
19:45:10: INFO - artetv Fetch page: https://www.arte.tv/fr/guide/20200211/
19:45:11: WARNING - artetv Read json error: Extra data: line 1 column 130120 (char 130119)
```

However, it does open the library:

```
$ grep xml2 qarte.trace
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.9.9", O_RDONLY) = 18
```

Somewhat inconclusive as a test of real world usage.

calibre works fine and appears to use libxml2.

```
$ grep xml2 calibre.trace
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 7
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.9.9", O_RDONLY) = 23
```

This is OK for 64-bits.

Whiteboard: (none) => MGA7-64-OK

Validating. Advisory in Comment 6.

Keywords: (none) => validated_update
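The advisory lists the fixed Mageia 7 builds, so the practical check on a host is whether every installed libxml2 package is at or above them. The Python below is an added example, not code from this bug or from Mageia: it reimplements rpm's version ordering (rpmvercmp) and flags installed name-version-release strings that are still below the advisory's builds. The function names `rpmvercmp`, `split_nvr`, `compare_nvr` and `unpatched` are my own; the input is assumed to be lines such as those printed by `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' libxml2_2 libxml2-utils ...`, and package epochs and the `^` marker are not handled.

```python
import re
# Added example, not code from the bug report: check installed Mageia 7 packages
# against the fixed builds in the advisory, using rpm's version-ordering rules.
_SEG = re.compile(r"\d+|[A-Za-z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """Order version/release strings like rpm's rpmvercmp(): numeric runs compare as
    integers, alpha runs lexically, numeric beats alpha, '~' sorts lowest. -1/0/1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if "~" in (x, y):
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return -1 if len(x) < len(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    extra = (sa if a_longer else sb)[min(len(sa), len(sb))]
    if extra == "~":                 # "1.0~rc1" is older than "1.0"
        return -1 if a_longer else 1
    return 1 if a_longer else -1     # otherwise leftover segments are newer

def split_nvr(nvr: str):
    """'libxml2-python3-2.9.9-2.3.mga7' -> (name, version, release); no epoch support."""
    return tuple(nvr.rsplit("-", 2))

def compare_nvr(installed: str, fixed: str) -> int:
    """-1 if installed is older than fixed, 0 if equal, 1 if newer."""
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(fixed)
    if n1 != n2:
        raise ValueError(f"package names differ: {n1} vs {n2}")
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)
# Fixed Mageia 7 builds, copied from the advisory in this bug.
FIXED_MGA7 = ["libxml2_2-2.9.9-2.3.mga7", "libxml2-utils-2.9.9-2.3.mga7",
              "libxml2-python-2.9.9-2.3.mga7", "libxml2-python3-2.9.9-2.3.mga7",
              "libxml2-devel-2.9.9-2.3.mga7"]
def unpatched(installed, fixed=FIXED_MGA7):
    """Return the installed name-version-release strings still below the fix."""
    want = {split_nvr(f)[0]: f for f in fixed}
    return [p for p in installed
            if split_nvr(p)[0] in want and compare_nvr(p, want[split_nvr(p)[0]]) < 0]
```

Packages not named in the advisory are ignored, so the whole `rpm -qa` output can be fed in and only the libxml2 packages below 2.9.9-2.3.mga7 are reported.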
Thomas Backlund
2020-02-24 21:59:43 CET
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0101.html

Resolution: (none) => FIXED