| Summary: | libxml2 CVE-2019-19956 fix introduced more serious security issues | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, mageia, shlomif, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | libxml2-2.9.10-4.mga8.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2020-06-09 19:43:15 CEST

David Walser
2020-06-09 19:43:39 CEST

Assigning this to you, Shlomi, as its active maintainer.

Whiteboard: (none) => MGA7TOO
Assignee: bugsquad => shlomif

Fixed in Cauldron in libxml2-2.9.10-5.mga8 by Shlomi.

Version: Cauldron => 7

Submitted libxml2-2.9.9-2.4.mga7 to 7/updates-testing: http://pkgsubmit.mageia.org/

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

The fix for CVE-2019-19956 introduced regressions which can cause invalid
xmlns references in output and memory leaks, possibly leading to more
serious security issues. The broken fix has been reverted.

References:
https://lists.opensuse.org/opensuse-updates/2020-06/msg00026.html
https://advisories.mageia.org/MGASA-2020-0020.html
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.9-2.4.mga7
libxml2-utils-2.9.9-2.4.mga7
libxml2-python-2.9.9-2.4.mga7
libxml2-python3-2.9.9-2.4.mga7
libxml2-devel-2.9.9-2.4.mga7

from libxml2-2.9.9-2.4.mga7.src.rpm

Status comment: Upstream change needs to be reverted =>
(none)

mga7, x86_64

$ rpm -q lib64xml2_2
lib64xml2_2-2.9.9-2.3.mga7

CVE-2019-19956
https://bugzilla.suse.com/show_bug.cgi?id=1172021

$ valgrind perl test.pl
[...]
==19218== For lists of detected and suppressed errors, rerun with: -s
==19218== ERROR SUMMARY: 5 errors from 2 contexts (suppressed: 0 from 0)

Installed Calibre to establish that it works and to build a library.

Enabled updates testing.
$ urpmi.update -a
$ MageiaUpdate
- lib64xml2-devel-2.9.9-2.4.mga7.x86_64
- lib64xml2_2-2.9.9-2.4.mga7.x86_64
- libxml2-python-2.9.9-2.4.mga7.x86_64
- libxml2-python3-2.9.9-2.4.mga7.x86_64
- libxml2-utils-2.9.9-2.4.mga7.x86_64

$ valgrind perl test.pl
[...]
==30953== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

That agrees with the result at Suse.

Exercised calibre. Browsed the library and added more books and tried out various menu functions. All good.

$ grep libxml calibre.trace
getcwd("/data/qa/libxml2", 1026) = 17
getcwd("/data/qa/libxml2", 1024) = 17
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 7
....
Many references of that kind.

$ rpm -qil libxml-utils
[...]
/usr/bin/xmlcatalog
/usr/bin/xmllint
[...]

Mageia documentation at https://wiki.mageia.org/en/QA_procedure:Libxml2

$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

Looks like this tool can be used with various options to build a catalogue of ?

$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>

$ xmllint ~/data/tv/channels.xspf
<?xml version="1.0" encoding="UTF-8"?>
<playlist xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/" version="1">
  <title>DVB Playlist</title>
  <creator>w_scan2-1.0.3</creator>
  <info>https://github.com/stefantalpalaru/w_scan2</info>
  <trackList>
[...]
    <track>
      <title>0131. NOW 90s</title>
      <location>dvb-t2://frequency=754000000</location>
      <extension application="http://www.videolan.org/vlc/playlist/0">
        <vlc:option>dvb-bandwidth=8</vlc:option>
        <vlc:option>dvb-ts-id=45056</vlc:option>
        <vlc:id>132</vlc:id>
        <vlc:option>program=45408</vlc:option>
      </extension>
    </track>
  </trackList>
</playlist>

which is just an echo of the file contents since there are no syntax errors.

$ python testxml.py
Tested OK
$ python3 testxml.py
Tested OK

Note that python3 requires parentheses around argument lists for all function calls:
print( getStatus( cases[0] ) )

This all looks fine including the PoC result.

Whiteboard: (none) => MGA7-64-OK

Thank you, Len. Looks like a thorough test to me. Validating.

Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
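The QA run above checks the update in the two ways the advisory cares about: the valgrind run must end with an ERROR SUMMARY of 0 errors, and the XML that libxml2 emits must not carry invalid xmlns references (a prefix used without an in-scope declaration). The script below automates both checks so they can be repeated on the next libxml2 update. It is an added example, not part of the bug report, the Mageia QA procedure or libxml2 itself. The valgrind tails and the XML fragments are constructed from the output quoted in the test comment; `valgrind_xmllint` is a hypothetical helper that only runs when both tools are installed. The namespace check deliberately uses the standard library's expat rather than libxml2, so that an independent parser judges libxml2's output.

```python
"""Helpers for re-running the libxml2 QA checks: valgrind summary parsing and
a namespace-binding check on serialized XML (added example, not project code)."""
from __future__ import annotations

import re
import shutil
import subprocess
from typing import Optional, Tuple
from xml.parsers import expat

# Matches valgrind's closing line, e.g.
# "==30953== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)"
VALGRIND_SUMMARY = re.compile(
    r"^==\d+== ERROR SUMMARY: (\d+) errors? from (\d+) contexts?", re.MULTILINE
)


def parse_valgrind_summary(output: str) -> Tuple[int, int]:
    """Return (errors, contexts) from the last ERROR SUMMARY line in valgrind output.

    Raises ValueError when no summary line is present, so a crashed or
    truncated run is never mistaken for a clean one.
    """
    matches = VALGRIND_SUMMARY.findall(output)
    if not matches:
        raise ValueError("no valgrind ERROR SUMMARY line found")
    errors, contexts = matches[-1]
    return int(errors), int(contexts)


def regression_fixed(before_output: str, after_output: str) -> bool:
    """True when the pre-update run reported errors and the post-update run reports none."""
    before_errors, _ = parse_valgrind_summary(before_output)
    after_errors, _ = parse_valgrind_summary(after_output)
    return before_errors > 0 and after_errors == 0


def namespaces_well_formed(xml_text: str) -> bool:
    """True when every prefix used in xml_text is bound by an in-scope xmlns declaration.

    Passing a namespace_separator puts expat into namespace-aware mode, where an
    unbound prefix such as <vlc:option> without xmlns:vlc is a hard parse error;
    a plain well-formedness check would accept it.
    """
    parser = expat.ParserCreate(namespace_separator="}")
    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError:
        return False
    return True


def valgrind_xmllint(path: str) -> Optional[Tuple[int, int]]:
    """Hypothetical helper: run `xmllint --noout path` under valgrind and return
    (errors, contexts), or None when either tool is not installed."""
    if shutil.which("valgrind") is None or shutil.which("xmllint") is None:
        return None
    proc = subprocess.run(
        ["valgrind", "xmllint", "--noout", path],
        capture_output=True, text=True, check=False,
    )
    return parse_valgrind_summary(proc.stderr)  # valgrind reports on stderr


# Constructed sample input: the two valgrind tails quoted in the QA comment
# (before and after the update) and two fragments modelled on the xspf file.
BEFORE_UPDATE = """[...]
==19218== For lists of detected and suppressed errors, rerun with: -s
==19218== ERROR SUMMARY: 5 errors from 2 contexts (suppressed: 0 from 0)
"""
AFTER_UPDATE = """[...]
==30953== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
"""

GOOD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<playlist xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/" version="1">
  <trackList><track><extension application="http://www.videolan.org/vlc/playlist/0">
    <vlc:option>dvb-bandwidth=8</vlc:option><vlc:id>132</vlc:id>
  </extension></track></trackList>
</playlist>
"""
# The same document with the xmlns:vlc declaration dropped: the vlc: prefix is
# now an invalid xmlns reference of the kind the advisory describes.
BAD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<playlist xmlns="http://xspf.org/ns/0/" version="1">
  <trackList><track><extension application="http://www.videolan.org/vlc/playlist/0">
    <vlc:option>dvb-bandwidth=8</vlc:option><vlc:id>132</vlc:id>
  </extension></track></trackList>
</playlist>
"""

if __name__ == "__main__":
    print("valgrind before:", parse_valgrind_summary(BEFORE_UPDATE))
    print("valgrind after:", parse_valgrind_summary(AFTER_UPDATE))
    print("regression fixed:", regression_fixed(BEFORE_UPDATE, AFTER_UPDATE))
    print("good xml namespaces ok:", namespaces_well_formed(GOOD_XML))
    print("bad xml namespaces ok:", namespaces_well_formed(BAD_XML))
```

Feed `namespaces_well_formed` the text that `xmllint` (or the Python binding) writes back out, not the original file: the regression the advisory describes is in the serialized output, so the input file parsing cleanly says nothing about it.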
Nicolas Lécureuil
2020-07-04 23:54:59 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0271.html

CC: (none) => mageia
Resolution: (none) => FIXED