| Summary: | libxml2 new security issue CVE-2020-24977 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | libxml2-2.9.10-5.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2020-09-22 19:40:13 CEST
David Walser
2020-09-22 19:40:20 CEST
Whiteboard: (none) => MGA7TOO

I think it should be OK to assign this to you, Shlomi.

Assignee: bugsquad => shlomif

openSUSE has issued an advisory for this on September 19:
https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00061.html

Fedora has issued an advisory for this on September 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2NQ5GTDYOVH26PBCPYXXMGW5ZZXWMGZC/

Fedora has issued an updated advisory for this on November 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ENEHQIBMSI6TZVS35Y6I4FCTYUQDLJVP/

Patched packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

libxml2 v2.9.10 and earlier has a global Buffer Overflow vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c (CVE-2020-24977).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24977
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2NQ5GTDYOVH26PBCPYXXMGW5ZZXWMGZC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ENEHQIBMSI6TZVS35Y6I4FCTYUQDLJVP/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.9-2.5.mga7
libxml2-utils-2.9.9-2.5.mga7
libxml2-python-2.9.9-2.5.mga7
libxml2-python3-2.9.9-2.5.mga7
libxml2-devel-2.9.9-2.5.mga7

from libxml2-2.9.9-2.5.mga7.src.rpm

Assignee: shlomif => qa-bugs

mga7, x64

CVE-2020-24977
https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
Upstream this leads to an ABORT under asan.

$ xmllint --htmlout poc.24977
<html>.....
<p>№........</p>
<pre>
error : xmlEncodeEntities: input not UTF-8
[...]
</pre><p>poc.24977:64: <b>error</b>: Premature end of data in tag spec line 58
</p>
<pre>
te><day>&draft.day;</day><month>&draft.month;</month><year>&draft.year;</yџџŠ
^
</pre></body></html>

This looks harmless, not very tidy, but may already be fixed.

Updated the packages:
- lib64xml2-devel-2.9.9-2.5.mga7.x86_64
- lib64xml2_2-2.9.9-2.5.mga7.x86_64
- libxml2-python-2.9.9-2.5.mga7.x86_64
- libxml2-python3-2.9.9-2.5.mga7.x86_64
- libxml2-utils-2.9.9-2.5.mga7.x86_64

The PoC produced exactly the same result as before, no ABORT.

$ urpmq --whatrequires lib64xml2_2 | sort -u | wc -l
513

Ran rhythmbox for a while under strace.

$ grep xml2 rbox.trace
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/girepository-1.0/libxml2-2.0.typelib", O_RDONLY) = 15

$ urpmq --requires darktable | grep xml2
darktable: libxml2.so.2()(64bit)
darktable: libxml2.so.2(LIBXML2_2.4.30)(64bit)
darktable: libxml2.so.2(LIBXML2_2.6.0)(64bit)
darktable: libxml2.so.2()(64bit)
darktable: libxml2.so.2(LIBXML2_2.4.30)(64bit)
darktable: libxml2.so.2(LIBXML2_2.6.0)(64bit)

Ran darktable under strace.

$ grep xml2 dark.trace
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3

This looks OK to be pushed.

Whiteboard: (none) => MGA7-64-OK

Validating. Advisory in Comment 5.

Keywords: (none) => validated_update

Advisory pushed to SVN.

CC: (none) => ouaurelien

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0002.html

Status: NEW => RESOLVED