Bug 28902

Summary:	libxml2 new security issues CVE-2021-351[6-8], CVE-2021-3537
Product:	Mageia	Reporter:	Nicolas Salguero <nicolas.salguero>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, herman.viaene, sysadmin-bugs, tarazed25
Version:	8	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM:	libxml2-2.9.10-7.mga8.src.rpm	CVE:
Status comment:

Description Nicolas Salguero 2021-05-11 09:54:47 CEST

Debian, Fedora and openSUSE have issued an advisory on May 9 and 10.

References:
https://www.debian.org/lts/security/2021/dla-2653
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/HLCJPB5W3FKJ7HO6DH6UVA3GP6IVZ37L/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/

Nicolas Salguero 2021-05-11 09:55:04 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
Source RPM: (none) => libxml2-2.9.10-8.mga9.src.rpm

Comment 1 Lewis Smith 2021-05-11 20:53:23 CEST

Another SRPM with no obvious maintainer, so having to assign this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2021-05-12 13:58:35 CEST

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Use-after-free in xmlEncodeEntitiesInternal() in entities.c. (CVE-2021-3516)

Heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c. (CVE-2021-3517)

Use-after-free in xmlXIncludeDoProcess() in xinclude.c. (CVE-2021-3518)

NULL pointer dereference in valid.c in xmlValidBuildAContentModel. (CVE-2021-3537)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3516
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3517
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3518
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3537
https://www.debian.org/lts/security/2021/dla-2653
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/HLCJPB5W3FKJ7HO6DH6UVA3GP6IVZ37L/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
========================

Updated packages in 7/core/updates_testing:
========================
lib(64)xml2_2-2.9.9-2.6.mga7
libxml2-utils-2.9.9-2.6.mga7
libxml2-python-2.9.9-2.6.mga7
libxml2-python3-2.9.9-2.6.mga7
lib(64)xml2-devel-2.9.9-2.6.mga7

from SRPM:
libxml2-2.9.9-2.6.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)xml2_2-2.9.10-7.1.mga8
libxml2-utils-2.9.10-7.1.mga8
libxml2-python3-2.9.10-7.1.mga8
lib(64)xml2-devel-2.9.10-7.1.mga8

from SRPM:
libxml2-2.9.10-7.1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Source RPM: libxml2-2.9.10-8.mga9.src.rpm => libxml2-2.9.10-7.mga8.src.rpm
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Status: NEW => ASSIGNED
Version: Cauldron => 8

Comment 3 Herman Viaene 2021-05-12 17:59:45 CEST

MGA7-64 Plasma on Lenovo B50
No isntallation issues
Followed wiki for testing with success
$ python testxml.py
Tested OK

$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>

$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

$ strace -o xmlchromiumtest.txt chromium-browser
[9680:9680:0512/175358.270516:ERROR:allowlist.cc(66)] Component extension with manifest resource id 11690 not in allowlist and is not being loaded as a result.
[9680:9680:0512/175358.275691:ERROR:allowlist.cc(66)] Component extension with manifest resource id 11691 not in allowlist and is not being loaded as a result.
[9710:9710:0512/175358.835798:ERROR:sandbox_linux.cc(374)] InitializeSandbox() called with multiple threads in process gpu-process.

$ grep xml xmlchromiumtest.txt 
openat(AT_FDCWD, "/usr/lib64/chromium-browser/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "tls/haswell/x86_64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "tls/haswell/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "tls/x86_64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "tls/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "haswell/x86_64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "haswell/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "x86_64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
pread64(5, "xmlCopyEntity:: malloc failed\0--"..., 64, 139692712329216) = 64
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.9.9", O_RDONLY|O_CLOEXEC) = 135
read(189, "<?xml version=\"1.0\"?>\n<!DOCTYPE "..., 8192) = 2721
read(190, "<?xml version=\"1.0\"?>\n<!DOCTYPE "..., 8192) = 221
and a lot moreof this last line.
OK for me.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Len Lawrence 2021-05-17 22:46:12 CEST

mga8, x64

Only one of the CVEs led to a useful reproducer.
CVE-2021-3537
Null pointer dereference in library in xmlSnprintfElementContent__internal_alias
https://gitlab.gnome.org/GNOME/libxml2/-/issues/245
$ xmllint --recover --postvalid poc
poc:1: parser error : xmlParseDocTypeDecl : no DOCTYPE name !
<!DOCTYP[<!ELEMENT
         ^
poc:1: parser error : DOCTYPE improperly terminated
<!DOCTYP[<!ELEMENT
[...]
)))&gt;)))))))))))))--exc-c14W!DOCT</:></:>
validity error : Found NULL content in content model of :
Segmentation fault (core dumped)

Updated the four packages.
$ xmllint --recover --postvalid poc
....
<?xml version="1.0"?>
<!DOCTYPE >
validity error : no root element
Document poc does not validate

Good result for CVE-2021-3537.

$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

Installed chromium browser.
$ strace -o chromium.trace chromium-browser
$ strace -o chromium.trace chromium-browser
[674628:674628:0517/214043.249203:ERROR:allowlist.cc(66)] Component extension with manifest resource id 11690 not in allowlist and is not being loaded as a resu...
$ grep xml chromium.trace
stat("/home/lcl/qa/libxml2", {st_mode=S_IFDIR|0755, st_size=498, ...}) = 0
stat("/home/lcl/qa/libxml2", {st_mode=S_IFDIR|0755, st_size=498, ...}) = 0
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.9.10", O_RDONLY|O_CLOEXEC) = 99
read(179, "<?xml version=\"1.0\"?>\n<!DOCTYPE "..., 8192) = 2851
read(180, "<?xml version=\"1.0\"?>\n<!DOCTYPE "..., 8192) = 240
read(180, "<?xml version=\"1.0\"?>\n<!DOCTYPE "..., 8192) = 536
....

Seems to be working OK for Mageia8.

CC: (none) => tarazed25
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 5 Thomas Andrews 2021-05-19 19:05:37 CEST

Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-05-19 20:10:54 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-05-19 21:32:30 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0213.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED