Bug 30094

No particular packager evident for this, so assigning it globally.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. (CVE-2022-23308)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23308
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MVLDYFVW63Y6ZSHIC6VGRIM6UJ6XLSR4/
========================

Updated packages in core/updates_testing:
========================
libxml2-python3-2.9.10-7.3.mga8
libxml2-utils-2.9.10-7.3.mga8
lib(64)xml2_2-2.9.10-7.3.mga8
lib(64)xml2-devel-2.9.10-7.3.mga8

from SRPM:
libxml2-2.9.10-7.3.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status comment: Fixed upstream in 2.9.13 => (none)
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2022-23308

mga8, x64

The four packages updated cleanly.
Following bug 29039 for testing.

Checked an old PoC.
$ xmllint billionlaughs.xml
<?xml version="1.0"?>
<!--
  "Parameter Laughs", i.e. variant of Billion Laughs Attack
                           using delayed interpretation
                           of parameter entities
  Copyright (C) Sebastian Pipping <sebastian@pipping.org>
-->
<!DOCTYPE r [
.....

$ cat testxml.py
import libxml2

def getStatus(case):
    prop = case.properties
    props={}
    props['name']=""
    props['classname']=""
    props['status']=""
    while prop:
        props[prop.name]=prop.content
        prop=prop.next
    if props['name'] == 'VHDL_BUILD_Passthrough' and props['classname'] == 'TestOne':
        return props['status']
    return None

x = libxml2.parseFile("testdata.xml")
allcases=[c for c in x.children if c.name == 'testcase']
cases = [c for c in allcases if getStatus(c) != None]
print( getStatus(cases[0]) )

$ python testxml.py
Tested OK
$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>
$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

Installed chromium-browser.
Ran chromium-browser under strace.  Invoking the browser brought up an XML tutorial site.  Viewed several simple XML files on that site.
$ grep lib chromium.trace | grep xml
[...]
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.9.10", O_RDONLY|O_CLOEXEC) = 94

Reckon that is good enough.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0084.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED