Bug 30394

Summary: libxml2 new security issue CVE-2022-29824
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libxml2-2.9.10-7.3.mga8.src.rpm CVE: CVE-2022-29824
Status comment:

Description David Walser 2022-05-07 22:10:05 CEST 
Fedora has issued an advisory today (May 7):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FZOBT5Y6Y2QLDDX2HZGMV7MJMWGXORKK/

The issue is fixed upstream in 2.9.14.
David Walser 2022-05-07 22:10:21 CEST

CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 2.9.14

Comment 1 Nicolas Salguero 2022-05-09 13:15:31 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well. (CVE-2022-29824)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29824
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FZOBT5Y6Y2QLDDX2HZGMV7MJMWGXORKK/
========================

Updated packages in core/updates_testing:
========================
lib(64)xml2_2-2.9.10-7.4.mga8
lib(64)xml2-devel-2.9.10-7.4.mga8
libxml2-python3-2.9.10-7.4.mga8
libxml2-utils-2.9.10-7.4.mga8

from SRPM:
libxml2-2.9.10-7.4.mga8.src.rpm

CVE: (none) => CVE-2022-29824
Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 2.9.14 => (none)
Status: NEW => ASSIGNED

Comment 2 Len Lawrence 2022-05-10 11:24:35 CEST 
mga8, x64
Before updating:
$ urpmq --whatrequires lib64xml2_2 | sort -u | wc -l
470

Ran the simple tests from earlier bugs on this package (30094, 29039, 28902).  They worked.
Installed chromium-browser and checked an XML tutorial site.

Updated the four packages:
$ python testxml.py
Tested OK
 xmllint --auto
<?xml version="1.0"?>
<info>abc</info>
$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

No regressions there.

$ strace -o chromium.trace chromium-browser
Previous session restored.  Looked at the XML tutorial site and browsed a bit.
$ grep xml2 chromium.trace
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.9.10", O_RDONLY|O_CLOEXEC) = 95

Looks like libxml2 is working as designed.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 3 Thomas Andrews 2022-05-10 14:22:16 CEST 
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-05-11 23:32:29 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2022-05-12 12:26:20 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0177.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED