Bug 3061

Summary: CVE-2011-2821, CVE-2011-2834: security update for libxml2
Product: Mageia Reporter: Jani Välimaa <jani.valimaa>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: libxml2 CVE:
Status comment:

Description Jani Välimaa 2011-10-15 15:40:10 CEST 
Description of problem:

====
Double free vulnerabilities in libxml2 allows remote attackers to cause
a denial of service or possibly have unspecified other impact via a
crafted XPath expression and via vectors related to XPath handling
(CVE-2011-2821, CVE-2011-2834).

Updated packages corrects these issues.
====

More info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2821
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2834

Pushed new release [1] to core/updates_testing which fixes this issue.

[1] libxml2-2.7.8-9.2.mga1
Comment 1 claire robinson 2011-10-15 18:31:21 CEST 
Not much more info :\ Caertainly nothing we can use for testing.

This relates to google chrome but numerous applications make use of libxml2_2

I suggest testing with a few to make sure they work as expected, unless anybody knows a better way to test this one?

$ urpmq --whatrequires libxml2_2
0ad
GConf2
abiword
amarok
amarok
anjuta
anjuta-extras
apache-mod_php
ardour
aria2
armagetron
audacious-plugins
audacious-plugins
autofs
autogen
autopano-sift-C
autoscan
autoscan-agent
avidemux
avidemux
avidemux
avidemux-cli
avidemux-cli
avidemux-cli
avidemux-gtk
avidemux-gtk
avidemux-gtk
avidemux-qt
avidemux-qt
avidemux-qt
beid-middleware
beid-middleware
bind
bind
bind-utils
bind-utils
bluefish
brasero
bug-buddy
cairo-dock
cairo-dock-rssreader
cairo-dock-weather
calligra-core
calligra-mobile
chromium-browser-beta
chromium-browser-stable
chromium-browser-stable
chromium-browser-stable
chromium-browser-unstable
claws-mail-gtkhtml2_viewer-plugin
claws-mail-rssyl-plugin
clisp
cman
compiz
compiz-fusion-plugins-main
conky
dconf-editor
deja-dup
dia
dvbtune
dvdauthor
e_modules
ekiga
empathy
eog
epiphany
evince
evolution
evolution-data-server
evolution-exchange
evolution-mono
fence-agents
ffado
fizmo
fizmo
folks
foomatic-db-engine
fwbuilder
gcalctool
gcompris
gda2.0
gedit
geoclue
glabels
gmpc
gmpc-discogs
gmpc-jamendo
gmpc-lastfm
gmpc-lyrics
gmpc-wikipedia
gnome-applets
gnome-control-center
gnome-media
gnome-pilot
gnome-system-monitor
gnote
gok
google-gadgets-common
graphicsmagick
grisbi
gromacs
gstreamer0.10-plugins-base
gstreamer0.10-plugins-good
gtkdive
gtkmathview
halevt
heartbeat
heartbeat-stonith
hivex
hotkeys
icecast
ices
inkscape
kdelibs4-core
kdelibs4-core
kdelibs4-core
kiba-dock
kino
kipi-plugins-htmlexport
kipi-plugins-htmlexport
kmess
kopete
kopete
Comment 2 claire robinson 2011-10-15 18:46:20 CEST 
Tested i586 with chromium, avidemux, inkscape
Comment 3 claire robinson 2011-10-15 19:03:24 CEST 
Dave previously tested libxml and gave some useful info here..

https://bugs.mageia.org/show_bug.cgi?id=1669#c3

All of which tested OK i586 too
Comment 4 claire robinson 2011-10-16 11:58:30 CEST 
Tested OK x86_64 too

Validating

Advisory
--------------
Double free vulnerabilities in libxml2 allows remote attackers to cause
a denial of service or possibly have unspecified other impact via a
crafted XPath expression and via vectors related to XPath handling
(CVE-2011-2821, CVE-2011-2834).

Updated packages corrects these issues.
====

More info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2821
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2834

---------------

SRPM: libxml2-2.7.8-9.2.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thankyou!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 5 Thomas Backlund 2011-10-19 21:38:39 CEST 
Update pushed.

CC: (none) => tmb

Comment 6 Thomas Backlund 2011-10-19 21:39:00 CEST 
.

Status: NEW => RESOLVED
Resolution: (none) => FIXED