Bug 30712

Summary: libxml2 new security issue CVE-2016-3709
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, mhrambo3501, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libxml2-2.9.10-7.4.mga8.src.rpm CVE: CVE-2016-3709
Status comment:

Description David Walser 2022-08-05 18:39:08 CEST 
Ubuntu has issued an advisory on August 4:
https://ubuntu.com/security/notices/USN-5548-1

The issue is fixed upstream in 2.9.11.
David Walser 2022-08-05 18:39:19 CEST

Status comment: (none) => Patches available from upstream and Ubuntu

Comment 1 Lewis Smith 2022-08-06 21:14:28 CEST 
This SRPM is maintained by various people, so have to assign this update globally.

Curious about the need for the patch if the newest version 2.9.11 fixes it.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2022-08-06 22:48:00 CEST 
We have 2.9.10 in Mageia 8.
Comment 3 David Walser 2022-08-06 22:48:20 CEST 
Also 2.9.11 isn't the newest version.
Comment 4 Mike Rambo 2022-08-09 23:29:03 CEST 
Updated package built for Mageia 8


Advisory:
========================

Patched libxml2 package fixes security vulnerability:

It was discovered that libxml2 incorrectly handled certain XML files. An attacker could possibly use this issue to execute arbitrary code (CVE-2016-3709).


References:
https://ubuntu.com/security/notices/USN-5548-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3709
========================

Updated packages in core/updates_testing:
========================
lib64xml2_2-2.9.10-7.5.mga8
lib64xml2-devel-2.9.10-7.5.mga8
libxml2-python3-2.9.10-7.5.mga8
libxml2-utils-2.9.10-7.5.mga8

from libxml2-2.9.10-7.5.mga8.src.rpm


Test procedure: https://bugs.mageia.org/show_bug.cgi?id=30094#c3

Keywords: (none) => has_procedure
CVE: (none) => CVE-2016-3709
Assignee: pkg-bugs => qa-bugs
Status comment: Patches available from upstream and Ubuntu => (none)
CC: (none) => mhrambo3501

Comment 5 Len Lawrence 2022-08-16 10:31:41 CEST 
mga8, x64
Packages updated OK.
Referring to the earlier bug, ran the simple test script which uses testdata.xml.
$ cat testdata.xml
<?xml version="1.0" encoding="UTF-8"?>
<testsuites tests="10" failures="0" disabled="0" errors="0" time="0.001" name="AllTests">
  <testsuite name="TestOne" tests="5" failures="0" disabled="0" errors="0" time="0.001">
    <testcase name="DefaultConstructor" status="run" time="0" classname="TestOne" />
    <testcase name="DefaultDestructor" status="run" time="0" classname="TestOne" />
    <testcase name="VHDL_EMIT_Passthrough" status="run" time="0" classname="TestOne" />
    <testcase name="VHDL_BUILD_Passthrough" status="Tested OK" time="0" classname="TestOne" />
    <testcase name="VHDL_SIMULATE_Passthrough" status="run" time="0.001" classname="TestOne" />
</testsuite>
</testsuites>
$ python testxml.py
Tested OK

Installed chromium-browser and ran it under strace.  Tried a few websites like the XML examples at w3schools.com, APOD and some of the 4K images of the Martian surface provided by NASA.
$ grep lib chromium.trace | grep xmlopenat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.9.10", O_RDONLY|O_CLOEXEC) = 89

This looks good for release.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 6 Thomas Andrews 2022-08-17 14:32:06 CEST 
Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-08-20 02:52:29 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2022-08-20 12:05:38 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0290.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED