Bug 31020

Summary: libxml2 new security issues CVE-2022-4030[34]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libxml2-2.9.10-7.5.mga8.src.rpm CVE: CVE-2022-40303, CVE-2022-40304
Status comment:
Attachments: py script to run
testdata for py script
Correct testdata for py script

Description David Walser 2022-10-24 18:02:54 CEST 
openSUSE has issued an advisory on October 21:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GF5AQ5CKRNM4375JOAHV5NMVNYQGEASN/

The issues are fixed upstream in 2.10.3.

Mageia 8 is also affected.
David Walser 2022-10-24 18:03:09 CEST

Status comment: (none) => Fixed upstream in 2.10.3
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-10-25 23:26:09 CEST 
Fedora has issued an advisory for this today (October 25):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MNZAUJGHSPCIYDNVSWTSDYNJMQW7Z2JZ/
Comment 2 Lewis Smith 2022-10-26 09:15:30 CEST 
Various packagers deal with this SRPM, so assigning globally.

Assignee: bugsquad => pkg-bugs

Comment 3 David Walser 2022-10-26 19:04:45 CEST 
SUSE has issued an advisory for this on October 25:
https://lists.suse.com/pipermail/sle-security-updates/2022-October/012663.html

We may be missing the fix for CVE-2016-3709 in Mageia 8.
Comment 4 David Walser 2022-10-31 15:23:02 CET 
Debian-LTS has issued an advisory for this on October 30:
https://www.debian.org/lts/security/2022/dla-3172
Comment 5 Nicolas Salguero 2022-11-02 15:37:39 CET 
(In reply to David Walser from comment #3)
> SUSE has issued an advisory for this on October 25:
> https://lists.suse.com/pipermail/sle-security-updates/2022-October/012663.
> html
> 
> We may be missing the fix for CVE-2016-3709 in Mageia 8.

I found that CVE-2016-3709 was fixed in bug 30712.

CC: (none) => nicolas.salguero

Comment 6 Nicolas Salguero 2022-11-02 15:52:14 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Integer overflows with XML_PARSE_HUGE. (CVE-2022-40303)

Dict corruption caused by entity reference cycles. (CVE-2022-40304)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40303
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40304
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GF5AQ5CKRNM4375JOAHV5NMVNYQGEASN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MNZAUJGHSPCIYDNVSWTSDYNJMQW7Z2JZ/
https://lists.suse.com/pipermail/sle-security-updates/2022-October/012663.html
https://www.debian.org/lts/security/2022/dla-3172
========================

Updated packages in core/updates_testing:
========================
lib(64)xml2_2-2.9.10-7.6.mga8
lib(64)xml2-devel-2.9.10-7.6.mga8
libxml2-python3-2.9.10-7.6.mga8
libxml2-utils-2.9.10-7.6.mga8

from SRPM:
libxml2-2.9.10-7.6.mga8.src.rpm

CVE: (none) => CVE-2022-40303, CVE-2022-40304
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 2.10.3 => (none)
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Source RPM: libxml2-2.10.2-1.mga9.src.rpm => libxml2-2.9.10-7.5.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs

Comment 7 Herman Viaene 2022-11-04 14:22:46 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Followed the wiki, but the last line of the py script throws an error now. I will upload the files as I used them here.
$ python testxml.py 
Tested OK
$ python3 testxml.py 
Tested OK
$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>
$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>
This all looks OK. Took Len's suggestion and used chromium to browse around in the libxml2 tutorial, worked perfectly OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 8 Herman Viaene 2022-11-04 14:23:31 CET 
Created attachment 13474 [details]
py script to run
Comment 9 Herman Viaene 2022-11-04 14:24:06 CET 
Created attachment 13475 [details]
testdata for py script
Comment 10 Thomas Andrews 2022-11-04 22:57:23 CET 
Validating. Advisory in Comment 6.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-11-08 15:57:03 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 11 Mageia Robot 2022-11-08 20:45:50 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0412.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 12 Thomas Andrews 2023-10-22 01:13:27 CEST 
Created attachment 14078 [details]
Correct testdata for py script

Original testdata file was actually a second copy of the py script.

Attachment 13475 is obsolete: 0 => 1