Bug 32304

Summary: libxml2 new security issue CVE-2023-39615
Product: Mageia
Reporter: Nicolas Salguero <nicolas.salguero>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, herman.viaene, marja11, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 9
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Source RPM: libxml2-2.10.4-1.mga9.src.rpm
CVE:
Status comment:

Nicolas Salguero 2023-09-19 14:39:01 CEST

Source RPM: (none) => libxml2-2.10.4-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO, MGA8TOO
CC: (none) => nicolas.salguero

Nicolas Salguero 2023-09-19 14:39:14 CEST

Status comment: (none) => Patch available from upstream

Comment 1 Nicolas Salguero 2023-09-19 15:20:15 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. (CVE-2023-39615)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39615
https://lists.suse.com/pipermail/sle-security-updates/2023-September/016186.html
========================

Updated packages in 9/core/updates_testing:
========================
lib(64)xml2_2-2.10.4-1.1.mga9
lib(64)xml2-devel-2.10.4-1.1.mga9
libxml2-python3-2.10.4-1.1.mga9
libxml2-utils-2.10.4-1.1.mga9

from SRPM:
libxml2-2.10.4-1.1.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)xml2_2-2.9.10-7.8.mga8
lib(64)xml2-devel-2.9.10-7.8.mga8
libxml2-python3-2.9.10-7.8.mga8
libxml2-utils-2.9.10-7.8.mga8

from SRPM:
libxml2-2.9.10-7.8.mga8.src.rpm

Status comment: Patch available from upstream => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Assignee: bugsquad => qa-bugs

Comment 2 Herman Viaene 2023-09-25 14:22:29 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues
Ref QA Wiki and bug 31020
Updated the wiki (last line of the py command file) to reflect a change in syntax as stated in bug 31020.
$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>

$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

$ python testxml.py
Tested OK

Run chromium-browser and confirm it can read an xml file.
OK for me.

CC: (none) => herman.viaene
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 3 Len Lawrence 2023-09-25 18:01:06 CEST
Mid-air collision! 

Mageia9, x86_64
Tried out the PoC for CVE-2023-39615 at
https://gitlab.gnome.org/GNOME/libxml2/-/issues/535

$ xmllint --recover --sax1 --sax poc2_min
SAX.setDocumentLocator()
SAX.error: parsing XML declaration: '?>' expected
SAX.characters(
, 1)
SAX.endDocument()

This result is different from the one published upstream in that there is no SIGSEGV termination.  Could be good.
Updated the packages.
Ran the PoC with the same result, which would suggest that the repair was already in place.

$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>
$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

Tried xmllint against a channels.xspf XML file for vlc.  All lines parsed correctly.
Deleted a </ field which terminates a clause and that was spotted immediately.
$ xmllint test.xspf
test.xspf:25: parser error : Opening and ending tag mismatch: extension line 20 and track
		</track>
		        ^
test.xspf:536: parser error : Opening and ending tag mismatch: track line 17 and trackList
	</trackList>
	            ^

Installed chromium-browser and ran it under trace.
$ grep xml2 chromium.trace
openat(AT_FDCWD, "/usr/lib64/chromium-browser/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.10.4", O_RDONLY|O_CLOEXEC) = 94

Giving this an OK for 64-bit.

CC: (none) => tarazed25
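The check Len runs above (feed the upstream PoC to xmllint and see whether the process dies with SIGSEGV or merely reports a parse error) generalised into a small shell helper. This is an added example, not part of the bug report or of Mageia's QA wiki procedure: it assumes the xmllint options used in comment 3 (--recover --sax1 --sax), treats the PoC file name poc2_min as a placeholder (the PoC itself is not reproduced here), and relies on the sh/bash convention that a child killed by signal N exits with status 128+N.

```shell
#!/bin/sh
# Added example (not from the bug report): tell "parser rejected the input"
# apart from "parser crashed on the input" by inspecting the exit status.
#
# Usage: parse_outcome <command...>
#   prints  ok          exit status 0   (document parsed)
#           error:<n>   exit status 1..128 (parser reported a problem and exited cleanly)
#           crash:<n>   exit status > 128  (killed by signal <n>; 11 = SIGSEGV, 6 = SIGABRT)
parse_outcome() {
    # Run inside an 'if' so a non-zero status does not trip 'set -e' callers.
    if "$@" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -gt 128 ]; then
        echo "crash:$((rc - 128))"
    else
        echo "error:$rc"
    fi
}

# Drive xmllint the way comment 3 does, against a PoC file given as the
# first argument (default name poc2_min is a placeholder, an assumption here).
# Also print which libxml2 shared object xmllint is linked against, so the
# result can be tied to the package actually installed.
check_poc() {
    poc="${1:-poc2_min}"
    if ! command -v xmllint >/dev/null 2>&1; then
        echo "xmllint not installed" >&2
        return 2
    fi
    echo "libxml2 in use: $(ldd "$(command -v xmllint)" | grep libxml2)"
    parse_outcome xmllint --recover --sax1 --sax "$poc"
}

# Only run the xmllint check when a PoC path is supplied on the command line.
if [ "$#" -gt 0 ]; then
    check_poc "$@"
fi
```

A result of error:1 on the PoC is the expected post-fix behaviour (xmllint reports the malformed XML declaration and exits), whereas crash:11 reproduces the upstream SIGSEGV. The 128+N convention holds for bash and dash; ksh reports signal deaths as 256+N, so adjust the threshold if the QA box uses a different /bin/sh.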

Comment 4 Herman Viaene 2023-09-26 10:28:59 CEST
Believing Len above, set the OK for M9.

Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK

Comment 5 Thomas Andrews 2023-09-27 13:55:08 CEST
Thank you, Gentlemen! 

Validating. Advisory in comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Marja Van Waes 2023-09-30 16:33:21 CEST

Keywords: (none) => advisory
CC: (none) => marja11

Comment 6 Mageia Robot 2023-09-30 21:18:44 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0279.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED