Bug 32364

Summary: libxml2 new security issue CVE-2023-45322
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, mageia, marja11, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 9 Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Source RPM: libxml2-2.10.4-1.1.mga9.src.rpm CVE:
Status comment:

Description Nicolas Salguero 2023-10-09 16:31:56 CEST
Hi,

CVE-2023-45322 was announced here:
https://www.openwall.com/lists/oss-security/2023/10/06/5.

The given link provides a patch.

Best regards,

Nico.
Nicolas Salguero 2023-10-09 16:32:34 CEST

CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO, MGA8TOO
Status comment: (none) => Patch available from upstream
Source RPM: (none) => libxml2-2.10.4-2.mga10.src.rpm

Comment 1 Lewis Smith 2023-10-09 20:41:34 CEST
The fix is in the git master branch, but not yet any release:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9

Different people commit this SRPM, so assigning this bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-10-11 13:23:15 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. (CVE-2023-45322)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322
https://www.openwall.com/lists/oss-security/2023/10/06/5
========================

Updated packages in 9/core/updates_testing:
========================
lib(64)xml2_2-2.10.4-1.2.mga9
lib(64)xml2-devel-2.10.4-1.2.mga9
libxml2-python3-2.10.4-1.2.mga9
libxml2-utils-2.10.4-1.2.mga9

from SRPM:
libxml2-2.10.4-1.2.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)xml2_2-2.9.10-7.9.mga8
lib(64)xml2-devel-2.9.10-7.9.mga8
libxml2-python3-2.9.10-7.9.mga8
libxml2-utils-2.9.10-7.9.mga8

from SRPM:
libxml2-2.9.10-7.9.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 9
Status comment: Patch available from upstream => (none)
Source RPM: libxml2-2.10.4-2.mga10.src.rpm => libxml2-2.10.4-1.1.mga9.src.rpm
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO

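To check whether a given Mageia 8 or 9 system actually carries the fixed builds listed above, the following Python script (an added example, not part of this bug report or of Mageia's own tooling) compares installed libxml2 package versions against the fixed version-release pairs from the advisory. It implements a simplified form of rpm's version comparison (numeric and alphabetic segments only, no tilde or caret handling), which is enough for the release strings on this page. The `rpm -qa` query format and the sample package list are constructed for illustration.

```python
import re
import subprocess

# Fixed (version, release) per Mageia branch, taken from comment 2 above.
FIXED = {
    "mga8": ("2.9.10", "7.9.mga8"),
    "mga9": ("2.10.4", "1.2.mga9"),
}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Simplified rpm version comparison: split both strings into
    numeric/alphabetic segments and compare them pairwise.
    Returns 1 if a is newer, -1 if older, 0 if equal.
    Simplification: no tilde ('~') or caret ('^') semantics."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)  # numeric segments compare as integers
            if xi != yi:
                return 1 if xi > yi else -1
        elif xd != yd:
            return 1 if xd else -1  # a numeric segment is newer than an alpha one
        elif x != y:
            return 1 if x > y else -1  # alpha segments compare lexically
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1  # leftover segments win
    return 0


def evr_cmp(installed, fixed):
    """Compare (version, release) pairs: version first, then release."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])


_NVR = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)$")


def parse_nvr(nvr):
    """Split 'name-version-release' (name may itself contain dashes)."""
    m = _NVR.match(nvr)
    if not m:
        raise ValueError("not an NVR string: %r" % nvr)
    return m.group("name"), m.group("ver"), m.group("rel")


def branch_of(release):
    """Extract the Mageia branch tag ('mga8', 'mga9', ...) from a release."""
    m = re.search(r"(mga\d+)$", release)
    return m.group(1) if m else None


def audit(nvr_lines):
    """Map each installed NVR to 'fixed', 'vulnerable' or 'unknown'
    (unknown = branch not covered by this advisory)."""
    result = {}
    for line in nvr_lines:
        line = line.strip()
        if not line:
            continue
        _name, ver, rel = parse_nvr(line)
        branch = branch_of(rel)
        if branch not in FIXED:
            result[line] = "unknown"
            continue
        state = "fixed" if evr_cmp((ver, rel), FIXED[branch]) >= 0 else "vulnerable"
        result[line] = state
    return result


# Constructed sample output (assumption: what an rpm query might print on
# a partially updated box); one package is still at the pre-fix release.
SAMPLE = """\
lib64xml2_2-2.10.4-1.1.mga9
libxml2-utils-2.10.4-1.2.mga9
lib64xml2_2-2.9.10-7.9.mga8
"""


def query_installed():
    """Ask rpm for installed libxml2 packages; fall back to SAMPLE when
    rpm is not available (e.g. when run off a Mageia host)."""
    try:
        out = subprocess.run(
            ["rpm", "-qa", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n", "lib*xml2*"],
            capture_output=True, text=True, check=False,
        ).stdout
    except FileNotFoundError:
        out = SAMPLE
    return out.splitlines()


if __name__ == "__main__":
    for nvr, state in sorted(audit(query_installed()).items()):
        print("%-12s %s" % (state, nvr))
```

Run it as a normal user on the target host; any line reported as "vulnerable" means that package is still below the release that carries the CVE-2023-45322 fix for its branch.
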
Comment 3 Marja Van Waes 2023-10-12 11:53:47 CEST
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

CC: (none) => marja11
Keywords: (none) => advisory

Comment 4 Len Lawrence 2023-10-14 17:10:40 CEST
Mageia9, x86_64

Before updating, the PoC from https://gitlab.gnome.org/GNOME/libxml2/-/issues/583 fails with a segfault.  The upstream behaviour is to ABORT, but the test is run within an ASAN framework, which we cannot reproduce without destroying the integrity of the source (the testfiles would have to be recompiled with address sanitization built in).

After the update:
$ xmllint --copy --html --maxmem 315229 input.xml
[...]
Ran out of memory needs > 315229 bytes
Ran out of memory needs > 315229 bytes
input.xml:1361: parser error : out of memory error
  <graphic format="PNG"  fileref="figures/example_screenshot" srccredit="ME">

<and it hangs>
which may be an improvement.  Leaving that for others to judge.

Testing with xmllint as in previous tests.
$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>
$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

Checked a 538-line XML file used by vlc as a playlist for TV channels.
$ xmllint channels.xspf
That found no errors.

$ strace -o chromium.trace chromium-browser
Tried a couple of searches.
$ grep xml2 chromium.trace
openat(AT_FDCWD, "/usr/lib64/chromium-browser/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.10.4", O_RDONLY|O_CLOEXEC) = 96

Giving this the OK.

Whiteboard: MGA8TOO => MGA8TOO MGA9-64-OK
CC: (none) => tarazed25

PC LX 2023-10-16 12:32:21 CEST

CC: (none) => mageia

Comment 5 Thomas Andrews 2023-10-22 01:25:02 CEST
MGA8-64 Plasma in VirtualBox. No installation issues.

Tested according to the wiki, looks OK. Giving it an OK and validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: MGA8TOO MGA9-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: (none) => validated_update

Comment 6 Mageia Robot 2023-10-22 23:06:47 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0298.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED