Bug 32703

Summary: tinyxml new security issue CVE-2023-34194
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, marja11, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: tinyxml-2.6.2-14.mga9 CVE: CVE-2023-34194
Status comment:

Description Nicolas Salguero 2024-01-08 16:59:54 CET 
Fedora has issued an advisory today:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QCR5PIOBGDIDS6SYRESTMDJSEDFSCOE/

Mageia 9 is also affected.
Nicolas Salguero 2024-01-08 17:00:47 CET

CVE: (none) => CVE-2023-34194
Source RPM: (none) => tinyxml-2.6.2-14.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patch available from Fedora

Comment 1 Lewis Smith 2024-01-08 20:21:11 CET 
tinyxml is very seldom updated, and by different people; so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-01-12 11:58:57 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML through 2.6.2 has a reachable assertion (and application exit) via a crafted XML document with a '\0' located after whitespace. (CVE-2023-34194)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QCR5PIOBGDIDS6SYRESTMDJSEDFSCOE/
========================

Updated packages in core/updates_testing:
========================
lib(64)tinyxml0-2.6.2-14.1.mga9
lib(64)tinyxml-devel-2.6.2-14.1.mga9

from SRPM:
tinyxml-2.6.2-14.1.mga9.src.rpm

Status comment: Patch available from Fedora => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 9
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)

Marja Van Waes 2024-01-12 18:40:35 CET

CC: (none) => marja11
Source RPM: tinyxml-2.6.2-14.mga9.src.rpm => tinyxml-2.6.2-14.mga9

Comment 3 Marja Van Waes 2024-01-12 18:44:20 CET 
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

Keywords: (none) => advisory

Comment 4 Thomas Andrews 2024-01-17 18:33:27 CET 
Tested in VirtualBox, MGA9-64 Plasma.

Looking for previous updates, I found bug 29642. Taking Herman's lead but choosing a different application, I installed blobby, AKA Blobby Volley," an old-school volleyball game that reminds me of the Pong arcade game I first played in a tavern 50 years ago. 

After updating lib64tinyxml0 (no installation issues), I ran "strace -o blob.txt blobby" on the command line. The gui came up, and I visited a few screens, changed a few options, and played the game a bit against myself. I used the mouse for the right player, and the keyboard for the left. An interesting experience, showing I needed practice with both to become proficient.

I stopped the game before completion, exercised the option to save for replay, and closed it. Examining the resulting blob.txt file, I found one reference to "/lib64/libtinyxml.so.0" near the beginning.

Giving this an OK, and validating.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2024-01-18 00:52:54 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0014.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED