Bug 33184

Summary: libxml2 new security issue CVE-2024-25062
Product: Mageia
Reporter: Nicolas Salguero <nicolas.salguero>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, herman.viaene, sysadmin-bugs, tarazed25
Version: 9
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA9-64-OK
Source RPM: libxml2-2.10.4-1.2.mga9.src.rpm
CVE: CVE-2024-25062
Status comment:

Description Nicolas Salguero 2024-05-06 09:43:11 CEST
RedHat has issued an advisory on May 2:
https://lwn.net/Articles/972329/
Nicolas Salguero 2024-05-06 09:43:29 CEST

Source RPM: (none) => libxml2-2.10.4-1.2.mga9.src.rpm
CVE: (none) => CVE-2024-25062

Comment 1 Nicolas Salguero 2024-05-06 10:03:26 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. (CVE-2024-25062)

References:
https://lwn.net/Articles/972329/
========================

Updated packages in core/updates_testing:
========================
lib(64)xml2_2-2.10.4-1.3.mga9
lib(64)xml2-devel-2.10.4-1.3.mga9
libxml2-python3-2.10.4-1.3.mga9
libxml2-utils-2.10.4-1.3.mga9

from SRPM:
libxml2-2.10.4-1.3.mga9.src.rpm

Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
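A version-triage check for the affected range stated in the suggested advisory ("before 2.11.7 and 2.12.x before 2.12.5") and for the Mageia 9 fixed release listed above (2.10.4-1.3.mga9). This is an added example, not part of this bug report or of Mageia's tooling; it assumes Mageia release strings compare as dotted integer tuples, and it exists to show why a version-only scan would misreport the backported fix.

```python
"""Triage helper for CVE-2024-25062 (added example, not Mageia code).

Two checks: the upstream affected range from the advisory text, and the
Mageia 9 package release that carries the backported fix (from this bug).
A scanner that only looks at the upstream version string would flag
2.10.4-1.3.mga9 as vulnerable, which is wrong once the update is installed.
"""
import re

# Per-branch first fixed upstream release, from the advisory wording.
FIXED_UPSTREAM = {11: (2, 11, 7), 12: (2, 12, 5)}
# Mageia 9 fixed build from this bug: version 2.10.4, release 1.3.
MAGEIA9_FIXED_VERSION = (2, 10, 4)
MAGEIA9_FIXED_RELEASE = (1, 3)


def parse_version(text):
    """'2.10.4' -> (2, 10, 4); rejects anything that is not three integers."""
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected libxml2 version: {text!r}")
    return tuple(int(p) for p in parts)


def upstream_vulnerable(version):
    """True if an unpatched upstream libxml2 at `version` is in the affected range."""
    major, minor, patch = parse_version(version)
    if (major, minor) < (2, 11):
        return True  # every release before 2.11.7 is affected
    if major == 2 and minor in FIXED_UPSTREAM:
        return (major, minor, patch) < FIXED_UPSTREAM[minor]
    return False  # branches outside the advisory's stated range


def mageia9_vulnerable(nevr):
    """Check a Mageia 9 package name-version-release, e.g. 'libxml2-2.10.4-1.2.mga9'.

    Assumption: the release part compares as a tuple of integers ('1.2' < '1.3').
    """
    m = re.fullmatch(r"(.+?)-(\d+\.\d+\.\d+)-(\d+(?:\.\d+)*)\.mga9", nevr)
    if not m:
        raise ValueError(f"not a Mageia 9 package string: {nevr!r}")
    version = parse_version(m.group(2))
    release = tuple(int(x) for x in m.group(3).split("."))
    if version != MAGEIA9_FIXED_VERSION:
        # Different upstream base: no backport known here, use the upstream range.
        return upstream_vulnerable(m.group(2))
    return release < MAGEIA9_FIXED_RELEASE
```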

Comment 2 Herman Viaene 2024-05-06 15:22:14 CEST
MGA9-64 Plasma Wayland on HP Pavilion
No installation issues.
Ref bug 32364 for testing, but I don't have a vlc channel list.
$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>

$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

Ran chromium and that works OK.
Good to go AFAICS.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

katnatek 2024-05-07 03:22:31 CEST

CC: (none) => andrewsfarm

Comment 3 Thomas Andrews 2024-05-08 03:41:58 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Len Lawrence 2024-05-08 17:25:07 CEST

CC: (none) => tarazed25
Keywords: (none) => advisory

Comment 4 Mageia Robot 2024-05-09 04:42:10 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0172.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED