Bug 6025

Summary: libxml2 new security issue CVE-2011-3102
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, olivier.delaune, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/498212/
Whiteboard: mga2-64-OK, mga2-i586-OK, mga1-i586-OK, mga1-64-OK
Source RPM: libxml2-2.7.8-9.5.mga1.src.rpm CVE:
Status comment:
Attachments: libxml2-2.7.8-CVE-2011-3102.diff

Description David Walser 2012-05-22 21:20:08 CEST 
Ubuntu has issued an advisory on May 21:
http://www.ubuntu.com/usn/usn-1447-1/

Cauldron/Mageia 2 are also affected.

Patch is here:
http://launchpadlibrarian.net/105753006/libxml2_2.7.8.dfsg-5.1ubuntu4_2.7.8.dfsg-5.1ubuntu4.1.diff.gz
Comment 1 David Walser 2012-05-22 21:30:48 CEST 
Created attachment 2360 [details]
libxml2-2.7.8-CVE-2011-3102.diff

Adding the patch as an attachment.
Comment 2 David Walser 2012-05-28 03:04:26 CEST 
Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated libxml2 packages fix security vulnerabilities:

Juri Aedla discovered that libxml2 contained an off by one error in its
XPointer functionality. If a user or application linked against libxml2
were tricked into opening a specially crafted XML file, an attacker could
cause the application to crash or possibly execute arbitrary code with the
privileges of the user invoking the program (CVE-2011-3102).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3102
http://www.ubuntu.com/usn/usn-1447-1/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.7.8-9.6.mga1
libxml2-utils-2.7.8-9.6.mga1
libxml2-python-2.7.8-9.6.mga1
libxml2-devel-2.7.8-9.6.mga1
libxml2_2-2.7.8-14.20120229.2.mga2
libxml2-utils-2.7.8-14.20120229.2.mga2
libxml2-python-2.7.8-14.20120229.2.mga2
libxml2-devel-2.7.8-14.20120229.2.mga2

from SRPMS:
libxml2-2.7.8-9.6.mga1.src.rpm
libxml2-2.7.8-14.20120229.2.mga2.src.rpm

Assignee: bugsquad => qa-bugs

Comment 3 Olivier Delaune 2012-05-30 15:30:17 CEST 
Installed on Mageia 2, 64-bits. Everything seems to work fine. Is there any particular point to check to validate this package?

CC: (none) => olivier.delaune

Comment 4 claire robinson 2012-05-30 15:39:15 CEST 
It's great that you are helping Olivier, thankyou :)

We do have a page for this one on the wiki..

https://wiki.mageia.org/en/Testing_procedure_for_libxml2
Comment 5 Olivier Delaune 2012-05-30 16:27:44 CEST 
Ok, I have followed https://wiki.mageia.org/en/Testing_procedure_for_libxml2
and everything looks good. So I think these packages are validated for me.
Comment 6 claire robinson 2012-06-05 17:28:32 CEST 
Tested OK i586 mga2.

Adding some some bits to the whiteboard to help keep track.

Whiteboard: (none) => mga2-64-OK, mga2-i586-OK

Comment 7 Dave Hodgins 2012-06-05 21:49:37 CEST 
Testing i586 mga1 shortly.

CC: (none) => davidwhodgins

Comment 8 Dave Hodgins 2012-06-05 21:59:33 CEST 
Testing complete on i586 for Mageia 1 for the srpm
libxml2-2.7.8-9.6.mga1.src.rpm

Whiteboard: mga2-64-OK, mga2-i586-OK => mga2-64-OK, mga2-i586-OK, mga1-i586-OK

Comment 9 claire robinson 2012-06-06 15:36:29 CEST 
Tested OK mga1 x86_64

Validating

Please see comment for advisory and SRPM's

(Please note this bug contains updates for mga1 and mga2)

Could sysadmin please push both from core/updates_testing to core/updates.

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: mga2-64-OK, mga2-i586-OK, mga1-i586-OK => mga2-64-OK, mga2-i586-OK, mga1-i586-OK, mga1-64-OK

Comment 10 claire robinson 2012-06-06 15:37:11 CEST 
comment 2 for advisory and srpm's
Comment 11 Thomas Backlund 2012-06-10 13:39:28 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0111

CC: (none) => tmb
Status: NEW => RESOLVED
Resolution: (none) => FIXED