Bug 6985

Summary: libxml2 new security issue CVE-2012-2807
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: critical    
Priority: Normal CC: davidwhodgins, stormi-mageia, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: MGA1TOO has_procedure MGA2-32-OK MGA2-64-OK MGA1-32-OK MGA1-64-OK
Source RPM: libxml2 CVE:
Status comment:

Description David Walser 2012-08-08 14:24:36 CEST 
Mandriva has issued an advisory on August 6:
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:126
David Walser 2012-08-08 14:24:45 CEST

Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 1 David Walser 2012-08-08 16:50:21 CEST 
Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

Multiple integer overflows in libxml2, on 64-bit Linux platforms
allow remote attackers to cause a denial of service or possibly have
unspecified other impact via unknown vectors (CVE-2012-2807).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2807
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:126
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.7.8-9.7.mga1
libxml2-utils-2.7.8-9.7.mga1
libxml2-python-2.7.8-9.7.mga1
libxml2-devel-2.7.8-9.7.mga1
libxml2_2-2.7.8-14.20120229.3.mga2
libxml2-utils-2.7.8-14.20120229.3.mga2
libxml2-python-2.7.8-14.20120229.3.mga2
libxml2-devel-2.7.8-14.20120229.3.mga2

from SRPMS:
libxml2-2.7.8-9.7.mga1.src.rpm
libxml2-2.7.8-14.20120229.3.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 2 Samuel Verschelde 2012-08-08 20:33:33 CEST 
I haven't found any POCs, so let's test for regressions. We've got a testing procedure in the wiki: https://wiki.mageia.org/en/QA_procedure:Libxml2

CC: (none) => stormi
Whiteboard: MGA1TOO => MGA1TOO has_procedure

David Walser 2012-08-08 22:40:55 CEST

Severity: normal => critical

Comment 3 Dave Hodgins 2012-08-09 01:34:03 CEST 
Testing complete on Mageia 2 i586.  I'll test 2 x86-64 shortly.

CC: (none) => davidwhodgins
Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure MGA2-32-OK

Comment 4 Dave Hodgins 2012-08-09 01:49:02 CEST 
Testing complete on Mageia 2 x86-64.  Testing Mageia 1 i586 shortly.

Whiteboard: MGA1TOO has_procedure MGA2-32-OK => MGA1TOO has_procedure MGA2-32-OK MGA2-64-OK

Comment 5 Dave Hodgins 2012-08-09 01:55:01 CEST 
Testing complete on Mageia 1 i586.  Testing 1 x86-64 shortly.

Whiteboard: MGA1TOO has_procedure MGA2-32-OK MGA2-64-OK => MGA1TOO has_procedure MGA2-32-OK MGA2-64-OK MGA1-32-OK

Comment 6 Dave Hodgins 2012-08-09 02:01:05 CEST 
Testing complete on Mageia 1 x86-64.

Could someone from the sysadmin team push the srpm
libxml2-2.7.8-14.20120229.3.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
libxml2-2.7.8-9.7.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated libxml2 packages fix security vulnerability:

Multiple integer overflows in libxml2, on 64-bit Linux platforms
allow remote attackers to cause a denial of service or possibly have
unspecified other impact via unknown vectors (CVE-2012-2807).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2807
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:126

https://bugs.mageia.org/show_bug.cgi?id=6985

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure MGA2-32-OK MGA2-64-OK MGA1-32-OK => MGA1TOO has_procedure MGA2-32-OK MGA2-64-OK MGA1-32-OK MGA1-64-OK

Comment 7 Thomas Backlund 2012-08-12 21:28:59 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0213

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED