Bug 8248

Summary: libxml2 new security issue CVE-2012-5134
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: critical    
Priority: Normal CC: oe, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/527719/
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-32-OK mga2-64-OK
Source RPM: libxml2 CVE:
Status comment:

Description David Walser 2012-11-30 14:04:28 CET 
RedHat has issued an advisory on November 29:
https://rhn.redhat.com/errata/RHSA-2012-1512.html
David Walser 2012-11-30 14:04:40 CET

Whiteboard: (none) => MGA2TOO, MGA1TOO

David Walser 2012-11-30 14:04:47 CET

CC: (none) => oe

Comment 1 David Walser 2012-11-30 16:30:11 CET 
Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

Heap-based buffer underflow, in the xmlParseAttValueComplex function in
parser.c in libxml2 2.9.0 and earlier, allows remote attackers to cause a
denial of service or possibly execute arbitrary code via crafted entities
in an XML document (CVE-2012-5134).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5134
https://rhn.redhat.com/errata/RHSA-2012-1512.html
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.7.8-9.8.mga1
libxml2-utils-2.7.8-9.8.mga1
libxml2-python-2.7.8-9.8.mga1
libxml2-devel-2.7.8-9.8.mga1
libxml2_2-2.7.8-14.20120229.4.mga2
libxml2-utils-2.7.8-14.20120229.4.mga2
libxml2-python-2.7.8-14.20120229.4.mga2
libxml2-devel-2.7.8-14.20120229.4.mga2

from SRPMS:
libxml2-2.7.8-9.8.mga1.src.rpm
libxml2-2.7.8-14.20120229.4.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Severity: major => critical

Comment 2 David Walser 2012-11-30 16:31:26 CET 
Testing procedure here:
https://wiki.mageia.org/en/QA_procedure:Libxml2
David Walser 2012-11-30 16:32:38 CET

Whiteboard: MGA1TOO => MGA1TOO has_procedure

Comment 3 claire robinson 2012-11-30 16:56:06 CET 
Testing complete mga2 32

Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure mga2-32-OK

Comment 4 claire robinson 2012-11-30 17:19:05 CET 
Testing complete mga1 32 & 64 and Mga2 64

Validating

SRPMs and advisory in comment 1

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure mga2-32-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-32-OK mga2-64-OK

David Walser 2012-11-30 20:15:28 CET

URL: (none) => http://lwn.net/Vulnerabilities/527719/

Comment 5 Thomas Backlund 2012-11-30 23:31:55 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0350

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED