Bug 9228

Summary: libxml2 new security issue CVE-2013-0338
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: oe, sysadmin-bugs, tmb, wrw105
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/540757/
Whiteboard: has_procedure MGA2-64-ok MGA2-32-OK
Source RPM: libxml2-2.7.8-14.20120229.4.mga2.src.rpm CVE:
Status comment:

Description David Walser 2013-03-01 17:21:06 CET 
RedHat has issued an advisory on February 28:
https://rhn.redhat.com/errata/RHSA-2013-0581.html

Patched packages uploaded for Mageia 2 and Cauldron.

Patch checked into Mageia 1 SVN.

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

A denial of service flaw was found in the way libxml2 performed string
substitutions when entity values for entity references replacement was
enabled. A remote attacker could provide a specially-crafted XML file that,
when processed by an application linked against libxml2, would lead to
excessive CPU consumption (CVE-2013-0338).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0338
https://rhn.redhat.com/errata/RHSA-2013-0581.html
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.7.8-14.20120229.5.mga2
libxml2-utils-2.7.8-14.20120229.5.mga2
libxml2-python-2.7.8-14.20120229.5.mga2
libxml2-devel-2.7.8-14.20120229.5.mga2

from libxml2-2.7.8-14.20120229.5.mga2.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 claire robinson 2013-03-01 17:23:45 CET 
https://wiki.mageia.org/en/QA_procedure:Libxml2

Whiteboard: (none) => has_procedure

Comment 2 Bill Wilkinson 2013-03-02 17:09:54 CET 
tested mga2-64
python test and xml utils testing  All tested OK per the wiki procedure.

No PoC found on securityfocus.

CC: (none) => wrw105
Whiteboard: has_procedure => has_procedure MGA2-64-ok

Comment 3 Bill Wilkinson 2013-03-02 18:17:30 CET 
tested mga2-32
Python test and xml utils testing All tested OK per the wiki procedure

Validating

Can someone from the sysadmin team please push from core/updates_testing to core/updates?

Thanks!

Whiteboard: has_procedure MGA2-64-ok => has_procedure MGA2-64-ok MGA2-32-OK Validated-update

Bill Wilkinson 2013-03-02 18:20:25 CET

Whiteboard: has_procedure MGA2-64-ok MGA2-32-OK Validated-update => has_procedure MGA2-64-ok MGA2-32-OK Validated_update

Bill Wilkinson 2013-03-02 18:21:40 CET

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA2-64-ok MGA2-32-OK Validated_update => has_procedure MGA2-64-ok MGA2-32-OK

Comment 4 David Walser 2013-03-02 18:23:46 CET 
This has been validated (in Comment 3).  Advisory and SRPM in Comment 0.

CC: (none) => sysadmin-bugs

Comment 5 Thomas Backlund 2013-03-03 01:13:08 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0085

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 6 Oden Eriksson 2013-03-04 15:04:44 CET 
FYI. This was discussed on oss-sec:

http://seclists.org/oss-sec/2013/q1/391

CC: (none) => oe

Comment 7 David Walser 2013-03-04 22:09:32 CET 
Oden, do we need to take further action for CVE-2013-0339,0340,0341?
Comment 8 Oden Eriksson 2013-03-05 12:10:47 CET 
I think you should check which patches are applied to the RHEL6 package, which is quite a few. The redhat bug doesn't expose much, neither does the patches.

As for Mandriva MES5 I'm considering using their version + patches, which means a bump from 2.7.1 to 2.7.6. YUCK!

I think they silently fixed CVE-2013-0339 in RHEL6, maybe even dates back to july 2012(!).

As for the expat patches I found no further info, yet.
Comment 9 Oden Eriksson 2013-04-26 08:20:30 CEST 
======================================================
Name: CVE-2013-0338
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0338
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121206
Category: 
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=912400
Reference: CONFIRM:https://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab
Reference: MANDRIVA:MDVSA-2013:056
Reference: URL:http://www.mandriva.com/security/advisories?name=MDVSA-2013:056
Reference: SUSE:openSUSE-SU-2013:0552
Reference: URL:http://lists.opensuse.org/opensuse-updates/2013-03/msg00112.html
Reference: SUSE:openSUSE-SU-2013:0555
Reference: URL:http://lists.opensuse.org/opensuse-updates/2013-03/msg00114.html
Reference: UBUNTU:USN-1782-1
Reference: URL:http://www.ubuntu.com/usn/USN-1782-1

libxml2 2.9.0 and earlier allows context-dependent attackers to cause
a denial of service (CPU and memory consumption) via an XML file
containing an entity declaration with long replacement text and many
references to this entity, aka "internal entity expansion" with linear
complexity.