Bug 10774 - libxml2 new security issue CVE-2013-2877
: libxml2 new security issue CVE-2013-2877
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/558924/
: MGA2TOO has_procedure mga2-64-ok mga2...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-07-15 23:33 CEST by David Walser
Modified: 2014-05-08 18:05 CEST (History)
1 user (show)

See Also:
Source RPM: libxml2-2.9.0-5.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-07-15 23:33:21 CEST
Ubuntu has issued an advisory today (July 15):
http://www.ubuntu.com/usn/usn-1904-1/

Cauldron is not affected, as it was fixed in 2.9.1 (as noted by Ubuntu).

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

It was discovered that libxml2 incorrectly handled documents that end
abruptly. If a user or automated system were tricked into opening a
specially crafted document, an attacker could possibly cause libxml2 to
crash, resulting in a denial of service (CVE-2013-2877).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2877
http://www.ubuntu.com/usn/usn-1904-1/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.7.8-14.20120229.7.mga2
libxml2-utils-2.7.8-14.20120229.7.mga2
libxml2-python-2.7.8-14.20120229.7.mga2
libxml2-devel-2.7.8-14.20120229.7.mga2
libxml2_2-2.9.0-5.2.mga3
libxml2-utils-2.9.0-5.2.mga3
libxml2-python-2.9.0-5.2.mga3
libxml2-devel-2.9.0-5.2.mga3

from SRPMS:
libxml2-2.7.8-14.20120229.7.mga2.src.rpm
libxml2-2.9.0-5.2.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 Samuel Verschelde 2013-07-16 10:31:55 CEST
I haven't found a POC. We have a procedure for libxml2

https://wiki.mageia.org/en/QA_procedure:Libxml2

You can also search for previous updates of libxml2 to see what people tested.
Comment 2 David Walser 2013-07-16 16:07:09 CEST
I messed up the CVE name in the source for the Mageia 2 update.  It's rebuilt.

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

It was discovered that libxml2 incorrectly handled documents that end
abruptly. If a user or automated system were tricked into opening a
specially crafted document, an attacker could possibly cause libxml2 to
crash, resulting in a denial of service (CVE-2013-2877).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2877
http://www.ubuntu.com/usn/usn-1904-1/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.7.8-14.20120229.8.mga2
libxml2-utils-2.7.8-14.20120229.8.mga2
libxml2-python-2.7.8-14.20120229.8.mga2
libxml2-devel-2.7.8-14.20120229.8.mga2
libxml2_2-2.9.0-5.2.mga3
libxml2-utils-2.9.0-5.2.mga3
libxml2-python-2.9.0-5.2.mga3
libxml2-devel-2.9.0-5.2.mga3

from SRPMS:
libxml2-2.7.8-14.20120229.8.mga2.src.rpm
libxml2-2.9.0-5.2.mga3.src.rpm
Comment 3 claire robinson 2013-07-16 17:56:02 CEST
Testing complete mga2 64

No public PoC that I can find so just testing with our procedure.
Comment 4 claire robinson 2013-07-18 14:08:48 CEST
Testing complete mga2 32
Comment 5 claire robinson 2013-07-18 14:12:52 CEST
Testing complete mga3 64
Comment 6 claire robinson 2013-07-18 14:15:15 CEST
Testing complete mga3 32
Comment 7 claire robinson 2013-07-18 14:21:31 CEST
Validating. Advisory from comment 2 uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!
Comment 8 Nicolas Vigier 2013-07-21 11:37:51 CEST
http://advisories.mageia.org/MGASA-2013-0218.html

Note You need to log in before you can comment on or make changes to this bug.