Bug 14315 - libxml2 new security issue CVE-2014-3660
Summary: libxml2 new security issue CVE-2014-3660
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/616707/
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-10-17 14:45 CEST by David Walser
Modified: 2014-10-23 15:28 CEST
CC List: 4 users

See Also:
Source RPM: libxml2-2.9.1-2.1.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-10-17 14:45:40 CEST
RedHat has issued an advisory on October 16:
https://rhn.redhat.com/errata/RHSA-2014-1655.html

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated openssl packages fix security vulnerability:

A denial of service flaw was found in libxml2, a library providing support
to read, modify and write XML and HTML files. A remote attacker could
provide a specially crafted XML file that, when processed by an application
using libxml2, would lead to excessive CPU consumption (denial of service)
based on excessive entity substitutions, even if entity substitution was
disabled, which is the parser default behavior (CVE-2014-3660).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660
https://rhn.redhat.com/errata/RHSA-2014-1655.html
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.0-5.4.mga3
libxml2-utils-2.9.0-5.4.mga3
libxml2-python-2.9.0-5.4.mga3
libxml2-devel-2.9.0-5.4.mga3
libxml2_2-2.9.1-2.2.mga4
libxml2-utils-2.9.1-2.2.mga4
libxml2-python-2.9.1-2.2.mga4
libxml2-devel-2.9.1-2.2.mga4

from SRPMS:
libxml2-2.9.0-5.4.mga3.src.rpm
libxml2-2.9.1-2.2.mga4.src.rpm

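The advisory above describes a document that drives libxml2 into excessive entity substitution. The real fix is the updated library packages listed in this bug; as an added defence-in-depth example (not code from Mageia, Red Hat or the libxml2 project), the Python check below estimates how much text the entity references in a document would produce and refuses to hand the document to an XML parser when that estimate is out of proportion. The thresholds, the helper names and the three sample documents are assumptions constructed for this illustration; only internal general entities in the DOCTYPE internal subset are counted.

```python
"""Application-side pre-parse check for entity-expansion XML.
Added example, not Mageia, Red Hat or libxml2 code."""
import re

# Internal general entity declarations in the DOCTYPE internal subset,
# e.g. <!ENTITY a "text">. Parameter entities (% name) and external
# entities (SYSTEM/PUBLIC) deliberately do not match and are not counted.
ENTITY_DECL = re.compile(
    r'<!ENTITY\s+([A-Za-z_:][\w.:-]*)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&([A-Za-z_:][\w.:-]*);')
DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.DOTALL)


def split_internal_subset(xml_text):
    """Return ({entity name: replacement text}, document body after the DOCTYPE)."""
    m = DOCTYPE.search(xml_text)
    if not m:
        return {}, xml_text
    entities = {}
    for name, dq, sq in ENTITY_DECL.findall(m.group(1)):
        entities.setdefault(name, dq or sq)   # XML rule: first declaration wins
    return entities, xml_text[m.end():]


def expansion_sizes(entities, limit):
    """Fully expanded length of each entity, stopping early once `limit` is passed.
    A self-referencing entity is reported as infinite: XML forbids it, and a
    parser that followed the reference anyway would never terminate."""
    cache = {}

    def size(name, active):
        if name in cache:
            return cache[name]
        if name in active:
            return float('inf')
        text = entities.get(name)
        if text is None:
            return 1            # predefined (&amp; etc.) or undeclared: a few bytes at most
        active.add(name)
        total, pos = 0, 0
        for ref in ENTITY_REF.finditer(text):
            total += ref.start() - pos + size(ref.group(1), active)
            pos = ref.end()
            if total > limit:   # already over budget; no need to finish this entity
                break
        total += len(text) - pos
        active.discard(name)
        cache[name] = total
        return total

    return {name: size(name, set()) for name in entities}


def check_document(xml_text, max_expansion=10_000_000, max_ratio=10):
    """Decide whether a document should be handed to the XML parser at all.

    Thresholds are assumptions for this example: reject when the text produced
    by entity references in the body would exceed `max_expansion` bytes, or
    would be more than `max_ratio` times the size of the document itself."""
    entities, body = split_internal_subset(xml_text)
    sizes = expansion_sizes(entities, max_expansion)
    expansion = sum(sizes.get(ref.group(1), 1) for ref in ENTITY_REF.finditer(body))
    ratio = expansion / max(len(xml_text), 1)
    if expansion > max_expansion:
        return {"ok": False, "reason": "expansion exceeds byte budget", "expansion": expansion}
    if ratio > max_ratio:
        return {"ok": False, "reason": "expansion ratio %.1f exceeds %d" % (ratio, max_ratio),
                "expansion": expansion}
    return {"ok": True, "reason": "", "expansion": expansion}


# Constructed sample inputs (not taken from the advisory): a benign document,
# a document whose nested entities expand far beyond its own size, and a
# self-referencing entity that a naive expander would loop on.
BENIGN = """<?xml version="1.0"?>
<!DOCTYPE note [
 <!ENTITY org "Example Corp">
]>
<note><from>&org;</from><to>&org;</to></note>"""

NESTED = """<?xml version="1.0"?>
<!DOCTYPE r [
 <!ENTITY a "xxxxxxxxxx">
 <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
 <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
 <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<r>&d;</r>"""

RECURSIVE = '<!DOCTYPE r [ <!ENTITY x "&x;"> ]><r>&x;</r>'

if __name__ == "__main__":
    for label, doc in ("benign", BENIGN), ("nested", NESTED), ("recursive", RECURSIVE):
        print(label, check_document(doc))
```

The check is a heuristic pre-filter, not a replacement for a patched parser: it measures only what internal entity declarations could produce, so a document that is rejected here never reaches libxml2, while anything it passes is still parsed by the library with whatever limits the library itself enforces.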
Comment 1 David Walser 2014-10-17 14:45:54 CEST
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Libxml2

Whiteboard: (none) => MGA3TOO has_procedure

David Walser 2014-10-17 18:22:48 CEST

URL: (none) => http://lwn.net/Vulnerabilities/616707/

Comment 2 David Walser 2014-10-18 00:57:53 CEST
Tested successfully using the procedure on Mageia 3 i586 and Mageia 4 i586.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK

Comment 3 Len Lawrence 2014-10-18 11:16:02 CEST
Using the same procedure, tested fine on Mageia 4 x86_64.

CC: (none) => tarazed25

Len Lawrence 2014-10-18 11:16:30 CEST

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK

Comment 4 olivier charles 2014-10-21 19:15:23 CEST
Testing on Mageia 3-64, hardware

Tested with current packages and then with updates-testing following procedure in comment 1:

- lib64xml2_2-2.9.0-5.4.mga3.x86_64
- libxml2-devel-2.9.0-5.4.mga3.i586
- libxml2-python-2.9.0-5.4.mga3.x86_64
- libxml2-utils-2.9.0-5.4.mga3.x86_64
- libxml2_2-2.9.0-5.4.mga3.i586

All went well.

CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 5 Rémi Verschelde 2014-10-23 11:09:54 CEST
Advisory uploaded. Validating update, please push to 3 & 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 6 Mageia Robot 2014-10-23 15:28:39 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0418.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
