A CVE has been assigned for a denial of service issue since fixed in libxml2:
http://openwall.com/lists/oss-security/2015/11/02/4

Patched packages uploaded for Mageia 5 and Cauldron.

Note that the PoC file is attached here:
http://seclists.org/oss-sec/2015/q4/206

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

A denial of service in libxml2 when parsing a specially crafted XML file if XZ support is enabled may cause applications to hang as the parsing never terminates (CVE-2015-8035).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8035
http://openwall.com/lists/oss-security/2015/11/02/4
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.1-11.3.mga5
libxml2-utils-2.9.1-11.3.mga5
libxml2-python-2.9.1-11.3.mga5
libxml2-devel-2.9.1-11.3.mga5

from libxml2-2.9.1-11.3.mga5.src.rpm

Reproducible:

Steps to Reproduce:
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Libxml2

Also note the PoC linked in Comment 0.
Whiteboard: (none) => has_procedure
Tested the general procedure on Mageia 5 i586, verified OK.

Confirmed the infinite loop in the PoC before the update. After the update it errors out with:

$ xmllint test.xz
test.xz:1: parser error : Document is empty

^
test.xz:1: parser error : Start tag expected, '<' not found

^
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Trying this on x86_64.

First tried reproducing the PoC before the update.

$ gdb --quiet --args xmllint test.xz
Reading symbols from xmllint...Reading symbols from /home/lcl/Downloads/xmllint...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install libxml2-utils-2.9.1-11.2.mga5.x86_64
(gdb) q

So forget that...

$ xmllint test.xz
^C

It hangs there forever until a Ctrl-C.

strace produces several lines of output before the hang. It shows that the test file is opened and a couple of read operations performed and then nothing.

stat("test.xz", {st_mode=S_IFREG|0644, st_size=28, ...}) = 0
stat("test.xz", {st_mode=S_IFREG|0644, st_size=28, ...}) = 0
stat("test.xz", {st_mode=S_IFREG|0644, st_size=28, ...}) = 0
open("test.xz", O_RDONLY) = 3
lseek(3, 0, SEEK_CUR) = 0
getcwd("/home/lcl/Downloads", 1024) = 20
read(3, "\v\0\2\0\0\0\0\0\0@\0\0\0\0\20\20\20\20\20\20\20\20\0\0\377\377\0\0", 8192) = 28
read(3, "", 8164) = 0

Presumably this is a successful PoC.
CC: (none) => tarazed25
After the update:

$ xmllint test.xz
test.xz:1: parser error : Document is empty

^
test.xz:1: parser error : Start tag expected, '<' not found

^

Created the files indicated in the testing procedure and ran the preliminary tests:

[lcl@vega ~]$ python testxml.py
Tested OK
[lcl@vega ~]$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>
[lcl@vega ~]$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>
[lcl@vega ~]$ sudo urpmi chromium-browser

The chromium-browser test seemed to come a bit unstuck:

[lcl@vega ~]$ strace -o strace.out chromium-browser
[2879:2879:1104/142117:ERROR:whitelist.cc(61)] Component extension with id nmmhkkegccagdldgiimedpiccmgmieda not in whitelist and is not being loaded as a result.
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
[2879:2879:1104/142122:ERROR:navigation_entry_screenshot_manager.cc(141)] Invalid entry with unique id: 1
[lcl@vega ~]$ grep xml strace.out
open("/usr/lib64/chromium-browser/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("tls/x86_64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("tls/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("x86_64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libxml2.so.2.9.1", O_RDONLY) = 3
read(14, "<?xml version=\"1.0\"?>\n<!DOCTYPE "..., 8192) = 5553

then a succession of read messages.

libpng warnings often crop up and can probably be ignored but I am puzzled by the missing files messages. The output differs from what is expected.
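The before/after checks in the two testing comments above both rely on noticing by hand that xmllint "hangs there forever until a Ctrl-C" before the update and prints "parser error" after it. The following is an added example, not part of the Mageia QA wiki procedure or of libxml2, of a small harness that runs the parser under a wall-clock timeout and classifies the outcome as hung, rejected or ok, so a hang of this kind fails a regression run instead of blocking it. It assumes xmllint is on PATH and that the file to check is supplied on the command line; the script name check_xz_dos.py is an assumed one.

```python
"""QA harness for hang-type parser bugs such as CVE-2015-8035.

Added example for this bug's testing procedure; it is not code from the
Mageia QA wiki or from libxml2. It runs a parser command on one input file
under a wall-clock limit and reports whether the command hung, exited with
an error (xmllint's "parser error" case after the fix) or parsed the input.
"""
import subprocess
import sys

# Outcome labels returned by check_terminates().
HUNG = "hung"          # still running when the limit expired; child was killed
REJECTED = "rejected"  # exited non-zero, e.g. xmllint reporting "parser error"
OK = "ok"              # exited zero


def check_terminates(cmd, timeout=5.0):
    """Run cmd (argv list) with a wall-clock limit of `timeout` seconds.

    Returns (outcome, exit_code, stderr_text); exit_code is None on a hang.
    The child is killed on timeout, so a parser stuck in an infinite loop
    does not hold up the rest of a QA run the way the pre-fix xmllint did.
    """
    try:
        proc = subprocess.run(
            cmd,
            stdin=subprocess.DEVNULL,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.PIPE,
            timeout=timeout,
            check=False,
        )
    except subprocess.TimeoutExpired as exc:
        # subprocess.run has already killed the child; keep whatever it wrote
        # to stderr before the limit was reached (may be None).
        err = exc.stderr.decode(errors="replace") if exc.stderr else ""
        return HUNG, None, err
    err = proc.stderr.decode(errors="replace")
    return (OK if proc.returncode == 0 else REJECTED), proc.returncode, err


def xmllint_verdict(path, timeout=5.0):
    """Classify one input file with xmllint (assumed to be on PATH).

    For the crafted .xz input from this bug the expected results are HUNG
    before the libxml2 update and REJECTED with "parser error" on stderr
    after it; a well-formed document yields OK.
    """
    return check_terminates(["xmllint", path], timeout)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        raise SystemExit("usage: python check_xz_dos.py <file> [timeout_seconds]")
    limit = float(sys.argv[2]) if len(sys.argv) > 2 else 5.0
    outcome, code, err = xmllint_verdict(sys.argv[1], limit)
    print(f"{sys.argv[1]}: {outcome} (exit={code})")
    if err:
        print(err.rstrip())
    # The harness itself fails only on a hang, which is the regression this
    # update is meant to fix; a parser error on the crafted input is the
    # expected post-fix behaviour.
    sys.exit(1 if outcome == HUNG else 0)
```

Running it as `python check_xz_dos.py test.xz 5` on the PoC file should print `test.xz: hung (exit=None)` on an unpatched libxml2-utils and `test.xz: rejected (exit=1)` followed by the two "parser error" lines once 2.9.1-11.3.mga5 is installed. The timeout is the only thing that distinguishes "hung" from "slow", so pick it generously for large legitimate inputs.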
Len, your tests look fine.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0433.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/663515/