CVEs were assigned for two buffer overread issues in libxml2 today (November 18):
http://openwall.com/lists/oss-security/2015/11/18/23

The first, CVE-2015-8241, has been fixed upstream in git, and I've committed the patch to our SVN. The second issue, CVE-2015-8242, has not been fixed yet.
libxml2 2.9.3 has been released, fixing all of the issues we have patches for, fixing regressions caused by a couple of the patches, fixing the issues in this bug, and additionally fixing some previously unannounced (AFAIK) CVEs.

Upgrading to 2.9.3 fixes:
CVE-2015-5312
CVE-2015-7497
CVE-2015-7498
CVE-2015-7499
CVE-2015-7500
CVE-2015-8241
CVE-2015-8242

Updating to 2.9.3...
Summary: libxml2 new security issues CVE-2015-8241 and CVE-2015-8242 => libxml2 new security issues CVE-2015-5312, CVE-2015-749[7-9], CVE-2015-7500, CVE-2015-824[12]
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Libxml2

Advisory:
========================

Updated libxml2 packages fix security vulnerabilities:

In libxml2 before 2.9.3, one case where when dealing with entities expansion, it failed to exit, leading to a denial of service (CVE-2015-5312).

In libxml2 before 2.9.3, it was possible to hit a negative offset in the name indexing used to randomize the dictionary key generation, causing a heap buffer overflow in xmlDictComputeFastQKey (CVE-2015-7497).

In libxml2 before 2.9.3, after encoding conversion failures, the parser was continuing to process to extract more errors, which can potentially lead to unexpected behaviour (CVE-2015-7498).

In libxml2 before 2.9.3, the parser failed to detect a case where the current pointer to the input was out of range, leaving it in an incoherent state (CVE-2015-7499).

In libxml2 before 2.9.3, a memory access error could happen while processing a start tag due to incorrect entities boundaries (CVE-2015-7500).

In libxml2 before 2.9.3, a buffer overread in xmlNextChar due to extra processing of MarkupDecl after EOF has been reached (CVE-2015-8241).

In libxml2 before 2.9.3, stack-based buffer overread with HTML parser in push mode (CVE-2015-8242).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5312
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8242
http://openwall.com/lists/oss-security/2015/11/18/23
http://www.xmlsoft.org/news.html
========================

Updated packages in core/updates_testing:
========================

libxml2_2-2.9.3-1.mga5
libxml2-utils-2.9.3-1.mga5
libxml2-python-2.9.3-1.mga5
libxml2-devel-2.9.3-1.mga5

from libxml2-2.9.3-1.mga5.src.rpm
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure
MGA5-32 on Acer D620 Xfce

No installation issues.

Followed procedure as per Comment 2 and got at the CLI:

$ python testxml.py
Tested OK

$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>

$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

$ strace -o xml2.out chromium-browser
[3923:3923:1121/110925:ERROR:whitelist.cc(61)] Component extension with id nmmhkkegccagdldgiimedpiccmgmieda not in whitelist and is not being loaded as a result.

$ grep xml xml2.out
open("/usr/lib/chromium-browser/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("tls/i686/sse2/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("tls/i686/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("tls/sse2/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("tls/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("i686/sse2/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("i686/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("sse2/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
read(18, "<?xml version=\"1.0\"?>\n<!DOCTYPE "..., 8192) = 5553
read(20, "<?xml version=\"1.0\"?>\n<!DOCTYPE "..., 8192) = 221
and more of those lines

$ rpm -qif /usr/lib/libxml2.so.2
Name        : libxml2_2
Version     : 2.9.3
Release     : 1.mga5
Architecture: i586
Install Date: za 21 nov 2015 11:02:39 CET
Group       : System/Libraries
Size        : 1604488
License     : MIT
Signature   : RSA/SHA1, vr 20 nov 2015 16:48:12 CET, Key ID b742fa8b80420f66
Source RPM  : libxml2-2.9.3-1.mga5.src.rpm
Build Date  : vr 20 nov 2015 16:44:40 CET
Build Host  : rabbit.mageia.org
Relocations : (not relocatable)
Packager    : luigiwalser <luigiwalser>
Vendor      : Mageia.Org
URL         : http://www.xmlsoft.org/
Summary     : Shared libraries providing XML and HTML support
Description :
This library allows you to manipulate XML files. It includes support for reading, modifying and writing XML and HTML files. There is DTDs support: this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified.

Seems all OK
CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK
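As an added example (not part of this bug or of Mageia's QA procedure), a POSIX shell check that decides whether an installed libxml2 is at or past 2.9.3, the release the advisory above names as fixing the listed CVEs. It queries the libxml2_2 package with rpm as the test above does and otherwise falls back to xmllint; that xmllint --version prints a "using libxml version NNNNN" line is an assumption about that tool's output, and the numeric comparison is what keeps a future 2.9.10 from being misjudged as older than 2.9.3.

```shell
#!/bin/sh
# Added example (not from this bug or Mageia's QA procedure): is an installed libxml2 >= 2.9.3?
FIXED_VERSION="2.9.3"
# CVEs the advisory in this bug says 2.9.3 addresses.
FIXED_CVES="CVE-2015-5312 CVE-2015-7497 CVE-2015-7498 CVE-2015-7499 CVE-2015-7500 CVE-2015-8241 CVE-2015-8242 CVE-2015-8317"

# version_ge A B: succeed if dotted numeric version A >= B. Components compare as
# integers, so 2.9.10 ranks above 2.9.3 (a string compare would call it older).
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}; a=${a#*.}
        cb=${b%%.*}; b=${b#*.}
        ca=${ca:-0}; cb=${cb:-0}    # missing component counts as 0 (2.9 == 2.9.0)
        [ "$ca" -gt "$cb" ] && return 0
        [ "$ca" -lt "$cb" ] && return 1
    done
    return 0
}

# libxml2 encodes its version as one integer MMmmpp (20903 for 2.9.3), which is
# what xmllint --version reports; convert that to dotted form.
numeric_to_dotted() {
    printf '%d.%d.%d\n' "$(($1 / 10000))" "$(($1 / 100 % 100))" "$(($1 % 100))"
}

# check_libxml2 VERSION: print a verdict; status 0 = fixed, 1 = still affected.
check_libxml2() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "libxml2 $1: at or past $FIXED_VERSION, advisory CVEs addressed"
        return 0
    fi
    echo "libxml2 $1: older than $FIXED_VERSION, still affected by: $FIXED_CVES"
    return 1
}

# installed_version: ask rpm about libxml2_2 (the Mageia package name in this bug)
# first, then fall back to parsing xmllint's "using libxml version NNNNN" line
# (assumed output format); prints nothing if neither tool is available.
installed_version() {
    v=$(rpm -q --qf '%{VERSION}\n' libxml2_2 2>/dev/null) && { echo "$v"; return 0; }
    n=$(xmllint --version 2>&1 | sed -n 's/.*using libxml version \([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$n" ] && numeric_to_dotted "$n"
}

v=$(installed_version)
case "$v" in
    "") echo "libxml2 not found via rpm or xmllint" ;;
    *)  check_libxml2 "$v" || echo "(update libxml2 to $FIXED_VERSION or later)" ;;
esac
```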
One more CVE assignment for bugs fixed in 2.9.3:
http://openwall.com/lists/oss-security/2015/11/22/3

Advisory:
========================

Updated libxml2 packages fix security vulnerabilities:

In libxml2 before 2.9.3, one case where when dealing with entities expansion, it failed to exit, leading to a denial of service (CVE-2015-5312).

In libxml2 before 2.9.3, it was possible to hit a negative offset in the name indexing used to randomize the dictionary key generation, causing a heap buffer overflow in xmlDictComputeFastQKey (CVE-2015-7497).

In libxml2 before 2.9.3, after encoding conversion failures, the parser was continuing to process to extract more errors, which can potentially lead to unexpected behaviour (CVE-2015-7498).

In libxml2 before 2.9.3, the parser failed to detect a case where the current pointer to the input was out of range, leaving it in an incoherent state (CVE-2015-7499).

In libxml2 before 2.9.3, a memory access error could happen while processing a start tag due to incorrect entities boundaries (CVE-2015-7500).

In libxml2 before 2.9.3, a buffer overread in xmlNextChar due to extra processing of MarkupDecl after EOF has been reached (CVE-2015-8241).

In libxml2 before 2.9.3, stack-based buffer overread with HTML parser in push mode (CVE-2015-8242).

In libxml2 before 2.9.3, out of bounds heap reads could happen due to failure processing the encoding declaration of the XMLDecl in xmlParseEncodingDecl (CVE-2015-8317).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5312
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8317
http://openwall.com/lists/oss-security/2015/11/18/23
http://openwall.com/lists/oss-security/2015/11/22/3
http://www.xmlsoft.org/news.html
Validating. Advisory from comment 4 uploaded.

Please push to 5 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory MGA5-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0457.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/665976/
Summary: libxml2 new security issues CVE-2015-5312, CVE-2015-749[7-9], CVE-2015-7500, CVE-2015-824[12] => libxml2 new security issues CVE-2015-5312, CVE-2015-749[7-9], CVE-2015-7500, CVE-2015-824[12], CVE-2015-8317
This update also fixed CVE-2015-8710:
http://lwn.net/Vulnerabilities/672567/
http://www.ubuntu.com/usn/usn-2875-1/
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8710.html
Summary: libxml2 new security issues CVE-2015-5312, CVE-2015-749[7-9], CVE-2015-7500, CVE-2015-824[12], CVE-2015-8317 => libxml2 new security issues CVE-2015-5312, CVE-2015-749[7-9], CVE-2015-7500, CVE-2015-824[12], CVE-2015-8317, CVE-2015-8710