Information about security issues in libxml2 has been released today (May 3): http://openwall.com/lists/oss-security/2016/05/03/4 Proposed patches are included in the message above. Mageia 5 is also affected.
CVE request for an additional issue: http://openwall.com/lists/oss-security/2016/05/03/8
Whiteboard: (none) => MGA5TOO
(In reply to David Walser from comment #1)
> CVE request for an additional issue:
> http://openwall.com/lists/oss-security/2016/05/03/8

CVE-2016-4483: http://openwall.com/lists/oss-security/2016/05/04/7
Summary: libxml2 new security issues CVE-2016-3627 and CVE-2016-3705 => libxml2 new security issues CVE-2016-3627, CVE-2016-3705 and CVE-2016-4483
Assigning to all packagers collectively, since there is no maintainer for this package.
CC: (none) => makowski.mageia, marja11
Assignee: bugsquad => pkg-bugs
I will grab this one.
CC: (none) => lists.jjorge
Assignee: pkg-bugs => qa-bugs
In fact shlomif is the maintainer; I'll let him decide whether to wait for 2.9.4, which has been in RC1 for 3 days...
Status: NEW => ASSIGNED
Assignee: qa-bugs => shlomif
(In reply to José Jorge from comment #5)
> In fact shlomif is the maintainer,

Thanks for spotting that, I don't know why I erred.
openSUSE has issued an advisory for CVE-2016-3627 today (May 13): https://lists.opensuse.org/opensuse-updates/2016-05/msg00055.html
URL: (none) => http://lwn.net/Vulnerabilities/687398/
CVE-2016-4483 moved to Bug 18486.
Summary: libxml2 new security issues CVE-2016-3627, CVE-2016-3705 and CVE-2016-4483 => libxml2 new security issues CVE-2016-3627 and CVE-2016-3705
Patched packages uploaded for Mageia 5 and Cauldron.

Reproducer information attached to upstream bugs linked from:
http://openwall.com/lists/oss-security/2016/05/03/4

Advisory:
========================

Updated libxml2 packages fix security vulnerabilities:

When running in recovery mode, certain invalid XML documents would trigger an infinite recursion in libxml2 that ran until all stack space was exhausted. This vulnerability could have been used to facilitate a denial-of-service attack (CVE-2016-3627).

libxml2 limits the number of recursions an XML document can contain so as to protect against the "Billion Laughs" denial-of-service attack. Unfortunately, the underlying counter was not incremented properly in all necessary locations. Therefore, specially crafted XML documents could exhaust all available stack space and crash the XML parser without running into the recursion limit (CVE-2016-3705).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3627
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3705
http://openwall.com/lists/oss-security/2016/05/03/4
https://lists.opensuse.org/opensuse-updates/2016-05/msg00055.html
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.3-1.1.mga5
libxml2-utils-2.9.3-1.1.mga5
libxml2-python-2.9.3-1.1.mga5
libxml2-devel-2.9.3-1.1.mga5

from libxml2-2.9.3-1.1.mga5.src.rpm
CC: (none) => shlomif
Version: Cauldron => 5
Assignee: shlomif => qa-bugs
Whiteboard: MGA5TOO => has_procedure
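A toy model of the counter bug described in the CVE-2016-3705 advisory text above, added here as an illustration; it is not libxml2 code and not part of the original comments. The class, the limit of 40, and the choice of the attribute path as the one that misses the increment are assumptions made for the example.

```python
MAX_DEPTH = 40  # illustrative limit for this toy model, not libxml2's value

class EntityLoop(Exception):
    """Nesting guard tripped: reference loop or excessive depth."""

class Expander:
    """Toy entity expander with two entry points sharing one depth guard."""

    def __init__(self, entities, count_attr_path):
        self.entities = entities                # name -> replacement text
        self.count_attr_path = count_attr_path  # False models the missed increment
        self.depth = 0   # what the guard sees
        self.real = 0    # true nesting depth, tracked only for observation
        self.peak = 0    # deepest true nesting reached

    def content(self, text):
        return self._expand(text, counted=True)

    def attribute(self, text):
        return self._expand(text, counted=self.count_attr_path)

    def _expand(self, text, counted):
        out, i = [], 0
        while i < len(text):
            end = text.find(";", i) if text[i] == "&" else -1
            if end == -1:                       # ordinary character
                out.append(text[i])
                i += 1
            else:                               # "&name;" reference
                out.append(self._reference(text[i + 1:end], counted))
                i = end + 1
        return "".join(out)

    def _reference(self, name, counted):
        if self.depth >= MAX_DEPTH:             # the guard itself is correct
            raise EntityLoop(name)
        self.depth += int(counted)              # skipped on the uncounted path
        self.real += 1
        self.peak = max(self.peak, self.real)
        try:
            return self._expand(self.entities[name], counted)
        finally:
            self.real -= 1
            self.depth -= int(counted)

def chain(n):
    """Constructed sample: a1 -> a2 -> ... -> an -> 'x' (finite, no loop)."""
    ents = {"a%d" % k: "&a%d;" % (k + 1) for k in range(1, n)}
    ents["a%d" % n] = "x"
    return ents
```

With `count_attr_path=False` the attribute path nests 100 levels deep while the guard still reads zero; with `True` the same input is rejected at the limit, which is the behaviour the fixed packages show in the test report below.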
Tested on Mageia 5 i586.

Followed the general testing procedure and verified it was OK:
https://wiki.mageia.org/en/QA_procedure:Libxml2

Tested the PoC from here before the update:
http://openwall.com/lists/oss-security/2016/05/03/4
and reproduced the segfault.

Tested again after the update and it prints the following, with the first three (including the blank) lines repeated several times and then ends with the last line:

repo.xml:1: parser error : Detected an entity reference loop
9999;"><!ENTITY a29999 "&a30000;"><!ENTITY a30001 "&a1;">]> <bruces bogans="&a1;
^
repo.xml:1: parser error : Premature end of data in tag bruces line 1
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Correction: on i586 before the update the PoC causes an infinite loop, on x86_64 it causes a segfault.
I just determined that the python testcase here:
https://wiki.mageia.org/en/QA_procedure:Libxml2
uses expat instead of libxml2. Could someone update the wiki?

Here is a libxml2 version of the testxml.py program (I called it testxml2.py). It could be improved, but it does the job.

import libxml2

def getStatus(case):
    # Walk the element's attribute list and collect name/value pairs.
    prop = case.properties
    props = {}
    props['name'] = ""
    props['classname'] = ""
    props['status'] = ""
    while prop:
        props[prop.name] = prop.content
        prop = prop.next
    # Only the one test case of interest yields a status.
    if props['name'] == 'VHDL_BUILD_Passthrough' and props['classname'] == 'TestOne':
        return props['status']
    return None

x = libxml2.parseFile("testdata.xml")
# Iterating a node walks the tree below it; keep only <testcase> elements.
allcases = [c for c in x.children if c.name == 'testcase']
cases = [c for c in allcases if getStatus(c) is not None]
# print() with a single argument behaves the same on Python 2 and 3.
print(getStatus(cases[0]))
Fix confirmed on Mageia 5 x86_64 as well.
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
Thanks David for your tests and the new script. I will update the Wiki appropriately. Advisory to follow.
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0187.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
LWN reference for CVE-2016-3705: http://lwn.net/Vulnerabilities/688211/