Information about security issues in libxml2 has been released today (May 3):
Proposed patches are included in the message above.
Mageia 5 is also affected.
CVE request for an additional issue:
(In reply to David Walser from comment #1)
> CVE request for an additional issue:
libxml2 new security issues CVE-2016-3627 and CVE-2016-3705 =>
libxml2 new security issues CVE-2016-3627, CVE-2016-3705 and CVE-2016-4483
Assigning to all packagers collectively, since there is no maintainer for this package.
I will grab this one.
In fact shlomif is the maintainer; I'll let him decide whether to wait for 2.9.4, which has been in RC1 for 3 days...
(In reply to José Jorge from comment #5)
> In fact shlomif is the maintainer,
Thanks for spotting that, I don't know why I erred.
OpenSuSE has issued an advisory for CVE-2016-3627 today (May 13):
CVE-2016-4483 moved to Bug 18486.
libxml2 new security issues CVE-2016-3627, CVE-2016-3705 and CVE-2016-4483 =>
libxml2 new security issues CVE-2016-3627 and CVE-2016-3705
Patched packages uploaded for Mageia 5 and Cauldron.
Reproducer information attached to upstream bugs linked from:
Updated libxml2 packages fix security vulnerabilities:
When running in recovery mode, certain invalid XML documents would trigger an
infinite recursion in libxml2 that ran until all stack space was exhausted.
This vulnerability could have been used to facilitate a denial-of-service attack.
libxml2 limits the number of recursions an XML document can contain so as to
protect against the "Billion Laughs" denial-of-service attack. Unfortunately,
the underlying counter was not incremented properly in all necessary locations.
Therefore, specially crafted XML documents could exhaust all available stack
space and crash the XML parser without running into the recursion limit.
Updated packages in core/updates_testing:
Tested on Mageia 5 i586.
Followed the general testing procedure and verified it was OK:
Tested the PoC from here before the update:
and reproduced the segfault. Tested again after the update and it prints the following, with the first three (including the blank) lines repeated several times and then ends with the last line:
repo.xml:1: parser error : Detected an entity reference loop
9999;"><!ENTITY a29999 "&a30000;"><!ENTITY a30001 "&a1;">]> <bruces bogans="&a1;
repo.xml:1: parser error : Premature end of data in tag bruces line 1
Correction: on i586 before the update the PoC causes an infinite loop, on x86_64 it causes a segfault.
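The before/after check from the two test reports above (segfault on x86_64, infinite loop on i586, "Detected an entity reference loop" after the update) can be scripted. This is an added example, not part of the original thread; it assumes the parser is run as `xmllint --noout <file>` with a 30-second timeout, neither of which is stated in the report, and the function names are hypothetical.

```python
import signal
import subprocess
import sys

# Parser error quoted in the post-update test report above.
LOOP_MSG = "Detected an entity reference loop"


def classify(returncode, stderr, timed_out):
    """Map the outcome of one parser run to a verdict for the update test."""
    if timed_out:
        # Matches the i586 pre-update behaviour: the parser never returns.
        return "VULNERABLE: parser did not terminate"
    if returncode is not None and returncode < 0:
        # subprocess reports death by signal N as returncode -N.
        try:
            name = signal.Signals(-returncode).name
        except ValueError:
            name = "signal %d" % -returncode
        return "VULNERABLE: parser killed by " + name
    if LOOP_MSG in stderr:
        return "FIXED: recursion detected and rejected"
    return "INCONCLUSIVE: exit status %s, no loop error seen" % returncode


def check(xml_path, timeout=30, cmd=("xmllint", "--noout")):
    """Parse xml_path with the installed libxml2 and classify the result.

    cmd and timeout are assumptions of this example, not taken from the report.
    """
    try:
        proc = subprocess.run(list(cmd) + [xml_path],
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.PIPE,
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        # subprocess.run has already killed the child at this point.
        return classify(None, "", True)
    return classify(proc.returncode,
                    proc.stderr.decode("utf-8", "replace"), False)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, "->", check(path))
```

Run it once against the reproducer before installing the update and once after; the verdict should move from VULNERABLE to FIXED on both architectures.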
I just determined that the python testcase here:
uses expat instead of libxml2.
Could someone update the wiki?
Here is a libxml2 version of the testxml.py program (I called it testxml2.py). It could be improved, but it does the job.
prop = case.properties
if props['name'] == 'VHDL_BUILD_Passthrough' and props['classname'] == 'TestOne':
x = libxml2.parseFile("testdata.xml")
allcases=[c for c in x.children if c.name == 'testcase']
cases = [c for c in allcases if getStatus(c) != None]
Fix confirmed on Mageia 5 x86_64 as well.
has_procedure MGA5-32-OK =>
has_procedure MGA5-32-OK MGA5-64-OK
Thanks David for your tests and the new script. I will update the Wiki appropriately.
Advisory to follow.
has_procedure MGA5-32-OK MGA5-64-OK =>
has_procedure MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.
LWN reference for CVE-2016-3705: