Bug 18346 - libxml2 new security issues CVE-2016-3627 and CVE-2016-3705
Summary: libxml2 new security issues CVE-2016-3627 and CVE-2016-3705
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/687398/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-05-03 20:17 CEST by David Walser
Modified: 2016-05-20 18:08 CEST (History)
7 users

See Also:
Source RPM: libxml2-2.9.3-1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2016-05-03 20:17:09 CEST
Information about security issues in libxml2 has been released today (May 3):
http://openwall.com/lists/oss-security/2016/05/03/4

Proposed patches are included in the message above.

Mageia 5 is also affected.
Comment 1 David Walser 2016-05-03 20:17:58 CEST
CVE request for an additional issue:
http://openwall.com/lists/oss-security/2016/05/03/8

Whiteboard: (none) => MGA5TOO

Comment 2 David Walser 2016-05-04 11:38:32 CEST
(In reply to David Walser from comment #1)
> CVE request for an additional issue:
> http://openwall.com/lists/oss-security/2016/05/03/8

CVE-2016-4483:
http://openwall.com/lists/oss-security/2016/05/04/7

Summary: libxml2 new security issues CVE-2016-3627 and CVE-2016-3705 => libxml2 new security issues CVE-2016-3627, CVE-2016-3705 and CVE-2016-4483

Comment 3 Marja Van Waes 2016-05-04 19:46:10 CEST
Assigning to all packagers collectively, since there is no maintainer for this package.

CC: (none) => makowski.mageia, marja11
Assignee: bugsquad => pkg-bugs

Comment 4 José Jorge 2016-05-05 20:31:12 CEST
I will grab this one.

CC: (none) => lists.jjorge
Assignee: pkg-bugs => qa-bugs

Comment 5 José Jorge 2016-05-05 20:39:29 CEST
In fact shlomif is the maintainer; I'll let him decide whether he waits for 2.9.4, which has been in RC1 for 3 days...

Status: NEW => ASSIGNED
Assignee: qa-bugs => shlomif

Comment 6 Marja Van Waes 2016-05-05 21:09:44 CEST
(In reply to José Jorge from comment #5)
> In fact shlomif is the maintainer,

Thanks for spotting that, I don't know why I erred
Comment 7 David Walser 2016-05-13 18:30:59 CEST
OpenSuSE has issued an advisory for CVE-2016-3627 today (May 13):
https://lists.opensuse.org/opensuse-updates/2016-05/msg00055.html

URL: (none) => http://lwn.net/Vulnerabilities/687398/

Comment 8 David Walser 2016-05-18 23:05:19 CEST
CVE-2016-4483 moved to Bug 18486.

Summary: libxml2 new security issues CVE-2016-3627, CVE-2016-3705 and CVE-2016-4483 => libxml2 new security issues CVE-2016-3627 and CVE-2016-3705

Comment 9 David Walser 2016-05-18 23:08:56 CEST
Patched packages uploaded for Mageia 5 and Cauldron.

Reproducer information attached to upstream bugs linked from:
http://openwall.com/lists/oss-security/2016/05/03/4

Advisory:
========================

Updated libxml2 packages fix security vulnerabilities:

When running in recovery mode, certain invalid XML documents would trigger an
infinite recursion in libxml2 that ran until all stack space was exhausted.
This vulnerability could have been used to facilitate a denial-of-service attack
(CVE-2016-3627).

libxml2 limits the number of recursions an XML document can contain so as to
protect against the "Billion Laughs" denial-of-service attack. Unfortunately,
the underlying counter was not incremented properly in all necessary locations.
Therefore, specially crafted XML documents could exhaust all available stack
space and crash the XML parser without running into the recursion limit
(CVE-2016-3705).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3627
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3705
http://openwall.com/lists/oss-security/2016/05/03/4
https://lists.opensuse.org/opensuse-updates/2016-05/msg00055.html
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.3-1.1.mga5
libxml2-utils-2.9.3-1.1.mga5
libxml2-python-2.9.3-1.1.mga5
libxml2-devel-2.9.3-1.1.mga5

from libxml2-2.9.3-1.1.mga5.src.rpm

CC: (none) => shlomif
Version: Cauldron => 5
Assignee: shlomif => qa-bugs
Whiteboard: MGA5TOO => has_procedure

Comment 10 David Walser 2016-05-19 05:16:00 CEST
Tested on Mageia 5 i586.

Followed the general testing procedure and verified it was OK:
https://wiki.mageia.org/en/QA_procedure:Libxml2

Tested the PoC from here before the update:
http://openwall.com/lists/oss-security/2016/05/03/4

and reproduced the segfault.  Tested again after the update and it prints the following, with the first three (including the blank) lines repeated several times and then ends with the last line:
repo.xml:1: parser error : Detected an entity reference loop
9999;"><!ENTITY a29999 "&a30000;"><!ENTITY a30001 "&a1;">]> <bruces bogans="&a1;
                                                                               ^
repo.xml:1: parser error : Premature end of data in tag bruces line 1

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 11 David Walser 2016-05-19 05:20:04 CEST
Correction: on i586 before the update the PoC causes an infinite loop, on x86_64 it causes a segfault.
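A small QA verdict helper for the before/after check described in comments 10 and 11, added here as an example; it is not part of this bug, of the PoC, or of the Mageia QA procedure. The xmllint flags, the timeout and the verdict strings are assumptions; the sample stderr in the test is constructed from the output quoted in comment 10.

```python
import signal
import subprocess

# Message libxml2 prints once the fix is in place (quoted in comment 10).
LOOP_MSG = "Detected an entity reference loop"
SIGSEGV = getattr(signal, "SIGSEGV", 11)


def classify(returncode, stderr, timed_out):
    """Map one xmllint run on the PoC to a verdict.

    Constructed mapping based on the outcomes reported in this bug:
    hang (i586 before the update) and SIGSEGV (x86_64 before the update)
    both mean the parser still exhausts the stack / loops; a clean parser
    error naming the entity reference loop means the fix is active.
    """
    if timed_out:
        return "vulnerable: infinite loop"
    if returncode is not None and returncode < 0 and -returncode == SIGSEGV:
        return "vulnerable: stack exhaustion"
    if stderr and LOOP_MSG in stderr:
        return "fixed"
    return "inconclusive"


def run_xmllint(xml_path, timeout=10, extra_args=("--recover", "--noout")):
    """Run xmllint on the PoC file with a timeout so a hang is reported
    instead of blocking the test run. --recover exercises the recovery
    mode named in the CVE-2016-3627 description (flag choice is an
    assumption); --noout suppresses the re-serialised document."""
    cmd = ["xmllint", *extra_args, xml_path]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        return classify(None, "", True)
    return classify(proc.returncode, proc.stderr, False)


if __name__ == "__main__":
    import sys
    # Usage: testxml2-verdict.py <poc.xml>   (path to the openwall PoC)
    print(run_xmllint(sys.argv[1]))
```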
Comment 12 David Walser 2016-05-19 06:33:20 CEST
I just determined that the python testcase here:
https://wiki.mageia.org/en/QA_procedure:Libxml2

uses expat instead of libxml2.

Could someone update the wiki?

Here is a libxml2 version of the testxml.py program (I called it testxml2.py).  It could be improved, but it does the job.

import libxml2

def getStatus(case):
    # Collect the attributes of one <testcase> element into a dict;
    # the three keys the check needs are pre-seeded so missing ones
    # compare as empty strings instead of raising KeyError.
    prop = case.properties
    props = {'name': "", 'classname': "", 'status': ""}
    while prop:
        props[prop.name] = prop.content
        prop = prop.next
    if props['name'] == 'VHDL_BUILD_Passthrough' and props['classname'] == 'TestOne':
        return props['status']
    return None

x = libxml2.parseFile("testdata.xml")
# Iterating a libxml2 node walks its descendants depth-first, so this
# finds every <testcase> below the root element.
allcases = [c for c in x.children if c.name == 'testcase']
cases = [c for c in allcases if getStatus(c) is not None]
print(getStatus(cases[0]) if cases else "no matching testcase found")
x.freeDoc()
Comment 13 David Walser 2016-05-19 15:41:17 CEST
Fix confirmed on Mageia 5 x86_64 as well.

Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK

Comment 14 Lewis Smith 2016-05-19 20:44:08 CEST
Thanks David for your tests and the new script. I will update the Wiki appropriately.
Advisory to follow.

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Dave Hodgins 2016-05-20 11:20:01 CEST

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 15 Mageia Robot 2016-05-20 13:39:21 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0187.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 16 David Walser 2016-05-20 18:08:26 CEST
LWN reference for CVE-2016-3705:
http://lwn.net/Vulnerabilities/688211/
