A CVE was assigned for a security issue in libxml2 on May 4: http://openwall.com/lists/oss-security/2016/05/04/7 There is no fix for the issue that I am aware of at this time. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Arch apparently has a patch for this and several other new CVEs (see the URL).
URL: (none) => http://lwn.net/Vulnerabilities/688826/
Summary: libxml2 new security issue CVE-2016-4483 => libxml2 new security issues CVE-2016-1762, CVE-2016-183[3-9], CVE-2016-1840, CVE-2016-4483
Slackware has fixed three additional CVEs, CVE-2016-444[7-9]: http://lwn.net/Vulnerabilities/689279/
Summary: libxml2 new security issues CVE-2016-1762, CVE-2016-183[3-9], CVE-2016-1840, CVE-2016-4483 => libxml2 new security issues CVE-2016-1762, CVE-2016-183[3-9], CVE-2016-1840, CVE-2016-4483, CVE-2016-444[7-9]
Debian has issued an advisory for this on June 2: https://www.debian.org/security/2016/dsa-3593
(In reply to David Walser from comment #3)
> Debian has issued an advisory for this on June 2:
> https://www.debian.org/security/2016/dsa-3593
Also fixing two more CVEs: CVE-2015-8806 CVE-2016-2073
LWN references: http://lwn.net/Vulnerabilities/689714/
Summary: libxml2 new security issues CVE-2016-1762, CVE-2016-183[3-9], CVE-2016-1840, CVE-2016-4483, CVE-2016-444[7-9] => libxml2 new security issues CVE-2015-8806, CVE-2016-1762, CVE-2016-183[3-9], CVE-2016-1840, CVE-2016-2073, CVE-2016-4483, CVE-2016-444[7-9]
CVE-2016-4483 is a duplicate of CVE-2016-3627, according to this: http://www.openwall.com/lists/oss-security/2016/06/07/4 However, the commit linked there does not match the patch we added for CVE-2016-3627 in Bug 18346. The reply to the message above links to yet another commit for CVE-2016-4483. I think we missed a patch for CVE-2016-3627.
CVE-2016-5131 in the latest Chrome update may affect this too: http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html
According to a conversation on #archlinux on Freenode, all of these CVEs are fixed in libxml2-2.9.4, see http://www.xmlsoft.org/news.html . So we should just push the libxml2 2.9.4 in the Mageia svn to Cauldron (and issue an update for Mageia v5).
I'm not just going to take Arch's word for it. The xmlsoft.org page doesn't mention any CVEs at all. Before I updated it to 2.9.4, there were two CVE patches in the package. One was merged upstream in 2.9.4, the other wasn't. So, on the one hand, we see one CVE that was fixed, yet wasn't mentioned in the changelog. Yet, we also see another known outstanding CVE that had a fix available well before the 2.9.4 release, and it wasn't merged. So, the patches for the other CVEs need to be checked to make sure they're actually in there.
Shlomi verified that these are fixed in 2.9.4. Should be able to get this updated soon.
CVE-2015-8806 and CVE-2016-2073 are fixed by the fix for CVE-2016-1839.
Updated package uploaded by Shlomi.
Updated packages in core/updates_testing:
========================
libxml2_2-2.9.4-1.1.mga5
libxml2-utils-2.9.4-1.1.mga5
libxml2-python-2.9.4-1.1.mga5
libxml2-devel-2.9.4-1.1.mga5
from libxml2-2.9.4-1.1.mga5.src.rpm
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Suggested advisory - An update for libxml2 is now available for Mageia 5.
Suggested advisory:
===================
Updated libxml2 to 2.9.4 (rel 1.1.mgav5).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
The libxml2 library is a development toolbox providing the implementation of various XML standards.
Security Fix(es):
A heap-based buffer overflow flaw was found in the way libxml2 parsed certain crafted XML input. A remote attacker could provide a specially crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or execute arbitrary code with the permissions of the user running the application. (CVE-2016-1834, CVE-2016-1840)
Multiple denial of service flaws were found in libxml2. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, could cause that application to crash. (CVE-2016-1762, CVE-2016-1833, CVE-2016-1835, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, CVE-2015-8806, CVE-2016-2073, CVE-2016-4483, CVE-2016-4447, CVE-2016-4448, CVE-2016-4449)
References:
http://www.xmlsoft.org/news.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1834
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1833
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1839
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1840
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4483
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4447
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4449
https://rhn.redhat.com/errata/RHSA-2016-1292.html
http://lwn.net/Vulnerabilities/688826/
Updated packages in core/updates_testing:
=========================================
libxml2_2-2.9.4-1.1.mga5
libxml2-utils-2.9.4-1.1.mga5
libxml2-python-2.9.4-1.1.mga5
libxml2-devel-2.9.4-1.1.mga5
Assigning to QA
Status: NEW => ASSIGNED
Assignee: shlomif => qa-bugs
Thanks Shlomi! Condensing the advisory just a bit.
Suggested advisory:
===================
A heap-based buffer overflow flaw was found in the way libxml2 parsed certain crafted XML input. A remote attacker could provide a specially crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or execute arbitrary code with the permissions of the user running the application (CVE-2016-1834, CVE-2016-1840).
Multiple denial of service flaws were found in libxml2. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, could cause that application to crash (CVE-2016-1762, CVE-2016-1833, CVE-2016-1835, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, CVE-2015-8806, CVE-2016-2073, CVE-2016-4483, CVE-2016-4447, CVE-2016-4448, CVE-2016-4449).
The libxml2 package has been updated to version 2.9.4, fixing these issues and other bugs.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1834
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1833
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1839
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1840
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4447
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4483
http://www.xmlsoft.org/news.html
https://rhn.redhat.com/errata/RHSA-2016-1292.html
Procedure here - marking as 'has_procedure': https://wiki.mageia.org/en/QA_procedure:Libxml2
CC: (none) => shlomif
Whiteboard: (none) => has_procedure
Tested fine with the procedure on Mageia 5 i586.
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Tested fine with the procedure on Mageia 5 x86_64.
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0263.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED