Bug 18486 - libxml2 new security issues CVE-2015-8806, CVE-2016-1762, CVE-2016-183[3-9], CVE-2016-1840, CVE-2016-2073, CVE-2016-4483, CVE-2016-444[7-9]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/688826/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-05-18 23:04 CEST by David Walser
Modified: 2016-07-26 23:59 CEST

See Also:
Source RPM: libxml2-2.9.3-3.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2016-05-18 23:04:36 CEST
A CVE was assigned for a security issue in libxml2 on May 4:
http://openwall.com/lists/oss-security/2016/05/04/7

There is no fix for the issue that I am aware of at this time.

Mageia 5 is also affected.

David Walser 2016-05-18 23:04:42 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-05-27 18:48:46 CEST
Arch apparently has a patch for this and several other new CVEs (see the URL).

URL: (none) => http://lwn.net/Vulnerabilities/688826/
Summary: libxml2 new security issue CVE-2016-4483 => libxml2 new security issues CVE-2016-1762, CVE-2016-183[3-9], CVE-2016-1840, CVE-2016-4483

Comment 2 David Walser 2016-06-01 13:33:51 CEST
Slackware has fixed three additional CVEs, CVE-2016-444[7-9]:
http://lwn.net/Vulnerabilities/689279/

Summary: libxml2 new security issues CVE-2016-1762, CVE-2016-183[3-9], CVE-2016-1840, CVE-2016-4483 => libxml2 new security issues CVE-2016-1762, CVE-2016-183[3-9], CVE-2016-1840, CVE-2016-4483, CVE-2016-444[7-9]

Comment 3 David Walser 2016-06-03 14:55:28 CEST
Debian has issued an advisory for this on June 2:
https://www.debian.org/security/2016/dsa-3593

Comment 4 David Walser 2016-06-03 20:36:11 CEST
(In reply to David Walser from comment #3)
> Debian has issued an advisory for this on June 2:
> https://www.debian.org/security/2016/dsa-3593

Also fixing two more CVEs: CVE-2015-8806 CVE-2016-2073

LWN references:
http://lwn.net/Vulnerabilities/689714/

Summary: libxml2 new security issues CVE-2016-1762, CVE-2016-183[3-9], CVE-2016-1840, CVE-2016-4483, CVE-2016-444[7-9] => libxml2 new security issues CVE-2015-8806, CVE-2016-1762, CVE-2016-183[3-9], CVE-2016-1840, CVE-2016-2073, CVE-2016-4483, CVE-2016-444[7-9]

Comment 5 David Walser 2016-06-07 12:17:29 CEST
CVE-2016-4483 is a duplicate of CVE-2016-3627, according to this:
http://www.openwall.com/lists/oss-security/2016/06/07/4

However, the commit linked there does not match the patch we added for CVE-2016-3627 in Bug 18346.  The reply to the message above links to yet another commit for CVE-2016-4483.  I think we missed a patch for CVE-2016-3627.

Comment 6 David Walser 2016-07-21 17:58:59 CEST
CVE-2016-5131 in the latest Chrome update may affect this too:
http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html

Comment 7 Shlomi Fish 2016-07-21 23:18:12 CEST
According to a conversation on #archlinux on Freenode, all of these CVEs are fixed in libxml2-2.9.4, see http://www.xmlsoft.org/news.html. So we should just push the libxml2 2.9.4 in the Mageia svn to Cauldron (and issue an update for Mageia v5).

Comment 8 David Walser 2016-07-21 23:31:35 CEST
I'm not just going to take Arch's word for it.  The xmlsoft.org page doesn't mention any CVEs at all.  Before I updated it to 2.9.4, there were two CVE patches in the package.  One was merged upstream in 2.9.4, the other wasn't.  So, on the one hand, we see one CVE that was fixed, yet wasn't mentioned in the changelog.  Yet, we also see another known outstanding CVE that had a fix available well before the 2.9.4 release, and it wasn't merged.  So, the patches for the other CVEs need to be checked to make sure they're actually in there.
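
[Added example, not part of the bug thread or of Mageia's QA procedure.] The check Comment 8 asks for, confirming that each CVE patch is really in the new source tree instead of trusting a changelog, can be scripted with patch(1) dry runs. It assumes GNU patch and diff; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a security patch against an unpacked source tree.
# Assumes GNU patch and diff; all names and sample files here are constructed.

# patch_status TREE PATCHFILE [STRIP]  ->  prints merged | missing | unknown
#   merged   reverse dry run succeeds: the fix is already in the tree
#   missing  forward dry run succeeds: the fix still has to be applied
#   unknown  neither applies: the code drifted, compare by hand
patch_status() {
    tree=$1 patchfile=$2 strip=${3:-1}
    # -F0 forbids fuzzy context matching, so a hunk cannot "apply" in the
    # wrong place; -f never prompts; --dry-run leaves the tree untouched.
    if patch -d "$tree" -p"$strip" -F0 -f -s -R --dry-run \
            < "$patchfile" >/dev/null 2>&1; then
        echo merged
    elif patch -d "$tree" -p"$strip" -F0 -f -s --dry-run \
            < "$patchfile" >/dev/null 2>&1; then
        echo missing
    else
        echo unknown
    fi
}

# Constructed sample: an unpatched tree (a), a fixed tree (b), and a tree
# whose code no longer resembles either (drift).
demo_statuses() {
    work=$(mktemp -d) || return 1
    mkdir "$work/a" "$work/b" "$work/drift"
    printf 'int get(int *buf, int len, int i) {\n    return buf[i];\n}\n' \
        > "$work/a/parser.c"
    printf 'int get(int *buf, int len, int i) {\n%s\n    return buf[i];\n}\n' \
        '    if (i < 0 || i >= len) return -1;' > "$work/b/parser.c"
    printf 'int fetch(void) {\n    return 0;\n}\n' > "$work/drift/parser.c"
    # diff exits 1 when the files differ, which is the expected case here
    (cd "$work" && diff -u a/parser.c b/parser.c > fix.patch) || true
    echo "$(patch_status "$work/a" "$work/fix.patch")" \
         "$(patch_status "$work/b" "$work/fix.patch")" \
         "$(patch_status "$work/drift" "$work/fix.patch")"
    rm -rf "$work"
}

demo_statuses   # prints: missing merged unknown
```

An "unknown" result is the case that needs a human: upstream may have fixed the issue with a different change, so the patch and the new code have to be compared by hand.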

Comment 9 David Walser 2016-07-22 18:20:26 CEST
Shlomi verified that these are fixed in 2.9.4.  Should be able to get this updated soon.

Comment 10 David Walser 2016-07-22 18:25:32 CEST
CVE-2015-8806 and CVE-2016-2073 are fixed by the fix for CVE-2016-1839.

Comment 11 David Walser 2016-07-22 20:56:34 CEST
Updated package uploaded by Shlomi.

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.4-1.1.mga5
libxml2-utils-2.9.4-1.1.mga5
libxml2-python-2.9.4-1.1.mga5
libxml2-devel-2.9.4-1.1.mga5

from libxml2-2.9.4-1.1.mga5.src.rpm

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 12 Shlomi Fish 2016-07-22 21:15:50 CEST
Suggested advisory -

An update for libxml2 is now available for Mageia 5.

Suggested advisory:
===================

Updated libxml2 to 2.9.4 (rel 1.1.mgav5)

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The libxml2 library is a development toolbox providing the implementation of
various XML standards.

Security Fix(es):

A heap-based buffer overflow flaw was found in the way libxml2 parsed certain
crafted XML input. A remote attacker could provide a specially crafted XML file
that, when opened in an application linked against libxml2, would cause the
application to crash or execute arbitrary code with the permissions of the user
running the application. (CVE-2016-1834, CVE-2016-1840)

Multiple denial of service flaws were found in libxml2. A remote attacker could
provide a specially crafted XML file that, when processed by an application
using libxml2, could cause that application to crash.
(CVE-2016-1762, CVE-2016-1833, CVE-2016-1835, CVE-2016-1836, CVE-2016-1837,
CVE-2016-1838, CVE-2016-1839, CVE-2015-8806, CVE-2016-2073, CVE-2016-4483,
CVE-2016-4447, CVE-2016-4448, CVE-2016-4449)

References:

http://www.xmlsoft.org/news.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1834
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1833
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1839
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1840
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4483
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4447
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4449
https://rhn.redhat.com/errata/RHSA-2016-1292.html
http://lwn.net/Vulnerabilities/688826/

Updated packages in core/updates_testing:
=========================================

libxml2_2-2.9.4-1.1.mga5
libxml2-utils-2.9.4-1.1.mga5
libxml2-python-2.9.4-1.1.mga5
libxml2-devel-2.9.4-1.1.mga5

Comment 13 Shlomi Fish 2016-07-22 21:16:40 CEST
Assigning to QA

Status: NEW => ASSIGNED
Assignee: shlomif => qa-bugs

Comment 14 David Walser 2016-07-22 21:26:06 CEST
Thanks Shlomi!  Condensing the advisory just a bit.

Suggested advisory:
===================

A heap-based buffer overflow flaw was found in the way libxml2 parsed certain
crafted XML input. A remote attacker could provide a specially crafted XML file
that, when opened in an application linked against libxml2, would cause the
application to crash or execute arbitrary code with the permissions of the user
running the application (CVE-2016-1834, CVE-2016-1840).

Multiple denial of service flaws were found in libxml2. A remote attacker could
provide a specially crafted XML file that, when processed by an application
using libxml2, could cause that application to crash (CVE-2016-1762,
CVE-2016-1833, CVE-2016-1835, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838,
CVE-2016-1839, CVE-2015-8806, CVE-2016-2073, CVE-2016-4483, CVE-2016-4447,
CVE-2016-4448, CVE-2016-4449).

The libxml2 package has been updated to version 2.9.4, fixing these issues and
other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1834
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1833
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1839
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1840
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4447
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4483
http://www.xmlsoft.org/news.html
https://rhn.redhat.com/errata/RHSA-2016-1292.html

Comment 15 Shlomi Fish 2016-07-22 21:43:04 CEST
Procedure here - marking as 'has_procedure':

https://wiki.mageia.org/en/QA_procedure:Libxml2

CC: (none) => shlomif
Whiteboard: (none) => has_procedure

Comment 16 David Walser 2016-07-24 00:40:11 CEST
Tested fine with the procedure on Mageia 5 i586.

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 17 David Walser 2016-07-25 20:09:40 CEST
Tested fine with the procedure on Mageia 5 x86_64.

Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK

Dave Hodgins 2016-07-26 23:19:17 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 18 Mageia Robot 2016-07-26 23:59:51 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0263.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

