Debian-LTS has issued an advisory on October 31: http://lwn.net/Alerts/705199/ Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
CVE-2016-4658 is now fixed on cauldron SVN
Status comment: (none) => debian/patches/cve-201
CC: (none) => mageia
openSUSE has issued an advisory on February 11: https://lists.opensuse.org/opensuse-updates/2017-02/msg00055.html It fixes two additional CVEs. Debian has announced that yet another will be fixed soon: http://openwall.com/lists/oss-security/2017/02/13/1
Summary: libxml2 new security issue CVE-2016-4658 and CVE-2016-5131 => libxml2 new security issue CVE-2016-4658, CVE-2016-5131, CVE-2016-9318, CVE-2016-9597, CVE-2017-5969
LWN reference for CVE-2016-9597: https://lwn.net/Vulnerabilities/714430/
(In reply to David Walser from comment #2)
> Debian has announced that yet another will be fixed soon:
> http://openwall.com/lists/oss-security/2017/02/13/1

Nothing ever came of this.
Removing CVE-2017-5969 from the subject for now, as it may be invalid. The others should be fixed in Cauldron now. I added CVE-2017-904[7-9], as I added patches for those from openSUSE Factory.
Whiteboard: MGA5TOO => (none)
Summary: libxml2 new security issue CVE-2016-4658, CVE-2016-5131, CVE-2016-9318, CVE-2016-9597, CVE-2017-5969 => libxml2 new security issue CVE-2016-4658, CVE-2016-5131, CVE-2016-9318, CVE-2016-9597, CVE-2017-904[7-9]
Version: Cauldron => 5
Status comment: debian/patches/cve-201 => (none)
Status comment: (none) => Mageia 5 should be synced with Cauldron
CVE-2017-904[7-9] were originally announced here: http://openwall.com/lists/oss-security/2017/05/22/1 There was also a CVE-2017-9050 announced there, but the upstream bug is private.
*** Bug 20909 has been marked as a duplicate of this bug. ***
Looks like the CVE-2017-9049 patch is also for CVE-2017-9050.
Summary: libxml2 new security issue CVE-2016-4658, CVE-2016-5131, CVE-2016-9318, CVE-2016-9597, CVE-2017-904[7-9] => libxml2 new security issue CVE-2016-4658, CVE-2016-5131, CVE-2016-9318, CVE-2016-9597, CVE-2017-904[7-9], CVE-2017-9050
openSUSE has issued an advisory for CVE-2017-904[7-9] and CVE-2017-9050 on June 8: https://lists.opensuse.org/opensuse-updates/2017-06/msg00022.html
(In reply to David Walser from comment #9)
> openSUSE has issued an advisory for CVE-2017-904[7-9] and CVE-2017-9050 on June 8:
> https://lists.opensuse.org/opensuse-updates/2017-06/msg00022.html

and another on June 19, also for 42.2:
https://lists.opensuse.org/opensuse-updates/2017-06/msg00071.html
openSUSE has issued an advisory today (July 1): https://lists.opensuse.org/opensuse-updates/2017-07/msg00000.html It fixes CVE-2017-5969, which I'll now have to add back to the list, and CVE-2017-0663 which is a new one.
Summary: libxml2 new security issue CVE-2016-4658, CVE-2016-5131, CVE-2016-9318, CVE-2016-9597, CVE-2017-904[7-9], CVE-2017-9050 => libxml2 new security issue CVE-2016-4658, CVE-2016-5131, CVE-2016-9318, CVE-2016-9597, CVE-2017-0663, CVE-2017-5969, CVE-2017-904[7-9], CVE-2017-9050
openSUSE has issued an advisory tomorrow (July 7): https://lists.opensuse.org/opensuse-updates/2017-07/msg00040.html It fixes CVE-2017-737[56].
Summary: libxml2 new security issue CVE-2016-4658, CVE-2016-5131, CVE-2016-9318, CVE-2016-9597, CVE-2017-0663, CVE-2017-5969, CVE-2017-904[7-9], CVE-2017-9050 => libxml2 new security issue CVE-2016-4658, CVE-2016-5131, CVE-2016-9318, CVE-2016-9597, CVE-2017-0663, CVE-2017-5969, CVE-2017-737[56], CVE-2017-904[7-9], CVE-2017-9050
openSUSE has issued an advisory today (August 17): https://lists.opensuse.org/opensuse-updates/2017-08/msg00067.html It fixes CVE-2017-8872.
Summary: libxml2 new security issue CVE-2016-4658, CVE-2016-5131, CVE-2016-9318, CVE-2016-9597, CVE-2017-0663, CVE-2017-5969, CVE-2017-737[56], CVE-2017-904[7-9], CVE-2017-9050 => libxml2 new security issue CVE-2016-4658, CVE-2016-5131, CVE-2016-9318, CVE-2016-9597, CVE-2017-0663, CVE-2017-5969, CVE-2017-737[56], CVE-2017-8872, CVE-2017-904[7-9], CVE-2017-9050
CVE-2017-5130 has been fixed in Chrome (October 17): https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html We should be able to get the patch from the Chromium source code.
Summary: libxml2 new security issue CVE-2016-4658, CVE-2016-5131, CVE-2016-9318, CVE-2016-9597, CVE-2017-0663, CVE-2017-5969, CVE-2017-737[56], CVE-2017-8872, CVE-2017-904[7-9], CVE-2017-9050 => libxml2 new security issue CVE-2016-4658, CVE-2016-5131, CVE-2016-9318, CVE-2016-9597, CVE-2017-0663, CVE-2017-5130, CVE-2017-5969, CVE-2017-737[56], CVE-2017-8872, CVE-2017-904[7-9], CVE-2017-9050
Depends on: (none) => 22130
There's also CVE-2017-15412, fixed in the latest Chromium: https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html
CVE-2016-9597 is the same as CVE-2016-3705, fixed in libxml2 2.9.4, which we previously updated to, according to RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1408305
Summary: libxml2 new security issue CVE-2016-4658, CVE-2016-5131, CVE-2016-9318, CVE-2016-9597, CVE-2017-0663, CVE-2017-5130, CVE-2017-5969, CVE-2017-737[56], CVE-2017-8872, CVE-2017-904[7-9], CVE-2017-9050 => libxml2 new security issue CVE-2016-4658, CVE-2016-5131, CVE-2016-9318, CVE-2017-0663, CVE-2017-5130, CVE-2017-5969, CVE-2017-737[56], CVE-2017-8872, CVE-2017-904[7-9], CVE-2017-9050
(In reply to David Walser from comment #14)
> CVE-2017-5130 has been fixed in Chrome (October 17):
> https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html

Fixed upstream in 2.9.5, according to Debian.

(In reply to David Walser from comment #15)
> There's also CVE-2017-15412, fixed in the latest Chromium:
> https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html

Fixed upstream in 2.9.6, according to Debian.
Moving CVE-2017-8872, CVE-2017-5130, and CVE-2017-15412 to Bug 22130, as they also haven't been fixed in Mageia 6 yet.
Summary: libxml2 new security issue CVE-2016-4658, CVE-2016-5131, CVE-2016-9318, CVE-2017-0663, CVE-2017-5130, CVE-2017-5969, CVE-2017-737[56], CVE-2017-8872, CVE-2017-904[7-9], CVE-2017-9050 => libxml2 new security issue CVE-2016-4658, CVE-2016-5131, CVE-2016-9318, CVE-2017-0663, CVE-2017-5969, CVE-2017-737[56], CVE-2017-904[7-9], CVE-2017-9050
Advisory:
========================

Updated libxml2 packages fix security vulnerability:

Use-after-free error could lead to crash (CVE-2016-4658).

Use-after-free vulnerability in libxml2 through 2.9.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function (CVE-2016-5131).

libxml2 2.9.4 and earlier does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document (CVE-2016-9318).

Heap buffer overflow in xmlAddID (CVE-2017-0663).

Integer overflow in memory debug code in libxml2 before 2.9.5 (CVE-2017-5130).

NULL pointer deref in xmlDumpElementContent (CVE-2017-5969).

Prevent unwanted external entity reference (CVE-2017-7375).

Increase buffer space for port in HTTP redirect support (CVE-2017-7376).

The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (CVE-2017-9047, CVE-2017-9048).

The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read (CVE-2017-9049).

The function xmlDictAddString was vulnerable to a heap-based buffer over-read (CVE-2017-9050).

It was discovered that libxml2 incorrectly handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service (CVE-2017-15412).

Wei Lei discovered that libxml2 incorrectly handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service (CVE-2017-16932).

The libxml2 package has been updated to version 2.9.7 to fix these issues and several other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9318
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5969
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7376
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16932
https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html
https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html
https://lists.opensuse.org/opensuse-updates/2017-02/msg00055.html
https://lists.opensuse.org/opensuse-updates/2017-06/msg00022.html
https://lists.opensuse.org/opensuse-updates/2017-07/msg00000.html
https://lists.opensuse.org/opensuse-updates/2017-07/msg00040.html
https://usn.ubuntu.com/usn/usn-3513-1/
https://usn.ubuntu.com/usn/usn-3504-1/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.7-1.mga5
libxml2-utils-2.9.7-1.mga5
libxml2-python-2.9.7-1.mga5
libxml2-devel-2.9.7-1.mga5
perl-XML-LibXML-2.12.100-1.2.mga5

from SRPMS:
libxml2-2.9.7-1.mga5.src.rpm
perl-XML-LibXML-2.12.100-1.2.mga5.src.rpm
Assignee: shlomif => qa-bugs
Having a look at this for mga5 x86_64. Over 400 packages are dependent on these in some way.

There is a tutorial on using it at http://xmlsoft.org/tutorial/index.html, not exactly a programming manual but it provides examples of code which can be compiled but does not explain how to use them.

One of the examples, which I called codingconversion.c, compiled with

$ gcc -o codingconversion `xml2-config --cflags` `xml2-config --libs` codingconversion.c
$ file codingconversion
codingconversion: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=f910ac3eb8db1bd4c0bbac46e81a98f82676b2d7, not stripped
$ ./codingconversion
Usage: ./codingconversion content

Assuming that "content" would include the provided sample file:

$ ./codingconversion sample.xml
conversion wasn't successful.
<?xml version="1.0" encoding="ISO-8859-1"?>
<root/>

Don't know what to make of that but the compilation generated an executable which at least runs.

$ cat sample.xml
<?xml version="1.0"?>
<story>
<storyinfo>
<author>John Fleck</author>
<datewritten>June 2, 2002</datewritten>
<keyword>example keyword</keyword>
</storyinfo>
<body>
<headline>This is the headline</headline>
<para>This is the body text.</para>
</body>
</story>

Shall persevere with the other programs and report back.
CC: (none) => tarazed25
We have a simple test procedure you can use for this one: https://wiki.mageia.org/en/QA_procedure:Libxml2
Keywords: (none) => has_procedure
$ gcc -o keyword `xml2-config --cflags` `xml2-config --libs` keyword.c
$ ./keyword
Usage: ./keyword docname
$ ./keyword sample.xml
keyword: example keyword

$ gcc -o retrievevalue `xml2-config --cflags` `xml2-config --libs` retrievevalue.c
$ ./retrievevalue sample.xml
$

This implies that the document was successfully parsed. An strace shows this:

$ cat trace.1 | grep xml
execve("./retrievevalue", ["./retrievevalue", "sample.xml"], [/* 61 vars */]) = 0
open("/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
stat("sample.xml", {st_mode=S_IFREG|0644, st_size=288, ...}) = 0
stat("sample.xml", {st_mode=S_IFREG|0644, st_size=288, ...}) = 0
stat("sample.xml", {st_mode=S_IFREG|0644, st_size=288, ...}) = 0
open("sample.xml", O_RDONLY) = 3
getcwd("/data/pad/qa/libxml", 1024) = 20
read(3, "<?xml version=\"1.0\"?>\n<story>\n "..., 8192) = 288

Compiled addkeyword.c and addattribute.c.

$ ./addkeyword
Usage: ./addkeyword docname, keyword
$ ./addkeyword sample.xml trythis
$ ./addattribute
Usage: ./addattribute docname, uri
$ ./addattribute sample.xml "file:///data/pad/qa/libxml/compile"
$ cat sample.xml
<?xml version="1.0"?>
<story>
<storyinfo>
<author>John Fleck</author>
<datewritten>June 2, 2002</datewritten>
<keyword>example keyword</keyword>
<keyword>trythis</keyword></storyinfo>
<body>
<headline>This is the headline</headline>
<para>This is the body text.</para>
</body>
<reference uri="file:///data/pad/qa/libxml/compile"/></story>

These are very basic tests of the libraries, or maybe just one library. Showing that they are used in the field is trickier. Finding the right scenario with any of the few hundred dependent applications would take more time than QA can afford at this time so I am giving this an OK on the basis of the current tests.

Just collided with your suggestion David - thanks - shall give it a go.
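The tutorial programs run in the QA session above (keyword, addkeyword, addattribute) are not explained by the tutorial, so here is an added example, not from the bug report or from libxml2, that reproduces what each does to the page's sample.xml using only Python's standard library (xml.etree rather than the libxml2 bindings, which is an assumption of this example); the document text is constructed inline from the session above.

```python
import xml.etree.ElementTree as ET

# sample.xml as shown in the QA session above (constructed inline here).
SAMPLE_XML = """<?xml version="1.0"?>
<story>
<storyinfo>
<author>John Fleck</author>
<datewritten>June 2, 2002</datewritten>
<keyword>example keyword</keyword>
</storyinfo>
<body>
<headline>This is the headline</headline>
<para>This is the body text.</para>
</body>
</story>"""


def get_keywords(xml_text):
    """What keyword.c does: evaluate //keyword and return each hit's text."""
    root = ET.fromstring(xml_text)
    return [k.text for k in root.iter("keyword")]


def add_keyword(xml_text, keyword):
    """What addkeyword.c does: append a new <keyword> inside <storyinfo>."""
    root = ET.fromstring(xml_text)
    info = root.find("storyinfo")
    if info is None:
        raise ValueError("document has no <storyinfo> element")
    kw = ET.SubElement(info, "keyword")
    kw.text = keyword
    return ET.tostring(root, encoding="unicode")


def add_attribute(xml_text, uri):
    """What addattribute.c does: add <reference uri="..."/> as the last child of <story>."""
    root = ET.fromstring(xml_text)
    ET.SubElement(root, "reference", {"uri": uri})
    return ET.tostring(root, encoding="unicode")


def run_qa_sequence(xml_text=SAMPLE_XML):
    """Replay the QA session: add 'trythis', add the file URI, re-read the keywords.

    Returns the final document text and the keyword list found in it.
    """
    doc = add_keyword(xml_text, "trythis")
    doc = add_attribute(doc, "file:///data/pad/qa/libxml/compile")
    return doc, get_keywords(doc)


if __name__ == "__main__":
    final_doc, keywords = run_qa_sequence()
    print(keywords)   # ['example keyword', 'trythis']
    print(final_doc)
```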
Forgot to include the manifest:
- lib64xml2-devel-2.9.7-1.mga5.x86_64
- lib64xml2_2-2.9.7-1.mga5.x86_64
- libxml2-python-2.9.7-1.mga5.x86_64
- libxml2-utils-2.9.7-1.mga5.x86_64
- perl-XML-LibXML-2.12.100-1.2.mga5.x86_64

Followed the procedure at https://wiki.mageia.org/en/QA_procedure:Libxml2. Cut and pasted....

$ edit testxml.py
$ edit testdata.xml

Testing libxml2-python:
$ python testxml.py
Tested OK

Testing libxml2-utils:
$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>
$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

$ strace -o strace.out chromium-browser
[11130:11158:1229/200247.544154:ERROR:simple_version_upgrade.cc(164)] File structure does not match the disk cache backend.
[11130:11158:1229/200247.544166:ERROR:simple_backend_impl.cc(630)] Simple Cache Backend: wrong file structure on disk: /home/lcl/.cache/chromium/Default/Cache
<invoked the browser with an index page for "Welcome to Chromium" and "Chrome Web Store">

These XML files showed as document trees in the browser:
https://msdn.microsoft.com/en-us/library/ms762271(v=vs.85).aspx
https://www.w3schools.com/xml/xml_examples.asp

The latter pointed to a combination of CSS and XML which provided a CD catalogue. Another showed a menu with an XSLT style sheet. That's enough of that. It all works.
$ grep xml strace.out
stat("/home/lcl/pad/qa/libxml", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/usr/lib64/chromium-browser/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("tls/x86_64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("tls/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("x86_64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libxml2.so.2.9.7", O_RDONLY) = 3
open("/usr/lib64/libxml2.so.2.9.7", O_RDONLY|O_CLOEXEC) = 98
read(137, "<?xml version=\"1.0\"?>\n<!DOCTYPE "..., 8192) = 5553
......................

OK for mga5 64 bits.
Whiteboard: (none) => MGA5-64-OK
To prioritise.
My previous remark was superfluous! I put it blindly, not noticing Len's prior exhaustive testing. Validating: one release, x64 OK. Advisoried.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0048.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CVE-2017-18258 was also fixed in 2.9.6: https://usn.ubuntu.com/3739-1/ https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18258.html