Ubuntu has issued an advisory today (December 5):
https://usn.ubuntu.com/usn/usn-3504-1/
It was fixed upstream in 2.9.5 and the upstream commit that fixed it is linked from the Ubuntu CVE page:
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html
Mageia 5 is also affected (by this and several other issues).
Blocks: (none) => 19695
There's also CVE-2017-15412, fixed in the latest Chromium:
https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html
Ubuntu has issued an advisory for this today (December 13):
https://usn.ubuntu.com/usn/usn-3513-1/
openSUSE has issued an advisory on August 17:
https://lists.opensuse.org/opensuse-updates/2017-08/msg00067.html
It fixes CVE-2017-8872. It was not fixed upstream.

(In reply to David Walser from Bug 19695)
> CVE-2017-5130 has been fixed in Chrome (October 17):
> https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html
Fixed upstream in 2.9.5, according to Debian.

(In reply to David Walser from comment #1)
> There's also CVE-2017-15412, fixed in the latest Chromium:
> https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html
Fixed upstream in 2.9.6, according to Debian.
Summary: libxml2 new security issue CVE-2017-16932 => libxml2 new security issues CVE-2017-5130, CVE-2017-8872, CVE-2017-15412, CVE-2017-16932
(In reply to David Walser from comment #2)
> openSUSE has issued an advisory on August 17:
> https://lists.opensuse.org/opensuse-updates/2017-08/msg00067.html
>
> It fixes CVE-2017-8872. It was not fixed upstream.
Forward porting openSUSE's patch to 2.9.7 breaks on the test suite. openSUSE didn't carry their own patch forward to openSUSE Factory, so it'll either have to go on unfixed or hopefully upstream has addressed it in some sort of way (the upstream bug says they haven't though).
Summary: libxml2 new security issues CVE-2017-5130, CVE-2017-8872, CVE-2017-15412, CVE-2017-16932 => libxml2 new security issues CVE-2017-5130, CVE-2017-15412, CVE-2017-16932
Advisory:
========================

Updated libxml2 packages fix security vulnerability:

Integer overflow in memory debug code in libxml2 before 2.9.5 (CVE-2017-5130).

It was discovered that libxml2 incorrectly handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service (CVE-2017-15412).

Wei Lei discovered that libxml2 incorrectly handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service (CVE-2017-16932).

The libxml2 package has been updated to version 2.9.7 to fix these issues and several other bugs.

Also, the perl-XML-LibXML package has been updated to version 2.13.200 to allow it to be rebuilt against the updated libxml2.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16932
https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html
https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html
https://usn.ubuntu.com/usn/usn-3513-1/
https://usn.ubuntu.com/usn/usn-3504-1/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.7-1.mga6
libxml2-utils-2.9.7-1.mga6
libxml2-python-2.9.7-1.mga6
libxml2-python3-2.9.7-1.mga6
libxml2-devel-2.9.7-1.mga6
perl-XML-LibXML-2.13.200-1.mga6

from SRPMS:
libxml2-2.9.7-1.mga6.src.rpm
perl-XML-LibXML-2.13.200-1.mga6.src.rpm
Assignee: shlomif => qa-bugs
x86_64

The following 4 packages are going to be installed:
- lib64xml2_2-2.9.7-1.mga6.x86_64
- libxml2-python-2.9.7-1.mga6.x86_64
- libxml2-utils-2.9.7-1.mga6.x86_64
- perl-XML-LibXML-2.13.200-1.mga6.x86_64

Ran a couple of utilities:
xmlcatalog - create
xmllint

I generated an XML document from LibreOffice Writer - saved as fodt format. Next I used xmllint to run a scrub:

$ xmllint libxml2.fodt > scrubed.fodt

Then I opened scrubed.fodt:

$ soffice scrubed.fodt

It opens properly. Looks fine to me.

-----

I don't feel like writing C code, does anyone have a standard program that uses this library?
CC: (none) => brtians1
Keywords: (none) => feedback
Use this to test it: https://wiki.mageia.org/en/QA_procedure:Libxml2
Keywords: feedback => has_procedure
Ok on Mageia 6 i586.
CC: (none) => davidwhodgins
Whiteboard: (none) => MGA6-32-OK
Ok on Mageia 6 x86_64. Advisory committed to svn. Validating the update.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0050.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
CVE-2017-18258 was also fixed in 2.9.6:
https://usn.ubuntu.com/3739-1/
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18258.html