Bug 22130 - libxml2 new security issues CVE-2017-5130, CVE-2017-15412, CVE-2017-16932
Summary: libxml2 new security issues CVE-2017-5130, CVE-2017-15412, CVE-2017-16932
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks: 19695
 
Reported: 2017-12-05 23:11 CET by David Walser
Modified: 2018-08-14 23:26 CEST

See Also:
Source RPM: libxml2-2.9.4-8.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2017-12-05 23:11:19 CET
Ubuntu has issued an advisory today (December 5):
https://usn.ubuntu.com/usn/usn-3504-1/

It was fixed upstream in 2.9.5 and the upstream commit that fixed it is linked from the Ubuntu CVE page:
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html

Mageia 5 is also affected (by this and several other issues).
David Walser 2017-12-05 23:11:29 CET

Blocks: (none) => 19695

Comment 1 David Walser 2017-12-13 17:44:36 CET
There's also CVE-2017-15412, fixed in the latest Chromium:
https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html

Ubuntu has issued an advisory for this today (December 13):
https://usn.ubuntu.com/usn/usn-3513-1/
Comment 2 David Walser 2017-12-27 18:04:55 CET
openSUSE has issued an advisory on August 17:
https://lists.opensuse.org/opensuse-updates/2017-08/msg00067.html

It fixes CVE-2017-8872.  It was not fixed upstream.

(In reply to David Walser from Bug 19695)
> CVE-2017-5130 has been fixed in Chrome (October 17):
> https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html

Fixed upstream in 2.9.5, according to Debian.

(In reply to David Walser from comment #1)
> There's also CVE-2017-15412, fixed in the latest Chromium:
> https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html

Fixed upstream in 2.9.6, according to Debian.

Summary: libxml2 new security issue CVE-2017-16932 => libxml2 new security issues CVE-2017-5130, CVE-2017-8872, CVE-2017-15412, CVE-2017-16932

Comment 3 David Walser 2017-12-27 18:29:58 CET
(In reply to David Walser from comment #2)
> openSUSE has issued an advisory on August 17:
> https://lists.opensuse.org/opensuse-updates/2017-08/msg00067.html
> 
> It fixes CVE-2017-8872.  It was not fixed upstream.

Forward porting openSUSE's patch to 2.9.7 breaks on the test suite.  openSUSE didn't carry their own patch forward to openSUSE Factory, so it'll either have to go on unfixed or hopefully upstream has addressed it some sort of way (the upstream bug says they haven't though).

Summary: libxml2 new security issues CVE-2017-5130, CVE-2017-8872, CVE-2017-15412, CVE-2017-16932 => libxml2 new security issues CVE-2017-5130, CVE-2017-15412, CVE-2017-16932

Comment 4 David Walser 2017-12-27 19:42:46 CET
Advisory:
========================

Updated libxml2 packages fix security vulnerability:

Integer overflow in memory debug code in libxml2 before 2.9.5 (CVE-2017-5130).

It was discovered that libxml2 incorrectly handled certain files. An attacker
could use this issue with specially constructed XML data to cause libxml2 to
consume resources, leading to a denial of service (CVE-2017-15412).

Wei Lei discovered that libxml2 incorrectly handled certain parameter
entities. An attacker could use this issue with specially constructed XML
data to cause libxml2 to consume resources, leading to a denial of service
(CVE-2017-16932).

The libxml2 package has been updated to version 2.9.7 to fix these issues and
several other bugs.

Also, the perl-XML-LibXML package has been updated to version 2.13.200 to
allow it to be rebuilt against the updated libxml2.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16932
https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html
https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html
https://usn.ubuntu.com/usn/usn-3513-1/
https://usn.ubuntu.com/usn/usn-3504-1/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.7-1.mga6
libxml2-utils-2.9.7-1.mga6
libxml2-python-2.9.7-1.mga6
libxml2-python3-2.9.7-1.mga6
libxml2-devel-2.9.7-1.mga6
perl-XML-LibXML-2.13.200-1.mga6

from SRPMS:
libxml2-2.9.7-1.mga6.src.rpm
perl-XML-LibXML-2.13.200-1.mga6.src.rpm

Assignee: shlomif => qa-bugs

Comment 5 Brian Rockwell 2017-12-31 00:28:59 CET
x86_64

The following 4 packages are going to be installed:

- lib64xml2_2-2.9.7-1.mga6.x86_64
- libxml2-python-2.9.7-1.mga6.x86_64
- libxml2-utils-2.9.7-1.mga6.x86_64
- perl-XML-LibXML-2.13.200-1.mga6.x86_64

Ran a couple of utilities:

xmlcatalog - create 

xmllint

I generated an XML document from LibreOffice Writer - saved as fodt format.

Next I used xmllint to run a scrub

$ xmllint libxml2.fodt > scrubed.fodt

Then I open scrubed.fodt 

$ soffice scrubed.fodt

It opens properly.

Looks fine to me.

-----

I don't feel like writing C code, does anyone have a standard program that uses this library?

CC: (none) => brtians1

Brian Rockwell 2017-12-31 00:31:52 CET

Keywords: (none) => feedback

Comment 6 David Walser 2017-12-31 01:00:21 CET
Use this to test it:
https://wiki.mageia.org/en/QA_procedure:Libxml2

Keywords: feedback => has_procedure

Comment 7 Dave Hodgins 2018-01-03 16:11:58 CET
Ok on Mageia 6 i586.

CC: (none) => davidwhodgins
Whiteboard: (none) => MGA6-32-OK

Comment 8 Dave Hodgins 2018-01-03 16:20:37 CET
Ok on Mageia 6 x86_64.

Advisory committed to svn.

Validating the update.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2018-01-03 16:51:45 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0050.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 10 David Walser 2018-08-14 23:26:46 CEST
CVE-2017-18258 was also fixed in 2.9.6:
https://usn.ubuntu.com/3739-1/
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18258.html
