Ubuntu has issued an advisory today (December 5):
It was fixed upstream in 2.9.5 and the upstream commit that fixed it is linked from the Ubuntu CVE page:
Mageia 5 is also affected (by this and several other issues).
There's also CVE-2017-15412, fixed in the latest Chromium:
Ubuntu has issued an advisory for this today (December 13):
openSUSE has issued an advisory on August 17:
It fixes CVE-2017-8872. It was not fixed upstream.
(In reply to David Walser from Bug 19695)
> CVE-2017-5130 has been fixed in Chrome (October 17):
Fixed upstream in 2.9.5, according to Debian.
(In reply to David Walser from comment #1)
> There's also CVE-2017-15412, fixed in the latest Chromium:
Fixed upstream in 2.9.6, according to Debian.
libxml2 new security issue CVE-2017-16932 =>
libxml2 new security issues CVE-2017-5130, CVE-2017-8872, CVE-2017-15412, CVE-2017-16932
(In reply to David Walser from comment #2)
> openSUSE has issued an advisory on August 17:
> It fixes CVE-2017-8872. It was not fixed upstream.
Forward porting openSUSE's patch to 2.9.7 breaks on the test suite. openSUSE didn't carry their own patch forward to openSUSE Factory, so it'll either have to go on unfixed or hopefully upstream has addressed it some sort of way (the upstream bug says they haven't though).
libxml2 new security issues CVE-2017-5130, CVE-2017-8872, CVE-2017-15412, CVE-2017-16932 =>
libxml2 new security issues CVE-2017-5130, CVE-2017-15412, CVE-2017-16932
Updated libxml2 packages fix security vulnerability:
Integer overflow in memory debug code in libxml2 before 2.9.5 (CVE-2017-5130).
It was discovered that libxml2 incorrectly handled certain files. An attacker
could use this issue with specially constructed XML data to cause libxml2 to
consume resources, leading to a denial of service (CVE-2017-15412).
Wei Lei discovered that libxml2 incorrectly handled certain parameter
entities. An attacker could use this issue with specially constructed XML
data to cause libxml2 to consume resources, leading to a denial of service
The libxml2 package has been updated to version 2.9.7 to fix these issues and
several other bugs.
Also, the perl-XML-LibXML package has been updated to version 2.13.200 to
allow it to be rebuilt against the updated libxml2.
Updated packages in core/updates_testing:
The following 4 packages are going to be installed:
Ran a couple of utilities:
xmlcatalog - create
I generated an XML document from Libreoffice Writer - saved as fodt format.
Next I used xmllint to run a scrub
$ xmllint libxml2.fodt > scrubed.fodt
Then I opened scrubed.fodt
$ soffice scrubed.fodt
It opens properly.
Looks fine to me.
I don't feel like writing C code, does anyone have a standard program that uses this library?
Use this to test it:
Ok on Mageia 6 i586.
Ok on Mageia 6 x86_64.
Advisory committed to svn.
Validating the update.
An update for this issue has been pushed to the Mageia Updates repository.
CVE-2017-18258 was also fixed in 2.9.6: