Fedora has issued an advisory on August 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G5AFZARX7BUSU24J2MJ4AHX5OE47UXQA/

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => shlomif
Ubuntu has issued an advisory today (August 14):
https://usn.ubuntu.com/3739-1/

It fixes one new issue CVE-2018-14567:
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html
Summary: libxml2 new security issues CVE-2018-9251 and CVE-2018-14404 => libxml2 new security issues CVE-2018-9251, CVE-2018-14404, CVE-2018-14567
openSUSE has issued an advisory for this today (October 12): https://lists.opensuse.org/opensuse-updates/2018-10/msg00054.html
The openSUSE 15 version of the above advisory: https://lists.opensuse.org/opensuse-updates/2018-10/msg00057.html
CVE-2018-9251 and CVE-2018-14567 were fixed in the same commit. All of these fixes are in 2.9.9 (in Cauldron).
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Advisory:
========================

Updated libxml2 packages fix security vulnerabilities:

A flaw was found in libxml2 2.9.8. The xz_decomp function in xzlib.c, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (CVE-2018-9251, CVE-2018-14567).

A null pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing invalid XPath expression. Applications processing untrusted XSL format inputs with the use of libxml2 library may be vulnerable to denial of service attack due to crash of the application (CVE-2018-14404).

The libxml2 package has been updated to version 2.9.9 to fix these issues and other bugs.

The perl-XML-LibXML package has been rebuilt against the updated libxml2.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9251
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14567
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G5AFZARX7BUSU24J2MJ4AHX5OE47UXQA/
https://usn.ubuntu.com/3739-1/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.9-1.mga6
libxml2-utils-2.9.9-1.mga6
libxml2-python-2.9.9-1.mga6
libxml2-python3-2.9.9-1.mga6
libxml2-devel-2.9.9-1.mga6
libxml2-debuginfo-2.9.9-1.mga6
perl-XML-LibXML-2.13.200-1.1.mga6

from SRPMS:
libxml2-2.9.9-1.mga6.src.rpm
perl-XML-LibXML-2.13.200-1.1.mga6.src.rpm
Assignee: shlomif => qa-bugs
Installed and tested without issue.

Since these are packages that touch lots of stuff I will not mark it as OK and wait for more testers.

Tested using:
- php-xml, php-xsl, php-xmlreader, php-xmlwriter, php-dom using CLI (php-cli) and HTTP (apache plus mod_php);
- xsltproc;
- MySQL Workbench;
- twinkle;
- tellico;
- inkscape;
- chromium-browser-stable;
- amarok;
- normal desktop usage since lots of packages use lib64xml2.

Packages updated:
- lib64xml2-devel-2.9.9-1.mga6.x86_64
- lib64xml2_2-2.9.9-1.mga6.x86_64
- libxml2-python-2.9.9-1.mga6.x86_64
- libxml2-utils-2.9.9-1.mga6.x86_64
- perl-XML-LibXML-2.13.200-1.1.mga6.x86_64

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.89-desktop-1.mga6 #1 SMP Mon Dec 17 13:14:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
CC: (none) => mageia
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues

Installed and used chromium-browser-stable with strace and browsed to my usual newspaper site.

at CLI:
$ strace -o libxml2.txt chromium-browser
Gtk-Message: Failed to load module "canberra-gtk-module"
[11631:11631:0122/103511.616038:ERROR:context_group.cc(372)] ContextResult::kFatalFailure: too few texture image units supported (0, should be 8).
[11581:11581:0122/103511.832595:ERROR:gpu_process_transport_factory.cc(1016)] Lost UI shared context.
libpng warning: iCCP: known incorrect sRGB profile
[11581:11596:0122/103523.012009:ERROR:service_manager_context.cc(250)] Attempting to run unsupported native service: /usr/lib/chromium-browser/content_utility.service
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile

and in the trace I get
open("/usr/lib/libxml2.so.2.9.9", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 129

Seems OK to me. No problems in normal desktop usage.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
M6/x64

(In reply to PC LX from comment #7)
> Since these are packages that touch lots of stuff I will not mark it as OK
> and wait for more testers.
> Tested using:
> etc etc etc

You are too modest!

After pre-update tests, I UPDATED to:
- lib64xml2-devel-2.9.9-1.mga6.x86_64
- lib64xml2_2-2.9.9-1.mga6.x86_64
- libxml2-python-2.9.9-1.mga6.x86_64
- libxml2-utils-2.9.9-1.mga6.x86_64
- perl-XML-LibXML-2.13.200-1.1.mga6.x86_64

I found a few PoCs.

1) CVE-2018-9251, from
https://bugzilla.gnome.org/show_bug.cgi?id=794914
"in libxml2 if liblzma-dev package is enabled" [?] + compiling details.
https://bugzilla.gnome.org/attachment.cgi?id=370463

 $ xmllint poc -o /tmp/null

BEFORE update, without any messing about, this command looped, hogging all of one processor.

AFTER update:
 $ xmllint poc -o /tmp/null
 poc:1: parser error : Document is empty

 ^
GOOD.

2) CVE-2018-14404, from
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
-> https://bugs.debian.org/cgi-bin/bugreport.cgi?att=2;bug=901817;filename=reproducers.zip;msg=5
has:

chrome-safari/
├── libxml2-xmlXPathCompOpEval-and.html
└── libxml2-xmlXPathCompOpEval-or.html

"For browser reproduction open the html reproducers with your target browser (chrome/safari)."
Or chromium-browser as per Herman c8.

BEFORE update, with Chromium-browser,
 file:///home/lewis/tmp/chrome-safari/libxml2-xmlXPathCompOpEval-and.html
yielded "Aw Snap, something went wrong while displaying this web page". The console showed basically a crash.
Same for
 file:///home/lewis/tmp/chrome-safari/libxml2-xmlXPathCompOpEval-or.html

AFTER update:
 file:///home/lewis/tmp/chrome-safari/libxml2-xmlXPathCompOpEval-and.html
Popped up "This page says [object XMLDocument]". Clicking OK led to a blank page. No crash at the console. GOOD
 file:///home/lewis/tmp/chrome-safari/libxml2-xmlXPathCompOpEval-or.html
Same result. GOOD.

php5.6/
├── and.xsl
├── or.xsl
├── xpath_and.php
├── xpath_or.php
├── xpath_xmlXPathCompOpExal_XPATH_OP_AND_output.txt
└── xpath_xmlXPathCompOpExal_XPATH_OP_OR_output.txt

"For php reproduction run the following (php needs the xml module for DOM)" [?]
I could find nothing that combined php+xml+dom, but what I had were:
php-xml-5.6.40-1.mga6, php-xmlreader-5.6.40-1.mga6, php-dom-5.6.40-1.mga6; to which I added php-xsl-5.6.40-1.mga6

"make sure the php files and .xsl files reside in same directory and run the following commands:"
 $ php -f xpath_or.php
 $ php -f xpath_and.php

BEFORE update:
 $ php -f xpath_or.php
 ...
 Segmentation fault (core dumped)
 $ php -f xpath_and.php
 ...
 Segmentation fault (core dumped)

AFTER update:
 $ php -f xpath_or.php
Lots of errors, but NO crash. GOOD.
 $ php -f xpath_and.php
Same result. GOOD.

All this reinforces the other tests done.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
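
The BEFORE/AFTER checks in the comment above separate three outcomes: a command that loops, one that crashes, and one that ends by itself with an error. As an added example (not part of the bug report or of Mageia's QA tooling), this shell helper classifies them so the same checks can be repeated on each update; it assumes GNU `timeout` is installed, and the names `classify_run` and `check_fixed` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug report. Classify how a command ended:
#   HANG   - still running when the time limit expired
#            (the looping xmllint seen before the update, CVE-2018-9251)
#   CRASH  - killed by a signal such as SIGSEGV
#            (the php/chromium crashes seen before the update, CVE-2018-14404)
#   EXIT   - ended by itself; a parser error is still a clean exit
# Assumes timeout(1) from GNU coreutils: 124 means the limit was hit,
# 125-127 mean the command could not be started.
# Caveat: a program that itself exits with 124 or >128 is misclassified.

classify_run() {
    limit=$1; shift
    rc=0
    # "|| rc=$?" keeps the helper usable under "set -e".
    timeout "$limit" "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        124)         echo "HANG" ;;
        125|126|127) echo "NOT_RUN" ;;
        *)
            if [ "$rc" -gt 128 ]; then
                # The shell reports death by signal N as status 128+N.
                echo "CRASH signal=$((rc - 128))"
            else
                echo "EXIT status=$rc"
            fi ;;
    esac
}

# check_fixed LIMIT CMD [ARGS...]
# Succeeds only when the command terminates by itself within LIMIT seconds.
check_fixed() {
    case $(classify_run "$@") in
        EXIT*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Usage with the reproducers named in the comment (file names as given there):
#   check_fixed 10 xmllint poc -o /tmp/null && echo "CVE-2018-9251: GOOD"
#   check_fixed 10 php -f xpath_or.php      && echo "CVE-2018-14404: GOOD"
```
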
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0047.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
CVE-2017-8872 also fixed in this update: https://www.debian.org/lts/security/2020/dla-2369