Bug 23410 - libxml2 new security issues CVE-2018-9251, CVE-2018-14404, CVE-2018-14567
Summary: libxml2 new security issues CVE-2018-9251, CVE-2018-14404, CVE-2018-14567
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2018-08-08 15:14 CEST by David Walser
Modified: 2020-09-22 19:38 CEST (History)

See Also:
Source RPM: libxml2-2.9.8-2.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2018-08-08 15:14:53 CEST
Fedora has issued an advisory on August 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G5AFZARX7BUSU24J2MJ4AHX5OE47UXQA/

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-08-08 15:14:59 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-08 19:30:02 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 David Walser 2018-08-14 23:27:29 CEST
Ubuntu has issued an advisory today (August 14):
https://usn.ubuntu.com/3739-1/

It fixes one new issue CVE-2018-14567:
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html

Summary: libxml2 new security issues CVE-2018-9251 and CVE-2018-14404 => libxml2 new security issues CVE-2018-9251, CVE-2018-14404, CVE-2018-14567

Comment 3 David Walser 2018-10-13 00:31:34 CEST
openSUSE has issued an advisory for this today (October 12):
https://lists.opensuse.org/opensuse-updates/2018-10/msg00054.html
Comment 4 David Walser 2018-10-13 00:32:38 CEST
The openSUSE 15 version of the above advisory:
https://lists.opensuse.org/opensuse-updates/2018-10/msg00057.html
Comment 5 David Walser 2019-01-21 03:31:55 CET
CVE-2018-9251 and CVE-2018-14567 were fixed in the same commit.  All of these fixes are in 2.9.9 (in Cauldron).

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 6 David Walser 2019-01-21 03:52:21 CET
Advisory:
========================

Updated libxml2 packages fix security vulnerabilities:

A flaw was found in libxml2 2.9.8. The xz_decomp function in xzlib.c, if
--with-lzma is used, allows remote attackers to cause a denial of service
(infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as
demonstrated by xmllint (CVE-2018-9251, CVE-2018-14567).

A null pointer dereference vulnerability exists in the
xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing invalid XPath
expression. Applications processing untrusted XSL format inputs with the use of
libxml2 library may be vulnerable to denial of service attack due to crash of
the application (CVE-2018-14404).

The libxml2 package has been updated to version 2.9.9 to fix these issues and
other bugs.

The perl-XML-LibXML package has been rebuilt against the updated libxml2.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9251
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14567
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G5AFZARX7BUSU24J2MJ4AHX5OE47UXQA/
https://usn.ubuntu.com/3739-1/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.9-1.mga6
libxml2-utils-2.9.9-1.mga6
libxml2-python-2.9.9-1.mga6
libxml2-python3-2.9.9-1.mga6
libxml2-devel-2.9.9-1.mga6
libxml2-debuginfo-2.9.9-1.mga6
perl-XML-LibXML-2.13.200-1.1.mga6

from SRPMS:
libxml2-2.9.9-1.mga6.src.rpm
perl-XML-LibXML-2.13.200-1.1.mga6.src.rpm

Assignee: shlomif => qa-bugs

Comment 7 PC LX 2019-01-21 13:59:27 CET
Installed and tested without issue.

Since these are packages that touch lots of stuff I will not mark it as OK and wait for more testers.

Tested using:
- php-xml, php-xsl, php-xmlreader, php-xmlwriter, php-dom using CLI (php-cli) and HTTP (apache plus mod_php);
- xsltproc;
- MySQL Workbench;
- twinkle;
- tellico;
- inkscape;
- chromium-browser-stable;
- amarok;
- normal desktop usage since lots of packages use lib64xml2.

Packages updated:
- lib64xml2-devel-2.9.9-1.mga6.x86_64
- lib64xml2_2-2.9.9-1.mga6.x86_64
- libxml2-python-2.9.9-1.mga6.x86_64
- libxml2-utils-2.9.9-1.mga6.x86_64
- perl-XML-LibXML-2.13.200-1.1.mga6.x86_64

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.89-desktop-1.mga6 #1 SMP Mon Dec 17 13:14:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

CC: (none) => mageia

Comment 8 Herman Viaene 2019-01-22 10:47:47 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Installed and used chromium-browser-stable with strace and browsed to my usual newspaper site.
at CLI:
$ strace -o libxml2.txt chromium-browser
Gtk-Message: Failed to load module "canberra-gtk-module"
[11631:11631:0122/103511.616038:ERROR:context_group.cc(372)] ContextResult::kFatalFailure: too few texture image units supported (0, should be 8).
[11581:11581:0122/103511.832595:ERROR:gpu_process_transport_factory.cc(1016)] Lost UI shared context.
libpng warning: iCCP: known incorrect sRGB profile
[11581:11596:0122/103523.012009:ERROR:service_manager_context.cc(250)] Attempting to run unsupported native service: /usr/lib/chromium-browser/content_utility.service
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile

and in the trace I get 
open("/usr/lib/libxml2.so.2.9.9", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 129

Seems OK to me. No problems in normal desktop usage.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 9 Lewis Smith 2019-01-22 18:44:29 CET
M6/x64
(In reply to PC LX from comment #7)
> Since these are packages that touch lots of stuff I will not mark it as OK
> and wait for more testers.
> Tested using:
> etc etc etc
You are too modest!

After pre-update tests, I UPDATED to:
- lib64xml2-devel-2.9.9-1.mga6.x86_64
- lib64xml2_2-2.9.9-1.mga6.x86_64
- libxml2-python-2.9.9-1.mga6.x86_64
- libxml2-utils-2.9.9-1.mga6.x86_64
- perl-XML-LibXML-2.13.200-1.1.mga6.x86_64

I found a few PoCs.

1) CVE-2018-9251, from https://bugzilla.gnome.org/show_bug.cgi?id=794914
"in libxml2 if liblzma-dev package is enabled" [?] + compiling details.
 https://bugzilla.gnome.org/attachment.cgi?id=370463
 $ xmllint poc -o /tmp/null
BEFORE update, without any messing about, this command looped, hogging all of one processor.
AFTER update:
 $ xmllint poc -o /tmp/null
 poc:1: parser error : Document is empty
 ^
GOOD.

2) CVE-2018-14404, from
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817 ->
 https://bugs.debian.org/cgi-bin/bugreport.cgi?att=2;bug=901817;filename=reproducers.zip;msg=5
 has:
chrome-safari/
├── libxml2-xmlXPathCompOpEval-and.html
└── libxml2-xmlXPathCompOpEval-or.html
"For browser reproduction open the html reproducers with your target browser
(chrome/safari)." Or chromium-browser as per Herman c8.
BEFORE update, with Chromium-browser,
 file:///home/lewis/tmp/chrome-safari/libxml2-xmlXPathCompOpEval-and.html
yielded "Aw Snap, something went wrong while displaying this web page".
The console showed basically a crash.
Same for
 file:///home/lewis/tmp/chrome-safari/libxml2-xmlXPathCompOpEval-or.html
AFTER update:
 file:///home/lewis/tmp/chrome-safari/libxml2-xmlXPathCompOpEval-and.html
Popped up "This page says [object XMLDocument]". Clicking OK led to a blank page. No crash at the console.
GOOD
  file:///home/lewis/tmp/chrome-safari/libxml2-xmlXPathCompOpEval-or.html
Same result. GOOD.

php5.6/
├── and.xsl
├── or.xsl
├── xpath_and.php
├── xpath_or.php
├── xpath_xmlXPathCompOpExal_XPATH_OP_AND_output.txt
└── xpath_xmlXPathCompOpExal_XPATH_OP_OR_output.txt
"For php reproduction run the following (php needs the xml module for DOM)"
[?] I could find nothing that combined php+xml+dom, but what I had were:
 php-xml-5.6.40-1.mga6, php-xmlreader-5.6.40-1.mga6, php-dom-5.6.40-1.mga6;
to which I added php-xsl-5.6.40-1.mga6
"make sure the php files and .xsl files reside in same directory and run the
following commands:"
 $ php -f xpath_or.php
 $ php -f xpath_and.php

BEFORE update:
 $ php -f xpath_or.php
 ...
 Segmentation fault (core dumped)
 $ php -f xpath_and.php
 ...
 Segmentation fault (core dumped)

AFTER update:
 $ php -f xpath_or.php
Lots of errors, but NO crash. GOOD.
 $ php -f xpath_and.php
Same result. GOOD.

All this reinforces the other tests done.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
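
The manual checks in comment 9 (xmllint looping on the CVE-2018-9251 reproducer before the update, php segfaulting on the XPath reproducers) as a bounded, repeatable harness. This is an added example, not code from the bug report or from libxml2; it assumes GNU timeout(1) is installed and that "xmllint --version" prints "using libxml version NNNNN" (20909 for 2.9.9), and the reproducer files are supplied by the tester as arguments.

```shell
#!/bin/sh
# Added example (not from the bug report): bound each xmllint run with
# timeout(1) and classify the exit status, so a hang or a crash is reported
# instead of being noticed as a stuck CPU or a core dump.

FIXED_VERSION=20909   # 2.9.9, the first release carrying all three fixes (comment 5)

# Convert a dotted libxml2 version such as 2.9.8 to the numeric form 20908.
dotted_to_numeric() (
    IFS=.
    set -- $1
    echo $(( $1 * 10000 + ${2:-0} * 100 + ${3:-0} ))
)

# Numeric libxml2 version of the installed xmllint, or 0 if it cannot be read.
# Assumes the "using libxml version NNNNN" line printed by xmllint --version.
installed_version() {
    v=$(xmllint --version 2>&1 | sed -n 's/.*using libxml version \([0-9]*\).*/\1/p')
    echo "${v:-0}"
}

# Map the exit status of "timeout N xmllint ..." to a verdict. timeout(1)
# returns 124 when the limit is hit; a process killed by a signal yields
# 128+signo (139 = SIGSEGV, the "Segmentation fault" seen in the php runs).
classify_status() {
    case "$1" in
        0)   echo "ok: parsed cleanly" ;;
        124) echo "FAIL: hang, timed out (the CVE-2018-9251 symptom)" ;;
        129|1[3-9][0-9]) echo "FAIL: crash, killed by signal $(( $1 - 128 ))" ;;
        *)   echo "ok: input rejected with exit status $1, no hang or crash" ;;
    esac
}

# Parse one file with a time limit (default 10 s) and print the verdict.
check_file() {
    if timeout "${2:-10}" xmllint --noout "$1" >/dev/null 2>&1; then st=0; else st=$?; fi
    printf '%s: %s\n' "$1" "$(classify_status "$st")"
}

if [ $# -gt 0 ]; then
    have=$(installed_version)
    if [ "$have" -ge "$FIXED_VERSION" ]; then
        echo "libxml2 $have >= $FIXED_VERSION: fixed version installed"
    else
        echo "libxml2 $have < $FIXED_VERSION: still the vulnerable version"
    fi
    for f in "$@"; do check_file "$f"; done
fi
```

Run it as "sh harness.sh poc libxml2-xmlXPathCompOpEval-and.html"; a "FAIL: hang" or "FAIL: crash" line means the unfixed behaviour is still present, while "parser error : Document is empty" from the fixed build shows up as "ok: input rejected".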

Comment 10 Mageia Robot 2019-01-23 16:51:45 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0047.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 11 David Walser 2020-09-22 19:38:02 CEST
CVE-2017-8872 also fixed in this update:
https://www.debian.org/lts/security/2020/dla-2369
