Fedora has issued an advisory on March 25:
The issues are fixed upstream in 3.0.
Mageia 6 is also affected.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing two committers.
geiger.david68210, marja11, mrambo
Fixed both mga6 and cauldron!
Updated mxml packages fix security vulnerabilities:
An issue has been found in Mini-XML (aka mxml) 2.12. It is a stack-based
buffer overflow in mxml_write_node in mxml-file.c via vectors involving a
double-precision floating point number and the '<order type="real">'
substring, as demonstrated by testmxml (CVE-2018-20004).
An issue has been found in Mini-XML (aka mxml) 2.12. It is a use-after-free in
mxmlWalkNext in mxml-search.c, as demonstrated by mxmldoc (CVE-2018-20005).
In Mini-XML (aka mxml) v2.12, there is a use-after-free in the mxmlAdd
function of the mxml-node.c file. Remote attackers could leverage this
vulnerability to cause a denial-of-service via a crafted XML file, as
demonstrated by mxmldoc (CVE-2018-20592).
In Mini-XML (aka mxml) v2.12, there is a stack-based buffer overflow in the
scan_file function in mxmldoc.c (CVE-2018-20593).
Updated packages in core/updates_testing:
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
# urpmq --whatrequires libmxml1
Decided to try yoshimi, so
$ strace -o libmxml.txt yoshimi
Yoshimi 1.5.2 is starting
ConfigFile /home/tester6/.config/yoshimi/yoshimi.config not found, will use default settings
Cannot connect to server socket err = No such file or directory
and loads of these
but it opens and I can play on the virtual keyboard, and the trace shows
open("/lib/i686/libmxml.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/sse2/libmxml.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/libmxml.so.1", O_RDONLY|O_CLOEXEC) = 3
The last one is provided by the libmxml1 package.
OK for me.
Thanks, Herman. Validating. Advisory in Comment 3.
An update for this issue has been pushed to the Mageia Updates repository.