Bug 24583 - mxml new security issues CVE-2018-2000[45] and CVE-2018-2059[23]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Reported: 2019-03-28 21:19 CET by David Walser
Modified: 2019-05-12 11:37 CEST
Source RPM: mxml-2.12-1.mga7.src.rpm
Description David Walser 2019-03-28 21:19:08 CET
Fedora has issued an advisory on March 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N53IJHDYR5HVQLKH4J6B27OEQLGKSGY5/

The issues are fixed upstream in 3.0.

Mageia 6 is also affected.

David Walser 2019-03-28 21:19:13 CET

Whiteboard: (none) => MGA6TOO

David Walser 2019-03-28 21:23:03 CET

Status comment: (none) => Fixed upstream in 3.0

Comment 1 Marja Van Waes 2019-03-29 08:00:51 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing two committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11, mrambo

Comment 2 David GEIGER 2019-03-29 18:21:44 CET
Fixed both mga6 and cauldron!

Comment 3 David Walser 2019-03-30 16:59:45 CET
Advisory:
========================

Updated mxml packages fix security vulnerabilities:

An issue has been found in Mini-XML (aka mxml) 2.12. It is a stack-based
buffer overflow in mxml_write_node in mxml-file.c via vectors involving a
double-precision floating point number and the '<order type="real">'
substring, as demonstrated by testmxml (CVE-2018-20004).

An issue has been found in Mini-XML (aka mxml) 2.12. It is a use-after-free in
mxmlWalkNext in mxml-search.c, as demonstrated by mxmldoc (CVE-2018-20005).

In Mini-XML (aka mxml) v2.12, there is a use-after-free in the mxmlAdd
function of the mxml-node.c file. Remote attackers could leverage this
vulnerability to cause a denial-of-service via a crafted xml file, as
demonstrated by mxmldoc (CVE-2018-20592).

In Mini-XML (aka mxml) v2.12, there is a stack-based buffer overflow in the
scan_file function in mxmldoc.c (CVE-2018-20593).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20004
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20005
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20592
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20593
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N53IJHDYR5HVQLKH4J6B27OEQLGKSGY5/
========================

Updated packages in core/updates_testing:
========================
libmxml1-3.0-1.mga6
libmxml-devel-3.0-1.mga6

from mxml-3.0-1.mga6.src.rpm

Version: Cauldron => 6
Status comment: Fixed upstream in 3.0 => (none)
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs

Comment 4 Herman Viaene 2019-04-16 14:49:00 CEST
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
# urpmq --whatrequires libmxml1
carla
carla-vst
dreamchess
libmxml-devel
libmxml1
ufoai
yoshimi
zynaddsubfx

Decided to try yoshimi, so
$ strace -o libmxml.txt yoshimi 
Yoshimi 1.5.2 is starting
ConfigFile /home/tester6/.config/yoshimi/yoshimi.config not found, will use default settings
/usr/share/yoshimi/presets
/home/tester6/.config/yoshimi/presets
Cannot connect to server socket err = No such file or directory
and loads of these
but it opens and I can play on the virtual keyboard, and the trace shows
open("/lib/i686/libmxml.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/sse2/libmxml.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/libmxml.so.1", O_RDONLY|O_CLOEXEC) = 3
The last one is provided by the libmxml1 package.
OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 5 Thomas Andrews 2019-04-28 04:16:40 CEST
Thanks, Herman. Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-05-12 09:16:48 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 6 Mageia Robot 2019-05-12 11:37:02 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0159.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
