Fedora has issued an advisory on March 25: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N53IJHDYR5HVQLKH4J6B27OEQLGKSGY5/ The issues are fixed upstream in 3.0. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 3.0
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing two committers.
Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11, mrambo
Fixed both mga6 and cauldron!
Advisory:
========================

Updated mxml packages fix security vulnerabilities:

An issue has been found in Mini-XML (aka mxml) 2.12. It is a stack-based buffer overflow in mxml_write_node in mxml-file.c via vectors involving a double-precision floating point number and the '<order type="real">' substring, as demonstrated by testmxml (CVE-2018-20004).

An issue has been found in Mini-XML (aka mxml) 2.12. It is a use-after-free in mxmlWalkNext in mxml-search.c, as demonstrated by mxmldoc (CVE-2018-20005).

In Mini-XML (aka mxml) v2.12, there is a use-after-free in the mxmlAdd function of the mxml-node.c file. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted xml file, as demonstrated by mxmldoc (CVE-2018-20592).

In Mini-XML (aka mxml) v2.12, there is a stack-based buffer overflow in the scan_file function in mxmldoc.c (CVE-2018-20593).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20004
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20005
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20592
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20593
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N53IJHDYR5HVQLKH4J6B27OEQLGKSGY5/
========================

Updated packages in core/updates_testing:
========================

libmxml1-3.0-1.mga6
libmxml-devel-3.0-1.mga6

from mxml-3.0-1.mga6.src.rpm
Version: Cauldron => 6
Status comment: Fixed upstream in 3.0 => (none)
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.

# urpmq --whatrequires libmxml1
carla
carla-vst
dreamchess
libmxml-devel
libmxml1
ufoai
yoshimi
zynaddsubfx

Decided to try yoshimi, so
$ strace -o libmxml.txt yoshimi
Yoshimi 1.5.2 is starting
ConfigFile /home/tester6/.config/yoshimi/yoshimi.config not found, will use default settings
/usr/share/yoshimi/presets
/home/tester6/.config/yoshimi/presets
Cannot connect to server socket err = No such file or directory
and loads of these, but it opens and I can play on the virtual keyboard, and the trace shows
open("/lib/i686/libmxml.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/sse2/libmxml.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/libmxml.so.1", O_RDONLY|O_CLOEXEC) = 3
The last one is provided by the libmxml1 package.
OK for me.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
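A check in the spirit of the strace verification in the QA comment above, written as an added example that is not part of the bug report: given strace output and a library SONAME, it reports which copy of the library the program actually opened and whether that copy lives in a package-managed directory, so a stale copy picked up from a user-writable location would be noticed. The sample trace lines are constructed from the ones quoted in the comment, not taken from the tester's log file.

```shell
# Constructed sample of strace output (modelled on the trace quoted above,
# not the tester's real libmxml.txt).
SAMPLE_TRACE='open("/lib/i686/libmxml.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/sse2/libmxml.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/libmxml.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libfltk.so.1.3", O_RDONLY|O_CLOEXEC) = 4'

# loaded_lib_path TRACE_TEXT SONAME
# Prints the path of the first successful open()/openat() of SONAME in the
# trace (the copy the dynamic loader actually mapped); failed probes that
# returned -1 are skipped. Exit status 1 if the library was never opened.
loaded_lib_path() {
    printf '%s\n' "$1" | awk -v lib="$2" '
        /^open(at)?\(/ && index($0, "/" lib "\"") && $0 !~ /= -1 / {
            s = $0
            sub(/^[^"]*"/, "", s)   # drop everything up to the opening quote
            sub(/".*$/, "", s)      # drop the closing quote and the result
            print s
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }'
}

# lib_from_trusted_dir PATH
# Succeeds when the path is under a system library directory that the package
# manager owns. A library loaded from anywhere else (home directory, /tmp, an
# LD_LIBRARY_PATH entry) means the updated package is not what the program uses.
lib_from_trusted_dir() {
    case "$1" in
        /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Typical use after "strace -o libmxml.txt yoshimi":
#   loaded_lib_path "$(cat libmxml.txt)" libmxml.so.1
```

The SONAME argument is matched as a path component, so `libmxml.so.1` does not match a probe for `libmxml.so.10`.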
Thanks, Herman. Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0159.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED