Debian-LTS has issued an advisory today (December 28): https://www.debian.org/lts/security/2019/dla-2048 The issue is fixed upstream in 2.9.10. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Suggested advisory:
========================

The updated packages fix a security vulnerability:

xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. (CVE-2019-19956)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19956
https://www.debian.org/lts/security/2019/dla-2048
========================

Updated packages in core/updates_testing:
========================
lib(64)xml2_2-2.9.9-2.1.mga7
libxml2-utils-2.9.9-2.1.mga7
libxml2-python-2.9.9-2.1.mga7
libxml2-python3-2.9.9-2.1.mga7
lib(64)xml2-devel-2.9.9-2.1.mga7

from SRPMS:
libxml2-2.9.9-2.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
CVE: (none) => CVE-2019-19956
Source RPM: libxml2-2.9.9-7.mga8.src.rpm => libxml2-2.9.9-2.mga7.src.rpm
Version: Cauldron => 7
CC: (none) => nicolas.salguero
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Taking this on for Mageia7. There is a good tutorial at http://www.xmlsoft.org/examples/.
CC: (none) => tarazed25
There is also: https://wiki.mageia.org/en/QA_procedure:Libxml2
Keywords: (none) => has_procedure
Thanks for that David. Probably better to go with something tried and tested, especially as it covers the python angle.
Mageia7, x86_64
Mageia QA tests at https://wiki.mageia.org/en/QA_procedure:Libxml2

Updated the five packages. Ran the tests documented on the wiki above.

$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>

$ python testxml.py
Tested OK

$ python3 testxml.py
  File "testxml.py", line 19
    print getStatus(cases[0])
                  ^
SyntaxError: invalid syntax

Shucks! Get caught by that one every time. Added parentheses for print.

print( getStatus(cases[0]) )

$ python3 testxml.py
Tested OK

Ran qarte and chromium-browser under strace but neither would run. Nevertheless the trace files showed that libxml2.so.2 was being accessed.
Ran calibre under strace which showed openat being called a couple of times on libxml2.so.2.

Green light for this one.
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0020.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED