Ubuntu has issued an advisory on February 10:
https://usn.ubuntu.com/4274-1/

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Assigning globally, CC a couple of recent committers.
CC: (none) => shlomif, thierry.vignaud
Assignee: bugsquad => pkg-bugs
(In reply to David Walser from comment #0)
> Ubuntu has issued an advisory on February 10:
> https://usn.ubuntu.com/4274-1/
>
> Mageia 7 is also affected.

Patch applied in mga8 in:

------------------------------------------------------------------------
r1547369 | shlomif | 2020-02-20 23:24:14 +0200 (Thu, 20 Feb 2020) | 1 line
Changed paths:
   A /cauldron/libxml2/current/SOURCES/CVE-2020-7595.patch
   M /cauldron/libxml2/current/SPECS/libxml2.spec

security: patch for MGA#26222; other patch was already applied

Package submitted to BS.
Now submitted to mga7 core/updates_testing
Thanks Shlomi. I found another CVE.

Fedora has issued an advisory on February 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/
Summary: libxml2 new security issue CVE-2020-7595 => libxml2 new security issues CVE-2019-20388 and CVE-2020-7595
(In reply to David Walser from comment #4)
> Thanks Shlomi. I found another CVE.
>
> Fedora has issued an advisory on February 15:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/

Patch applied and submitted to mga8 and mga7.
Advisory:
========================

Updated libxml2 packages fix security vulnerabilities:

xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak (CVE-2019-20388).

xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation (CVE-2020-7595).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20388
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7595
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.9.9-2.3.mga7
libxml2-utils-2.9.9-2.3.mga7
libxml2-python-2.9.9-2.3.mga7
libxml2-python3-2.9.9-2.3.mga7
libxml2-devel-2.9.9-2.3.mga7

from libxml2_2-2.9.9-2.3.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Mageia7, x86_64

No obvious PoC out there.
The five packages installed cleanly.

Referred to the wiki for the tests:
https://wiki.mageia.org/en/QA_procedure:Libxml2

$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>

Test file for the next command was already available, with an edit to cover python3 syntax.
$ python testxml.py
Tested OK
$ python3 testxml.py
Tested OK

qarte 4.6.0 is not working at present - don't know if that has been reported.
$ strace -o qarte.trace qarte
19:45:10: INFO - core Set workspace
19:45:10: INFO - core Load config from: /home/lcl/.Qarte/user_config
19:45:10: INFO - core Build main window
19:45:10: INFO - artetv Fetch page: https://www.arte.tv/fr/guide/20200211/
19:45:11: WARNING - artetv Read json error: Extra data: line 1 column 130120 (char 130119)

However, it does open the library:
$ grep xml2 qarte.trace
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.9.9", O_RDONLY) = 18
Somewhat inconclusive as a test of real world usage.

calibre works fine and appears to use libxml2.
$ grep xml2 calibre.trace
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 7
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.9.9", O_RDONLY) = 23

This is OK for 64-bits.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
Validating. Advisory in Comment 6.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0101.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED