Bug 26753 - libxml2 CVE-2019-19956 fix introduced more serious security issues
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2020-06-09 19:43 CEST by David Walser
Modified: 2020-07-05 00:48 CEST

See Also:
Source RPM: libxml2-2.9.10-4.mga8.src.rpm
Status comment:


Description David Walser 2020-06-09 19:43:15 CEST
openSUSE has issued an advisory on June 8:

They reverted the upstream fix (upstream is doing the same).

Mageia 7 is also affected.
David Walser 2020-06-09 19:43:39 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Upstream change needs to be reverted

Comment 1 Lewis Smith 2020-06-09 20:55:43 CEST
Assigning this to you, Shlomi, as its active maintainer.

Assignee: bugsquad => shlomif

Comment 2 David Walser 2020-06-10 15:56:43 CEST
Fixed in Cauldron in libxml2-2.9.10-5.mga8 by Shlomi.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 3 Shlomi Fish 2020-06-30 15:04:42 CEST
submitted libxml2-2.9.9-2.4.mga7 to 7/updates-testing: http://pkgsubmit.mageia.org/ .
Comment 4 David Walser 2020-06-30 15:20:41 CEST

Updated libxml2 packages fix security vulnerability:

The fix for CVE-2019-19956 introduced regressions which can cause invalid xmlns
references in output and memory leaks, possibly leading to more serious
security issues.  The broken fix has been reverted.


Updated packages in core/updates_testing:

from libxml2-2.9.9-2.4.mga7.src.rpm

Status comment: Upstream change needs to be reverted => (none)
Assignee: shlomif => qa-bugs
CC: (none) => shlomif

Comment 5 Len Lawrence 2020-07-01 02:17:25 CEST
mga7, x86_64

$ rpm -q lib64xml2_2

$ valgrind perl test.pl
==19218== For lists of detected and suppressed errors, rerun with: -s
==19218== ERROR SUMMARY: 5 errors from 2 contexts (suppressed: 0 from 0)

Installed Calibre to establish that it works and to build a library.

Enabled updates testing.
$ urpmi.update -a
$ MageiaUpdate
- lib64xml2-devel-2.9.9-2.4.mga7.x86_64
- lib64xml2_2-2.9.9-2.4.mga7.x86_64
- libxml2-python-2.9.9-2.4.mga7.x86_64
- libxml2-python3-2.9.9-2.4.mga7.x86_64
- libxml2-utils-2.9.9-2.4.mga7.x86_64

$ valgrind perl test.pl
==30953== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

That agrees with the result at Suse.

Exercised calibre.  Browsed the library and added more books and tried out various menu functions.  All good.

$ grep libxml calibre.trace
getcwd("/data/qa/libxml2", 1026)        = 17
getcwd("/data/qa/libxml2", 1024)        = 17
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 7

Many references of that kind.

$ rpm -qil libxml-utils

Mageia documentation at https://wiki.mageia.org/en/QA_procedure:Libxml2

$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

Looks like this tool can be used with various options to build a catalogue of ?

$ xmllint --auto
<?xml version="1.0"?>

$ xmllint ~/data/tv/channels.xspf
<?xml version="1.0" encoding="UTF-8"?>
<playlist xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/" version="1">
        <title>DVB Playlist</title>
			<title>0131. NOW 90s</title>
			<extension application="http://www.videolan.org/vlc/playlist/0">

which is just an echo of the file contents since there are no syntax errors.

$ python testxml.py
Tested OK
$ python3 testxml.py
Tested OK

Note that python3 requires parentheses around argument lists for all function calls:
print( getStatus( cases[0] ) )

This all looks fine including the PoC result.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Comment 6 Thomas Andrews 2020-07-02 23:48:32 CEST
Thank you, Len. Looks like a thorough test to me.

Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Nicolas Lécureuil 2020-07-04 23:54:59 CEST

CC: (none) => mageia
Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-07-05 00:48:35 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
