openSUSE has issued an advisory on June 8: https://lists.opensuse.org/opensuse-updates/2020-06/msg00026.html They reverted the upstream fix (upstream is doing the same). Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOOStatus comment: (none) => Upstream change needs to be reverted
Assigning this to you, Shlomi, as its active maintainer.
Assignee: bugsquad => shlomif
Fixed in Cauldron in libxml2-2.9.10-5.mga8 by Shlomi.
Version: Cauldron => 7Whiteboard: MGA7TOO => (none)
submitted libxml2-2.9.9-2.4.mga7 to 7/updates-testing: http://pkgsubmit.mageia.org/ .
Advisory: ======================== Updated libxml2 packages fix security vulnerability: The fix for CVE-2019-19956 introduced regressions which can cause invalid xmlns references in output and memory leaks, possibly leading to more serious security issues. The broken fix has been reverted. References: https://lists.opensuse.org/opensuse-updates/2020-06/msg00026.html https://advisories.mageia.org/MGASA-2020-0020.html ======================== Updated packages in core/updates_testing: ======================== libxml2_2-2.9.9-2.4.mga7 libxml2-utils-2.9.9-2.4.mga7 libxml2-python-2.9.9-2.4.mga7 libxml2-python3-2.9.9-2.4.mga7 libxml2-devel-2.9.9-2.4.mga7 from libxml2-2.9.9-2.4.mga7.src.rpm
Status comment: Upstream change needs to be reverted => (none)Assignee: shlomif => qa-bugsCC: (none) => shlomif
mga7, x86_64 $ rpm -q lib64xml2_2 lib64xml2_2-2.9.9-2.3.mga7 CVE-2019-19956 https://bugzilla.suse.com/show_bug.cgi?id=1172021 $ valgrind perl test.pl [...] ==19218== For lists of detected and suppressed errors, rerun with: -s ==19218== ERROR SUMMARY: 5 errors from 2 contexts (suppressed: 0 from 0) Installed Calibre to establish that it works and to build a library. Enabled updates testing. $ urpmi.update -a $ MageiaUpdate - lib64xml2-devel-2.9.9-2.4.mga7.x86_64 - lib64xml2_2-2.9.9-2.4.mga7.x86_64 - libxml2-python-2.9.9-2.4.mga7.x86_64 - libxml2-python3-2.9.9-2.4.mga7.x86_64 - libxml2-utils-2.9.9-2.4.mga7.x86_64 $ valgrind perl test.pl [...] ==30953== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) That agrees with the result at Suse. Exercized calibre. Browsed the library and added more books and tried out various menu functions. All good. $ grep libxml calibre.trace getcwd("/data/qa/libxml2", 1026) = 17 getcwd("/data/qa/libxml2", 1024) = 17 openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 7 .... Many references of that kind. $ rpm -qil libxml-utils [...] /usr/bin/xmlcatalog /usr/bin/xmllint [...] Mageia documentation at https://wiki.mageia.org/en/QA_procedure:Libxml2 $ xmlcatalog --create <?xml version="1.0"?> <!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd"> <catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/> Looks like this tool can be used with various options to build a catalogue of ? $ xmllint --auto <?xml version="1.0"?> <info>abc</info> $ xmllint ~/data/tv/channels.xspf <?xml version="1.0" encoding="UTF-8"?> <playlist xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/" version="1"> <title>DVB Playlist</title> <creator>w_scan2-1.0.3</creator> <info>https://github.com/stefantalpalaru/w_scan2</info> <trackList> [...] <track> <title>0131. NOW 90s</title> <location>dvb-t2://frequency=754000000</location> <extension application="http://www.videolan.org/vlc/playlist/0"> <vlc:option>dvb-bandwidth=8</vlc:option> <vlc:option>dvb-ts-id=45056</vlc:option> <vlc:id>132</vlc:id> <vlc:option>program=45408</vlc:option> </extension> </track> </trackList> </playlist> which is just an echo of the file contents since there are no syntax errors. $ python testxml.py Tested OK $ python3 testxml.py Tested OK Note that python3 requires parentheses around argument lists for all function calls: print( getStatus( cases[0] ) ) This all looks fine including the PoC result.
Whiteboard: (none) => MGA7-64-OKCC: (none) => tarazed25
Thank you, Len. Looks like a thorough test to me. Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
CC: (none) => mageiaKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0271.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED