Debian, Fedora and openSUSE have issued an advisory on May 9 and 10. References: https://www.debian.org/lts/security/2021/dla-2653 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/HLCJPB5W3FKJ7HO6DH6UVA3GP6IVZ37L/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
Whiteboard: (none) => MGA8TOO, MGA7TOOSource RPM: (none) => libxml2-2.9.10-8.mga9.src.rpm
Another SRPM with no obvious maintainer, so having to assign this globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory: ======================== The updated packages fix security vulnerabilities: Use-after-free in xmlEncodeEntitiesInternal() in entities.c. (CVE-2021-3516) Heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c. (CVE-2021-3517) Use-after-free in xmlXIncludeDoProcess() in xinclude.c. (CVE-2021-3518) NULL pointer dereference in valid.c in xmlValidBuildAContentModel. (CVE-2021-3537) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3516 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3517 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3518 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3537 https://www.debian.org/lts/security/2021/dla-2653 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/HLCJPB5W3FKJ7HO6DH6UVA3GP6IVZ37L/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/ ======================== Updated packages in 7/core/updates_testing: ======================== lib(64)xml2_2-2.9.9-2.6.mga7 libxml2-utils-2.9.9-2.6.mga7 libxml2-python-2.9.9-2.6.mga7 libxml2-python3-2.9.9-2.6.mga7 lib(64)xml2-devel-2.9.9-2.6.mga7 from SRPM: libxml2-2.9.9-2.6.mga7.src.rpm Updated packages in 8/core/updates_testing: ======================== lib(64)xml2_2-2.9.10-7.1.mga8 libxml2-utils-2.9.10-7.1.mga8 libxml2-python3-2.9.10-7.1.mga8 lib(64)xml2-devel-2.9.10-7.1.mga8 from SRPM: libxml2-2.9.10-7.1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugsSource RPM: libxml2-2.9.10-8.mga9.src.rpm => libxml2-2.9.10-7.mga8.src.rpmWhiteboard: MGA8TOO, MGA7TOO => MGA7TOOStatus: NEW => ASSIGNEDVersion: Cauldron => 8
MGA7-64 Plasma on Lenovo B50 No isntallation issues Followed wiki for testing with success $ python testxml.py Tested OK $ xmllint --auto <?xml version="1.0"?> <info>abc</info> $ xmlcatalog --create <?xml version="1.0"?> <!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd"> <catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/> $ strace -o xmlchromiumtest.txt chromium-browser [9680:9680:0512/175358.270516:ERROR:allowlist.cc(66)] Component extension with manifest resource id 11690 not in allowlist and is not being loaded as a result. [9680:9680:0512/175358.275691:ERROR:allowlist.cc(66)] Component extension with manifest resource id 11691 not in allowlist and is not being loaded as a result. [9710:9710:0512/175358.835798:ERROR:sandbox_linux.cc(374)] InitializeSandbox() called with multiple threads in process gpu-process. $ grep xml xmlchromiumtest.txt openat(AT_FDCWD, "/usr/lib64/chromium-browser/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "tls/haswell/x86_64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "tls/haswell/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "tls/x86_64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "tls/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "haswell/x86_64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "haswell/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "x86_64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3 pread64(5, "xmlCopyEntity:: malloc failed\0--"..., 64, 139692712329216) = 64 openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.9.9", O_RDONLY|O_CLOEXEC) = 135 read(189, "<?xml version=\"1.0\"?>\n<!DOCTYPE "..., 8192) = 2721 read(190, "<?xml version=\"1.0\"?>\n<!DOCTYPE "..., 8192) = 221 and a lot moreof this last line. OK for me.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OKCC: (none) => herman.viaene
mga8, x64 Only one of the CVEs led to a useful reproducer. CVE-2021-3537 Null pointer dereference in library in xmlSnprintfElementContent__internal_alias https://gitlab.gnome.org/GNOME/libxml2/-/issues/245 $ xmllint --recover --postvalid poc poc:1: parser error : xmlParseDocTypeDecl : no DOCTYPE name ! <!DOCTYP[<!ELEMENT ^ poc:1: parser error : DOCTYPE improperly terminated <!DOCTYP[<!ELEMENT [...] )))>)))))))))))))--exc-c14W!DOCT</:></:> validity error : Found NULL content in content model of : Segmentation fault (core dumped) Updated the four packages. $ xmllint --recover --postvalid poc .... <?xml version="1.0"?> <!DOCTYPE > validity error : no root element Document poc does not validate Good result for CVE-2021-3537. $ xmlcatalog --create <?xml version="1.0"?> <!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd"> <catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/> Installed chromium browser. $ strace -o chromium.trace chromium-browser $ strace -o chromium.trace chromium-browser [674628:674628:0517/214043.249203:ERROR:allowlist.cc(66)] Component extension with manifest resource id 11690 not in allowlist and is not being loaded as a resu... $ grep xml chromium.trace stat("/home/lcl/qa/libxml2", {st_mode=S_IFDIR|0755, st_size=498, ...}) = 0 stat("/home/lcl/qa/libxml2", {st_mode=S_IFDIR|0755, st_size=498, ...}) = 0 openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.9.10", O_RDONLY|O_CLOEXEC) = 99 read(179, "<?xml version=\"1.0\"?>\n<!DOCTYPE "..., 8192) = 2851 read(180, "<?xml version=\"1.0\"?>\n<!DOCTYPE "..., 8192) = 240 read(180, "<?xml version=\"1.0\"?>\n<!DOCTYPE "..., 8192) = 536 .... Seems to be working OK for Mageia8.
CC: (none) => tarazed25Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating. Advisory in Comment 2.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0213.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED