Fedora has issued an advisory on May 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NYSYJVWYEQHFG2TBIQJRJ5COUR5LNFJJ/

The issue is fixed upstream in 2.9.11. Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 2.9.11
Assigning to NicolasS (rather than CC); you did several CVEs for this SRPM very recently.
CC: nicolas.salguero => (none)
Assignee: bugsquad => nicolas.salguero
Debian-LTS has issued an advisory for this today (May 30):
https://www.debian.org/lts/security/2021/dla-2669
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Exponential entity expansion attack bypasses all existing protection mechanisms. (CVE-2021-3541)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3541
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NYSYJVWYEQHFG2TBIQJRJ5COUR5LNFJJ/
https://www.debian.org/lts/security/2021/dla-2669
========================

Updated packages in 7/core/updates_testing:
========================
lib(64)xml2_2-2.9.9-2.7.mga7
libxml2-utils-2.9.9-2.7.mga7
libxml2-python-2.9.9-2.7.mga7
libxml2-python3-2.9.9-2.7.mga7
lib(64)xml2-devel-2.9.9-2.7.mga7

from SRPM:
libxml2-2.9.9-2.7.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)xml2_2-2.9.10-7.2.mga8
libxml2-utils-2.9.10-7.2.mga8
libxml2-python3-2.9.10-7.2.mga8
lib(64)xml2-devel-2.9.10-7.2.mga8

from SRPM:
libxml2-2.9.10-7.2.mga8.src.rpm
Assignee: nicolas.salguero => qa-bugs
Status comment: Fixed upstream in 2.9.11 => (none)
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-3541
Version: Cauldron => 8
Before update - this might be the PoC to run:

CVE-2021-3541
https://www.debian.org/lts/security/2021/dla-2669
https://blog.hartwork.org/posts/cve-2021-3541-parameter-laughs-fixed-in-libxml2-2-9-11/

$ xmllint --recover --postvalid billionlaughs.xml
<?xml version="1.0"?>
<!--
  "Parameter Laughs", i.e. variant of Billion Laughs Attack
  using delayed interpretation of parameter entities
  Copyright (C) Sebastian Pipping <sebastian@pipping.org>
-->
<!DOCTYPE r [
<!ENTITY % pe_1 "<!---->">
<!ENTITY % pe_2 "%pe_1;<!---->%pe_1;">
<!ENTITY % pe_3 "%pe_2;<!---->%pe_2;">
<!----><!----><!----><!----><!----><!----><!----><!-- not at full potential, increase towards "%pe40;" carefully -->]>
<r/>
billionlaughs.xml:15: element r: validity error : No declaration for element r
Document billionlaughs.xml does not validate

This implies that the library has already been patched against this variant of the attack.

$ rpm -q lib64xml2_2
lib64xml2_2-2.9.10-7.1.mga8

Updated the four packages and followed Herman's lead in bug 28902.
Same output from the PoC test.

https://wiki.mageia.org/en/QA_procedure:Libxml2
$ python testxml.py
Tested OK
$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>
$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

$ strace -o chromium.trace chromium-browser
http://www-db.deis.unibo.it/courses/TW/DOCS/w3schools/xml/xml_examples.asp.html
Tried viewing several examples of XML files. All looked fine.
$ grep libxml chromium.trace
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.9.10", O_RDONLY|O_CLOEXEC) = 99

Working fine for Mageia 8.
CC: (none) => tarazed25
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
Re comment 4: Hmm. Not sure about the PoC test.
$ xmllint pocfile
might be better.
Mageia 7, x86_64

$ xmllint billionlaughs.xml
merely echoes the contents of the file without comment.
$ xmllint --recover --postvalid billionlaughs.xml
says that the file does not validate.

Updated the five packages:
libxml2-python-2.9.9-2.7.mga7
libxml2-python3-2.9.9-2.7.mga7
libxml2-utils-2.9.9-2.7.mga7
lib64xml2_2-2.9.9-2.7.mga7
lib64xml2-devel-2.9.9-2.7.mga7

$ xmllint --recover --postvalid billionlaughs.xml
<?xml version="1.0"?>
<!--
[...]
billionlaughs.xml:15: element r: validity error : No declaration for element r
Document billionlaughs.xml does not validate

As in Mageia8.

$ python testxml.py
Tested OK
$ python3 testxml.py
Tested OK
$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>
$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

$ strace -o chromium.trace chromium-browser
Viewed several example XML files in the browser.
$ grep xml chromium.trace | grep lib
....
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.9.9", O_RDONLY|O_CLOEXEC) = 123

It works.
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0232.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED