Bug 29642 - tinyxml new security issue CVE-2021-42260
Summary: tinyxml new security issue CVE-2021-42260
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-11-10 15:33 CET by David Walser
Modified: 2021-11-18 22:52 CET
CC List: 5 users

See Also:
Source RPM: tinyxml-2.6.2-12.mga8.src.rpm
CVE: CVE-2021-42260
Status comment:



Description David Walser 2021-11-10 15:33:22 CET
openSUSE has issued an advisory on November 9:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2MO2YQSAKB3PM3TWSYUR2JCZND3ENJVZ/

Mageia 8 is also affected.
David Walser 2021-11-10 15:33:39 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from openSUSE

Comment 1 Nicolas Salguero 2021-11-12 09:21:04 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in tinyxmlparser.cpp via the TIXML_UTF_LEAD_0 case. It can be triggered by a crafted XML message and leads to a denial of service. (CVE-2021-42260)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42260
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2MO2YQSAKB3PM3TWSYUR2JCZND3ENJVZ/
========================

Updated packages in core/updates_testing:
========================
lib(64)tinyxml0-2.6.2-12.1.mga8
lib(64)tinyxml-devel-2.6.2-12.1.mga8

from SRPM:
tinyxml-2.6.2-12.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2021-42260
Version: Cauldron => 8
Status comment: Patch available from openSUSE => (none)
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
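An added illustration of the failure class the advisory describes (not tinyxml's code and not part of this bug report): a row/column stamping loop whose TIXML_UTF_LEAD_0 branch can fail to advance the pointer on a truncated lead sequence, beside a form that always consumes a byte, plus a progress guard that turns a would-be infinite loop into a detectable failure. The branch layout and the names StampResult/stampText are assumptions; only the BOM byte values are fixed facts.

```cpp
#include <cstddef>

// Byte values of the UTF-8 byte order mark (EF BB BF); tinyxml names these
// TIXML_UTF_LEAD_0/1/2. The branch layout below is an assumed simplification
// of a location-stamping loop, not a copy of tinyxmlparser.cpp.
static constexpr unsigned char UTF_LEAD_0 = 0xEFU;
static constexpr unsigned char UTF_LEAD_1 = 0xBBU;
static constexpr unsigned char UTF_LEAD_2 = 0xBFU;

struct StampResult {
    bool progressed;  // false if the loop stalled (would spin forever)
    int  row;
    int  col;
};

// Walk a NUL-terminated buffer counting rows and columns. With
// hardened == false, a 0xEF lead byte that is not followed by two
// non-NUL bytes is never consumed: p does not move, and without the
// progress guard the while loop would never exit.
StampResult stampText(const char* p, bool hardened)
{
    StampResult r = { true, 0, 0 };
    while (*p) {
        const char* before = p;
        const unsigned char* pU = reinterpret_cast<const unsigned char*>(p);
        switch (*pU) {
        case '\n':
            ++r.row; r.col = 0; ++p;
            break;
        case UTF_LEAD_0:
            if (*(p + 1) && *(p + 2)) {       // NUL short-circuits: no over-read
                if (pU[1] == UTF_LEAD_1 && pU[2] == UTF_LEAD_2)
                    p += 3;                   // BOM: zero width, no column
                else {
                    p += 3; ++r.col;          // ordinary 3-byte sequence
                }
            } else if (hardened) {
                ++p; ++r.col;                 // truncated sequence: still consume
            }
            break;
        default:
            ++p; ++r.col;
            break;
        }
        if (p == before) {                    // progress guard
            r.progressed = false;
            return r;
        }
    }
    return r;
}
```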

Comment 2 Herman Viaene 2021-11-12 16:32:50 CET
MGA8-64 Plasma on Lenovo B50
No installation issues.
No wiki, no previous updates, so ran:
# urpmq --whatrequires lib64tinyxml0
and got some 35 answers, picked one I thought I might understand and ran:
$ strace -o libtinyxml.txt pokerth
I must admit I don't get it at all, but I ran it as one user, pushed some buttons to which the application reacted, and in the trace I see one call to
/lib64/libtinyxml.so.0
Good enough for me, unless someone else has better ideas.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2021-11-13 16:41:55 CET
Looks good enough to me, Herman. Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-11-18 19:20:22 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2021-11-18 22:52:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0514.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

