Fedora has issued an advisory on February 24: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MVLDYFVW63Y6ZSHIC6VGRIM6UJ6XLSR4/ The issue is fixed upstream in 2.9.13. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 2.9.13Whiteboard: (none) => MGA8TOO
No particular packager evident for this, so assigning it globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory: ======================== The updated packages fix a security vulnerability: valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. (CVE-2022-23308) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23308 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MVLDYFVW63Y6ZSHIC6VGRIM6UJ6XLSR4/ ======================== Updated packages in core/updates_testing: ======================== libxml2-python3-2.9.10-7.3.mga8 libxml2-utils-2.9.10-7.3.mga8 lib(64)xml2_2-2.9.10-7.3.mga8 lib(64)xml2-devel-2.9.10-7.3.mga8 from SRPM: libxml2-2.9.10-7.3.mga8.src.rpm
Whiteboard: MGA8TOO => (none)Version: Cauldron => 8Status comment: Fixed upstream in 2.9.13 => (none)Status: NEW => ASSIGNEDCC: (none) => nicolas.salgueroAssignee: pkg-bugs => qa-bugsCVE: (none) => CVE-2022-23308
mga8, x64 The four packages updated cleanly. Following bug 29039 for testing. Checked an old PoC. $ xmllint billionlaughs.xml <?xml version="1.0"?> <!-- "Parameter Laughs", i.e. variant of Billion Laughs Attack using delayed interpretation of parameter entities Copyright (C) Sebastian Pipping <sebastian@pipping.org> --> <!DOCTYPE r [ ..... $ cat testxml.py import libxml2 def getStatus(case): prop = case.properties props={} props['name']="" props['classname']="" props['status']="" while prop: props[prop.name]=prop.content prop=prop.next if props['name'] == 'VHDL_BUILD_Passthrough' and props['classname'] == 'TestOne': return props['status'] return None x = libxml2.parseFile("testdata.xml") allcases=[c for c in x.children if c.name == 'testcase'] cases = [c for c in allcases if getStatus(c) != None] print( getStatus(cases[0]) ) $ python testxml.py Tested OK $ xmllint --auto <?xml version="1.0"?> <info>abc</info> $ xmlcatalog --create <?xml version="1.0"?> <!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd"> <catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/> Installed chromium-browser. Ran chromium-browser under strace. Invoking the browser brought up an XML tutorial site. Viewed several simple XML files on that site. $ grep lib chromium.trace | grep xml [...] openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.9.10", O_RDONLY|O_CLOEXEC) = 94 Reckon that is good enough.
CC: (none) => tarazed25Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0084.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED