Bug 32304 - libxml2 new security issue CVE-2023-39615
Summary: libxml2 new security issue CVE-2023-39615
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-09-19 14:38 CEST by Nicolas Salguero
Modified: 2023-09-30 21:18 CEST

See Also:
Source RPM: libxml2-2.10.4-1.mga9.src.rpm
CVE:
Status comment:



Nicolas Salguero 2023-09-19 14:39:01 CEST

Source RPM: (none) => libxml2-2.10.4-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO, MGA8TOO
CC: (none) => nicolas.salguero

Nicolas Salguero 2023-09-19 14:39:14 CEST

Status comment: (none) => Patch available from upstream

Comment 1 Nicolas Salguero 2023-09-19 15:20:15 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. (CVE-2023-39615)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39615
https://lists.suse.com/pipermail/sle-security-updates/2023-September/016186.html
========================

Updated packages in 9/core/updates_testing:
========================
lib(64)xml2_2-2.10.4-1.1.mga9
lib(64)xml2-devel-2.10.4-1.1.mga9
libxml2-python3-2.10.4-1.1.mga9
libxml2-utils-2.10.4-1.1.mga9

from SRPM:
libxml2-2.10.4-1.1.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)xml2_2-2.9.10-7.8.mga8
lib(64)xml2-devel-2.9.10-7.8.mga8
libxml2-python3-2.9.10-7.8.mga8
libxml2-utils-2.9.10-7.8.mga8

from SRPM:
libxml2-2.9.10-7.8.mga8.src.rpm

Status comment: Patch available from upstream => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Assignee: bugsquad => qa-bugs

Comment 2 Herman Viaene 2023-09-25 14:22:29 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues
Ref QA Wiki and bug 31020
Updated the wiki (last line of the py command file) to reflect a change in syntax as stated in bug 31020.
$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>

$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

$ python testxml.py
Tested OK

Run chromium-browser and confirm it can read an xml file.
OK for me.

CC: (none) => herman.viaene
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 3 Len Lawrence 2023-09-25 18:01:06 CEST
Mid-air collision! 

Mageia9, x86_64
Tried out the PoC for CVE-2023-39615 at
https://gitlab.gnome.org/GNOME/libxml2/-/issues/535

$ xmllint --recover --sax1 --sax poc2_min
SAX.setDocumentLocator()
SAX.error: parsing XML declaration: '?>' expected
SAX.characters(
, 1)
SAX.endDocument()

This result is different from the one published upstream in that there is no SIGSEGV termination.  Could be good.
Updated the packages.
Ran the PoC with the same result, which would suggest that the repair was already in place.

$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>
$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

Tried xmllint against a channels.xspf XML file for vlc.  All lines parsed correctly.
Deleted a </ field which terminates a clause and that was spotted immediately.
$ xmllint test.xspf
test.xspf:25: parser error : Opening and ending tag mismatch: extension line 20 and track
		</track>
		        ^
test.xspf:536: parser error : Opening and ending tag mismatch: track line 17 and trackList
	</trackList>
	            ^

Installed chromium-browser and ran it under trace.
$ grep xml2 chromium.trace
openat(AT_FDCWD, "/usr/lib64/chromium-browser/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.10.4", O_RDONLY|O_CLOEXEC) = 94

Giving this an OK for 64-bit.

CC: (none) => tarazed25
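
Added example, not part of the original comment or of Mageia's QA tooling: a shell helper for the PoC check described in comment 3, which uses the exit status to tell a signal-terminated xmllint run (such as SIGSEGV) apart from a handled parse error. The function names and the file arguments are assumptions; the xmllint options are the ones used in the comment.

```shell
#!/bin/sh
# Added example: classify how an xmllint run ended, so a crash is not
# confused with an ordinary, handled parse error.

# classify_status STATUS
# Maps a shell exit status to a verdict. Shells report a process killed by
# signal N as 128+N, so 139 means SIGSEGV (signal 11).
classify_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "clean"
    elif [ "$status" -eq 126 ] || [ "$status" -eq 127 ]; then
        echo "not-run:$status"          # xmllint missing or not executable
    elif [ "$status" -gt 128 ]; then
        echo "crash:signal-$((status - 128))"
    else
        echo "handled-error:$status"    # xmllint reported the error itself
    fi
}

# check_sample FILE
# Runs the invocation from comment 3 and prints the verdict.
# "|| status=$?" keeps the exit status even under "set -e".
check_sample() {
    status=0
    xmllint --recover --sax1 --sax "$1" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Usage: sh check.sh FILE...   (file names are supplied by the tester)
if [ "$#" -gt 0 ]; then
    # Record which libxml2 build is being exercised (printed on stderr).
    xmllint --version 2>&1 | head -n 1
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(check_sample "$f")"
    done
fi
```

Running it once before and once after installing the update, with the version line kept alongside each verdict, gives a before/after record for the QA report.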

Comment 4 Herman Viaene 2023-09-26 10:28:59 CEST
Believing Len above, set the OK for M9.

Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK

Comment 5 Thomas Andrews 2023-09-27 13:55:08 CEST
Thank you, Gentlemen! 

Validating. Advisory in comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Marja Van Waes 2023-09-30 16:33:21 CEST

Keywords: (none) => advisory
CC: (none) => marja11

Comment 6 Mageia Robot 2023-09-30 21:18:44 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0279.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

