SUSE has issued an advisory on September 18:
https://lists.suse.com/pipermail/sle-security-updates/2023-September/016186.html
The issue is fixed upstream by these commits:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9
https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129
Mageia 8 and 9 are also affected.
Source RPM: (none) => libxml2-2.10.4-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO, MGA8TOO
CC: (none) => nicolas.salguero
Status comment: (none) => Patch available from upstream
Suggested advisory:
========================
The updated packages fix a security vulnerability:
Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. (CVE-2023-39615)
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39615
https://lists.suse.com/pipermail/sle-security-updates/2023-September/016186.html
========================
Updated packages in 9/core/updates_testing:
========================
lib(64)xml2_2-2.10.4-1.1.mga9
lib(64)xml2-devel-2.10.4-1.1.mga9
libxml2-python3-2.10.4-1.1.mga9
libxml2-utils-2.10.4-1.1.mga9
from SRPM:
libxml2-2.10.4-1.1.mga9.src.rpm
Updated packages in 8/core/updates_testing:
========================
lib(64)xml2_2-2.9.10-7.8.mga8
lib(64)xml2-devel-2.9.10-7.8.mga8
libxml2-python3-2.9.10-7.8.mga8
libxml2-utils-2.9.10-7.8.mga8
from SRPM:
libxml2-2.9.10-7.8.mga8.src.rpm
Status comment: Patch available from upstream => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Assignee: bugsquad => qa-bugs
MGA8-64 Xfce on Acer Aspire 5253
No installation issues.
Ref QA Wiki and bug 31020.
Updated the wiki (last line of the py command file) to reflect a change in syntax as stated in bug 31020.
$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>
$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>
$ python testxml.py
Tested OK
Run chromium-browser and confirm it can read an xml file. OK for me.
CC: (none) => herman.viaene
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
Mid-air collision!
Mageia9, x86_64
Tried out the PoC for CVE-2023-39615 at https://gitlab.gnome.org/GNOME/libxml2/-/issues/535
$ xmllint --recover --sax1 --sax poc2_min
SAX.setDocumentLocator()
SAX.error: parsing XML declaration: '?>' expected
SAX.characters( , 1)
SAX.endDocument()
This result is different from the one published upstream in that there is no SIGSEGV termination. Could be good.
Updated the packages.
Ran the PoC with the same result, which would suggest that the repair was already in place.
$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>
$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>
Tried xmllint against a channels.xspf XML file for vlc. All lines parsed correctly. Deleted a </ field which terminates a clause and that was spotted immediately.
$ xmllint test.xspf
test.xspf:25: parser error : Opening and ending tag mismatch: extension line 20 and track
</track>
^
test.xspf:536: parser error : Opening and ending tag mismatch: track line 17 and trackList
</trackList>
^
Installed chromium-browser and ran it under trace.
$ grep xml2 chromium.trace
openat(AT_FDCWD, "/usr/lib64/chromium-browser/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.10.4", O_RDONLY|O_CLOEXEC) = 94
Giving this an OK for 64-bit.
CC: (none) => tarazed25
Believing Len above, set the OK for M9.
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Thank you, Gentlemen! Validating. Advisory in comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => marja11
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0279.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED