Bug 32364 - libxml2 new security issue CVE-2023-45322
Summary: libxml2 new security issue CVE-2023-45322
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal; Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-10-09 16:31 CEST by Nicolas Salguero
Modified: 2023-10-22 23:06 CEST

See Also:
Source RPM: libxml2-2.10.4-1.1.mga9.src.rpm
CVE:
Status comment:


Description Nicolas Salguero 2023-10-09 16:31:56 CEST
Hi,

CVE-2023-45322 was announced here:
https://www.openwall.com/lists/oss-security/2023/10/06/5.

The given link provides a patch.

Best regards,

Nico.
Nicolas Salguero 2023-10-09 16:32:34 CEST

CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO, MGA8TOO
Status comment: (none) => Patch available from upstream
Source RPM: (none) => libxml2-2.10.4-2.mga10.src.rpm

Comment 1 Lewis Smith 2023-10-09 20:41:34 CEST
The fix is in the git master branch, but not yet any release:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9

Different people commit this SRPM, so assigning this bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-10-11 13:23:15 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. (CVE-2023-45322)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322
https://www.openwall.com/lists/oss-security/2023/10/06/5
========================

Updated packages in 9/core/updates_testing:
========================
lib(64)xml2_2-2.10.4-1.2.mga9
lib(64)xml2-devel-2.10.4-1.2.mga9
libxml2-python3-2.10.4-1.2.mga9
libxml2-utils-2.10.4-1.2.mga9

from SRPM:
libxml2-2.10.4-1.2.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)xml2_2-2.9.10-7.9.mga8
lib(64)xml2-devel-2.9.10-7.9.mga8
libxml2-python3-2.9.10-7.9.mga8
libxml2-utils-2.9.10-7.9.mga8

from SRPM:
libxml2-2.9.10-7.9.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 9
Status comment: Patch available from upstream => (none)
Source RPM: libxml2-2.10.4-2.mga10.src.rpm => libxml2-2.10.4-1.1.mga9.src.rpm
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO

Comment 3 Marja Van Waes 2023-10-12 11:53:47 CEST
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

CC: (none) => marja11
Keywords: (none) => advisory

Comment 4 Len Lawrence 2023-10-14 17:10:40 CEST
Mageia9, x86_64

Before updating, the PoC from https://gitlab.gnome.org/GNOME/libxml2/-/issues/583 fails with a segfault.  The upstream behaviour is to ABORT but the test is run within an ASAN framework, which we cannot reproduce without destroying the integrity of the source (the testfiles would have to be recompiled with address sanitization built in).

After the update:
$ xmllint --copy --html --maxmem 315229 input.xml
[...]
Ran out of memory needs > 315229 bytes
Ran out of memory needs > 315229 bytes
input.xml:1361: parser error : out of memory error
  <graphic format="PNG"  fileref="figures/example_screenshot" srccredit="ME">

<and it hangs>
which may be an improvement.  Leaving that for others to judge.

Testing with xmllint as in previous tests.
$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>
$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

Checked a 538-line XML file used by vlc as a playlist for TV channels.
$ xmllint channels.xspf
That found no errors.

$ strace -o chromium.trace chromium-browser
Tried a couple of searches.
$ grep xml2 chromium.trace
openat(AT_FDCWD, "/usr/lib64/chromium-browser/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.10.4", O_RDONLY|O_CLOEXEC) = 96

Giving this the OK.

Whiteboard: MGA8TOO => MGA8TOO MGA9-64-OK
CC: (none) => tarazed25
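
Added example, not part of the original bug report or of any commenter's text: the strace check in comment 4 turned into a filter that lists only the libxml2 objects a process opened successfully, and can flag copies outside the system library directories, which a distribution update would not replace. The function name `libxml2_opens`, the list of system directories and the sample trace (modelled on the lines quoted in comment 4) are assumptions.

```shell
#!/bin/sh
# Report libxml2 shared objects a traced process opened successfully.
# Reads `strace -o FILE` output on stdin. MODE is "all" or "bundled".
libxml2_opens() {
    awk -F'"' -v mode="$1" '
        BEGIN {
            # Assumption: directories where the distribution installs libxml2.
            sys["/lib64"] = 1; sys["/usr/lib64"] = 1
            sys["/lib"] = 1;   sys["/usr/lib"] = 1
        }
        # $1 = syscall and leading args, $2 = quoted path, $3 = flags and result
        $1 ~ /open(at)?\(/ && match($3, /\) = -?[0-9]+/) {
            n = split($2, comp, "/")
            if (comp[n] !~ /^libxml2\.so/) next
            ret = substr($3, RSTART + 4, RLENGTH - 4) + 0
            if (ret < 0) next            # failed lookup (e.g. ENOENT): not loaded
            if (seen[$2]++) next         # report each path once
            dir = substr($2, 1, length($2) - length(comp[n]) - 1)
            if (mode == "bundled" && (dir in sys)) next
            print $2
        }
    '
}

# Constructed sample input, modelled on the trace lines quoted in comment 4.
sample_trace() {
    cat <<'EOF'
openat(AT_FDCWD, "/usr/lib64/chromium-browser/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.10.4", O_RDONLY|O_CLOEXEC) = 96
EOF
}

echo "libxml2 objects opened:"
sample_trace | libxml2_opens all
echo "copies outside system library directories:"
sample_trace | libxml2_opens bundled
```

A statically linked copy of libxml2 never appears as an open of `libxml2.so`, so an empty result does not by itself show that a binary is unaffected.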

PC LX 2023-10-16 12:32:21 CEST

CC: (none) => mageia

Comment 5 Thomas Andrews 2023-10-22 01:25:02 CEST
MGA8-64 Plasma in VirtualBox. No installation issues.

Tested according to the wiki, looks OK. Giving it an OK and validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: MGA8TOO MGA9-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: (none) => validated_update

Comment 6 Mageia Robot 2023-10-22 23:06:47 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0298.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

