Hi, CVE-2023-45322 was announced here: https://www.openwall.com/lists/oss-security/2023/10/06/5. The given link provides a patch. Best regards, Nico.
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO, MGA8TOO
Status comment: (none) => Patch available from upstream
Source RPM: (none) => libxml2-2.10.4-2.mga10.src.rpm
The fix is in the git master branch, but not yet in any release:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9

Different people commit this SRPM, so assigning this bug globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. (CVE-2023-45322)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322
https://www.openwall.com/lists/oss-security/2023/10/06/5
========================

Updated packages in 9/core/updates_testing:
========================
lib(64)xml2_2-2.10.4-1.2.mga9
lib(64)xml2-devel-2.10.4-1.2.mga9
libxml2-python3-2.10.4-1.2.mga9
libxml2-utils-2.10.4-1.2.mga9

from SRPM:
libxml2-2.10.4-1.2.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)xml2_2-2.9.10-7.9.mga8
lib(64)xml2-devel-2.9.10-7.9.mga8
libxml2-python3-2.9.10-7.9.mga8
libxml2-utils-2.9.10-7.9.mga8

from SRPM:
libxml2-2.9.10-7.9.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 9
Status comment: Patch available from upstream => (none)
Source RPM: libxml2-2.10.4-2.mga10.src.rpm => libxml2-2.10.4-1.1.mga9.src.rpm
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".
CC: (none) => marja11
Keywords: (none) => advisory
Mageia9, x86_64

Before updating, the PoC from https://gitlab.gnome.org/GNOME/libxml2/-/issues/583 fails with a segfault. The upstream behaviour is to ABORT, but the test is run within an ASAN framework, which we cannot reproduce without destroying the integrity of the source (the testfiles would have to be recompiled with address sanitization built in).

After the update:
$ xmllint --copy --html --maxmem 315229 input.xml
[...]
Ran out of memory needs > 315229 bytes
Ran out of memory needs > 315229 bytes
input.xml:1361: parser error : out of memory error
<graphic format="PNG" fileref="figures/example_screenshot" srccredit="ME">
<and it hangs>

which may be an improvement. Leaving that for others to judge.

Testing with xmllint as in previous tests.
xmllint --auto
<?xml version="1.0"?>
<info>abc</info>

$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

Checked a 538-line XML file used by vlc as a playlist for TV channels.
$ xmllint channels.xspf
That found no errors.

$ strace -o chromium.trace chromium-browser
Tried a couple of searches.
$ grep xml2 chromium.trace
openat(AT_FDCWD, "/usr/lib64/chromium-browser/libxml2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libxml2.so.2.10.4", O_RDONLY|O_CLOEXEC) = 96

Giving this the OK.
Whiteboard: MGA8TOO => MGA8TOO MGA9-64-OK
CC: (none) => tarazed25
CC: (none) => mageia
MGA8-64 Plasma in VirtualBox. No installation issues. Tested according to the wiki, looks OK. Giving it an OK and validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: MGA8TOO MGA9-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0298.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED