Fedora has issued an advisory today: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QCR5PIOBGDIDS6SYRESTMDJSEDFSCOE/ Mageia 9 is also affected.
CVE: (none) => CVE-2023-34194
Source RPM: (none) => tinyxml-2.6.2-14.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patch available from Fedora
tinyxml is very seldom updated, and by different people; so assigning this globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML through 2.6.2 has a reachable assertion (and application exit) via a crafted XML document with a '\0' located after whitespace. (CVE-2023-34194)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QCR5PIOBGDIDS6SYRESTMDJSEDFSCOE/
========================

Updated packages in core/updates_testing:
========================

lib(64)tinyxml0-2.6.2-14.1.mga9
lib(64)tinyxml-devel-2.6.2-14.1.mga9

from SRPM:
tinyxml-2.6.2-14.1.mga9.src.rpm
Status comment: Patch available from Fedora => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 9
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
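For applications that embed TinyXML and cannot pick up the fixed package at once, a pre-parse screen written for this thread as an added example (not TinyXML's code and not the Fedora patch): it rejects buffers holding an embedded NUL, which TinyXML's C-string parser would silently treat as the end of the document, and XML declarations that are not closed before the input runs out, which is the condition behind the reachable assertion described in the advisory above. The function and enum names are assumptions.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Verdict of the pre-parse screen. The caller hands the buffer to
// TiXmlDocument::Parse() only on Accept. (Hypothetical wrapper code,
// not part of TinyXML.)
enum class Screen { Accept, EmbeddedNul, TruncatedDeclaration };

// TinyXML parses a C string, so a NUL inside the buffer ends the document
// at that byte from the parser's point of view. If the document then ends
// inside "<?xml ...", after whitespace, the declaration parser reaches the
// assertion described in CVE-2023-34194. Both conditions are rejected here
// before the bytes reach the parser.
Screen screen_document(const char* data, std::size_t len) {
    // Embedded NUL: the parser would see a silently truncated document.
    if (len > 0 && std::memchr(data, '\0', len) != nullptr)
        return Screen::EmbeddedNul;

    std::string doc(data, len);
    // Only the last declaration matters: an earlier one is terminated by
    // whatever follows it, and the parser skips over the remaining tokens.
    std::size_t decl = doc.rfind("<?xml");
    if (decl == std::string::npos)
        return Screen::Accept;               // no declaration to truncate
    // TinyXML ends the declaration at the first '>' after "<?xml"; if the
    // input runs out first, the parser walks off the end of the string.
    if (doc.find('>', decl + 5) == std::string::npos)
        return Screen::TruncatedDeclaration;
    return Screen::Accept;
}

// Overload for callers that already hold the file contents in a std::string.
Screen screen_document(const std::string& doc) {
    return screen_document(doc.data(), doc.size());
}
```

The sample inputs in the checks below are constructed; the truncated declaration case is the shape of document the CVE text describes.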
CC: (none) => marja11
Source RPM: tinyxml-2.6.2-14.mga9.src.rpm => tinyxml-2.6.2-14.mga9
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".
Keywords: (none) => advisory
Tested in VirtualBox, MGA9-64 Plasma. Looking for previous updates, I found bug 29642. Taking Herman's lead but choosing a different application, I installed blobby, AKA "Blobby Volley," an old-school volleyball game that reminds me of the Pong arcade game I first played in a tavern 50 years ago. After updating lib64tinyxml0 (no installation issues), I ran "strace -o blob.txt blobby" on the command line. The GUI came up, and I visited a few screens, changed a few options, and played the game a bit against myself. I used the mouse for the right player, and the keyboard for the left. An interesting experience, showing I needed practice with both to become proficient. I stopped the game before completion, exercised the option to save for replay, and closed it. Examining the resulting blob.txt file, I found one reference to "/lib64/libtinyxml.so.0" near the beginning. Giving this an OK, and validating.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0014.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED