Fedora has issued an advisory on May 23: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/ The problem is fixed in version 2.12.7 (for Cauldron). The following commit also solves the issue (for Mga9): https://gitlab.gnome.org/GNOME/libxml2/-/commit/8ddc7f13337c9fe7c6b6e616f404b0fffb8a5145
Source RPM: (none) => libxml2-2.12.6-2.mga10.src.rpmWhiteboard: (none) => MGA9TOOCVE: (none) => CVE-2024-34459Status comment: (none) => Fixed upstream in 2.12.7 and patch available from upstream
Assigning to you, David, because you have version updated this often.
Assignee: bugsquad => geiger.david68210
SUSE has issued an advisory on May 29: https://lwn.net/Articles/975720/ The problem is already fixed in Cauldron (fixed in version 2.12.5). The following commit also solves the issue (for Mga9): https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7
CVE: CVE-2024-34459 => CVE-2024-34459, CVE-2024-25062Summary: libxml2 new security issue CVE-2024-34459 => libxml2 new security issues CVE-2024-34459 and CVE-2024-25062
Status comment: Fixed upstream in 2.12.7 and patch available from upstream => Fixed upstream in 2.12.7 and patches available from upstream
CVE-2024-25062 was already fixed in bug 33184
Summary: libxml2 new security issues CVE-2024-34459 and CVE-2024-25062 => libxml2 new security issue CVE-2024-34459Status comment: Fixed upstream in 2.12.7 and patches available from upstream => Fixed upstream in 2.12.7 and patch available from upstreamCVE: CVE-2024-34459, CVE-2024-25062 => CVE-2024-34459
Suggested advisory: ======================== The updated packages fix a security vulnerability: An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c. (CVE-2024-34459) References: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/ ======================== Updated packages in core/updates_testing: ======================== lib(64)xml2_2-2.10.4-1.4.mga9 lib(64)xml2-devel-2.10.4-1.4.mga9 libxml2-python3-2.10.4-1.4.mga9 libxml2-utils-2.10.4-1.4.mga9 from SRPM: libxml2-2.10.4-1.4.mga9.src.rpm
Source RPM: libxml2-2.12.6-2.mga10.src.rpm => libxml2-2.10.4-1.3.mga9.src.rpmWhiteboard: MGA9TOO => (none)Assignee: geiger.david68210 => qa-bugsStatus: NEW => ASSIGNEDStatus comment: Fixed upstream in 2.12.7 and patch available from upstream => (none)Version: Cauldron => 9
RH mageia 9 x86_64 Download the test file in https://gitlab.gnome.org/GNOME/libxml2/-/issues/720 xmllint --htmlout ~/Descargas/bug_trigger <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <html><head><title>xmllint output</title></head> <body bgcolor="#ffffff"><h1 align="center">xmllint output</h1> encoding error : input conversion failed due to input error, bytes 0x00 0x10 0x65 0x3E encoding error : input conversion failed due to input error, bytes 0x00 0x10 0x65 0x3E I/O error : encoder error <p>/home/katnatek/Descargas/bug_trigger:2: <b>error</b>: parsing XML declaration: '?>' expected </p> <pre> <author>John Doe< <ti ^ </pre><p>/home/katnatek/Descargas/bug_trigger:2: <b>error</b>: Start tag expected, '<' not found </p> <pre> <author>John Doe< <ti ^ </pre></body></html> LC_ALL=C urpmi --auto --auto-update medium "QA Testing (64-bit)" is up-to-date medium "Core Release (distrib1)" is up-to-date medium "Core Updates (distrib3)" is up-to-date medium "Nonfree Release (distrib11)" is up-to-date medium "Nonfree Updates (distrib13)" is up-to-date medium "Tainted Release (distrib21)" is up-to-date medium "Tainted Updates (distrib23)" is up-to-date medium "Core 32bit Release (distrib31)" is up-to-date medium "Core 32bit Updates (distrib32)" is up-to-date medium "Nonfree 32bit Release (distrib36)" is up-to-date medium "Tainted 32bit Release (distrib41)" is up-to-date medium "Tainted 32bit Updates (distrib42)" is up-to-date installing lib64xml2_2-2.10.4-1.4.mga9.x86_64.rpm libxml2-utils-2.10.4-1.4.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64 Preparing... ################################################################################################## 1/2: lib64xml2_2 ################################################################################################## 2/2: libxml2-utils ################################################################################################## 1/2: removing libxml2-utils-2.10.4-1.3.mga9.x86_64 ################################################################################################## 2/2: removing lib64xml2_2-2.10.4-1.3.mga9.x86_64 ################################################################################################## After the update the ouput of the command is the same look as once again the file just happen running with address sanitizer Run strace chromium-browser show the library is open openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3 chromium-browser keep working
Keywords: (none) => advisory
MGA9-64 Plasma Wayland on HP-Pavillion No installation issues. Followed procedure shown in the wiki page: $ python testxml.py Tested OK $ xmllint --auto <?xml version="1.0"?> <info>abc</info> $ xmlcatalog --create <?xml version="1.0"?> <!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd"> <catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/> Run chromium-browser OK, so good to go
Whiteboard: (none) => MGA9-64-OKCC: (none) => herman.viaene
CC: (none) => andrewsfarm
Thank you, Gentlemen. Validating.
CC: (none) => sysadmin-bugsKeywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0211.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED