Bug 33975 - libxml2 new security issue CVE-2022-49043
Summary: libxml2 new security issue CVE-2022-49043
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-01-31 14:58 CET by Nicolas Salguero
Modified: 2025-02-04 00:14 CET

See Also:
Source RPM: libxml2-2.10.4-1.4.mga9.src.rpm
CVE: CVE-2022-49043
Status comment:


Description Nicolas Salguero 2025-01-31 14:58:04 CET
SUSE has issued an advisory on January 30:
https://lists.suse.com/pipermail/sle-security-updates/2025-January/020243.html
Nicolas Salguero 2025-01-31 14:58:31 CET

CVE: (none) => CVE-2022-49043
Source RPM: (none) => libxml2-2.10.4-1.4.mga9.src.rpm

Comment 1 Nicolas Salguero 2025-01-31 15:20:16 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free. (CVE-2022-49043)

References:
https://lists.suse.com/pipermail/sle-security-updates/2025-January/020243.html
========================

Updated packages in core/updates_testing:
========================
lib(64)xml2_2-2.10.4-1.5.mga9
lib(64)xml2-devel-2.10.4-1.5.mga9
libxml2-python3-2.10.4-1.5.mga9
libxml2-utils-2.10.4-1.5.mga9

from SRPM:
libxml2-2.10.4-1.5.mga9.src.rpm

Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED

katnatek 2025-01-31 17:17:49 CET

Keywords: (none) => advisory

Comment 2 katnatek 2025-02-02 19:39:09 CET
RH x86_64

installing libxml2-utils-2.10.4-1.5.mga9.x86_64.rpm lib64xml2_2-2.10.4-1.5.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: lib64xml2_2           ##################################################################################################
      2/2: libxml2-utils         ##################################################################################################
      1/2: removing libxml2-utils-2.10.4-1.4.mga9.x86_64
                                 ##################################################################################################
      2/2: removing lib64xml2_2-2.10.4-1.4.mga9.x86_64
                                 ##################################################################################################

Running strace chromium-browser shows the library is open:
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3

Comment 3 Herman Viaene 2025-02-03 16:00:21 CET
MGA9-64 Plasma Wayland on Compaq H000SB.
No installation issues.
Followed procedure shown in the wiki page https://wiki.mageia.org/en/QA_procedure:Libxml2:
$ python testxml.py
Tested OK
[tester9@mach3 libxml]$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>
[tester9@mach3 libxml]$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

Chromium runs OK, so ref bug 33238, good to go.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2025-02-03 22:43:22 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2025-02-04 00:14:26 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0034.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED