Those issues were announced here: https://openwall.com/lists/oss-security/2025/04/17/3
CVE: (none) => CVE-2025-32414, CVE-2025-32415
Status comment: (none) => Fixed upstream in 2.13.8
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => libxml2-2.13.6-1.mga10.src.rpm, libxml2-2.10.4-1.6.mga9.src.rpm
Luckily just a version update. Assigning globally.
Assignee: bugsquad => pkg-bugs
Assignee: pkg-bugs => j.alberto.vc
Nicolas, for Mageia 9 should I add another patch or go to 2.13.8? It builds without issue but I want to ask first.
(In reply to katnatek from comment #2)
> Nicolas for mageia 9 should I add other patch or go to 2.13.8 ?
> It builds without issue but want to ask first

Hi,

For Mageia 9, you should add a patch. Even if it builds without issue, it might cause problems with other packages that depend on it at run time.

Best regards,

Nico.
(In reply to Nicolas Salguero from comment #3)
> (In reply to katnatek from comment #2)
> > Nicolas for mageia 9 should I add other patch or go to 2.13.8 ?
> > It builds without issue but want to ask first
> 
> Hi,
> 
> For Mageia 9, you should add a patch. Even if it builds without issue, it
> might cause problems with other packages that depend on it at run time.
> 
> Best regards,
> 
> Nico.

I will test if it works. I can't find a clear patch for CVE-2025-32415.
For CVE-2025-32414, I think I can use https://gitlab.gnome.org/-/project/1665/uploads/47cc2f2673c3df5e714a38400b56ff16/bug-889-v2.10.4-and-below.patch
(In reply to katnatek from comment #4)
> (In reply to Nicolas Salguero from comment #3)
> > (In reply to katnatek from comment #2)
> > > Nicolas for mageia 9 should I add other patch or go to 2.13.8 ?
> > > It builds without issue but want to ask first
> > 
> > Hi,
> > 
> > For Mageia 9, you should add a patch. Even if it builds without issue, it
> > might cause problems with other packages that depend on it at run time.
> > 
> > Best regards,
> > 
> > Nico.
> 
> I will test if works, I can't find a clear patch for CVE-2025-32415
> For CVE-2025-32414, I think can use
> https://gitlab.gnome.org/-/project/1665/uploads/47cc2f2673c3df5e714a38400b56ff16/bug-889-v2.10.4-and-below.patch

Well, chromium-browser and vlc work. I have now found the diff for CVE-2025-32415, but why keep a version not supported upstream?
I have to check the CVE-2025-32415 patch with care, it does not work out of the box. Later, I have things to do.
Packages:
lib(64)xml2-devel-2.10.4-1.7.mga9
lib(64)xml2_2-2.10.4-1.7.mga9
libxml2-python3-2.10.4-1.7.mga9
libxml2-utils-2.10.4-1.7.mga9

SRPM
libxml2-2.10.4-1.7.mga9
Whiteboard: MGA9TOO => (none)
Source RPM: libxml2-2.13.6-1.mga10.src.rpm, libxml2-2.10.4-1.6.mga9.src.rpm => libxml2-2.10.4-1.6.mga9
Assignee: j.alberto.vc => qa-bugs
Version: Cauldron => 9
RH x86_64

Run the POC for CVE-2025-32414:

xmlPythonFileRead: result is not a String
Traceback (most recent call last):
  File "/home/katnatek/qatest/CVE-2025-32414-libxml2.py", line 20, in <module>
    xml.sax.parseString(text, handler=ContentHandler())
  File "/usr/lib64/python3.10/xml/sax/__init__.py", line 48, in parseString
    parser.parse(inpsrc)
  File "/usr/lib/python3.10/site-packages/drv_libxml2.py", line 181, in parse
    self._reportErrors(1)
  File "/usr/lib/python3.10/site-packages/drv_libxml2.py", line 136, in _reportErrors
    self._err_handler.fatalError(exception)
  File "/usr/lib64/python3.10/xml/sax/handler.py", line 38, in fatalError
    raise exception
xml.sax._exceptions.SAXParseException: <unknown>:1:-1: Extra content at the end of the document

Not sure how to test CVE-2025-32415, the schema command does not exist.

Update

installing lib64xml2_2-2.10.4-1.7.mga9.x86_64.rpm libxml2-utils-2.10.4-1.7.mga9.x86_64.rpm libxml2-python3-2.10.4-1.7.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                                              ##########
      1/3: lib64xml2_2                                    ##########
      2/3: libxml2-utils                                  ##########
      3/3: libxml2-python3                                ##########
      1/3: removing libxml2-python3-2.10.4-1.6.mga9.x86_64 ##########
      2/3: removing libxml2-utils-2.10.4-1.6.mga9.x86_64   ##########
      3/3: removing lib64xml2_2-2.10.4-1.6.mga9.x86_64     ##########

No difference seen for CVE-2025-32414:

xmlPythonFileRead: result is not a String
Traceback (most recent call last):
  File "/home/katnatek/qatest/CVE-2025-32414-libxml2.py", line 20, in <module>
    xml.sax.parseString(text, handler=ContentHandler())
  File "/usr/lib64/python3.10/xml/sax/__init__.py", line 48, in parseString
    parser.parse(inpsrc)
  File "/usr/lib/python3.10/site-packages/drv_libxml2.py", line 181, in parse
    self._reportErrors(1)
  File "/usr/lib/python3.10/site-packages/drv_libxml2.py", line 136, in _reportErrors
    self._err_handler.fatalError(exception)
  File "/usr/lib64/python3.10/xml/sax/handler.py", line 38, in fatalError
    raise exception
xml.sax._exceptions.SAXParseException: <unknown>:1:-1: Extra content at the end of the document

Perhaps it is necessary to use valgrind as in the upstream report.
RH x86_64

Reference bug#33975 comment#3

python testxml.py
Tested OK

xmllint --auto
<?xml version="1.0"?>
<info>abc</info>

xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

strace chromium-browser shows
openat(AT_FDCWD, "/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
And I can open an xml file.

Looks good.
Keywords: (none) => advisory
MGA9-64 Plasma Wayland on Compaq H000SB

No installation issues.

Ref bug 33975

$ python testxml.py
Tested OK

$ xmllint --auto
<?xml version="1.0"?>
<info>abc</info>

$ xmlcatalog --create
<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>

Chromium works OK on newspaper site and youtube.

Let's go.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
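The QA smoke tests from the two reports above, as an added example script that is not part of the bug report or of the Mageia package: it checks that every installed libxml2 package is at the fixed release 2.10.4-1.7.mga9 (taken from the package list in this thread), then runs xmllint --auto and xmlcatalog --create and compares their output with what the testers recorded. The package glob passed to rpm, the simplified version comparison and the script name qa-libxml2.sh are assumptions; testxml.py from bug 33975 is not reproduced here.

```shell
#!/bin/sh
# Added QA smoke test for the Mageia 9 libxml2 update (example code, not part
# of the bug report or the package). The fixed release and the expected tool
# output are taken from the thread; the rpm glob and the version comparison
# are assumptions (the comparison is simplified, not a full rpmvercmp).

FIXED_VR="2.10.4-1.7.mga9"

# Extract "version-release" from an rpm NVRA string, e.g.
# lib64xml2_2-2.10.4-1.7.mga9.x86_64 -> 2.10.4-1.7.mga9
pkg_vr() {
    case $1 in
        *.x86_64|*.i586|*.aarch64|*.armv7hl|*.noarch) nvra=${1%.*} ;;
        *) nvra=$1 ;;
    esac
    rel=${nvra##*-}        # 1.7.mga9
    rest=${nvra%-*}        # lib64xml2_2-2.10.4
    printf '%s-%s\n' "${rest##*-}" "$rel"
}

# Return 0 when version-release $1 is at least $2. Components separated by
# "." or "-" are compared numerically when both are numbers (so 1.10 > 1.9)
# and as strings otherwise.
vr_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "[.-]"); nb = split(b, B, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] : 0; y = (i <= nb) ? B[i] : 0
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { x += 0; y += 0 }
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Run a command and compare its output with the expected text.
# $1 = label, $2 = expected output, rest = command and its arguments.
expect_output() {
    label=$1; expected=$2; shift 2
    actual=$("$@" 2>&1)
    if [ "$actual" = "$expected" ]; then
        echo "ok   $label"
        return 0
    fi
    printf 'FAIL %s\n--- expected\n%s\n--- got\n%s\n' "$label" "$expected" "$actual"
    return 1
}

# Every installed libxml2 package must be at the fixed release or newer.
check_installed() {
    command -v rpm >/dev/null 2>&1 || { echo "skip rpm not found"; return 0; }
    rc=0
    for p in $(rpm -qa 'lib*xml2*'); do
        if vr_ge "$(pkg_vr "$p")" "$FIXED_VR"; then
            echo "ok   $p"
        else
            echo "OLD  $p (want >= $FIXED_VR)"; rc=1
        fi
    done
    return $rc
}

# Output recorded by the testers in the thread.
XMLLINT_EXPECTED='<?xml version="1.0"?>
<info>abc</info>'
XMLCATALOG_EXPECTED='<?xml version="1.0"?>
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"/>'

main() {
    rc=0
    check_installed || rc=1
    if command -v xmllint >/dev/null 2>&1; then
        expect_output "xmllint --auto" "$XMLLINT_EXPECTED" xmllint --auto || rc=1
    else
        echo "skip xmllint not found"
    fi
    if command -v xmlcatalog >/dev/null 2>&1; then
        expect_output "xmlcatalog --create" "$XMLCATALOG_EXPECTED" xmlcatalog --create || rc=1
    else
        echo "skip xmlcatalog not found"
    fi
    return $rc
}

# Run the checks only when invoked with --run, so the file can also be sourced.
if [ "${1-}" = "--run" ]; then
    main
    exit $?
fi
```

Run it on the updated machine as `sh qa-libxml2.sh --run`; a non-zero exit means either an old package is still installed or one of the two tools no longer prints what the reports above show. The chromium check in the reports (strace showing /lib64/libxml2.so.2 being opened) is not scripted here because chromium loads the library at run time rather than through ldd-visible linking.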
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0139.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED