Bug 9228 - libxml2 new security issue CVE-2013-0338
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/540757/
: has_procedure MGA2-64-ok MGA2-32-OK
: validated_update
Reported: 2013-03-01 17:21 CET by David Walser
Modified: 2013-04-26 08:20 CEST (History)
Source RPM: libxml2-2.7.8-14.20120229.4.mga2.src.rpm
Description David Walser 2013-03-01 17:21:06 CET
RedHat has issued an advisory on February 28:
https://rhn.redhat.com/errata/RHSA-2013-0581.html

Patched packages uploaded for Mageia 2 and Cauldron.

Patch checked into Mageia 1 SVN.

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

A denial of service flaw was found in the way libxml2 performed string
substitutions when entity values for entity references replacement was
enabled. A remote attacker could provide a specially-crafted XML file that,
when processed by an application linked against libxml2, would lead to
excessive CPU consumption (CVE-2013-0338).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0338
https://rhn.redhat.com/errata/RHSA-2013-0581.html
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.7.8-14.20120229.5.mga2
libxml2-utils-2.7.8-14.20120229.5.mga2
libxml2-python-2.7.8-14.20120229.5.mga2
libxml2-devel-2.7.8-14.20120229.5.mga2

from libxml2-2.7.8-14.20120229.5.mga2.src.rpm

Comment 1 claire robinson 2013-03-01 17:23:45 CET
https://wiki.mageia.org/en/QA_procedure:Libxml2
Comment 2 Bill Wilkinson 2013-03-02 17:09:54 CET
tested mga2-64
python test and xml utils testing  All tested OK per the wiki procedure.

No PoC found on securityfocus.
Comment 3 Bill Wilkinson 2013-03-02 18:17:30 CET
tested mga2-32
Python test and xml utils testing All tested OK per the wiki procedure

Validating

Can someone from the sysadmin team please push from core/updates_testing to core/updates?

Thanks!
Comment 4 David Walser 2013-03-02 18:23:46 CET
This has been validated (in Comment 3).  Advisory and SRPM in Comment 0.
Comment 5 Thomas Backlund 2013-03-03 01:13:08 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0085
Comment 6 Oden Eriksson 2013-03-04 15:04:44 CET
FYI. This was discussed on oss-sec:

http://seclists.org/oss-sec/2013/q1/391
Comment 7 David Walser 2013-03-04 22:09:32 CET
Oden, do we need to take further action for CVE-2013-0339,0340,0341?
Comment 8 Oden Eriksson 2013-03-05 12:10:47 CET
I think you should check which patches are applied to the RHEL6 package, which is quite a few. The redhat bug doesn't expose much, neither do the patches.

As for Mandriva MES5 I'm considering using their version + patches, which means a bump from 2.7.1 to 2.7.6. YUCK!

I think they silently fixed CVE-2013-0339 in RHEL6, maybe even dates back to July 2012(!).

As for the expat patches I found no further info, yet.
Comment 9 Oden Eriksson 2013-04-26 08:20:30 CEST
======================================================
Name: CVE-2013-0338
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0338
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121206
Category: 
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=912400
Reference: CONFIRM:https://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab
Reference: MANDRIVA:MDVSA-2013:056
Reference: URL:http://www.mandriva.com/security/advisories?name=MDVSA-2013:056
Reference: SUSE:openSUSE-SU-2013:0552
Reference: URL:http://lists.opensuse.org/opensuse-updates/2013-03/msg00112.html
Reference: SUSE:openSUSE-SU-2013:0555
Reference: URL:http://lists.opensuse.org/opensuse-updates/2013-03/msg00114.html
Reference: UBUNTU:USN-1782-1
Reference: URL:http://www.ubuntu.com/usn/USN-1782-1

libxml2 2.9.0 and earlier allows context-dependent attackers to cause
a denial of service (CPU and memory consumption) via an XML file
containing an entity declaration with long replacement text and many
references to this entity, aka "internal entity expansion" with linear
complexity.
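
The pattern in the CVE description above (one internal entity with long replacement text, referenced many times) can be screened for before a document reaches an unpatched parser. This is an added example, not code from libxml2 or from this bug report; the function names and the `max_expanded` and `max_ratio` thresholds are assumptions chosen for illustration.

```python
import re

# Internal-subset and general-entity patterns. Parameter entities (%name) and
# external (SYSTEM/PUBLIC) entities are deliberately not matched.
DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.S)
ENTITY_DECL = re.compile(r'<!ENTITY\s+([^\s%"\']+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r'&([A-Za-z_:][\w.:-]*);')
PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}

def expanded_len(text, decls, cache, stack=()):
    """Length of text once every general entity reference is replaced."""
    total = len(ENTITY_REF.sub("", text))
    for name in ENTITY_REF.findall(text):
        if name in PREDEFINED:
            total += 1
        elif name in stack:
            raise ValueError("recursive entity reference: " + name)
        elif name in decls:  # undeclared names are left for the parser to report
            if name not in cache:
                cache[name] = expanded_len(decls[name], decls, cache, stack + (name,))
            total += cache[name]
    return total

# Thresholds are assumed values for illustration; tune them per application.
def check_entity_budget(xml_text, max_expanded=1_000_000, max_ratio=10.0):
    """Return (ok, expanded_chars, ratio) without expanding anything."""
    m = DOCTYPE.search(xml_text)
    subset, body = (m.group(1), xml_text[m.end():]) if m else ("", xml_text)
    decls = {}
    for d in ENTITY_DECL.finditer(subset):
        decls.setdefault(d.group(1), d.group(3))  # first declaration is binding
    expanded = expanded_len(body, decls, {})
    ratio = expanded / max(len(xml_text), 1)
    return expanded <= max_expanded and ratio <= max_ratio, expanded, ratio

# Constructed sample: one 2000-character entity referenced 500 times.
SAMPLE = ('<?xml version="1.0"?>\n<!DOCTYPE r [<!ENTITY a "%s">]>\n<r>%s</r>'
          % ("x" * 2000, "&a;" * 500))

if __name__ == "__main__":
    ok, expanded, ratio = check_entity_budget(SAMPLE)
    print(f"ok={ok} expanded={expanded} ratio={ratio:.0f}x")
```

The check works on the raw text with regular expressions, so it is a pre-filter in front of the parser rather than a substitute for the patched libxml2 packages.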
