RedHat has issued an advisory on February 28: https://rhn.redhat.com/errata/RHSA-2013-0581.html

Patched packages uploaded for Mageia 2 and Cauldron. Patch checked into Mageia 1 SVN.

Advisory:
========================

Updated libxml2 packages fix security vulnerability:

A denial of service flaw was found in the way libxml2 performed string substitutions when entity values for entity references replacement was enabled. A remote attacker could provide a specially-crafted XML file that, when processed by an application linked against libxml2, would lead to excessive CPU consumption (CVE-2013-0338).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0338
https://rhn.redhat.com/errata/RHSA-2013-0581.html
========================

Updated packages in core/updates_testing:
========================
libxml2_2-2.7.8-14.20120229.5.mga2
libxml2-utils-2.7.8-14.20120229.5.mga2
libxml2-python-2.7.8-14.20120229.5.mga2
libxml2-devel-2.7.8-14.20120229.5.mga2

from libxml2-2.7.8-14.20120229.5.mga2.src.rpm

Reproducible:

Steps to Reproduce:
https://wiki.mageia.org/en/QA_procedure:Libxml2
Whiteboard: (none) => has_procedure
Tested mga2-64: python test and xml utils testing. All tested OK per the wiki procedure. No PoC found on securityfocus.
CC: (none) => wrw105
Whiteboard: has_procedure => has_procedure MGA2-64-ok
Tested mga2-32: Python test and xml utils testing. All tested OK per the wiki procedure.

Validating. Can someone from the sysadmin team please push from core/updates_testing to core/updates? Thanks!
Whiteboard: has_procedure MGA2-64-ok => has_procedure MGA2-64-ok MGA2-32-OK Validated-update
Whiteboard: has_procedure MGA2-64-ok MGA2-32-OK Validated-update => has_procedure MGA2-64-ok MGA2-32-OK Validated_update
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA2-64-ok MGA2-32-OK Validated_update => has_procedure MGA2-64-ok MGA2-32-OK
This has been validated (in Comment 3). Advisory and SRPM in Comment 0.
CC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0085
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
FYI. This was discussed on oss-sec: http://seclists.org/oss-sec/2013/q1/391
CC: (none) => oe
Oden, do we need to take further action for CVE-2013-0339,0340,0341?
I think you should check which patches are applied to the RHEL6 package, which is quite a few. The redhat bug doesn't expose much, neither do the patches. As for Mandriva MES5 I'm considering using their version + patches, which means a bump from 2.7.1 to 2.7.6. YUCK! I think they silently fixed CVE-2013-0339 in RHEL6, maybe even dating back to July 2012(!). As for the expat patches I found no further info, yet.
======================================================
Name: CVE-2013-0338
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0338
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20121206
Category:
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=912400
Reference: CONFIRM:https://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab
Reference: MANDRIVA:MDVSA-2013:056
Reference: URL:http://www.mandriva.com/security/advisories?name=MDVSA-2013:056
Reference: SUSE:openSUSE-SU-2013:0552
Reference: URL:http://lists.opensuse.org/opensuse-updates/2013-03/msg00112.html
Reference: SUSE:openSUSE-SU-2013:0555
Reference: URL:http://lists.opensuse.org/opensuse-updates/2013-03/msg00114.html
Reference: UBUNTU:USN-1782-1
Reference: URL:http://www.ubuntu.com/usn/USN-1782-1

libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity.
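The mechanism named in the CVE description above, and in the advisory in Comment 0, is an entity whose long replacement text is referenced many times, so the substitution work grows with the product of the two. Independently of the libxml2 fix shipped in this update, an application can bound that work before handing a document to its real parser. The following is an added example and not code from the Mageia packages, from libxml2 or from the CVE references: it uses the Python standard library's expat bindings with internal-entity expansion switched off, collects the declared replacement texts and the references to them, computes the expanded size arithmetically (so it stays cheap even for nested declarations, which generalizes beyond the linear case the CVE describes), and rejects documents over a caller-chosen limit. The function names, budget values and sample documents are constructed for this example.

```python
import re
import xml.parsers.expat

# A general-entity reference as it appears inside replacement text, e.g. "&filler;".
ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")
# XML's five predefined entities expand to a single character each.
PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}


class EntityExpansionBudgetExceeded(ValueError):
    """The document would expand beyond what the caller is willing to process."""


def estimate_entity_expansion(xml_bytes):
    """Return (reference_count, expanded_chars) for the internal general entities
    referenced from element content, without performing the expansion.

    Installing a DefaultHandler makes expat leave internal entity references
    unexpanded; each reference is then reported through SkippedEntityHandler and
    the declared replacement texts arrive verbatim via EntityDeclHandler.
    """
    declared = {}     # entity name -> raw replacement text
    references = []   # entity names referenced from element content, in order

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # value is None for external entities; only internal ones carry replacement text.
        if not is_parameter and value is not None:
            declared.setdefault(name, value)   # first declaration wins, as in XML

    def on_skipped_entity(name, is_parameter):
        if not is_parameter:
            references.append(name)

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.SkippedEntityHandler = on_skipped_entity
    parser.DefaultHandler = lambda data: None   # side effect: internal entities are not expanded
    parser.Parse(xml_bytes, True)

    memo = {}

    def expanded_size(name, active=frozenset()):
        # Size of the fully expanded entity, derived from the declarations only.
        if name in PREDEFINED:
            return 1
        if name in memo:
            return memo[name]
        if name in active:
            raise EntityExpansionBudgetExceeded("entity %r references itself" % name)
        value = declared.get(name)
        if value is None:
            return 0   # undeclared: nothing to expand (the real parser will reject it anyway)
        total, last = 0, 0
        for m in ENTITY_REF.finditer(value):
            total += (m.start() - last) + expanded_size(m.group(1), active | {name})
            last = m.end()
        total += len(value) - last
        memo[name] = total
        return total

    return len(references), sum(expanded_size(n) for n in references)


def within_entity_budget(xml_bytes, max_expanded_chars=100_000, max_references=1_000):
    """True when the document's entity expansion fits the budget, False otherwise.
    Malformed documents and recursive entities are rejected as well."""
    try:
        refs, chars = estimate_entity_expansion(xml_bytes)
    except (EntityExpansionBudgetExceeded, xml.parsers.expat.ExpatError):
        return False
    return refs <= max_references and chars <= max_expanded_chars


# Constructed sample documents for this example (not taken from the advisory).
BENIGN = b'<?xml version="1.0"?><doc>a &lt; b</doc>'
LINEAR = (b'<?xml version="1.0"?>\n'
          b'<!DOCTYPE doc [ <!ENTITY filler "' + b'A' * 200 + b'"> ]>\n'
          b'<doc>' + b'&filler;' * 50 + b'</doc>')            # 50 references x 200 chars
NESTED = (b'<!DOCTYPE doc [ <!ENTITY a "xxxx"> <!ENTITY b "&a;&a;&a;&a;">'
          b' <!ENTITY c "&b;&b;&b;&b;"> ]><doc>&c;&c;</doc>')  # 2 x 64 chars
RECURSIVE = b'<!DOCTYPE doc [ <!ENTITY r "&r;"> ]><doc>&r;</doc>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("linear", LINEAR), ("nested", NESTED)):
        print(label, estimate_entity_expansion(doc), "within budget:", within_entity_budget(doc))
    print("recursive within budget:", within_entity_budget(RECURSIVE))
```

The check only counts references in element content, which is where the CVE's pattern lives; a budget is still a budget, so the limits should be set from what the application actually needs to accept, and the document must then be parsed a second time by the real parser.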