
Bug 790002 (CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-3537, CVE-2021-3541)

Summary: <dev-libs/libxml2-2.9.11: multiple vulnerabilities (CVE-2021-{3516,3517,3518,3537,3541})
Product: Gentoo Security
Reporter: Sebastian Pipping <sping>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED ---
Severity: normal
CC: base-system, sam
Priority: Normal
Flags: nattka: sanity-check-
Version: unspecified
Hardware: All
OS: Linux
URL: https://blog.hartwork.org/posts/cve-2021-3541-parameter-laughs-fixed-in-libxml2-2-9-11/
Whiteboard: A3 [glsa+ cve cleanup]
Package list:
dev-libs/libxml2-2.9.12
Runtime testing required: ---
Bug Depends on: 790218, 790737, 794733
Bug Blocks:

Description Sebastian Pipping gentoo-dev 2021-05-13 17:17:48 UTC
Please see the link for more details.

libxml2 2.9.11 with a fix has been released today.
Comment 1 Sam James archtester gentoo-dev Security 2021-05-13 17:21:57 UTC
Thanks!
Comment 2 Sam James archtester gentoo-dev Security 2021-05-13 17:24:27 UTC
sping, do we need to backport the fixes for libexpat too? (https://github.com/libexpat/libexpat/commit/309cd4aa4b470a3e496a5d72014148dd8a583529)
Comment 3 Sebastian Pipping gentoo-dev 2021-05-13 17:34:56 UTC
(In reply to Sam James from comment #2)
> sping, do we need to backport the fixes for libexpat too?
> (https://github.com/libexpat/libexpat/commit/
> 309cd4aa4b470a3e496a5d72014148dd8a583529)

It's only a matter of days until the regular release of libexpat 2.4.0 with those fixes and (unlike libxml2) libexpat has been known vulnerable to attacks like that for years; I'm aiming for packaging libexpat 2.4.0 after regular release and getting that stabilized after, personally.  I consider re-opening/re-using bug #458742 for that.
Comment 4 Sam James archtester gentoo-dev Security 2021-05-13 17:36:04 UTC
(In reply to Sebastian Pipping from comment #3)
> (In reply to Sam James from comment #2)
> > sping, do we need to backport the fixes for libexpat too?
> > (https://github.com/libexpat/libexpat/commit/
> > 309cd4aa4b470a3e496a5d72014148dd8a583529)
> 
> It's only a matter of days until the regular release of libexpat 2.4.0 with
> those fixes and (unlike libxml2) libexpat has been known vulnerable to
> attacks like that for years; I'm aiming for packaging libexpat 2.4.0 after
> regular release and getting that stabilized after, personally.  I consider
> re-opening/re-using bug #458742 for that.

Fine with me. We'll use a new bug and See Also it to avoid confusion with the security workflow, if that's alright. Thanks for the quick reply!
Comment 5 Sebastian Pipping gentoo-dev 2021-05-13 17:38:55 UTC
(In reply to Sam James from comment #4)
> We'll use a new bug and See Also it to avoid confusion with
> the security workflow, if that's alright.

Okay!
Comment 6 Larry the Git Cow gentoo-dev 2021-05-13 17:50:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6aa57ec7fe0a20bf67be358b0badfd149df2c3ec

commit 6aa57ec7fe0a20bf67be358b0badfd149df2c3ec
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-05-13 17:49:51 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-13 17:50:36 +0000

    dev-libs/libxml2: add 2.9.11
    
    Without tests for now because:
    - fuzz test files aren't included in the distfile (bug is upstream)
    - Python tests seem to fail now but rest pass
    
    Bug: https://bugs.gentoo.org/790002
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest                          |   1 +
 .../files/libxml2-2.9.11-disable-fuzz-tests.patch  |  33 +++
 dev-libs/libxml2/libxml2-2.9.11.ebuild             | 234 +++++++++++++++++++++
 3 files changed, 268 insertions(+)
Comment 7 Larry the Git Cow gentoo-dev 2021-05-13 20:33:26 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61eb2f0b40434ee78bb33b1f0222854c5bb953f3

commit 61eb2f0b40434ee78bb33b1f0222854c5bb953f3
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-05-13 20:30:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-13 20:33:10 +0000

    dev-libs/libxml2: add 2.9.12
    
    Now with most tests! (Except fuzzing, which we lacked before anyway.)
    
    Closes: https://bugs.gentoo.org/790002
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest              |   2 +
 dev-libs/libxml2/libxml2-2.9.12.ebuild | 232 +++++++++++++++++++++++++++++++++
 2 files changed, 234 insertions(+)
Comment 8 Sam James archtester gentoo-dev Security 2021-05-13 20:41:54 UTC
I'm far happier with stabilising quickly now that tests are back, but we'll give it a few hours. I'll CC arches either early in the morning or once I wake up.
Comment 9 Sam James archtester gentoo-dev Security 2021-05-14 08:55:30 UTC
x86 done
Comment 10 Sam James archtester gentoo-dev Security 2021-05-14 08:55:35 UTC
amd64 done
Comment 11 Agostino Sarubbo gentoo-dev 2021-05-14 09:31:57 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2021-05-14 09:32:48 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2021-05-14 09:35:40 UTC
sparc stable
Comment 14 Sam James archtester gentoo-dev Security 2021-05-14 17:21:45 UTC
arm64 done
Comment 15 Sam James archtester gentoo-dev Security 2021-05-14 17:21:48 UTC
arm done
Comment 16 Rolf Eike Beer archtester 2021-05-15 20:03:32 UTC
hppa done
Comment 17 Sam James archtester gentoo-dev Security 2021-05-18 16:01:50 UTC
* CVE-2021-3518

"There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability."

https://gitlab.gnome.org/GNOME/libxml2/-/issues/237
Comment 18 Sam James archtester gentoo-dev Security 2021-05-19 23:43:28 UTC
* CVE-2021-3517

Description:
"There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application."
Comment 19 Thomas Deutschmann gentoo-dev Security 2021-05-24 00:15:08 UTC
New GLSA request filed.
Comment 20 Sam James archtester gentoo-dev Security 2021-06-01 17:03:07 UTC
* CVE-2021-3516

Description:
"There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability."
Comment 21 John Helmert III gentoo-dev Security 2021-06-23 03:33:51 UTC
CVE-2021-3537:

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2021-07-06 03:29:42 UTC
This issue was resolved and addressed in GLSA 202107-05 at https://security.gentoo.org/glsa/202107-05 by GLSA coordinator John Helmert III (ajak).
Comment 23 John Helmert III gentoo-dev Security 2021-07-06 03:35:46 UTC
Reopening for cleanup
Comment 24 NATTkA bot gentoo-dev 2021-10-29 13:48:45 UTC
Unable to check for sanity:

> no match for package: dev-libs/libxml2-2.9.12