Please see the link for more details. libxml2 2.9.11 with a fix has been released today.
Thanks!
sping, do we need to backport the fixes for libexpat too? (https://github.com/libexpat/libexpat/commit/309cd4aa4b470a3e496a5d72014148dd8a583529)
(In reply to Sam James from comment #2) > sping, do we need to backport the fixes for libexpat too? > (https://github.com/libexpat/libexpat/commit/ > 309cd4aa4b470a3e496a5d72014148dd8a583529) It's only a matter of days until the regular release of libexpat 2.4.0 with those fixes and (unlike libxml2) libexpat has been known vulnerable to attacks like that for years; I'm aiming for packaging libexpat 2.4.0 after regular release and getting that stabilized after, personally. I consider re-opening/re-using bug #458742 for that.
(In reply to Sebastian Pipping from comment #3)
> (In reply to Sam James from comment #2)
> > sping, do we need to backport the fixes for libexpat too?
> > (https://github.com/libexpat/libexpat/commit/309cd4aa4b470a3e496a5d72014148dd8a583529)
>
> It's only a matter of days until the regular release of libexpat 2.4.0 with those fixes and (unlike libxml2) libexpat has been known vulnerable to attacks like that for years; I'm aiming for packaging libexpat 2.4.0 after regular release and getting that stabilized after, personally. I consider re-opening/re-using bug #458742 for that.

Fine with me. We'll use a new bug and See Also it to avoid confusion with the security workflow, if that's alright. Thanks for the quick reply!
(In reply to Sam James from comment #4)
> We'll use a new bug and See Also it to avoid confusion with the security workflow, if that's alright.

Okay!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6aa57ec7fe0a20bf67be358b0badfd149df2c3ec

commit 6aa57ec7fe0a20bf67be358b0badfd149df2c3ec
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-05-13 17:49:51 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-13 17:50:36 +0000

    dev-libs/libxml2: add 2.9.11

    Without tests for now because:
    - fuzz test files aren't included in the distfile (bug is upstream)
    - Python tests seem to fail now but rest pass

    Bug: https://bugs.gentoo.org/790002
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest                          |   1 +
 .../files/libxml2-2.9.11-disable-fuzz-tests.patch  |  33 +++
 dev-libs/libxml2/libxml2-2.9.11.ebuild             | 234 +++++++++++++++++++++
 3 files changed, 268 insertions(+)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61eb2f0b40434ee78bb33b1f0222854c5bb953f3

commit 61eb2f0b40434ee78bb33b1f0222854c5bb953f3
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-05-13 20:30:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-13 20:33:10 +0000

    dev-libs/libxml2: add 2.9.12

    Now with most tests! (Except fuzzing, which we lacked before anyway.)

    Closes: https://bugs.gentoo.org/790002
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest              |   2 +
 dev-libs/libxml2/libxml2-2.9.12.ebuild | 232 +++++++++++++++++++++++++++++++++
 2 files changed, 234 insertions(+)
I'm far happier with stabilising quickly now that tests are back, but we'll give it a few hours. I'll CC arches either early in the morning or once I wake up.
x86 done
amd64 done
ppc stable
ppc64 stable
sparc stable
arm64 done
arm done
hppa done
* CVE-2021-3518 "There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability." https://gitlab.gnome.org/GNOME/libxml2/-/issues/237
* CVE-2021-3517 Description: "There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application."
New GLSA request filed.
* CVE-2021-3516 Description: "There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability."
CVE-2021-3537: A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
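A defender-side version check, added here as a constructed example that is not part of this bug thread or of any Gentoo or libxml2 tooling: it decides whether an installed libxml2 is at or past 2.9.11, the release the four CVEs above name as fixed, and accepts Gentoo package versions with an -rN revision suffix. The pkg-config lookup in check_installed is an assumption about the host; the comparison itself runs offline.

```shell
#!/bin/sh
# Constructed example: report whether an installed libxml2 carries the fixes
# for CVE-2021-3516/3517/3518/3537, i.e. whether it is 2.9.11 or newer.
# Handles release versions ("2.9.10") and Gentoo package versions with a
# revision suffix ("2.9.10-r5"); the revision never changes the verdict.
FIXED_VERSION="2.9.11"

# version_fields VERSION: print "MAJOR MINOR MICRO" as plain integers.
# Missing fields count as 0, so "2.9" compares as 2.9.0.
version_fields() {
    v=${1%%-r*}                 # drop a Gentoo -rN revision suffix
    oldifs=$IFS; IFS=.
    set -- $v                   # split on dots using the temporary IFS
    IFS=$oldifs
    echo "${1:-0} ${2:-0} ${3:-0}"
}

# compare_versions A B: exit 0 if A >= B, 1 otherwise (numeric, field by field).
compare_versions() {
    set -- $(version_fields "$1") $(version_fields "$2")
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# libxml2_fixed VERSION: exit 0 if VERSION includes the 2.9.11 fixes,
# 1 if it is still affected by the CVEs listed in this bug.
libxml2_fixed() {
    compare_versions "$1" "$FIXED_VERSION"
}

# check_installed: ask pkg-config (assumed present) for the installed libxml2
# and print a verdict. Exit 0 = fixed, 1 = affected, 2 = could not determine.
check_installed() {
    installed=$(pkg-config --modversion libxml-2.0 2>/dev/null) || {
        echo "libxml2: version unknown (pkg-config lookup failed)"
        return 2
    }
    if libxml2_fixed "$installed"; then
        echo "libxml2 $installed: contains the 2.9.11 fixes"
    else
        echo "libxml2 $installed: affected, upgrade to >= $FIXED_VERSION"
        return 1
    fi
}
```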
This issue was resolved and addressed in GLSA 202107-05 at https://security.gentoo.org/glsa/202107-05 by GLSA coordinator John Helmert III (ajak).
Reopening for cleanup
Unable to check for sanity:

> no match for package: dev-libs/libxml2-2.9.12
Cleanup done, all done!