Bugzilla – Bug 876652
VUL-1: CVE-2014-0191: libxml2: external parameter entity loaded when entity substitution is disabled
Last modified: 2018-08-03 14:37:09 UTC
OSS:2014/Q2/252 References: http://seclists.org/oss-sec/2014/q2/252
Also: https://bugzilla.redhat.com/show_bug.cgi?id=1090976
This is an autogenerated message for OBS integration: This bug (876652) was mentioned in https://build.opensuse.org/request/show/232921 13.1+12.3 / python-libxml2+libxml2
The SWAMPID for this issue is 57245. This issue was rated as moderate. Please submit fixed packages until 2014-05-21. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
bugbot adjusting priority
openSUSE-SU-2014:0645-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 876652
CVE References: CVE-2014-0191
Sources used:
openSUSE 13.1 (src): libxml2-2.9.1-2.4.1, python-libxml2-2.9.1-2.4.1
openSUSE 12.3 (src): libxml2-2.9.0-2.21.1, python-libxml2-2.9.0-2.21.1
This update does not include libxml2-2-32bit and therefore breaks programs which need that library.

$ zypper lu
Loading repository data...
Reading installed packages...
S | Repository               | Name                | Current Version | Available Version | Arch
--+--------------------------+---------------------+-----------------+-------------------+-------
v | openSUSE-13.1 Update-Oss | libxml2-2           | 2.9.1-2.1.2     | 2.9.1-2.4.1       | x86_64
v | openSUSE-13.1 Update-Oss | libxml2-devel       | 2.9.1-2.1.2     | 2.9.1-2.4.1       | x86_64
v | openSUSE-13.1 Update-Oss | libxml2-devel-32bit | 2.9.1-2.1.2     | 2.9.1-2.4.1       | x86_64
v | openSUSE-13.1 Update-Oss | libxml2-tools       | 2.9.1-2.1.2     | 2.9.1-2.4.1       | x86_64
v | openSUSE-13.1 Update-Oss | python-libxml2      | 2.9.1-2.1.2     | 2.9.1-2.4.1       | x86_64

$ zypper se -i libxml2
Loading repository data...
Reading installed packages...
S | Name                | Summary                                               | Type
--+---------------------+-------------------------------------------------------+--------
i | libxml2-2           | A Library to Manipulate XML Files                     | package
i | libxml2-2-32bit     | A Library to Manipulate XML Files                     | package
i | libxml2-devel       | Include Files and Libraries mandatory for Development | package
i | libxml2-devel-32bit | Include Files and Libraries mandatory for Development | package
i | libxml2-tools       | Tools using libxml                                    | package
i | python-libxml2      | Python Bindings for libxml2                           | package
ad comment 7: the submitrq go to your own project, so I never saw these:

# iosc rq show 37582
Request: #37582

  submit:       home:vitezslav_cizek:branches:SUSE:SLE-9-SP3:Update:Teradata:Test/libxml2-python@3 -> home:vitezslav_cizek:branches:SUSE:SLE-9-SP3:Update:Teradata:Test/libxml2
[...]

for the last question

why is the update missing "libxml2-2-32bit" ?

which update are you talking about ? sles9 and sles9 libxml2 do not have a baselibs.conf and sles11 libxml2 does not have a libxml2-2 subpackage and since your source package is "libxml2-python" the buildservice only builds that specfile, it only builds "libxml2.spec" if the package (the container) is called libxml2
reassigning back to maintainer
can you please submit libxml2 against SUSE:SLE-9-SP3:Update:Teradata:Test and also check the others please
Update openSUSE-2014-363 causes wholesale breakage of validation of DocBook XML documents, and does so across several major Linux distros including openSUSE, Gentoo and Ubuntu. In addition, entity definitions that were known to be good prior to this update also no longer work. The breakage occurs using xmllint with XML documents, XML catalogues, and entity definitions that were previously known to be good prior to applying the update. A colleague using Gentoo Linux informs me that Gentoo's dev-libs/libxml2-2.9.1-r3 for the same security issue also broke validation and that Gentoo have already corrected the issue on 2014-05-17 with a new revision of their libxml2 ebuild, dev-libs/libxml2-2.9.1-r4, which restores correct validation. So perhaps the correct fix already exists upstream? In the meantime, those of us on the MySQL Docs Team using openSUSE 13.1 have had to revert to version 2.9.1-2.1.2 of all libxml2(-*) packages in order to be able to validate and process DocBook and other XML documents. The current fix for CVE-2014-0191 also breaks validation on openSUSE 12.3. Thanks.
some other generators/converters also fail in the buildsystem

sle10-sp3: kdebase3, kdegraphics3, kdenetwork3, pango, release-notes-sles
sle11-sp1: system-config-printer
sle11-sp2: hal-doc, rabbitmq-server, systemtap-dopcs
sle11-sp3: perf, susecloud-manuals-en
Created attachment 591779 [details]
Possible patch to prevent validation failures

Source: https://bugzilla.gnome.org/show_bug.cgi?id=730290
I've started a new openSUSE update to resolve the breakage.
This is an autogenerated message for OBS integration: This bug (876652) was mentioned in https://build.opensuse.org/request/show/235237 Factory / libxml2
This is an autogenerated message for OBS integration: This bug (876652) was mentioned in https://build.opensuse.org/request/show/235275 Factory / libxml2
There seems to be build error for 13.1 on ARM. Can this be excluded?
(In reply to comment #34)
> There seems to be build error for 13.1 on ARM. Can this be excluded?

Could you trigger a rebuild? From the buildlog it's a build host problem.
seems solved
openSUSE-SU-2014:0716-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 876652
CVE References: CVE-2014-0191
Sources used:
openSUSE 13.1 (src): libxml2-2.9.1-2.8.1, python-libxml2-2.9.1-2.8.1
openSUSE 12.3 (src): libxml2-2.9.0-2.25.1, python-libxml2-2.9.0-2.25.1
libxml2-2.9.1-2.8.1 on openSUSE 13.1 still does not solve the problem. I have to revert to 2.9.1-2.1.2 to generate, without error messages, docbook files. https://bugs.kde.org/show_bug.cgi?id=335001 claims to have solved the problem but has not been closed because it has not been tested with KF5.
Seems like they patched meinproc to adjust to the changes done in libxml2. I don't think that there's much we can do in libxml other than restoring the original behavior which isn't an option.
openSUSE-SU-2014:0741-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 876652
CVE References: CVE-2014-0191
Sources used:
openSUSE 11.4 (src): libxml2-2.7.8-53.1
We'll issue another update without the fix for the CVE since this causes existing applications to break.
openSUSE-SU-2014:0753-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 876652
CVE References: CVE-2014-0191
Sources used:
openSUSE 13.1 (src): libxml2-2.9.1-2.12.1, python-libxml2-2.9.1-2.12.1
openSUSE 12.3 (src): libxml2-2.9.0-2.29.1, python-libxml2-2.9.0-2.29.1
I'm changing this to VUL-1 until there's a way to handle this without breaking existing applications.
Just installed libxml2-2.9.1-2.12.1 on openSUSE 13.1 and now I can build the docbook files for KDE again without error messages.
Tried to generate KF5 docs using meinproc5 on a factory system using the repository factory-tested produced undefined entities, same as in 13.1 with the older libxml2-2.
(In reply to comment #45)
> Tried to generate KF5 docs using meinproc5 on a factory system using the
> repository factory-tested produced undefined entities, same as in 13.1 with the
> older libxml2-2.

A package with the problematic patch reverted is already submitted to Factory. It's in a staging project at the moment, should hit Factory soon.
this issue seems halfway fixed ...
SUSE-SU-2017:1366-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1010675,1013930,1014873,1017497,876652
CVE References: CVE-2014-0191,CVE-2016-9318,CVE-2016-9597
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): libxml2-2.9.1-26.12.1
SUSE Linux Enterprise Server 12-SP1 (src): libxml2-2.9.1-26.12.1, python-libxml2-2.9.1-26.12.1
SUSE Linux Enterprise Desktop 12-SP1 (src): libxml2-2.9.1-26.12.1, python-libxml2-2.9.1-26.12.1
done