Bug 13557

Summary:	[CVE 21] libxml2 2.9.14 CVEs found
Product:	[ROSA-based products] ROSA Fresh	Reporter:	Yury <y.tumanov>
Component:	System (kernel, glibc, systemd, bash, PAM...)	Assignee:	ROSA Linux Bugs <bugs>
Status:	VERIFIED FIXED	QA Contact:	ROSA Linux Bugs <bugs>
Severity:	normal
Priority:	Normal	CC:	a.proklov, e.kosachev, i.gaptrakhmanov, pastordidi, s.matveev, v.potapov, y.tumanov
Version:	All	Flags:	v.potapov: qa_verified+ y.tumanov: secteam_verified+ a.proklov: published+
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	CVE-2023-28484, CVE-2023-29469,
Whiteboard:
Platform:	2021.1	ROSA Vulnerability identifier:
RPM Package:		ISO-related:
Bad POT generating:		Upstream:

Description Yury 2023-08-24 00:21:50 MSK

Please patch CVEs for package libxml2 version 2.9.14
  
INFO (CVEs are): libxml2 2.9.14
 cves found
CVE-2023-28484
Desc: In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-28484
Severity: MEDIUM
CVE-2023-29469
Desc: An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-29469
Severity: MEDIUM

Comment 1 ilfat 2023-10-18 14:09:47 MSK

********** QA ADVISORY **********

CVEs have been fixed with patches

https://abf.rosalinux.ru/build_lists/4758446 aarch64
https://abf.rosalinux.ru/build_lists/4758445 x86_64
https://abf.rosalinux.ru/build_lists/4758444 i686
https://abf.rosalinux.ru/build_lists/4758448 e2kv4
https://abf.rosalinux.ru/build_lists/4758447 riscv64

Comment 2 Yury 2023-10-19 16:53:31 MSK

secteam_verified

Comment 3 Dmitry Postnikov 2023-10-27 13:30:28 MSK

*****************************
Обновление отослано в Тестинг

Comment 4 Vladimir Potapov 2023-11-01 17:40:49 MSK

libxml2-2.9.14-4
https://abf.rosalinux.ru/build_lists/4758446 aarch64
https://abf.rosalinux.ru/build_lists/4758445 x86_64
https://abf.rosalinux.ru/build_lists/4758444 i686
https://abf.rosalinux.ru/build_lists/4758448 e2kv4
https://abf.rosalinux.ru/build_lists/4758447 riscv64
*************************** Advisory *****************************
All CVEs closed by patches
******************************************************************
QA Verified