[CentOS-devel] Case study: libxml2 CVE fixes in the Red Hat ecosystem

Fri Jul 2 01:26:44 UTC 2021
Carl George <carl at redhat.com>

Since the announcement of the CentOS Linux 8 EOL date in December,
I've noticed there has been confusion about how CVE fixes work in
CentOS Stream 8.  Recently there have been some CVE fixes for the
libxml2 package, and I took the opportunity to examine how these fixes
flowed through the Red Hat ecosystem.  Here are the relevant CVE
identifiers and their CVSS v3 scores.

CVE-2021-3516 - 7.8 [0]
CVE-2021-3517 - 8.6 [1]
CVE-2021-3518 - 8.6 [2]
CVE-2021-3537 - 7.5 [3]
CVE-2021-3541 - 6.5 [4]

Here is a timeline of notable events.

* libxml2-2.9.10-12.fc34 [5] was submitted for Fedora 34, which
included fixes for the first four CVEs.

* libxml2-2.9.10-12.fc34 [5] was released for Fedora 34, fixing the
first four CVEs.

* All five CVE fixes were released upstream as part of version 2.9.11 [6].

* libxml2-2.9.12-1.fc34 [7] was submitted for Fedora 34, which
included the fix for the fifth CVE.

* libxml2-2.9.12-2.fc34 [7] was submitted for Fedora 34, which fixed
an unrelated upstream regression [8], but also reset the pending

* libxml2-2.9.7-11.el8 [9] was released for CentOS Stream 8, fixing
all five CVEs.  This was a backport update that was unaffected by the
upstream regression in 2.9.12.

* libxml2-2.9.12-2.fc34 [7] was released for Fedora 34, fixing the fifth CVE.

* libxml2-2.9.7-9.el8_4.2 [10] was released for RHEL 8, fixing all
five CVEs.  Later that day it was rebuilt [11] and released for CentOS
Linux 8.  This was a backport update that was unaffected by the
upstream regression in 2.9.12.

It's important to note that these CVE fixes were not part of a
security embargo [12].  That is why CentOS Stream 8 was able to
provide them before RHEL 8.  If these fixes had been part of an
embargo, they would have been released for RHEL 8 first (once the
embargo was lifted), then CentOS Stream 8 and CentOS Linux 8
immediately after.

Another thing I want to point out is that libxml2-2.9.7-11.el8 and
libxml2-2.9.7-9.el8_4.2 are effectively identical.  They contain the
exact same backported CVE fixes.  The only difference is the release
field.  This can be verified in the exported SRPM commits [13][14].
No additional changes were made to the package source between being
released for CentOS Stream 8 and being released for RHEL 8.
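As an added example (not part of the original post or the CentOS/RHEL packaging tooling), the script below splits the two NEVR strings named above into name, version and release, reports that only the release field differs, and orders them with a simplified reimplementation of rpm's version comparison. The rpmvercmp function is an assumption of my own (no '~'/'^' handling), not rpm's code.

```python
import re
from typing import List, Tuple

# Version/release segments are runs of digits or runs of letters;
# separators such as '.', '_' and '-' only delimit segments.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def split_nevr(nevr: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' into (name, version, release).
    Version and release are the last two dash-separated fields."""
    name, version, release = nevr.rsplit("-", 2)
    return name, version, release


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm ordering: 1 if a is newer, -1 if older, 0 if equal.
    Numeric segments compare numerically, numeric beats alpha, and the
    string with segments left over wins (assumption: '~'/'^' ignored)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def differing_fields(nevr_a: str, nevr_b: str) -> List[str]:
    """Return the names of the NEVR fields in which the two builds differ."""
    fa, fb = split_nevr(nevr_a), split_nevr(nevr_b)
    return [f for f, x, y in zip(("name", "version", "release"), fa, fb) if x != y]


def compare_builds(nevr_a: str, nevr_b: str) -> int:
    """Order two builds of the same package: version first, then release."""
    na, va, ra = split_nevr(nevr_a)
    nb, vb, rb = split_nevr(nevr_b)
    if na != nb:
        raise ValueError("different packages: %s vs %s" % (na, nb))
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


if __name__ == "__main__":
    stream, rhel = "libxml2-2.9.7-11.el8", "libxml2-2.9.7-9.el8_4.2"
    print("differs in:", differing_fields(stream, rhel))   # ['release']
    print("stream newer than rhel:", compare_builds(stream, rhel) == 1)
    print("2.9.7 vs upstream 2.9.11:", rpmvercmp("2.9.7", "2.9.11"))  # -1
```

Because both backport builds keep the upstream version 2.9.7, a scanner that only compares the version against upstream 2.9.11 would still report them as vulnerable; the errata and the package changelog are the authoritative record of which CVEs a backport fixes.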

I hope you enjoyed this deep dive into the lifecycle of these CVE
fixes.  The key takeaway is that CentOS Stream 8 does get security
fixes, and usually gets them much sooner than CentOS Linux 8.

[0] https://access.redhat.com/security/cve/CVE-2021-3516
[1] https://access.redhat.com/security/cve/CVE-2021-3517
[2] https://access.redhat.com/security/cve/CVE-2021-3518
[3] https://access.redhat.com/security/cve/CVE-2021-3537
[4] https://access.redhat.com/security/cve/CVE-2021-3541
[5] https://bodhi.fedoraproject.org/updates/FEDORA-2021-e3ed1ba38b
[6] https://mail.gnome.org/archives/xml/2021-May/msg00000.html
[7] https://bodhi.fedoraproject.org/updates/FEDORA-2021-e8b7e177a4
[8] https://gitlab.gnome.org/GNOME/libxml2/-/issues/255
[9] https://koji.mbox.centos.org/koji/buildinfo?buildID=17568
[10] https://access.redhat.com/errata/RHSA-2021:2569
[11] https://koji.mbox.centos.org/koji/buildinfo?buildID=18244
[12] https://www.redhat.com/en/blog/security-embargoes-red-hat
[13] https://git.centos.org/rpms/libxml2/c/6ce3da4b1430e975a40a538aa250775e101e500b?branch=c8s
[14] https://git.centos.org/rpms/libxml2/c/bc5a009a460cda9e2392f75fff8bf6edae43ec3d?branch=c8

Carl George