Arch Linux Security Advisory ASA-201512-6 ========================================= Severity: Medium Date : 2015-12-09 CVE-ID : CVE-2015-1819 CVE-2015-5312 CVE-2015-7941 CVE-2015-7942 CVE-2015-7497 CVE-2015-7498 CVE-2015-7499 CVE-2015-7500 CVE-2015-8035 CVE-2015-8242 Package : libxml2 Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package libxml2 before version 2.9.3-1 is vulnerable to multiple issues including but not limited to denial of service, information disclosure or possibly other unspecified impact. Resolution ========== Upgrade to 2.9.3-1. # pacman -Syu "libxml2>=2.9.3-1" The problems have been fixed upstream in version 2.9.3. Workaround ========== None. Description =========== - CVE-2015-1819 (denial of service) A denial of service flaw was found in the way the libxml2 library parsed certain XML files. An attacker could provide a specially crafted XML file that, when parsed by an application using libxml2, could cause that application to use an excessive amount of memory. - CVE-2015-5312 (denial of service) A denial of service flaw was found that is leading to CPU exhaustion when processing specially crafted XML input. The issue was within detecting entities expansions in certain situations. - CVE-2015-7941 (denial of service) It has been discovered that libxml2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as demonstrated by non-terminated entities. - CVE-2015-7942 (denial of service) The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data. - CVE-2015-7497 (buffer overflow) A heap-based buffer overflow has been discovered in xmlDictComputeFastQKey. It was possible to hit a negative offset in the name indexing used to randomize the dictionary key generation. - CVE-2015-7498 (buffer overflow) A Heap-based buffer overflow was found in xmlParseXmlDecl. When conversion failure happens, parser continues to extract more errors which may lead to unexpected behavior. - CVE-2015-7499 (buffer overflow) A heap-based buffer overflow was found in xmlGROW allowing the attacker to read the memory out of bounds. - CVE-2015-7500 (buffer overflow) A Heap-based buffer overflow has been discovered in xmlParseMisc when not properly handling the case where the parser popped out of the current entity while processing a start tag. - CVE-2015-8035 (denial of service) A denial of service vulnerability has been discovered when parsing specially crafted XML document while XZ support is enabled. The xz_decomp function in xzlib.c did not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data. - CVE-2015-8242 (buffer overflow) A stack buffer overflow has been discovered in push mode in xmlSAX2TextNode. It is possible to have an input cause out of bounds memory to be returned to userspace through the use of libxml2, which could be used to cause denial of service attacks, or gain sensitive information. Impact ====== A remote attacker is able to create specially crafted XML files that, when opened or processed, is leading to denial of service, disclosure of sensitive information or possibly have other unspecified impact. References ========== https://access.redhat.com/security/cve/CVE-2015-1819 https://access.redhat.com/security/cve/CVE-2015-5312 https://access.redhat.com/security/cve/CVE-2015-7941 https://access.redhat.com/security/cve/CVE-2015-7942 https://access.redhat.com/security/cve/CVE-2015-7497 https://access.redhat.com/security/cve/CVE-2015-7498 https://access.redhat.com/security/cve/CVE-2015-7499 https://access.redhat.com/security/cve/CVE-2015-7500 https://access.redhat.com/security/cve/CVE-2015-8035 https://access.redhat.com/security/cve/CVE-2015-8242 https://mail.gnome.org/archives/xml/2015-November/msg00012.html https://bugs.archlinux.org/task/47095