[arch-security] [ASA-201512-6] libxml2: multiple issues
Levente Polyak
anthraxx at archlinux.org
Wed Dec 9 17:12:07 UTC 2015
Arch Linux Security Advisory ASA-201512-6
=========================================
Severity: Medium
Date : 2015-12-09
CVE-ID : CVE-2015-1819 CVE-2015-5312 CVE-2015-7941 CVE-2015-7942
CVE-2015-7497 CVE-2015-7498 CVE-2015-7499 CVE-2015-7500
CVE-2015-8035 CVE-2015-8242
Package : libxml2
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package libxml2 before version 2.9.3-1 is vulnerable to multiple
issues including but not limited to denial of service, information
disclosure or possibly other unspecified impact.
Resolution
==========
Upgrade to 2.9.3-1.
# pacman -Syu "libxml2>=2.9.3-1"
The problems have been fixed upstream in version 2.9.3.
Workaround
==========
None.
Description
===========
- CVE-2015-1819 (denial of service)
A denial of service flaw was found in the way the libxml2 library parsed
certain XML files. An attacker could provide a specially crafted XML
file that, when parsed by an application using libxml2, could cause that
application to use an excessive amount of memory.
- CVE-2015-5312 (denial of service)
A denial of service flaw was found that is leading to CPU exhaustion
when processing specially crafted XML input. The issue was within
detecting entities expansions in certain situations.
- CVE-2015-7941 (denial of service)
It has been discovered that libxml2 does not properly stop parsing
invalid input, which allows context-dependent attackers to cause a
denial of service (out-of-bounds read and libxml2 crash) via crafted XML
data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections
function in parser.c, as demonstrated by non-terminated entities.
- CVE-2015-7942 (denial of service)
The xmlParseConditionalSections function in parser.c in libxml2 does not
properly skip intermediary entities when it stops parsing invalid input,
which allows context-dependent attackers to cause a denial of service
(out-of-bounds read and crash) via crafted XML data.
- CVE-2015-7497 (buffer overflow)
A heap-based buffer overflow has been discovered in
xmlDictComputeFastQKey. It was possible to hit a negative offset in the
name indexing used to randomize the dictionary key generation.
- CVE-2015-7498 (buffer overflow)
A Heap-based buffer overflow was found in xmlParseXmlDecl. When
conversion failure happens, parser continues to extract more errors
which may lead to unexpected behavior.
- CVE-2015-7499 (buffer overflow)
A heap-based buffer overflow was found in xmlGROW allowing the attacker
to read the memory out of bounds.
- CVE-2015-7500 (buffer overflow)
A Heap-based buffer overflow has been discovered in xmlParseMisc when
not properly handling the case where the parser popped out of the
current entity while processing a start tag.
- CVE-2015-8035 (denial of service)
A denial of service vulnerability has been discovered when parsing
specially crafted XML document while XZ support is enabled. The
xz_decomp function in xzlib.c did not properly detect compression
errors, which allows context-dependent attackers to cause a denial of
service (process hang) via crafted XML data.
- CVE-2015-8242 (buffer overflow)
A stack buffer overflow has been discovered in push mode in
xmlSAX2TextNode. It is possible to have an input cause out of bounds
memory to be returned to userspace through the use of libxml2, which
could be used to cause denial of service attacks, or gain sensitive
information.
Impact
======
A remote attacker is able to create specially crafted XML files that,
when opened or processed, is leading to denial of service, disclosure of
sensitive information or possibly have other unspecified impact.
References
==========
https://access.redhat.com/security/cve/CVE-2015-1819
https://access.redhat.com/security/cve/CVE-2015-5312
https://access.redhat.com/security/cve/CVE-2015-7941
https://access.redhat.com/security/cve/CVE-2015-7942
https://access.redhat.com/security/cve/CVE-2015-7497
https://access.redhat.com/security/cve/CVE-2015-7498
https://access.redhat.com/security/cve/CVE-2015-7499
https://access.redhat.com/security/cve/CVE-2015-7500
https://access.redhat.com/security/cve/CVE-2015-8035
https://access.redhat.com/security/cve/CVE-2015-8242
https://mail.gnome.org/archives/xml/2015-November/msg00012.html
https://bugs.archlinux.org/task/47095
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20151209/4bd0fd73/attachment.asc>
More information about the arch-security
mailing list