[arch-security] [ASA-201606-22] xerces-c: arbitrary code execution

Remi Gacogne rgacogne at archlinux.org
Sat Jun 25 16:47:48 UTC 2016


Arch Linux Security Advisory ASA-201606-22
==========================================

Severity: Critical
Date    : 2016-06-25
CVE-ID  : CVE-2016-2099
Package : xerces-c
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package xerces-c before version 3.1.3-2 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 3.1.3-2.

# pacman -Syu "xerces-c>=3.1.3-2"

The problem has been fixed upstream in version 3.1.3.
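A triage check for the resolution above, added here as an example and not part of the advisory or of pacman: it takes a `pacman -Q xerces-c` output line (samples constructed inline) and reports whether the installed version is below 3.1.3-2, using a simplified reimplementation of pacman's vercmp ordering (epoch, then dotted numeric pkgver, then pkgrel) so it also runs on a host without pacman.

```shell
#!/bin/sh
# Added example, not part of the advisory. Decides whether an installed
# xerces-c package is older than the fixed version 3.1.3-2.
FIXED_VERSION="3.1.3-2"

# vercmp_simple A B: print -1, 0 or 1 like pacman's vercmp for versions of
# the form [epoch:]pkgver-pkgrel. Simplification: pkgver components must be
# numeric; a version with more components sorts as newer (3.1 < 3.1.0).
vercmp_simple() {
    a=$1 b=$2 ea=0 eb=0 ra=0 rb=0
    case $a in *:*) ea=${a%%:*}; a=${a#*:};; esac
    case $b in *:*) eb=${b%%:*}; b=${b#*:};; esac
    case $a in *-*) ra=${a##*-}; a=${a%-*};; esac
    case $b in *-*) rb=${b##*-}; b=${b%-*};; esac
    if [ "$ea" -lt "$eb" ]; then printf '%s\n' -1; return; fi
    if [ "$ea" -gt "$eb" ]; then printf '%s\n' 1; return; fi
    while [ -n "$a" ] && [ -n "$b" ]; do
        ca=${a%%.*}; cb=${b%%.*}
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
        if [ "$ca" -lt "$cb" ]; then printf '%s\n' -1; return; fi
        if [ "$ca" -gt "$cb" ]; then printf '%s\n' 1; return; fi
    done
    if [ -n "$a" ]; then printf '%s\n' 1; return; fi
    if [ -n "$b" ]; then printf '%s\n' -1; return; fi
    if [ "$ra" -lt "$rb" ]; then printf '%s\n' -1; return; fi
    if [ "$ra" -gt "$rb" ]; then printf '%s\n' 1; return; fi
    printf '%s\n' 0
}

# xerces_c_vulnerable "xerces-c 3.1.3-1": true when the version in a
# `pacman -Q xerces-c` output line is below FIXED_VERSION.
xerces_c_vulnerable() {
    installed=${1#* }
    [ "$(vercmp_simple "$installed" "$FIXED_VERSION")" -lt 0 ]
}

# Constructed samples of `pacman -Q xerces-c` output (on a real host run the
# command instead): one vulnerable, one patched.
for line in "xerces-c 3.1.3-1" "xerces-c 3.1.3-2"; do
    if xerces_c_vulnerable "$line"; then
        echo "$line: below $FIXED_VERSION, upgrade (ASA-201606-22)"
    else
        echo "$line: not affected by ASA-201606-22"
    fi
done
```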

Workaround
==========

None.

Description
===========

The DTDScanner fails to account for the fact that peeking characters in
the XMLReader class can raise an exception if an invalid character is
encountered, and the exception crosses stack frames in an unsafe way
that causes a higher level exception handler to access an already-freed
object.

Impact
======

A remote attacker might be able to cause a denial of service or execute
arbitrary code on the affected host by submitting a crafted DTD file.

References
==========

https://bugs.archlinux.org/task/49353
https://issues.apache.org/jira/browse/XERCESC-2066
http://www.openwall.com/lists/oss-security/2016/05/09/7
https://access.redhat.com/security/cve/CVE-2016-2099
