[arch-security] [ASA-201605-23] lib32-expat: arbitrary code execution

Levente Polyak anthraxx at archlinux.org
Wed May 18 14:17:16 UTC 2016


Arch Linux Security Advisory ASA-201605-23
==========================================

Severity: Critical
Date    : 2016-05-18
CVE-ID  : CVE-2015-1283 CVE-2016-0718
Package : lib32-expat
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package lib32-expat before version 2.1.1-2 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 2.1.1-2.

# pacman -Syu "lib32-expat>=2.1.1-2"

The problems have been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

- CVE-2015-1283 (arbitrary code execution)

Multiple integer overflows in the XML_GetBuffer function allow remote
attackers to cause a denial of service (heap-based buffer overflow) or
possibly arbitrary code execution via crafted XML data.
This problem has already been fixed in version 2.1.0-1 but this update
refreshes the fix to avoid relying on undefined behavior.

- CVE-2016-0718 (arbitrary code execution)

The Expat XML parser mishandles certain kinds of malformed input
documents, resulting in buffer overflows during processing and error
reporting. The overflows can manifest as a segmentation fault or as
memory corruption during a parse operation. The bugs allow for a denial
of service attack in many applications by an unauthenticated attacker,
and could conceivably result in remote code execution.

Impact
======

A remote attacker is able to use a specially crafted XML file that,
when processed, is leading to arbitrary code execution.

References
==========

https://access.redhat.com/security/cve/CVE-2015-1283
https://access.redhat.com/security/cve/CVE-2016-0718
http://seclists.org/oss-sec/2016/q2/360

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20160518/4750a691/attachment.asc>


More information about the arch-security mailing list