Univention Bugzilla – Bug 44971
libxml2: Multiple issues (4.1)
Last modified: 2017-12-14 13:24:28 CET
Upstream Debian package version 2.8.0+dfsg1-7+wheezy8 fixes this issue:
* Missing validation for external entities in xmlParsePEReference (CVE-2017-7375)
* A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash. (CVE-2017-9047)
* libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash. (CVE-2017-9048)
* libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398. (CVE-2017-9049)
* libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839. (CVE-2017-9050)
2.8.0+dfsg1-7+wheezy9 fixes:
* A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37104170. (CVE-2017-0663)
* Incorrect limit used for port values (CVE-2017-7376)
Upstream Debian package version 2.8.0+dfsg1-7+wheezy10 fixes this issue:
* heap overflow in memory debug code (CVE-2017-5130)
Upstream Debian package version 2.8.0+dfsg1-7+wheezy11 fixes these issues:
* parser.c mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name (CVE-2017-16931)
* parser.c does not prevent infinite recursion in parameter entities (CVE-2017-16932)
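Added example, not part of this bug report and not libxml2's own code: a simplified C model of the stale-length check described above for xmlSnprintfElementContent (CVE-2017-9047), next to the variant that re-measures the buffer after the prefix is written. The function name append_qname, the SLACK margin and the sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SLACK 10  /* assumed safety margin of this model */

/* Append "prefix:name" to buf, whose logical capacity is 'size'.
 * refresh_len == 0: 'len' is measured once and reused (the stale check).
 * refresh_len != 0: 'len' is measured again after the prefix is written.
 * Returns strlen(buf) afterwards; a result >= size means a buffer of
 * exactly 'size' bytes would have been written past its end. */
static size_t append_qname(char *buf, size_t size, const char *prefix,
                           const char *name, int refresh_len)
{
    size_t len = strlen(buf);

    if (prefix != NULL) {
        if (size - len < strlen(prefix) + SLACK) {
            strcat(buf, " ...");
            return strlen(buf);
        }
        strcat(buf, prefix);
        strcat(buf, ":");
    }
    if (refresh_len)
        len = strlen(buf);                    /* the fix: measure again */
    if (size - len < strlen(name) + SLACK) {  /* stale len passes wrongly */
        strcat(buf, " ...");
        return strlen(buf);
    }
    strcat(buf, name);
    return strlen(buf);
}

/* Constructed input: 20-byte prefix and name, logical size 32. The backing
 * array is 128 bytes so the demonstration never leaves its own storage. */
static size_t demo(int refresh_len)
{
    char backing[128] = "";
    return append_qname(backing, 32, "aaaaaaaaaa" "aaaaaaaaaa",
                        "bbbbbbbbbb" "bbbbbbbbbb", refresh_len);
}

int main(void)
{
    printf("stale len:     strlen=%zu (limit 32)\n", demo(0));
    printf("refreshed len: strlen=%zu (limit 32)\n", demo(1));
    return 0;
}
```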
Imported and built. Advisory: https://git.knut.univention.de/univention/ucs/blob/4.1-5/doc/errata/staging/libxml2.yaml
YAML fail (maintenance)? http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-5/job/ErrataValidation/32/testReport/libxml2/
Yes, the check_errata_for_release script bails out due to the extended maintenance UCS 4.1-5. I've added an ignore-tag for this to the advisory.
Installation: OK
YAML: OK
Verified
<http://errata.software-univention.de/ucs/4.1/488.html>