Univention Bugzilla – Bug 41674
libxml2: Denial of service (3.3)
Last modified: 2017-07-20 15:01:03 CEST
+++ This bug was initially created as a clone of Bug #41673 +++ Upstream Debian package version 2.8.0+dfsg1-7+wheezy6 fixes a number of issues: CVE-2015-8806 CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-2073 CVE-2016-3627 CVE-2016-3705 CVE-2016-4447 CVE-2016-4449 CVE-2016-4483 Quoting the DLA: Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause a denial-of-service against the application, or potentially the execution of arbitrary code with the privileges of the user running the application. Details: * dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the "<!DOCTYPE html" substring in a crafted HTML document. (CVE-2015-8806) * libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. (CVE-2016-1762) * libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840. (CVE-2016-1833) * libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840. (CVE-2016-1834) * libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. (CVE-2016-1835) * libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840. (CVE-2016-1836) * libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840. (CVE-2016-1837) * libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1839, and CVE-2016-1840. (CVE-2016-1838) * libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, and CVE-2016-1840. (CVE-2016-1839) * libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, and CVE-2016-1839. (CVE-2016-1840) * The htmlParseNameComplex function in HTMLparser.c in libxml2 allows attackers to cause a denial of service (out-of-bounds read) via a crafted XML document. (CVE-2016-2073) * The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document. (CVE-2016-3627) * The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 2.9.3 do not properly keep track of the recursion depth, which allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a crafted XML document containing a large number of nested entity references. (CVE-2016-3705) * The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allows context-dependent attackers to cause a denial of service (heap-based buffer underread and application crash) via a crafted file, involving xmlParseName. (CVE-2016-4447) * XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors. (CVE-2016-4449) * Bug 1332820 – CVE-2016-4483 libxml2: out-of-bounds read (CVE-2016-4483)
Upstream Debian package version 2.8.0+dfsg1-7+wheezy7 fixes this issue: * libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. (CVE-2016-4658)
Also: * legacy xmlXPtrRangeToFunction could be abused to trigger use-after-free error with the potential for remote code execution (CVE-2016-5131)
> * […] (CVE-2016-1836) [wheezy] - libxml2 <not-affected> (Vulnerable code not present)
Advisory: libxml2.yaml Tests (i386): OK
FAIL: Please move everything to errata3.3-1: $ grep . ucs-maintenance/3.3-?.yaml ucs-maintenance/3.3-0.yaml:maintained: false ucs-maintenance/3.3-0.yaml:released: 2016-05-30 ucs-maintenance/3.3-1.yaml:maintained: extended ucs-maintenance/3.3-1.yaml:released: 2016-12-21
Moved to 3.3-1
OK: errata-announce -V --only libxml2.yaml --ignore-validate=version.scope FIXED: libxml2.yaml → r81214 OK: aptitude install '?source-package(libxml2)~i' OK: zless /usr/share/doc/libxml2/changelog.Debian.gz OK: aptitude install '?source-package(libxml2)' OK: /usr/bin/xmllint --noout /usr/share/doc/python-libxml2/examples/tst.xml OK: cd /usr/share/doc/python-libxml2/examples && python tst.py
<http://errata.software-univention.de/ucs/3.3/40.html>