Bug 41674 - libxml2: Denial of service (3.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.3
Other Linux
P3 normal
UCS 3.3-1-errata
Assigned To: Janek Walkenhorst
Philipp Hahn
Depends on: 41673 42892
Blocks:
Reported: 2016-06-27 18:30 CEST by Arvid Requate
Modified: 2017-07-20 15:01 CEST (History)
What kind of report is it?: Security Issue
Bug group (optional): Security
requate: Patch_Available+
Description Arvid Requate univentionstaff 2016-06-27 18:30:22 CEST
+++ This bug was initially created as a clone of Bug #41673 +++

Upstream Debian package version 2.8.0+dfsg1-7+wheezy6 fixes a number of issues:

 CVE-2015-8806 CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-2073 CVE-2016-3627 CVE-2016-3705 CVE-2016-4447 CVE-2016-4449 CVE-2016-4483

Quoting the DLA:

Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause a denial-of-service against the application, or potentially the execution of arbitrary code with the privileges of the user running the application.

Details:

* dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the "<!DOCTYPE html" substring in a crafted HTML document. (CVE-2015-8806)

* libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. (CVE-2016-1762)

* libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840. (CVE-2016-1833)

* libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840. (CVE-2016-1834)

* libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. (CVE-2016-1835)

* libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840. (CVE-2016-1836)

* libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840. (CVE-2016-1837)

* libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1839, and CVE-2016-1840. (CVE-2016-1838)

* libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, and CVE-2016-1840. (CVE-2016-1839)

* libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, and CVE-2016-1839. (CVE-2016-1840)

* The htmlParseNameComplex function in HTMLparser.c in libxml2 allows attackers to cause a denial of service (out-of-bounds read) via a crafted XML document. (CVE-2016-2073)

* The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document. (CVE-2016-3627)

* The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 2.9.3 do not properly keep track of the recursion depth, which allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a crafted XML document containing a large number of nested entity references. (CVE-2016-3705)

* The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allows context-dependent attackers to cause a denial of service (heap-based buffer underread and application crash) via a crafted file, involving xmlParseName. (CVE-2016-4447)

* XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors. (CVE-2016-4449)

* Bug 1332820 – CVE-2016-4483 libxml2: out-of-bounds read (CVE-2016-4483)
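As an added example (not part of this bug report or of the libxml2 project), a pre-filter an application can put in front of untrusted XML: it refuses any document that declares entities, which is what the nested-entity recursion (CVE-2016-3705) and the XXE (CVE-2016-4449) listed above rely on. It uses Python's stdlib expat bindings rather than libxml2, and the three inputs are constructed here; it does nothing for the memory-corruption items, which only the updated package fixes.

```python
import xml.parsers.expat

# Constructed samples (not from the bug report): a plain document, a chain of
# nested internal entities, and a document referencing an external entity.
SAFE = b'<?xml version="1.0"?><doc><item>ok</item></doc>'
NESTED = (b'<?xml version="1.0"?><!DOCTYPE doc [<!ENTITY a "x">'
          b'<!ENTITY b "&a;&a;"><!ENTITY c "&b;&b;">]><doc>&c;</doc>')
XXE = (b'<?xml version="1.0"?><!DOCTYPE doc ['
       b'<!ENTITY ext SYSTEM "file:///placeholder/path">]><doc>&ext;</doc>')


class UnsafeXML(Exception):
    """Raised as soon as the document declares or references an entity."""


def vet_untrusted_xml(data: bytes) -> str:
    """Return "ok" if data is well-formed and declares no entities,
    otherwise "rejected: <reason>". Entities are never expanded: the
    handlers fire at the declaration, before any reference is resolved."""
    parser = xml.parsers.expat.ParserCreate()
    # Never load an external DTD subset or parameter entities.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_entity_decl(name, is_pe, value, base, system_id, public_id, notation):
        kind = "external" if system_id else "internal"
        raise UnsafeXML(f"{kind} entity declaration {name!r}")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity reference {system_id!r}")

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except UnsafeXML as e:
        return f"rejected: {e}"
    except xml.parsers.expat.ExpatError as e:
        return f"rejected: malformed XML ({e})"
    return "ok"


if __name__ == "__main__":
    for label, doc in (("safe", SAFE), ("nested", NESTED), ("xxe", XXE)):
        print(f"{label}: {vet_untrusted_xml(doc)}")
```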
Comment 1 Arvid Requate univentionstaff 2016-11-08 19:18:36 CET
Upstream Debian package version 2.8.0+dfsg1-7+wheezy7 fixes this issue:

* libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. (CVE-2016-4658)
Comment 2 Arvid Requate univentionstaff 2016-11-08 19:21:53 CET
Also:

* legacy xmlXPtrRangeToFunction could be abused to trigger use-after-free error with the potential for remote code execution (CVE-2016-5131)
Comment 3 Janek Walkenhorst univentionstaff 2016-11-09 14:58:23 CET
> * […] (CVE-2016-1836)
[wheezy] - libxml2 <not-affected> (Vulnerable code not present)
Comment 4 Janek Walkenhorst univentionstaff 2016-11-09 15:10:15 CET
Advisory: libxml2.yaml
Tests (i386): OK
Comment 5 Philipp Hahn univentionstaff 2017-06-01 16:53:11 CEST
FAIL: Please move everything to errata3.3-1:
 $ grep . ucs-maintenance/3.3-?.yaml 
 ucs-maintenance/3.3-0.yaml:maintained: false
 ucs-maintenance/3.3-0.yaml:released: 2016-05-30
 ucs-maintenance/3.3-1.yaml:maintained: extended
 ucs-maintenance/3.3-1.yaml:released: 2016-12-21
Comment 6 Janek Walkenhorst univentionstaff 2017-07-13 19:39:48 CEST
Moved to 3.3-1
Comment 7 Philipp Hahn univentionstaff 2017-07-18 13:06:53 CEST
OK: errata-announce -V --only libxml2.yaml  --ignore-validate=version.scope
FIXED: libxml2.yaml → r81214
OK: aptitude install '?source-package(libxml2)~i'
OK: zless /usr/share/doc/libxml2/changelog.Debian.gz
OK: aptitude install '?source-package(libxml2)'
OK: /usr/bin/xmllint --noout /usr/share/doc/python-libxml2/examples/tst.xml
OK: cd /usr/share/doc/python-libxml2/examples && python tst.py
Comment 8 Janek Walkenhorst univentionstaff 2017-07-20 15:01:03 CEST
<http://errata.software-univention.de/ucs/3.3/40.html>