Arch Linux Security Advisory ASA-201512-6
========================================
Severity: Medium
Date    : 2015-12-09
CVE-ID  : CVE-2015-1819 CVE-2015-5312 CVE-2015-7941 CVE-2015-7942
          CVE-2015-7497 CVE-2015-7498 CVE-2015-7499 CVE-2015-7500
          CVE-2015-8035 CVE-2015-8242
Package : libxml2
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package libxml2 before version 2.9.3-1 is vulnerable to multiple
issues including but not limited to denial of service, information
disclosure or possibly other unspecified impact.

Resolution
=========
Upgrade to 2.9.3-1.

# pacman -Syu "libxml2>=2.9.3-1"

The problems have been fixed upstream in version 2.9.3.

Workaround
=========
None.

Description
==========
- CVE-2015-1819 (denial of service)

A denial of service flaw was found in the way the libxml2 library parsed
certain XML files. An attacker could provide a specially crafted XML
file that, when parsed by an application using libxml2, could cause that
application to use an excessive amount of memory.

- CVE-2015-5312 (denial of service)

A denial of service flaw was found that is leading to CPU exhaustion
when processing specially crafted XML input. The issue was within
detecting entities expansions in certain situations.

- CVE-2015-7941 (denial of service)

It has been discovered that libxml2 does not properly stop parsing
invalid input, which allows context-dependent attackers to cause a
denial of service (out-of-bounds read and libxml2 crash) via crafted XML
data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections
function in parser.c, as demonstrated by non-terminated entities.

- CVE-2015-7942 (denial of service)

The xmlParseConditionalSections function in parser.c in libxml2 does not
properly skip intermediary entities when it stops parsing invalid input,
which allows context-dependent attackers to cause a denial of service
(out-of-bounds read and crash) via crafted XML data.

- CVE-2015-7497 (buffer overflow)

A heap-based buffer overflow has been discovered in
xmlDictComputeFastQKey. It was possible to hit a negative offset in the
name indexing used to randomize the dictionary key generation.

- CVE-2015-7498 (buffer overflow)

A Heap-based buffer overflow was found in xmlParseXmlDecl. When
conversion failure happens, parser continues to extract more errors
which may lead to unexpected behavior.

- CVE-2015-7499 (buffer overflow)

A heap-based buffer overflow was found in xmlGROW allowing the attacker
to read the memory out of bounds.

- CVE-2015-7500 (buffer overflow)

A Heap-based  buffer overflow has been discovered in xmlParseMisc when
not properly handling the case where the parser popped out of the
current entity while processing a start tag.

- CVE-2015-8035 (denial of service)

A denial of service vulnerability has been discovered when parsing
specially crafted XML document while XZ support is enabled. The
xz_decomp function in xzlib.c did not properly detect compression
errors, which allows context-dependent attackers to cause a denial of
service (process hang) via crafted XML data.

- CVE-2015-8242 (buffer overflow)

A stack buffer overflow has been discovered in push mode in
xmlSAX2TextNode. It is possible to have an input cause out of bounds
memory to be returned to userspace through the use of libxml2, which
could be used to cause denial of service attacks, or gain sensitive
information.

Impact
=====
A remote attacker is able to create specially crafted XML files that,
when opened or processed, is leading to denial of service, disclosure of
sensitive information or possibly have other unspecified impact.

References
=========
https://access.redhat.com/security/cve/CVE-2015-1819
https://access.redhat.com/security/cve/CVE-2015-5312
https://access.redhat.com/security/cve/CVE-2015-7941
https://access.redhat.com/security/cve/CVE-2015-7942
https://access.redhat.com/security/cve/CVE-2015-7497
https://access.redhat.com/security/cve/CVE-2015-7498
https://access.redhat.com/security/cve/CVE-2015-7499
https://access.redhat.com/security/cve/CVE-2015-7500
https://access.redhat.com/security/cve/CVE-2015-8035
https://access.redhat.com/security/cve/CVE-2015-8242
https://mail.gnome.org/archives/xml/2015-November/msg00012.html
https://bugs.archlinux.org/task/47095

ArchLinux: 201512-6: libxml2: multiple issues

December 9, 2015

Summary

- CVE-2015-1819 (denial of service) A denial of service flaw was found in the way the libxml2 library parsed certain XML files. An attacker could provide a specially crafted XML file that, when parsed by an application using libxml2, could cause that application to use an excessive amount of memory.
- CVE-2015-5312 (denial of service)
A denial of service flaw was found that is leading to CPU exhaustion when processing specially crafted XML input. The issue was within detecting entities expansions in certain situations.
- CVE-2015-7941 (denial of service)
It has been discovered that libxml2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as demonstrated by non-terminated entities.
- CVE-2015-7942 (denial of service)
The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data.
- CVE-2015-7497 (buffer overflow)
A heap-based buffer overflow has been discovered in xmlDictComputeFastQKey. It was possible to hit a negative offset in the name indexing used to randomize the dictionary key generation.
- CVE-2015-7498 (buffer overflow)
A Heap-based buffer overflow was found in xmlParseXmlDecl. When conversion failure happens, parser continues to extract more errors which may lead to unexpected behavior.
- CVE-2015-7499 (buffer overflow)
A heap-based buffer overflow was found in xmlGROW allowing the attacker to read the memory out of bounds.
- CVE-2015-7500 (buffer overflow)
A Heap-based buffer overflow has been discovered in xmlParseMisc when not properly handling the case where the parser popped out of the current entity while processing a start tag.
- CVE-2015-8035 (denial of service)
A denial of service vulnerability has been discovered when parsing specially crafted XML document while XZ support is enabled. The xz_decomp function in xzlib.c did not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.
- CVE-2015-8242 (buffer overflow)
A stack buffer overflow has been discovered in push mode in xmlSAX2TextNode. It is possible to have an input cause out of bounds memory to be returned to userspace through the use of libxml2, which could be used to cause denial of service attacks, or gain sensitive information.

Resolution

Upgrade to 2.9.3-1. # pacman -Syu "libxml2>=2.9.3-1"
The problems have been fixed upstream in version 2.9.3.

References

https://access.redhat.com/security/cve/CVE-2015-1819 https://access.redhat.com/security/cve/CVE-2015-5312 https://access.redhat.com/security/cve/CVE-2015-7941 https://access.redhat.com/security/cve/CVE-2015-7942 https://access.redhat.com/security/cve/CVE-2015-7497 https://access.redhat.com/security/cve/CVE-2015-7498 https://access.redhat.com/security/cve/CVE-2015-7499 https://access.redhat.com/security/cve/CVE-2015-7500 https://access.redhat.com/security/cve/CVE-2015-8035 https://access.redhat.com/security/cve/CVE-2015-8242 https://mail.gnome.org/archives/xml/2015-November/msg00012.html https://bugs.archlinux.org/task/47095

Severity
CVE-2015-7497 CVE-2015-7498 CVE-2015-7499 CVE-2015-7500
CVE-2015-8035 CVE-2015-8242
Package : libxml2
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/title/CVE

Workaround

None.

Related News