https://bugzilla.redhat.com/show_bug.cgi?id=1281930
Bug ID: 1281930
Summary: libxml2: Out-of-bounds heap read on 0xff char in xml declaration
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: athmanem@gmail.com, c.david86@gmail.com, erik-fedora@vanpienbroek.nl, fedora-mingw@lists.fedoraproject.org, ktietz@redhat.com, lfarkas@lfarkas.org, ohudlick@redhat.com, rjones@redhat.com, veillard@redhat.com
An out-of-bounds heap read in xmlParseXMLDecl happens when a file containing an unfinished xml declaration, e.g. <?xml versionencoding="ISO88598", is followed by a 0xff byte.
Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=751631
Upstream patch:
https://git.gnome.org/browse/libxml2/commit/?id=709a952110e98621c9b78c4f2646...
Adam Mariš amaris@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends On|                            |1281931
         Depends On|                            |1281932
         Depends On|                            |1281933
--- Comment #1 from Adam Mariš amaris@redhat.com ---
Created libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1281931]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1281931
[Bug 1281931] libxml2: Out-of-bounds heap read on 0xff char in xml declaration [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1281932
[Bug 1281932] mingw-libxml2: libxml2: Out-of-bounds heap read on 0xff char in xml declaration [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1281933
[Bug 1281933] mingw-libxml2: libxml2: Out-of-bounds heap read on 0xff char in xml declaration [epel-7]
--- Comment #2 from Adam Mariš amaris@redhat.com ---
Created mingw-libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1281932]
Affects: epel-7 [bug 1281933]
Adam Mariš amaris@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1281960
--- Comment #3 from Adam Mariš amaris@redhat.com ---
Acknowledgments:
Red Hat would like to thank the GNOME project for reporting this issue. Upstream acknowledges Hanno Boeck as the original reporter.
Adam Mariš amaris@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|libxml2: Out-of-bounds heap |libxml2: CVE-2015-8317
                   |read on 0xff char in xml    |Out-of-bounds heap read
                   |declaration                 |when parsing file with
                   |                            |unfinished xml declaration
              Alias|                            |CVE-2015-8317
--- Comment #4 from Adam Mariš amaris@redhat.com ---
CVE assignment:
http://seclists.org/oss-sec/2015/q4/354
Adam Mariš amaris@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|libxml2: CVE-2015-8317      |CVE-2015-8317 libxml2:
                   |Out-of-bounds heap read     |Out-of-bounds heap read
                   |when parsing file with      |when parsing file with
                   |unfinished xml declaration  |unfinished xml declaration
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1274223
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends On|                            |1284794
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends On|                            |1286495
         Depends On|                            |1286496
         Depends On|                            |1286497
Martin Cermak mcermak@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mcermak@redhat.com
--- Comment #8 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2015:2549 https://rhn.redhat.com/errata/RHSA-2015-2549.html
--- Comment #9 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:2550 https://rhn.redhat.com/errata/RHSA-2015-2550.html
Timothy Walsh twalsh@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|impact=low,public=20150629, |impact=low,public=20150629,
                   |reported=20151113,source=re |reported=20151113,source=re
                   |dhat,cvss2=4.3/AV:N/AC:M/Au |dhat,cvss2=4.3/AV:N/AC:M/Au
                   |:N/C:P/I:N/A:N,cwe=CWE-125, |:N/C:P/I:N/A:N,cwe=CWE-125,
                   |rhel-5/libxml2=affected,rhe |rhel-5/libxml2=affected,rhe
                   |l-6/libxml2=affected,rhel-7 |l-6/libxml2=affected,rhel-7
                   |/libxml2=affected,jboss/lib |/libxml2=affected,jboss/lib
                   |xml2=affected,fedora-all/li |xml2=affected,jbews-2/libxm
                   |bxml2=affected,fedora-all/m |l2=wontfix,jbews-3/libxml2=
                   |ingw-libxml2=affected,epel- |affected,fedora-all/libxml2
                   |7/mingw-libxml2=affected    |=affected,fedora-all/mingw-
                   |                            |libxml2=affected,epel-7/min
                   |                            |gw-libxml2=affected
Timothy Walsh twalsh@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends On|                            |1323034
--- Doc Text *updated* by Timothy Walsh twalsh@redhat.com ---
An out-of-bounds heap read vulnerability was found in libxml2 in the xmlParseXMLDecl function in parser.c that allows context-dependent attackers to obtain sensitive information via an unterminated encoding value or incomplete XML declaration in XML data.
--- Doc Text *updated* by Timothy Walsh twalsh@redhat.com ---
An out-of-bounds heap read flaw was found in libxml2 in the xmlParseXMLDecl function in parser.c that allows context-dependent attackers to obtain sensitive information via an unterminated encoding value or incomplete XML declaration in XML data.
--- Doc Text *updated* by Martin Prpic mprpic@redhat.com ---
A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to leak potentially sensitive information.
--- Comment #13 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html