https://bugzilla.redhat.com/show_bug.cgi?id=1213957
Bug ID: 1213957
Summary: libxml2: out-of-bounds memory access when parsing an unclosed HTML comment
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: vkaigoro@redhat.com
CC: athmanem@gmail.com, c.david86@gmail.com, drizt@land.ru, erik-fedora@vanpienbroek.nl, fedora-mingw@lists.fedoraproject.org, ktietz@redhat.com, lfarkas@lfarkas.org, ohudlick@redhat.com, rjones@redhat.com, veillard@redhat.com
The following issue was reported in libxml2 (http://seclists.org/oss-sec/2015/q2/214):
""" This is an out-of-bounds memory access in libxml2. By entering an unclosed HTML comment such as <!-- the libxml2 parser didn't stop parsing at the end of the buffer, causing random memory to be included in the parsed comment that was returned to Ruby. In Shopify, this caused Ruby objects from previous HTTP requests to be disclosed in the rendered page.
Link to the issue in libxml2's bugtracker: https://bugzilla.gnome.org/show_bug.cgi?id=746048
A patched version of nokogiri (which uses an embedded libxml2) is available here: https://github.com/Shopify/nokogiri/compare/1b1fcad8bd64ab70256666c38d2c998e...
This bug is still not patched upstream, but both libxml2 and nokogiri developers are aware of the issue. """
No upstream patches exist at the time of creating this Bugzilla.
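A toy model of the bug class described in the report above, added here as an illustration; it is not libxml2 or nokogiri code, and the scanner functions, the arena layout and its contents are constructed for the example. It contrasts a comment scan that never consults the input length with one that treats an unterminated comment as a parse error.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed arena: the 4-byte document "<!--" followed by bytes left over
 * from an earlier request. One array, so the flawed scan stays in defined
 * memory while still crossing the document's logical end. */
static const char ARENA[] = "<!--" "session=PLACEHOLDER-->";
#define DOC_LEN 4

/* Flawed pattern (hypothetical): trusts a terminator to exist, ignores len. */
static long scan_unbounded(const char *buf, size_t len, const char **body)
{
    (void)len;
    const char *end = strstr(buf + 4, "-->");
    if (end == NULL)
        return -1;
    *body = buf + 4;
    return (long)(end - (buf + 4));
}

/* Bounded: every comparison is checked against len; an unterminated
 * comment is a parse error, not a longer comment. */
static long scan_bounded(const char *buf, size_t len, const char **body)
{
    if (len < 4 || memcmp(buf, "<!--", 4) != 0)
        return -1;
    for (size_t i = 4; i + 3 <= len; i++) {
        if (memcmp(buf + i, "-->", 3) == 0) {
            *body = buf + 4;
            return (long)(i - 4);
        }
    }
    return -1;
}

int main(void)
{
    const char *body = NULL;
    long n = scan_unbounded(ARENA, DOC_LEN, &body);
    printf("unbounded: %ld bytes: %.*s\n", n, (int)n, body);
    printf("bounded:   %ld\n", scan_bounded(ARENA, DOC_LEN, &body));
    return 0;
}
```

The unbounded scan returns a 19-byte "comment" made entirely of bytes that were never part of the 4-byte document, which is the disclosure pattern the report describes; the bounded scan rejects the same input.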
Vasyl Kaigorodov vkaigoro@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1213958
Depends On |        |1213959
Depends On |        |1213960
--- Comment #1 from Vasyl Kaigorodov vkaigoro@redhat.com ---
Created libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1213958]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1213958
[Bug 1213958] libxml2: out-of-bounds memory access when parsing an unclosed HTML comment [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1213959
[Bug 1213959] mingw-libxml2: libxml2: out-of-bounds memory access when parsing an unclosed HTML comment [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1213960
[Bug 1213960] mingw-libxml2: libxml2: out-of-bounds memory access when parsing an unclosed HTML comment [epel-all]
--- Comment #2 from Vasyl Kaigorodov vkaigoro@redhat.com ---
Created mingw-libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1213959]
Affects: epel-all [bug 1213960]
Vasyl Kaigorodov vkaigoro@redhat.com changed:
What   |Removed |Added
----------------------------------------------------------------------------
Blocks |        |1214246
MinGW Maintenance Account fedora-mingw@lists.fedoraproject.org changed:
What |Removed                               |Added
----------------------------------------------------------------------------
CC   |fedora-mingw@lists.fedoraproject.org |
Stefan Cornelius scorneli@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |fedora-mingw@lists.fedoraproject.org
Stefan Cornelius scorneli@redhat.com changed:
What  |Removed |Added
----------------------------------------------------------------------------
Flags |        |needinfo+
      |        |needinfo?(veillard@redhat.com)
--- Doc Text *updated* by Stefan Cornelius scorneli@redhat.com ---
It was discovered that libxml2 could access out-of-bounds memory when parsing unclosed HTML comments. When processing specially crafted XML content, this could lead to e.g. the disclosure of heap memory contents.
--- Doc Text *updated* by Martin Prpic mprpic@redhat.com ---
It was discovered that libxml2 could access out-of-bounds memory when parsing unclosed HTML comments. A remote attacker could provide a specially crafted XML file that, when processed by an application linked against libxml2, could cause the application to disclose heap memory contents.
Vincent Danen vdanen@redhat.com changed:
What  |Removed   |Added
----------------------------------------------------------------------------
Flags |needinfo+ |
Adam Mariš amaris@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |amaris@redhat.com
--- Comment #5 from Adam Mariš amaris@redhat.com ---
Upstream patch:
https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846...
Adam Mariš amaris@redhat.com changed:
What   |Removed |Added
----------------------------------------------------------------------------
Blocks |        |1262850, 1276694
--- Comment #6 from Adam Mariš amaris@redhat.com ---
*** Bug 1262849 has been marked as a duplicate of this bug. ***
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What   |Removed |Added
----------------------------------------------------------------------------
Blocks |        |1274223
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1284794
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1286495
Depends On |        |1286496
Depends On |        |1286497
Daniel Veillard veillard@redhat.com changed:
What   |Removed                        |Added
----------------------------------------------------------------------------
Status |NEW                            |POST
Flags  |needinfo?(veillard@redhat.com) |
--- Comment #10 from Daniel Veillard veillard@redhat.com ---
The upstream patch for this is
https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846...
Daniel
Martin Cermak mcermak@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |mcermak@redhat.com
Bug 1213957 depends on bug 1213958, which changed state.
Bug 1213958 Summary: libxml2: out-of-bounds memory access when parsing an unclosed HTML comment [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1213958
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |EOL
Bug 1213957 depends on bug 1213959, which changed state.
Bug 1213959 Summary: mingw-libxml2: libxml2: out-of-bounds memory access when parsing an unclosed HTML comment [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1213959
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |EOL
--- Comment #11 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2015:2549 https://rhn.redhat.com/errata/RHSA-2015-2549.html
--- Comment #12 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:2550 https://rhn.redhat.com/errata/RHSA-2015-2550.html
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Status      |POST |CLOSED
Resolution  |--- |ERRATA
Whiteboard  |impact=moderate,public=20150419,reported=20150421,source=oss-security,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:N/A:P,fedora-all/libxml2=affected,fedora-all/mingw-libxml2=affected,epel-all/mingw-libxml2=affected,rhel-5/libxml2=affected,rhel-6/libxml2=affected,rhel-7/libxml2=affected |impact=moderate,public=20150419,reported=20150421,source=oss-security,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:N/A:P,fedora-all/libxml2=affected,fedora-all/mingw-libxml2=affected,epel-all/mingw-libxml2=affected,rhel-5/libxml2=wontfix,rhel-6/libxml2=affected,rhel-7/libxml2=affected
Last Closed | |2015-12-08 01:19:21
Ján Rusnačko jrusnack@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
CC         | |jrusnack@redhat.com
Whiteboard |impact=moderate,public=20150419,reported=20150421,source=oss-security,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:N/A:P,fedora-all/libxml2=affected,fedora-all/mingw-libxml2=affected,epel-all/mingw-libxml2=affected,rhel-5/libxml2=wontfix,rhel-6/libxml2=affected,rhel-7/libxml2=affected |impact=moderate,public=20150419,reported=20150421,source=oss-security,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:N/A:P,fedora-all/libxml2=affected,fedora-all/mingw-libxml2=affected,epel-all/mingw-libxml2=affected,rhel-5/libxml2=wontfix,rhel-6/libxml2=affected,rhel-7/libxml2=affected,cwe=CWE-119
Adam Mariš amaris@redhat.com changed:
What    |Removed |Added
----------------------------------------------------------------------------
Summary |libxml2: out-of-bounds memory access when parsing an unclosed HTML comment |CVE-2015-8710 libxml2: out-of-bounds memory access when parsing an unclosed HTML comment
Alias   | |CVE-2015-8710
--- Comment #13 from Adam Mariš amaris@redhat.com ---
CVE assignment:
http://seclists.org/oss-sec/2015/q4/616
Bug 1213957 depends on bug 1213960, which changed state.
Bug 1213960 Summary: mingw-libxml2: libxml2: out-of-bounds memory access when parsing an unclosed HTML comment [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1213960
What       |Removed |Added
----------------------------------------------------------------------------
Status     |ON_QA   |CLOSED
Resolution |---     |ERRATA
Timothy Walsh twalsh@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Whiteboard |impact=moderate,public=20150419,reported=20150421,source=oss-security,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:N/A:P,fedora-all/libxml2=affected,fedora-all/mingw-libxml2=affected,epel-all/mingw-libxml2=affected,rhel-5/libxml2=wontfix,rhel-6/libxml2=affected,rhel-7/libxml2=affected,cwe=CWE-119 |impact=moderate,public=20150419,reported=20150421,source=oss-security,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:N/A:P,cwe=CWE-119,fedora-all/libxml2=affected,fedora-all/mingw-libxml2=affected,epel-all/mingw-libxml2=affected,rhel-5/libxml2=wontfix,rhel-6/libxml2=affected,rhel-7/libxml2=affected,jbews-2/libxml2=wontfix,jbews-3/libxml2=affected
Timothy Walsh twalsh@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1323038
--- Comment #17 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html