[oss-security] 20160125 Out-of-bounds Read in the libxml2's htmlParseNameComplex() function

[oss-security] 20160126 Re: Out-of-bounds Read in the libxml2's htmlParseNameComplex() function

http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html

85267

1035011

USN-2994-1

GLSA-201701-37

DSA-3593

The remote host is affected by the vulnerability described in GLSA-201701-37 (libxml2: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libxml2. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user or automated system to process a       specially crafted XML document, possibly resulting in execution of       arbitrary code with the privileges of the process or a Denial of Service       condition.
  Workaround :

    There is no known workaround at this time.

This update for libxml2 fixes the following security issues :

  - CVE-2016-2073, CVE-2015-8806, CVE-2016-1839: A     Heap-buffer overread was fixed in libxml2/dict.c     [bsc#963963, bsc#965283, bsc#981114].

  - CVE-2016-4483: Code was added to avoid an out of bound     access when serializing malformed strings [bsc#978395].

  - CVE-2016-1762: Fixed a heap-based buffer overread in     xmlNextChar [bsc#981040].

  - CVE-2016-1834: Fixed a heap-buffer-overflow in     xmlStrncat [bsc#981041].

  - CVE-2016-1833: Fixed a heap-based buffer overread in     htmlCurrentChar [bsc#981108].

  - CVE-2016-1835: Fixed a heap use-after-free in     xmlSAX2AttributeNs [bsc#981109].

  - CVE-2016-1837: Fixed a heap use-after-free in     htmlParsePubidLiteral and htmlParseSystemiteral     [bsc#981111].

  - CVE-2016-1838: Fixed a heap-based buffer overread in     xmlParserPrintFileContextInternal [bsc#981112].

  - CVE-2016-1840: Fixed a heap-buffer-overflow in     xmlFAParsePosCharGroup [bsc#981115].

  - CVE-2016-4447: Fixed a heap-based buffer-underreads due     to xmlParseName [bsc#981548].

  - CVE-2016-4448: Fixed some format string warnings with     possible format string vulnerability [bsc#981549],

  - CVE-2016-4449: Fixed inappropriate fetch of entities     content [bsc#981550].

  - CVE-2016-3705: Fixed missing increment of recursion     counter.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libxml2 fixes the following security issues :

  - CVE-2016-2073, CVE-2015-8806, CVE-2016-1839: A     Heap-buffer overread was fixed in libxml2/dict.c     [bsc#963963, bsc#965283, bsc#981114].

  - CVE-2016-4483: Code was added to avoid an out of bound     access when serializing malformed strings [bsc#978395].

  - CVE-2016-1762: Fixed a heap-based buffer overread in     xmlNextChar [bsc#981040].

  - CVE-2016-1834: Fixed a heap-buffer-overflow in     xmlStrncat [bsc#981041].

  - CVE-2016-1833: Fixed a heap-based buffer overread in     htmlCurrentChar [bsc#981108].

  - CVE-2016-1835: Fixed a heap use-after-free in     xmlSAX2AttributeNs [bsc#981109].

  - CVE-2016-1837: Fixed a heap use-after-free in     htmlParsePubidLiteral and htmlParseSystemiteral     [bsc#981111].

  - CVE-2016-1838: Fixed a heap-based buffer overread in     xmlParserPrintFileContextInternal [bsc#981112].

  - CVE-2016-1840: Fixed a heap-buffer-overflow in     xmlFAParsePosCharGroup [bsc#981115].

  - CVE-2016-4447: Fixed a heap-based buffer-underreads due     to xmlParseName [bsc#981548].

  - CVE-2016-4448: Fixed some format string warnings with     possible format string vulnerability [bsc#981549],

  - CVE-2016-4449: Fixed inappropriate fetch of entities     content [bsc#981550].

  - CVE-2016-3705: Fixed missing increment of recursion     counter.

This update was imported from the SUSE:SLE-12:Update update project.

It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service. (CVE-2015-8806, CVE-2016-2073, CVE-2016-3627, CVE-2016-3705, CVE-2016-4447)

It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2016-1762, CVE-2016-1834)

Mateusz Jurczyk discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-1833, CVE-2016-1838, CVE-2016-1839)

Wei Lei and Liu Yang discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-1835, CVE-2016-1837)

Wei Lei and Liu Yang discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2016-1836)

Kostya Serebryany discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-1840)

It was discovered that libxml2 would load certain XML external entities. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly obtain access to arbitrary files or cause resource consumption. (CVE-2016-4449)

Gustavo Grieco discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service. (CVE-2016-4483).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause a denial of service against the application, or potentially the execution of arbitrary code with the privileges of the user running the application.

For Debian 7 'Wheezy', these problems have been fixed in version 2.8.0+dfsg1-7+wheezy6.

We recommend that you upgrade your libxml2 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause a denial-of-service against the application, or potentially the execution of arbitrary code with the privileges of the user running the application.

ID	Name	Product	Family	Severity
96541	GLSA-201701-37 : libxml2: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
93154	SUSE SLES11 Security Update : libxml2 (SUSE-SU-2016:1604-1)	Nessus	SuSE Local Security Checks	critical
91656	SUSE SLED12 / SLES12 Security Update : libxml2 (SUSE-SU-2016:1538-1)	Nessus	SuSE Local Security Checks	critical
91639	openSUSE Security Update : libxml2 (openSUSE-2016-733)	Nessus	SuSE Local Security Checks	critical
91499	Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : libxml2 vulnerabilities (USN-2994-1)	Nessus	Ubuntu Local Security Checks	high
91472	Debian DLA-503-1 : libxml2 security update	Nessus	Debian Local Security Checks	high
91447	Debian DSA-3593-1 : libxml2 - security update	Nessus	Debian Local Security Checks	high

CVE-2016-2073

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins

critical

critical

critical

critical

high

high

high