105198

https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74

[debian-lts-announce] 20180927 [SECURITY] [DLA 1524-1] libxml2 security update

[debian-lts-announce] 20200909 [SECURITY] [DLA 2369-1] libxml2 security update

USN-3739-1

Several security vulnerabilities were corrected in libxml2, the GNOME XML library.

CVE-2017-8872

Global buffer-overflow in the htmlParseTryOrFinish function.

CVE-2017-18258

The xz_head function in libxml2 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.

CVE-2018-14404

A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case.
Applications processing untrusted XSL format inputs may be vulnerable to a denial of service attack.

CVE-2018-14567

If the option --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file.

CVE-2019-19956

The xmlParseBalancedChunkMemoryRecover function has a memory leak related to newDoc->oldNs.

CVE-2019-20388

A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed leading to a denial of service.

CVE-2020-7595

Infinite loop in xmlStringLenDecodeEntities can cause a denial of service.

CVE-2020-24977

Out-of-bounds read restricted to xmllint --htmlout.

For Debian 9 stretch, these problems have been fixed in version 2.9.4+dfsg1-2.2+deb9u3.

We recommend that you upgrade your libxml2 packages.

For the detailed security status of libxml2 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libxml2

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application. A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing invalid XPath expression. Applications processing untrusted XSL format inputs with the use of libxml2 library may be vulnerable to denial of service attack due to crash of the application. (CVE-2018-14404)

Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. A use-after-free flaw was found in the libxml2 library. An attacker could use this flaw to cause an application linked against libxml2 to crash when parsing a specially crafted XML file. (CVE-2017-15412)

The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data. A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to crash.
(CVE-2015-8035)

libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251 . (CVE-2018-14567)

The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.
(CVE-2017-18258)

Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (CVE-2016-5131)

A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application. (CVE-2018-14404)

Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
(CVE-2017-15412)

A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to crash.
(CVE-2015-8035)

libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251 . (CVE-2018-14567)

The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.
(CVE-2017-18258)

Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (CVE-2016-5131)

* libxml2: Use after free triggered by XPointer paths beginning with range-to * libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c * libxml2:
DoS caused by incorrect error detection during XZ decompression * libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c * libxml2: Unrestricted memory usage in xz_head() function in xzlib.c * libxml2: Infinite loop caused by incorrect error detection during LZMA decompression

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1190 advisory.

  - libxml2: DoS caused by incorrect error detection during     XZ decompression (CVE-2015-8035)

  - libxml2: Use after free triggered by XPointer paths     beginning with range-to (CVE-2016-5131)

  - libxml2: Use after free in     xmlXPathCompOpEvalPositionalPredicate() function in     xpath.c (CVE-2017-15412)

  - libxml2: Unrestricted memory usage in xz_head() function     in xzlib.c (CVE-2017-18258)

  - libxml2: NULL pointer dereference in     xmlXPathCompOpEval() function in xpath.c     (CVE-2018-14404)

  - libxml2: Infinite loop caused by incorrect error     detection during LZMA decompression (CVE-2018-14567)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the libxml2 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a     heap-based buffer over-read in the xmlDictAddString     function in dict.c. This vulnerability causes programs     that use libxml2, such as PHP, to crash. This     vulnerability exists because of an incomplete fix for     CVE-2016-1839.(CVE-2017-9050)

  - libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a     heap-based buffer over-read in the     xmlDictComputeFastKey function in dict.c. This     vulnerability causes programs that use libxml2, such as     PHP, to crash. This vulnerability exists because of an     incomplete fix for libxml2 Bug 759398.(CVE-2017-9049)

  - libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a     stack-based buffer overflow. The function     xmlSnprintfElementContent in valid.c is supposed to     recursively dump the element content definition into a     char buffer 'buf' of size 'size'. At the end of the     routine, the function may strcat two more characters     without checking whether the current strlen(buf) + 2 <     size. This vulnerability causes programs that use     libxml2, such as PHP, to crash.(CVE-2017-9048)

  - The htmlParseTryOrFinish function in HTMLparser.c in     libxml2 2.9.4 allows attackers to cause a denial of     service (buffer over-read) or information     disclosure.(CVE-2017-8872)

  - The xz_decomp function in xzlib.c in libxml2 2.9.8, if
    --with-lzma is used, allows remote attackers to cause a     denial of service (infinite loop) via a crafted XML     file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated     by xmllint, a different vulnerability than     CVE-2015-8035.(CVE-2018-9251)

  - libxml2 2.9.8, if --with-lzma is used, allows remote     attackers to cause a denial of service (infinite loop)     via a crafted XML file that triggers     LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a     different vulnerability than CVE-2015-8035 and     CVE-2018-9251.(CVE-2018-14567)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libxml2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - This library allows to manipulate XML files. It     includes support to read, modify and write XML and HTML     files. There is DTDs support this includes parsing and     validation even with complex DtDs, either at parse time     or later once the document has been modified. The     output can be a simple SAX stream or and in-memory DOM     like representations. In this case one can use the     built-in XPath and XPointer implementation to select     sub nodes or ranges. A flexible Input/Output mechanism     is available, with existing HTTP and FTP modules and     combined to an URI library.Security Fix(es):** DISPUTED
    ** libxml2 2.9.4, when used in recover mode, allows     remote attackers to cause a denial of service (NULL     pointer dereference) via a crafted XML document. NOTE:
    The maintainer states 'I would disagree of a CVE with     the Recover parsing option which should only be used     for manual recovery at least for XML     parser.'(CVE-2017-5969)A NULL pointer dereference     vulnerability exists in the     xpath.c:xmlXPathCompOpEval() function of libxml2     through 2.9.8 when parsing an invalid XPath expression     in the XPATH_OP_AND or XPATH_OP_OR case. Applications     processing untrusted XSL format inputs with the use of     the libxml2 library may be vulnerable to a denial of     service attack due to a crash of the     application.(CVE-2018-14404)libxml2 2.9.8, if
    --with-lzma is used, allows remote attackers to cause a     denial of service (infinite loop) via a crafted XML     file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated     by xmllint, a different vulnerability than     CVE-2015-8035 and CVE-2018-9251.(CVE-2018-14567)libxml2     20904-GITv2.9.4-16-g0741801 is vulnerable to a     heap-based buffer over-read in the     xmlDictComputeFastKey function in dict.c. This     vulnerability causes programs that use libxml2, such as     PHP, to crash. This vulnerability exists because of an     incomplete fix for libxml2 Bug     759398.(CVE-2017-9049)libxml2     20904-GITv2.9.4-16-g0741801 is vulnerable to a     stack-based buffer overflow. The function     xmlSnprintfElementContent in valid.c is supposed to     recursively dump the element content definition into a     char buffer 'buf' of size 'size'. At the end of the     routine, the function may strcat two more characters     without checking whether the current strlen(buf) + 2 <     size. This vulnerability causes programs that use     libxml2, such as PHP, to crash.(CVE-2017-9048)The     htmlParseTryOrFinish function in HTMLparser.c in     libxml2 2.9.4 allows attackers to cause a denial of     service (buffer over-read) or information     disclosure.(CVE-2017-8872)The xz_decomp function in     xzlib.c in libxml2 2.9.1 does not properly detect     compression errors, which allows context-dependent     attackers to cause a denial of service (process hang)     via crafted XML data.(CVE-2015-8035)The xz_head     function in xzlib.c in libxml2 before 2.9.6 allows     remote attackers to cause a denial of service (memory     consumption) via a crafted LZMA file, because the     decoder functionality does not restrict memory usage to     what is required for a legitimate file.(CVE-2017-18258)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libxml2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A remote code execution vulnerability in libxml2 could     enable an attacker using a specially crafted file to     execute arbitrary code within the context of an     unprivileged process. This issue is rated as High due     to the possibility of remote code execution in an     application that uses this library. Product: Android.
    Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1,     7.1.2. Android ID: A-37104170.(CVE-2017-0663)

  - libxml2 2.9.8, if --with-lzma is used, allows remote     attackers to cause a denial of service (infinite loop)     via a crafted XML file that triggers     LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a     different vulnerability than CVE-2015-8035 and     CVE-2018-9251.(CVE-2018-14567)

  - The htmlParseTryOrFinish function in HTMLparser.c in     libxml2 2.9.4 allows attackers to cause a denial of     service (buffer over-read) or information     disclosure.(CVE-2017-8872)

  - libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a     stack-based buffer overflow. The function     xmlSnprintfElementContent in valid.c is supposed to     recursively dump the element content definition into a     char buffer 'buf' of size 'size'. At the end of the     routine, the function may strcat two more characters     without checking whether the current strlen(buf) + 2 <     size. This vulnerability causes programs that use     libxml2, such as PHP, to crash.(CVE-2017-9048)

  - The xz_decomp function in xzlib.c in libxml2 2.9.1 does     not properly detect compression errors, which allows     context-dependent attackers to cause a denial of     service (process hang) via crafted XML     data.(CVE-2015-8035)

  - The xz_head function in xzlib.c in libxml2 before 2.9.6     allows remote attackers to cause a denial of service     (memory consumption) via a crafted LZMA file, because     the decoder functionality does not restrict memory     usage to what is required for a legitimate     file.(CVE-2017-18258)

  - ** DISPUTED ** libxml2 2.9.4, when used in recover     mode, allows remote attackers to cause a denial of     service (NULL pointer dereference) via a crafted XML     document. NOTE: The maintainer states 'I would disagree     of a CVE with the Recover parsing option which should     only be used for manual recovery at least for XML     parser.'(CVE-2017-5969)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libxml2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - dict.c in libxml2 allows remote attackers to cause a     denial of service (heap-based buffer over-read and     application crash) via an unexpected character     immediately after the '<!DOCTYPE html' substring in a     crafted HTML document.(CVE-2015-8806)

  - libxml2 2.9.4, when used in recover mode, allows remote     attackers to cause a denial of service (NULL pointer     dereference) via a crafted XML document. NOTE: The     maintainer states 'I would disagree of a CVE with the     Recover parsing option which should only be used for     manual recovery at least for XML     parser.'(CVE-2017-5969)

  - The htmlParseTryOrFinish function in HTMLparser.c in     libxml2 2.9.4 allows attackers to cause a denial of     service (buffer over-read) or information     disclosure.(CVE-2017-8872)

  - libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a     stack-based buffer overflow. The function     xmlSnprintfElementContent in valid.c is supposed to     recursively dump the element content definition into a     char buffer 'buf' of size 'size'. At the end of the     routine, the function may strcat two more characters     without checking whether the current strlen(buf) + 2 <     size. This vulnerability causes programs that use     libxml2, such as PHP, to crash.(CVE-2017-9048)

  - libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a     heap-based buffer over-read in the     xmlDictComputeFastKey function in dict.c. This     vulnerability causes programs that use libxml2, such as     PHP, to crash. This vulnerability exists because of an     incomplete fix for libxml2 Bug 759398.(CVE-2017-9049)

  - libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a     heap-based buffer over-read in the xmlDictAddString     function in dict.c. This vulnerability causes programs     that use libxml2, such as PHP, to crash. This     vulnerability exists because of an incomplete fix for     CVE-2016-1839.(CVE-2017-9050)

  - The xz_decomp function in xzlib.c in libxml2 2.9.8, if
    --with-lzma is used, allows remote attackers to cause a     denial of service (infinite loop) via a crafted XML     file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated     by xmllint, a different vulnerability than     CVE-2015-8035.(CVE-2018-9251)

  - libxml2 2.9.8, if --with-lzma is used, allows remote     attackers to cause a denial of service (infinite loop)     via a crafted XML file that triggers     LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a     different vulnerability than CVE-2015-8035 and     CVE-2018-9251.(CVE-2018-14567)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libxml2 fixes the following security issues :

  - CVE-2018-9251: The xz_decomp function allowed remote     attackers to cause a denial of service (infinite loop)     via a crafted XML file that triggers     LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint     (bsc#1088279)

  - CVE-2018-14567: Prevent denial of service (infinite     loop) via a crafted XML file that triggers     LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint     (bsc#1105166)

  - CVE-2018-14404: Prevent NULL pointer dereference in the     xmlXPathCompOpEval() function when parsing an invalid     XPath expression in the XPATH_OP_AND or XPATH_OP_OR case     leading to a denial of service attack (bsc#1102046)

This update was imported from the SUSE:SLE-15:Update update project.

This update for libxml2 fixes the following security issues :

CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)

CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166)

CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libxml2 fixes the following security issues :

  - CVE-2018-9251: The xz_decomp function allowed remote     attackers to cause a denial of service (infinite loop)     via a crafted XML file that triggers     LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint     (bsc#1088279).

  - CVE-2018-14567: Prevent denial of service (infinite     loop) via a crafted XML file that triggers     LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint     (bsc#1105166).

  - CVE-2018-14404: Prevent NULL pointer dereference in the     xmlXPathCompOpEval() function when parsing an invalid     XPath expression in the XPATH_OP_AND or XPATH_OP_OR case     leading to a denial of service attack (bsc#1102046).

  - CVE-2017-18258: The xz_head function allowed remote     attackers to cause a denial of service (memory     consumption) via a crafted LZMA file, because the     decoder functionality did not restrict memory usage to     what is required for a legitimate file (bsc#1088601).

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for libxml2 fixes the following security issues :

CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279).

CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166).

CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046).

CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

CVE-2018-14404 Fix of a NULL pointer dereference which might result in a crash and thus in a denial of service.

CVE-2018-14567 and CVE-2018-9251 Approvement in LZMA error handling which prevents an infinite loop.

CVE-2017-18258 Limit available memory to 100MB to avoid exhaustive memory consumption by malicious files.

For Debian 8 'Jessie', these problems have been fixed in version 2.9.1+dfsg1-5+deb8u7.

We recommend that you upgrade your libxml2 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
140469	Debian DLA-2369-1 : libxml2 security update	Nessus	Debian Local Security Checks	medium
139549	Amazon Linux AMI : libxml2 (ALAS-2020-1415)	Nessus	Amazon Linux Local Security Checks	medium
138855	Amazon Linux 2 : libxml2 (ALAS-2020-1466)	Nessus	Amazon Linux Local Security Checks	medium
135819	Scientific Linux Security Update : libxml2 on SL7.x x86_64 (20200407)	Nessus	Scientific Linux Local Security Checks	medium
135358	CentOS 7 : libxml2 (CESA-2020:1190)	Nessus	CentOS Local Security Checks	medium
135071	RHEL 7 : libxml2 (RHSA-2020:1190)	Nessus	Red Hat Local Security Checks	medium
134734	EulerOS Virtualization 3.0.2.2 : libxml2 (EulerOS-SA-2020-1268)	Nessus	Huawei Local Security Checks	medium
132161	EulerOS 2.0 SP3 : libxml2 (EulerOS-SA-2019-2626)	Nessus	Huawei Local Security Checks	medium
131644	EulerOS 2.0 SP2 : libxml2 (EulerOS-SA-2019-2491)	Nessus	Huawei Local Security Checks	medium
130673	EulerOS 2.0 SP5 : libxml2 (EulerOS-SA-2019-2211)	Nessus	Huawei Local Security Checks	medium
123336	openSUSE Security Update : libxml2 (openSUSE-2019-785)	Nessus	SuSE Local Security Checks	medium
120125	SUSE SLED15 / SLES15 Security Update : libxml2 (SUSE-SU-2018:3080-1)	Nessus	SuSE Local Security Checks	medium
118116	openSUSE Security Update : libxml2 (openSUSE-2018-1150)	Nessus	SuSE Local Security Checks	medium
118115	openSUSE Security Update : libxml2 (openSUSE-2018-1149)	Nessus	SuSE Local Security Checks	medium
118032	SUSE SLED12 / SLES12 Security Update : libxml2 (SUSE-SU-2018:3081-1)	Nessus	SuSE Local Security Checks	medium
117811	Debian DLA-1524-1 : libxml2 security update	Nessus	Debian Local Security Checks	medium

CVE-2018-14567

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins