From ${URL} :

Hello,

We found a vulnerability in the way libxml2's htmlParseNameComplex() function parses certain XML files. I was successful in reproducing this issue in the latest version of libxml2 (git clone git://git.gnome.org/libxml2).

HTMLparser.c line 2517:

    return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));

"ctxt->input->cur - len" causes an out-of-bounds read.

Bug info:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60620000d8ff at pc 0x62f90d bp 0x7fffa1464060 sp 0x7fffa1464058
READ of size 1 at 0x60620000d8ff thread T0
    #0 0x62f90c (/home/r/libxml2/testHTML+0x62f90c)
    #1 0x631c40 (/home/r/libxml2/testHTML+0x631c40)
    #2 0x4eb94c (/home/r/libxml2/testHTML+0x4eb94c)
    #3 0x4eb09c (/home/r/libxml2/testHTML+0x4eb09c)
    #4 0x4ecdb4 (/home/r/libxml2/testHTML+0x4ecdb4)
    #5 0x4f993b (/home/r/libxml2/testHTML+0x4f993b)
    #6 0x4ff225 (/home/r/libxml2/testHTML+0x4ff225)
    #7 0x5008d1 (/home/r/libxml2/testHTML+0x5008d1)
    #8 0x50ba97 (/home/r/libxml2/testHTML+0x50ba97)
    #9 0x50bc89 (/home/r/libxml2/testHTML+0x50bc89)
    #10 0x403df6 (/home/r/libxml2/testHTML+0x403df6)
    #11 0x4046a0 (/home/r/libxml2/testHTML+0x4046a0)
    #12 0x7fb1877a5ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
    #13 0x4025b8 (/home/r/libxml2/testHTML+0x4025b8)
0x60620000d8ff is located 1 bytes to the left of 4096-byte region [0x60620000d900,0x60620000e900)
allocated by thread T0 here:
    #0 0x7fb187e6541a (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x1541a)
    #1 0x5aa0a2 (/home/r/libxml2/testHTML+0x5aa0a2)
    #2 0x67f4b0 (/home/r/libxml2/testHTML+0x67f4b0)
    #3 0x67f873 (/home/r/libxml2/testHTML+0x67f873)
    #4 0x67ed01 (/home/r/libxml2/testHTML+0x67ed01)
    #5 0x4e47cd (/home/r/libxml2/testHTML+0x4e47cd)
    #6 0x4eb704 (/home/r/libxml2/testHTML+0x4eb704)
    #7 0x4eb09c (/home/r/libxml2/testHTML+0x4eb09c)
    #8 0x4ecdb4 (/home/r/libxml2/testHTML+0x4ecdb4)
    #9 0x4f993b (/home/r/libxml2/testHTML+0x4f993b)
    #10 0x4ff225 (/home/r/libxml2/testHTML+0x4ff225)
    #11 0x5008d1 (/home/r/libxml2/testHTML+0x5008d1)
    #12 0x50ba97 (/home/r/libxml2/testHTML+0x50ba97)
    #13 0x50bc89 (/home/r/libxml2/testHTML+0x50bc89)
    #14 0x403df6 (/home/r/libxml2/testHTML+0x403df6)
    #15 0x4046a0 (/home/r/libxml2/testHTML+0x4046a0)
    #16 0x7fb1877a5ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
Shadow bytes around the buggy address:
  0x0c0cbfff9ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0cbfff9ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0cbfff9ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0cbfff9af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0cbfff9b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0cbfff9b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c0cbfff9b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0cbfff9b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0cbfff9b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0cbfff9b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0cbfff9b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==20154== ABORTING

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2016-2073 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2073): The htmlParseNameComplex function in HTMLparser.c in libxml2 allows attackers to cause a denial of service (out-of-bounds read) via a crafted XML document.
Upstream solved this as part of the fix for bug 573820 (CVE-2016-1839), see https://github.com/GNOME/libxml2/commit/a820dbeac29d330bae4be05d9ecd939ad6b4aa33.
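The report above pins the read to `ctxt->input->cur - len`: the scanner counts `len` bytes as it advances `cur`, then walks back `len` bytes to hand the token to the dictionary. That arithmetic is only valid if the bytes it counted are still in front of `base` in the same buffer. The toy model below is an added illustration, not libxml2 code and not the upstream commit linked above; it assumes a simplified `base`/`cur`/`end` input window, a hypothetical `scan_name()` that can have its buffer swapped out mid-token, and a hypothetical `token_start_checked()` that refuses to form the pointer unless at least `len` bytes precede `cur` in the current buffer. The sample input string is constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed toy input window over the bytes being parsed
 * (illustrative model, not libxml2's xmlParserInput). */
typedef struct {
    const char *base;
    const char *cur;
    const char *end;
} input_t;

/* Hardened form of "cur - len": only form the pointer when at least
 * `len` bytes precede `cur` inside the current buffer. The unchecked
 * form (return in->cur - len unconditionally) is what produces a
 * pointer left of the allocation, i.e. the ASan "1 bytes to the left"
 * heap-buffer-overflow READ in the report. */
static const char *token_start_checked(const input_t *in, size_t len) {
    if ((size_t)(in->cur - in->base) < len)
        return NULL;                  /* would point before base: refuse */
    return in->cur - len;
}

/* Scans a name (letters, digits, '-') from in->cur and returns the number
 * of bytes consumed. When `reload` is non-NULL, the buffer is swapped
 * after `reload_at` bytes: the unread tail is moved into `reload` and
 * base/cur/end are repointed there, so the already-counted prefix is no
 * longer reachable by walking back from cur. */
static size_t scan_name(input_t *in, char *reload, size_t reload_at) {
    size_t len = 0;
    while (in->cur < in->end &&
           (isalnum((unsigned char)*in->cur) || *in->cur == '-')) {
        in->cur++;
        len++;
        if (reload != NULL && len == reload_at) {
            size_t rest = (size_t)(in->end - in->cur);
            memmove(reload, in->cur, rest);   /* simulated buffer reload */
            reload[rest] = '\0';
            in->base = in->cur = reload;
            in->end = reload + rest;
            reload = NULL;
        }
    }
    return len;
}

/* Runs one scenario on the constructed input "html-name ". Returns 1 when
 * the checked lookup accepted the token and 0 when it refused; the token
 * text (or "<refused>") is written to `out` when `out` is non-NULL. */
int parse_scenario(int simulate_reload, char *out, size_t outsz) {
    char src[] = "html-name ";          /* constructed sample input */
    char fresh[32];
    input_t in = { src, src, src + strlen(src) };

    size_t len = scan_name(&in, simulate_reload ? fresh : NULL, 4);
    const char *start = token_start_checked(&in, len);
    if (start == NULL) {
        if (out) snprintf(out, outsz, "<refused>");
        return 0;
    }
    if (out) snprintf(out, outsz, "%.*s", (int)len, start);
    return 1;
}

/* Convenience for checking the token text of a scenario. */
int scenario_token_is(int simulate_reload, const char *expected) {
    char buf[32];
    parse_scenario(simulate_reload, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void) {
    char buf[32];
    int ok = parse_scenario(0, buf, sizeof buf);
    printf("no reload: accepted=%d token=%s\n", ok, buf);
    ok = parse_scenario(1, buf, sizeof buf);
    printf("reload:    accepted=%d token=%s\n", ok, buf);
    return 0;
}
```

Without a reload the nine counted bytes all sit between `base` and `cur`, so the walk-back lands on `base` and the token is "html-name". With the simulated reload only five of the nine counted bytes precede `cur` in the new buffer; the unchecked subtraction would produce a pointer four bytes left of the allocation, which is exactly the shape of read ASan flagged, and the check turns that into a clean refusal instead.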
This issue was resolved and addressed in GLSA 201701-37 at https://security.gentoo.org/glsa/201701-37 by GLSA coordinator Thomas Deutschmann (whissi).