Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 560524 (CVE-2015-8710)

Summary: <dev-libs/libxml2-2.9.2-r4: Out-of-bounds memory access when parsing unclosed HTML comment
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: gnome
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.gnome.org/show_bug.cgi?id=746048
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1262849
https://bugs.gentoo.org/show_bug.cgi?id=565574
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 564240, 564776    

Description Agostino Sarubbo gentoo-dev 2015-09-15 09:56:32 UTC 
From ${URL} :

Out-of-bounds memory access vulnerability when parsing unclosed HTMl comment was found in libxml2. By entering a unclosed html comment such as <!-- the libxml2 parser didn't stop parsing at the end of the buffer, causing random memory to be included in the parsed 
comment.

CVE request:

http://seclists.org/oss-sec/2015/q3/540

Upstream was notified, but patch is not released yet. However, a patch for nokogiri, which uses embedded libxml2, was proposed:

https://github.com/Shopify/nokogiri/compare/1b1fcad8bd64ab70256666c38d2c998e86ade8c0...master


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Gilles Dartiguelongue (RETIRED) gentoo-dev 2015-11-09 14:25:31 UTC 
Following links, I found the upstream bug report.
Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev 2015-11-09 20:37:49 UTC 
Upstream patch applied in 2.9.2-r2.
Comment 3 Agostino Sarubbo gentoo-dev 2015-11-11 08:37:20 UTC 
Arches, please test and mark stable:
=dev-libs/libxml2-2.9.2-r4
Target keywords : "alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2015-11-11 15:00:35 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-11-11 15:01:27 UTC 
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-11-12 08:13:34 UTC 
Stable for PPC64.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-11-12 08:31:02 UTC 
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2015-11-12 10:26:22 UTC 
ppc stable
Comment 9 Notis 2015-11-12 13:02:17 UTC 
!!! Digest verification failed:
!!! /usr/portage/dev-libs/libxml2/ChangeLog
!!! Reason: Filesize does not match recorded size
!!! Got: 5038
!!! Expected: 4685
Comment 10 Matt Turner gentoo-dev 2015-11-15 18:27:44 UTC 
alpha stable
Comment 11 Markus Meier gentoo-dev 2015-11-15 20:58:52 UTC 
arm stable
Comment 12 Sergey Popov (RETIRED) gentoo-dev 2015-11-18 08:19:22 UTC 
s390 stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-11-18 11:00:14 UTC 
ia64 stable
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-12-25 19:52:54 UTC 
sparc stable
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2016-07-19 11:58:40 UTC 
The htmlParseComment function in HTMLparser.c in libxml2 allows attackers to obtain sensitive information, cause a denial of service (out-of-bounds heap memory access and application crash), or possibly have unspecified other impact via an unclosed HTML comment.

Re-designating as this is not default or common software in the tree (do we really have any statistics on that anyway?) nor was the original vulnerability reported accurately.

GLSA Vote: No.