| Summary: | <dev-libs/libxml2-2.9.4: Stack exhaustion parsing xml in recover mode (CVE-2016-3627) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | gnome |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.gnome.org/show_bug.cgi?id=762100 | ||
| Whiteboard: | A2 [glsa cve] | ||
| Package list: | Runtime testing required: | --- | |
CVE from https://bugzilla.redhat.com/show_bug.cgi?id=1319829 Patched via https://github.com/GNOME/libxml2/commit/bdd66182ef53fe1f7209ab6535fda56366bd7ac9 released in v2.9.4. v2.9.4 landed in Gentoo repository via https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-libs/libxml2?id=b68f9389191396b4febff3e7b61f939189364426 @ Security: Please vote! CVE-2016-3627 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3627): The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document. This issue was resolved and addressed in GLSA 201701-37 at https://security.gentoo.org/glsa/201701-37 by GLSA coordinator Thomas Deutschmann (whissi). This issue was resolved and addressed in GLSA 201701-37 at https://security.gentoo.org/glsa/201701-37 by GLSA coordinator Thomas Deutschmann (whissi). |
From ${URL} : We found a denegation of service parsing a specially crafted xml in libxml2 if recover mode is used. Find attached a xml that crashes during the parsing process: gdb --quiet --args xmllint --recover no-recover.xml ... Program received signal SIGSEGV, Segmentation fault. _int_malloc (av=0x7ffff7826760 <main_arena>, bytes=64) at malloc.c:3302 (gdb) bt — Trace 235974 #0 _int_malloc at malloc.c line 3302 #1 __GI___libc_malloc at malloc.c line 2891 #2 xmlBufCreateSize at ../../buf.c line 159 #3 xmlStringGetNodeList__internal_alias at ../../tree.c line 1483 #4 xmlStringGetNodeList__internal_alias at ../../tree.c line 1591 #5 xmlStringGetNodeList__internal_alias at ../../tree.c line 1591 #6 xmlStringGetNodeList__internal_alias at ../../tree.c line 1591 #7 xmlStringGetNodeList__internal_alias at ../../tree.c line 1591 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.