Bug 560524 (CVE-2015-8710) - <dev-libs/libxml2-2.9.2-r4: Out-of-bounds memory access when parsing unclosed HTML comment
Status: RESOLVED FIXED
Alias: CVE-2015-8710
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://bugzilla.gnome.org/show_bug.c...
Whiteboard: B4 [noglsa]
Blocks: CVE-2015-7942 CVE-2015-8035
Reported: 2015-09-15 09:56 UTC by Agostino Sarubbo
Modified: 2016-07-19 11:58 UTC
Description Agostino Sarubbo gentoo-dev 2015-09-15 09:56:32 UTC
From ${URL} :

Out-of-bounds memory access vulnerability when parsing unclosed HTML comment was found in libxml2. By entering an unclosed html comment such as <!-- the libxml2 parser didn't stop parsing at the end of the buffer, causing random memory to be included in the parsed comment.

CVE request:

http://seclists.org/oss-sec/2015/q3/540

Upstream was notified, but patch is not released yet. However, a patch for nokogiri, which uses embedded libxml2, was proposed:

https://github.com/Shopify/nokogiri/compare/1b1fcad8bd64ab70256666c38d2c998e86ade8c0...master


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Gilles Dartiguelongue (RETIRED) gentoo-dev 2015-11-09 14:25:31 UTC
Following links, I found the upstream bug report.
Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev 2015-11-09 20:37:49 UTC
Upstream patch applied in 2.9.2-r2.
Comment 3 Agostino Sarubbo gentoo-dev 2015-11-11 08:37:20 UTC
Arches, please test and mark stable:
=dev-libs/libxml2-2.9.2-r4
Target keywords : "alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2015-11-11 15:00:35 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-11-11 15:01:27 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-11-12 08:13:34 UTC
Stable for PPC64.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-11-12 08:31:02 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2015-11-12 10:26:22 UTC
ppc stable
Comment 9 Notis 2015-11-12 13:02:17 UTC
!!! Digest verification failed:
!!! /usr/portage/dev-libs/libxml2/ChangeLog
!!! Reason: Filesize does not match recorded size
!!! Got: 5038
!!! Expected: 4685
Comment 10 Matt Turner gentoo-dev 2015-11-15 18:27:44 UTC
alpha stable
Comment 11 Markus Meier gentoo-dev 2015-11-15 20:58:52 UTC
arm stable
Comment 12 Sergey Popov gentoo-dev 2015-11-18 08:19:22 UTC
s390 stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-11-18 11:00:14 UTC
ia64 stable
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-12-25 19:52:54 UTC
sparc stable
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2016-07-19 11:58:40 UTC
The htmlParseComment function in HTMLparser.c in libxml2 allows attackers to obtain sensitive information, cause a denial of service (out-of-bounds heap memory access and application crash), or possibly have unspecified other impact via an unclosed HTML comment.

Re-designating as this is not default or common software in the tree (do we really have any statistics on that anyway?) nor was the original vulnerability reported accurately.

GLSA Vote: No.
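
The bug class described in this report (a comment scanner that does not stop at the end of the input buffer), shown as an added example that is not libxml2's code and not part of the original bug thread. The function names, the `backing` array and `INPUT_LEN` are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the logical input is the 7 bytes "<!--abc" (an
 * unclosed comment). The bytes after it stand in for unrelated memory. */
static const char backing[] = "<!--abcSECRET-->";
#define INPUT_LEN 7

/* Sentinel-driven scan: stops only at "-->" or a NUL byte and ignores the
 * caller's length, so an unclosed comment runs on past the input. */
size_t comment_len_unbounded(const char *buf)
{
    size_t i = 4;                                   /* skip "<!--" */
    while (buf[i] != '\0' &&
           !(buf[i] == '-' && buf[i + 1] == '-' && buf[i + 2] == '>'))
        i++;
    return i - 4;
}

/* Length-driven scan: every read is checked against len. Returns the
 * comment body length and sets *closed; (size_t)-1 if not a comment. */
size_t comment_len_bounded(const char *buf, size_t len, int *closed)
{
    *closed = 0;
    if (len < 4 || memcmp(buf, "<!--", 4) != 0)
        return (size_t)-1;
    for (size_t i = 4; i + 2 < len; i++) {          /* buf[i..i+2] in bounds */
        if (memcmp(buf + i, "-->", 3) == 0) {
            *closed = 1;
            return i - 4;
        }
    }
    return len - 4;          /* unclosed: body ends at the end of the input */
}

int main(void)
{
    int closed;
    size_t n = comment_len_bounded(backing, INPUT_LEN, &closed);
    printf("bounded:   %zu body bytes, closed=%d\n", n, closed);
    printf("unbounded: %zu body bytes (includes bytes past the input)\n",
           comment_len_unbounded(backing));
    return 0;
}
```

A caller that sees `closed == 0` can report the unterminated comment as a parse error instead of emitting a comment node.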