Bug 618604 (CVE-2017-0663, CVE-2017-9047, CVE-2017-9048, CVE-2017-9049, CVE-2017-9050) - <dev-libs/libxml2-2.9.4-r3: Multiple vulnerabilities (CVE-2017-{0663,9047,9048,9049,9050})
Summary: <dev-libs/libxml2-2.9.4-r3: Multiple vulnerabilities (CVE-2017-{0663,9047,904...
Status: RESOLVED FIXED
Alias: CVE-2017-0663, CVE-2017-9047, CVE-2017-9048, CVE-2017-9049, CVE-2017-9050
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa cve]
Keywords:
Duplicates: 618618 622556
Depends on: CVE-2017-7375
Blocks:
Reported: 2017-05-16 02:47 UTC by Michael Boyle
Modified: 2017-11-10 03:49 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Description Michael Boyle 2017-05-16 02:47:36 UTC
Multiple Vulnerabilities

Using the record of this email, we are going to request CVEs from MITRE.
Comment 1 Hans de Graaff gentoo-dev Security 2017-05-16 06:15:43 UTC
We don't use the bundled libxml2 version of this gem so this should already be fixed. libxml-2.9.0 has been in the tree for a long time so we should stable this and drop libxml-2.8.0.

Arches, please mark this new version stable.
Comment 2 Agostino Sarubbo gentoo-dev 2017-05-16 07:04:20 UTC
(In reply to Hans de Graaff from comment #1)
> We don't use the bundled libxml2 version of this gem so this should already
> be fixed. libxml-2.9.0 has been in the tree for a long time so we should
> stable this and drop libxml-2.8.0.
> 
> Arches, please mark this new version stable.

I guess Michael intended dev-libs/libxml2
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-05-16 07:09:30 UTC
This was my fault actually, when helping him create the bug. I pulled up the wrong libxml. Thank you ago... redirecting.

______________________________

FROM URL:

In a fuzzing session with AFLGo, a directed version of AFL/AFLFast, we found four crashers (two invalid writes and two invalid reads) in LibXML2. These were reported to the maintainers one month ago. We provided analysis and patches and sent several email reminders, explaining our intent to disclose, but there has been no response. The bug reports are currently not public. So, in the spirit of full disclosure, we attach the bug reports with analysis and patches here. Using the record of this email, we are going to request CVEs from MITRE.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2017-05-16 07:11:55 UTC
*** Bug 618618 has been marked as a duplicate of this bug. ***
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-28 12:47:53 UTC
*** Bug 622556 has been marked as a duplicate of this bug. ***
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-06-28 12:54:46 UTC
CVE-2017-0663 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0663):
  A remote code execution vulnerability in libxml2 could enable an attacker
  using a specially crafted file to execute arbitrary code within the context
  of an unprivileged process. This issue is rated as High due to the
  possibility of remote code execution in an application that uses this
  library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0,
  7.1.1, 7.1.2. Android ID: A-37104170.

CVE-2017-9047 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9047):
  A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The
  function xmlSnprintfElementContent in valid.c is supposed to recursively
  dump the element content definition into a char buffer 'buf' of size 'size'.
  The variable len is assigned strlen(buf). If the content->type is
  XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf
  (if it actually fits) whereupon (ii) content->name is written to the buffer.
  However, the check for whether the content->name actually fits also uses
  'len' rather than the updated buffer length strlen(buf). This allows us to
  write about "size" many bytes beyond the allocated memory. This
  vulnerability causes programs that use libxml2, such as PHP, to crash.

CVE-2017-9048 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9048):
  libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer
  overflow. The function xmlSnprintfElementContent in valid.c is supposed to
  recursively dump the element content definition into a char buffer 'buf' of
  size 'size'. At the end of the routine, the function may strcat two more
  characters without checking whether the current strlen(buf) + 2 < size. This
  vulnerability causes programs that use libxml2, such as PHP, to crash.

CVE-2017-9049 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9049):
  libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer
  over-read in the xmlDictComputeFastKey function in dict.c. This
  vulnerability causes programs that use libxml2, such as PHP, to crash. This
  vulnerability exists because of an incomplete fix for libxml2 Bug 759398.

CVE-2017-9050 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9050):
  libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer
  over-read in the xmlDictAddString function in dict.c. This vulnerability
  causes programs that use libxml2, such as PHP, to crash. This vulnerability
  exists because of an incomplete fix for CVE-2016-1839.
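The two xmlSnprintfElementContent descriptions above (CVE-2017-9047 and CVE-2017-9048) come down to one pattern: a bounds check that reuses a length measured before an earlier append, and a final strcat with no check at all. The C below is an added illustration of that pattern and its hardened form; it is not libxml2's code or Gentoo's patch, and the function names, the SLACK margin and the sample inputs are assumptions.

```c
#include <string.h>

/* Hypothetical model, not libxml2's code, of the append steps in
   xmlSnprintfElementContent (CVE-2017-9047/9048); SLACK is an assumed margin. */
#define SLACK 10

/* Hardened prefix/name append: len is re-measured after the prefix is written,
   so the name check never uses a stale length. 0 on success, -1 if no room. */
static int append_qname_safe(char *buf, int size, const char *prefix, const char *name)
{
    int len = (int)strlen(buf);
    if (prefix != NULL) {
        if (size - len < (int)strlen(prefix) + SLACK) return -1;
        strcat(buf, prefix);
        strcat(buf, ":");
        len = (int)strlen(buf);              /* the fix: refresh len */
    }
    if (size - len < (int)strlen(name) + SLACK) return -1;
    strcat(buf, name);
    return 0;
}

/* Model of the vulnerable check (name check reuses the pre-prefix 'len').
   Returns how many bytes, NUL included, would land past a 'size'-byte buffer;
   nothing is written, and 0 means nothing would overrun. */
static int stale_check_overrun(int size, int initial_len, const char *prefix, const char *name)
{
    int len = initial_len, end = initial_len; /* len never refreshed: the bug */
    if (prefix != NULL) {
        if (size - len < (int)strlen(prefix) + SLACK) return 0;
        end += (int)strlen(prefix) + 1;      /* prefix plus ':' */
    }
    if (size - len < (int)strlen(name) + SLACK) return 0;
    end += (int)strlen(name) + 1;            /* name plus terminating NUL */
    return end > size ? end - size : 0;
}

/* Hardened trailing strcat (CVE-2017-9048): append only if it still fits. */
static int append_suffix_safe(char *buf, int size, const char *suffix)
{
    if ((int)strlen(buf) + (int)strlen(suffix) >= size) return -1;
    strcat(buf, suffix);
    return 0;
}
```

With a 32-byte buffer holding "(" and a 16-byte prefix plus 16-byte name, the stale check admits both appends and the write runs 3 bytes past the end, while the hardened form rejects the name.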
Comment 8 Gilles Dartiguelongue (RETIRED) gentoo-dev 2017-08-23 07:34:31 UTC
Patches for this issue have been pushed in libxml-2.9.4-r2.

Please note that:
* patches were cherry-picked from upstream master according to information found in this ticket; some patches were harder to find due to upstream blocking access to it.
* unit tests in the ebuild have actually not been run for a long time, most certainly due to a problem when porting to multilib. Maybe it existed before; I didn't check yet.

Anyway, as lots of other security-related fixes are pending an upstream release, I pushed this as a stopgap until I get more time to do a proper snapshot and fix these unit test issues.
Comment 9 Gilles Dartiguelongue (RETIRED) gentoo-dev 2017-08-23 07:35:54 UTC
Note that CVE-2017-0663 is not included, as it seemed to be a dedicated CVE for Android and separate CVEs seem to have been assigned to libxml2 upstream.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-11-10 03:49:10 UTC
This issue was resolved and addressed in
 GLSA 201711-01 at https://security.gentoo.org/glsa/201711-01
by GLSA coordinator Christopher Diaz Riveros (chrisadr).