[security-announce] libxml2: Security Update

Sona Sarmadi sona.sarmadi at enea.com
Fri Nov 20 19:53:43 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

	Enea Linux Security Advisory

=========================================================
Product/package: libxml2
Severity: Moderate
CVE Names: CVE-2015-8035
Layer: poky
=========================================================

This security update fixes a denial of service (DoS) that occurs when
parsing a specially crafted XML document if XZ support is enabled.


Description
===========
The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly
detect compression errors, which allows context-dependent attackers to
cause a denial of service (process hang) via crafted XML data.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8035
https://bugzilla.gnome.org/show_bug.cgi?id=757466
http://seclists.org/oss-sec/2015/q4/206
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8035

Upstream patch:
https://git.gnome.org/browse/libxml2/commit/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63

Correction for Enea Linux 5.0:
http://git.enea.com/cgit/linux/poky.git/commit/?h=dizzy&id=388f3a4a2ffb10979d77b119fe0a3bf3acd534bc


How to get the latest patches
=============================
- If you have already cloned meta-enea, update it to get new
security patches.

cd Enea-Linux-5.0/poky
git pull

- If you have not yet cloned the needed repositories, do so as described
below. (All patches are fetched implicitly when cloning the repos.)

mkdir Enea-Linux-5.0
git -C Enea-Linux-5.0 clone -b dizzy git://git.enea.com/linux/poky.git
POKY=Enea-Linux-5.0/poky
git -C "$POKY" clone -b dizzy git://git.enea.com/linux/meta-enea.git
git -C "$POKY" clone -b dizzy git://git.enea.com/linux/meta-hierofalcon.git
git -C "$POKY" clone -b dizzy git://git.enea.com/linux/meta-linaro.git
git -C "$POKY" clone -b dizzy git://git.enea.com/linux/meta-openembedded.git
git -C "$POKY" clone -b dizzy git://git.enea.com/linux/meta-virtualization.git
git -C "$POKY/meta-enea" clone -b dizzy git://git.enea.com/linux/meta-vt.git


If you have any questions regarding the security patches and security
updates please contact security at enea.com.


Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----
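
One way to confirm that a poky checkout already contains the Enea Linux 5.0 correction after the `git pull` or clone steps above, as an added example that is not part of the original advisory. The commit id and CVE name are taken from the advisory; the function name `fix_status` is hypothetical, and the fallback assumes that a backported commit names the CVE in its message.

```shell
#!/bin/sh
# Added example: report whether a checkout contains the advisory's fix.
FIX_COMMIT=388f3a4a2ffb10979d77b119fe0a3bf3acd534bc   # from the advisory
CVE_ID=CVE-2015-8035                                  # from the advisory

# fix_status REPO [COMMIT] [CVE]   (hypothetical helper)
# Prints: present | present-by-message | missing | not-a-repo
# Returns 0 only when the fix is found.
# Typical call: fix_status Enea-Linux-5.0/poky
fix_status() {
    repo=$1
    commit=${2:-$FIX_COMMIT}
    cve=${3:-$CVE_ID}

    # Refuse to answer for a path that is not a git work tree.
    if ! git -C "$repo" rev-parse --git-dir >/dev/null 2>&1; then
        echo not-a-repo
        return 2
    fi

    # Exact match: the commit object exists locally and is reachable
    # from HEAD, i.e. the checked-out branch includes the correction.
    if git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null &&
       git -C "$repo" merge-base --is-ancestor "$commit" HEAD 2>/dev/null
    then
        echo present
        return 0
    fi

    # Fallback: a cherry-pick or backport gets a different commit id,
    # so look for a commit reachable from HEAD whose message names the
    # CVE. Assumption: the backport message mentions the CVE id.
    if [ -n "$(git -C "$repo" log -1 --format=%H --grep="$cve" HEAD 2>/dev/null)" ]
    then
        echo present-by-message
        return 0
    fi

    echo missing
    return 1
}
```

A `present-by-message` result only shows that a commit mentions the CVE, so the change itself should still be inspected before treating the checkout as patched.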


