[security-announce] libxml2: Security Update

Sona Sarmadi sona.sarmadi at enea.com
Tue Nov 24 08:05:16 CET 2015



	Enea Linux Security Advisory

=========================================================
Product/package: libxml2, (2.9.1)
Severity: Low
CVE Names:  CVE-2015-8241
Layer: poky
=========================================================

This security update fixes a buffer overread in the XML parser, in
xmlNextChar, which causes a segmentation fault when compiled with ASAN.


Description
===========
Input parsed by libxml2 could cause out-of-bounds memory to be
returned to userspace, which could be used to cause denial of
service attacks or to gain sensitive information.

References:
http://openwall.com/lists/oss-security/2015/11/18/23

Upstream bug (contains reproducer):
https://bugzilla.gnome.org/show_bug.cgi?id=756263

Upstream patch:
https://git.gnome.org/browse/libxml2/commit/?id=ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe

Correction for Enea Linux 5.0:
http://git.enea.com/cgit/linux/poky.git/commit/?h=dizzy&id=cdf91befc739cbeae281e7bd4a4ff0028e6e10c6


How to get the latest patches
=============================
- If you have already cloned meta-enea, update it to get new
security patches.

cd Enea-Linux-5.0/poky
git pull

- If you have not yet cloned the needed repositories, do so as described
below. (All patches are fetched implicitly when cloning the repos.)

mkdir Enea-Linux-5.0
git -C Enea-Linux-5.0 clone -b dizzy git://git.enea.com/linux/poky.git
POKY=Enea-Linux-5.0/poky
git -C "$POKY" clone -b dizzy git://git.enea.com/linux/meta-enea.git
git -C "$POKY" clone -b dizzy git://git.enea.com/linux/meta-hierofalcon.git
git -C "$POKY" clone -b dizzy git://git.enea.com/linux/meta-linaro.git
git -C "$POKY" clone -b dizzy git://git.enea.com/linux/meta-openembedded.git
git -C "$POKY" clone -b dizzy git://git.enea.com/linux/meta-virtualization.git
git -C "$POKY/meta-enea" clone -b dizzy git://git.enea.com/linux/meta-enea/meta-vt.git


If you have any questions regarding the security patches and security
updates please contact security at enea.com.


Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
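
One way to confirm that a poky checkout actually contains the correction commit listed above. This is an added example, not part of the original advisory; the function name fix_status and its three result strings are assumptions introduced here.

```shell
#!/bin/sh
# Added example: check whether a fix commit is in the history of HEAD.
#
# fix_status REPO COMMIT
#   prints "present" (exit 0) if COMMIT is HEAD or an ancestor of HEAD,
#   prints "absent"  (exit 1) if COMMIT exists locally but HEAD does not
#                             contain it (wrong branch, or not yet merged),
#   prints "unknown" (exit 2) if the commit object is not in the local
#                             repository at all (a fetch/pull is needed).
fix_status() {
    repo=$1
    commit=$2

    # Without this check, a missing object would make merge-base fail
    # with an error that looks the same as "not an ancestor" to a
    # caller that only tests for a non-zero exit status.
    if ! git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null; then
        echo unknown
        return 2
    fi

    if git -C "$repo" merge-base --is-ancestor "$commit" HEAD; then
        echo present
        return 0
    fi

    echo absent
    return 1
}

# Usage with the values from this advisory; runs only if the checkout
# exists in the current directory.
if [ -d Enea-Linux-5.0/poky/.git ]; then
    fix_status Enea-Linux-5.0/poky \
        cdf91befc739cbeae281e7bd4a4ff0028e6e10c6 || :
fi
```

A result of "unknown" or "absent" means the git pull step above has not yet brought the fix into the checked-out branch.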


