[security-announce] Security Update: libxml2: CVE-2015-8710

Sona Sarmadi sona.sarmadi at enea.com
Fri Apr 8 08:21:15 CEST 2016


	Enea Linux Security Advisory

=========================================================
Product/package: libxml2 2.9.1/ Enea Linux 5.0
Severity: Medium
CVE Name: CVE-2015-8710
Layer: meta
=========================================================

This security update fixes an out-of-bounds memory access in libxml2. l

Description:
By entering a unclosed html comment such as <!-- the libxml2 parser
didn't stop parsing at the end of the buffer, causing random memory to
be included in the parsed comment that was returned to ruby. In Shopify,
this caused ruby objects from previous http requests to be disclosed in
the rendered page.

References:
https://bugzilla.gnome.org/show_bug.cgi?id=746048

Reference to upstream patch:
Patch is backported from:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/patch/?id=1bbf18385b76eccb2a413d72088d1ba66acaac02

Correction for Enea Linux 5.0:
http://git.enea.com/cgit/linux/poky.git/patch/?id=9f53426654e9a75a085901ca33fe1ea8173e7b7f

How to get the latest patches
=============================
- If you have already cloned needed repositories, update it to get new
security patches.

cd Enea-Linux-5.0/poky
git pull

- If you have not yet cloned needed repositories, do it as described
below. (All patches are fetched implicitly when cloning the repos).

mkdir Enea-Linux-5.0
git -C Enea-Linux-5.0 clone -b dizzy git://git.enea.com/linux/poky.git
POKY=Enea-Linux-5.0/poky
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-enea.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-fsl-ppc.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-
hierofalcon.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-linaro.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-
openembedded.git
git -C $POKY clone -b dizzy
git://git.enea.com/linux/meta-virtualization.git
git -C $POKY/meta-enea clone -b dizzy
git://git.enea.com/linux/meta-enea/meta-vt.git

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://mail.lists.enea.com/pipermail/security-announce/attachments/20160408/ec1bb5e7/attachment.sig>


More information about the security-announce mailing list