[security-announce] libxml2: CVE-2015-8317: Security Update

Sona Sarmadi sona.sarmadi at enea.com
Thu Feb 25 12:41:45 CET 2016


	Enea Linux Security Advisory

=========================================================
Product/package: libxml2 2.9.1
Severity: Low
CVE Name: CVE-2015-8317
Layer: poky
=========================================================

This security update fixes an out-of-bounds heap read when parsing a
file with an unfinished XML declaration.

Description:
The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3
allows context-dependent attackers to obtain sensitive information via
an (1) unterminated encoding value or (2) incomplete XML declaration
in XML data, which triggers an out-of-bounds heap read.

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8317

Patch is backported from:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/patch/?id=7aaf773d3243203b11592f92442f68009c476541

Correction for Enea Linux 5.0:
http://git.enea.com/cgit/linux/poky.git/patch/?id=0abe94ddc51e964eec027d22637381f274f8b133

How to get the latest patches
=============================
- If you have already cloned meta-enea, update it to get new
security patches.

cd Enea-Linux-5.0/poky
git pull

- If you have not yet cloned the needed repositories, do it as described
below. (All patches are fetched implicitly when cloning the repos.)

mkdir Enea-Linux-5.0
git -C Enea-Linux-5.0 clone -b dizzy git://git.enea.com/linux/poky.git
POKY=Enea-Linux-5.0/poky
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-enea.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-fsl-ppc.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-hierofalcon.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-linaro.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-openembedded.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-virtualization.git
git -C $POKY/meta-enea clone -b dizzy git://git.enea.com/linux/meta-enea/meta-vt.git


If you have any questions regarding the security patches and security
updates please contact security at enea.com.


Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
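
An added example, not part of the advisory or of libxml2: a length-bounded pre-parse check in C that classifies the two inputs named in the Description (an unterminated encoding value, an incomplete XML declaration), usable as a screen for untrusted XML on systems that have not yet taken the update. The names check_xml_decl, opens_encoding and decl_status are hypothetical, and the sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not libxml2 API. */
enum decl_status { DECL_NONE, DECL_OK, DECL_INCOMPLETE, DECL_UNTERMINATED_ENCODING };

/* True if the quote at buf[q] opens the value of an "encoding" pseudo-attribute. */
static int opens_encoding(const unsigned char *buf, size_t q)
{
    size_t j = q;
    while (j > 5 && isspace(buf[j - 1])) j--;
    if (j <= 5 || buf[j - 1] != '=') return 0;
    j--;
    while (j > 5 && isspace(buf[j - 1])) j--;
    return j >= 13 && memcmp(buf + j - 8, "encoding", 8) == 0;
}

/* Classify the XML declaration at the start of buf[0..len). Every read is
 * bounded by len, so the buffer needs no trailing NUL. Not a full validator. */
enum decl_status check_xml_decl(const unsigned char *buf, size_t len)
{
    unsigned char quote = 0;   /* open quote character, 0 when outside a value */
    int in_encoding = 0;

    if (len < 5 || memcmp(buf, "<?xml", 5) != 0) return DECL_NONE;
    if (len > 5 && !isspace(buf[5])) return DECL_NONE;   /* e.g. <?xml-stylesheet */
    for (size_t i = 5; i < len; i++) {
        unsigned char c = buf[i];
        if (quote) {
            if (c == quote) { quote = 0; in_encoding = 0; }
            else if (c == '<' || c == '>') break;        /* value ran into markup */
        } else if (c == '"' || c == '\'') {
            quote = c;
            in_encoding = opens_encoding(buf, i);
        } else if (c == '?' && i + 1 < len && buf[i + 1] == '>') {
            return DECL_OK;
        } else if (c == '<') break;                      /* markup before "?>" */
    }
    return (quote && in_encoding) ? DECL_UNTERMINATED_ENCODING : DECL_INCOMPLETE;
}

int main(void)
{   /* Constructed samples: complete, unterminated encoding, incomplete. */
    const char *s[] = { "<?xml version=\"1.0\" encoding=\"UTF-8\"?><a/>",
                        "<?xml version=\"1.0\" encoding=\"UTF-8",
                        "<?xml version=\"1.0\"" };
    for (int i = 0; i < 3; i++)
        printf("%d\n", check_xml_decl((const unsigned char *)s[i], strlen(s[i])));
    return 0;
}
```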
