[security-announce] Security Update: libxml2: Multiple CVE fixes

Sona Sarmadi sona.sarmadi at enea.com
Tue Sep 20 12:26:39 CEST 2016


	Enea Linux Security Advisory

====================================================================
Product/package: Enea Linux 6.0: (libxml2 2.9.3)
Severity: See below
Architecture: all
CVE Name: See below
====================================================================

libxml2 has been upgraded in Enea Linux 6.0 from 2.9.3 to 2.9.4 to
address the following vulnerabilities:

CVE-2016-1840: High
CVE-2016-1762: Medium
CVE-2016-1833: Medium
CVE-2016-1834: Medium
CVE-2016-1835: Medium
CVE-2016-1836: Medium
CVE-2016-1837: Medium
CVE-2016-1838: Medium
CVE-2016-1839: Medium
CVE-2016-3627: Medium
CVE-2016-3705: Medium
CVE-2016-4449: Medium
CVE-2016-4483: Medium

Description
===========
CVE-2016-1840
Heap-based buffer overflow in the xmlFAParsePosCharGroup function in
libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before
10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
attackers to execute arbitrary code or cause a denial of service (memory
corruption) via a crafted XML document.

CVE-2016-1762
The xmlNextChar function in libxml2 before 2.9.4 allows remote attackers
to cause a denial of service (heap-based buffer over-read) via a crafted
XML document.

CVE-2016-1833
The htmlCurrentChar function in libxml2 before 2.9.4, as used in Apple
iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS
before 2.2.1, allows remote attackers to cause a denial of service
(heap-based buffer over-read) via a crafted XML document.

CVE-2016-1834
Heap-based buffer overflow in the xmlStrncat function in libxml2 before
2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS
before 9.2.1, and watchOS before 2.2.1, allows remote attackers to
execute arbitrary code or cause a denial of service (memory corruption)
via a crafted XML document.


CVE-2016-1835
Use-after-free vulnerability in the xmlSAX2AttributeNs function in
libxml2 before 2.9.4, as used in Apple iOS before 9.3.2 and OS X before
10.11.5, allows remote attackers to cause a denial of service via a
crafted XML document.

CVE-2016-1836
Use-after-free vulnerability in the xmlDictComputeFastKey function in
libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before
10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
attackers to cause a denial of service via a crafted XML document.

CVE-2016-1837
Multiple use-after-free vulnerabilities in the (1) htmlParsePubidLiteral
and (2) htmlParseSystemLiteral functions in libxml2 before 2.9.4, as used
in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and
watchOS before 2.2.1, allow remote attackers to cause a denial of
service via a crafted XML document.

CVE-2016-1838
The xmlParserPrintFileContextInternal function in libxml2 before 2.9.4,
as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before
9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a
denial of service (heap-based buffer over-read) via a crafted XML document.

CVE-2016-1839
The xmlDictAddString function in libxml2 before 2.9.4, as used in Apple
iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS
before 2.2.1, allows remote attackers to cause a denial of service
(heap-based buffer over-read) via a crafted XML document.

CVE-2016-3627
The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and
earlier, when used in recovery mode, allows context-dependent attackers
to cause a denial of service (infinite recursion, stack consumption, and
application crash) via a crafted XML document.

CVE-2016-3705
The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions
in parser.c in libxml2 2.9.3 do not properly keep track of the recursion
depth, which allows context-dependent attackers to cause a denial of
service (stack consumption and application crash) via a crafted XML
document containing a large number of nested entity references.

CVE-2016-4449
XML external entity (XXE) vulnerability in the
xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4,
when not in validating mode, allows context-dependent attackers to read
arbitrary files or cause a denial of service (resource consumption) via
unspecified vectors.

CVE-2016-4483
** RESERVED ** This candidate has been reserved by an organization or
individual that will use it when announcing a new security problem. When
the candidate has been publicized, the details for this candidate will
be provided.

For more info please refer to http://xmlsoft.org/news.html.

References:
===========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1840
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1833
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1834
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1839
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3627
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3705
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4483


Correction for Enea Linux
=========================
http://git.enea.com/cgit/linux/poky.git/patch/?id=ff7c814661780ab95de219e21cf3e82051450e06


How to get the latest patches
=============================
- If you have already cloned the needed repositories, update them to get
the new security patches.

$ cd Enea-Linux-6.0
$ repo sync

- If you have not yet cloned the needed repositories, do so as described
below. (Security patches are fetched implicitly when cloning the repos.)

Use the repo tool to download the source for Enea Linux by following the
steps below:
1. Make sure that the repo tool is installed. If not, follow the
instructions below:

$ curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
$ chmod a+x ~/bin/repo

These instructions assume that ~/bin exists and is included in the PATH
variable.

2. Use the repo tool to download the source:
$ mkdir Enea-Linux-6.0
$ cd Enea-Linux-6.0
$ repo init \
    -u git://git.enea.com/linux/el_manifests-standard.git \
    -b krogoth \
    -m <manifest file>
$ repo sync

The parameter <manifest file> depends on the target:
P2041RDB: p2041rdb/default.xml
LS1021a-IoT: ls1021aiot/default.xml
QEMUARM: qemuarm/default.xml
QEMUPPC: qemuppc/default.xml
QEMUX86: qemux86/default.xml
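
To confirm that a rebuilt target actually carries the fixed library, the
following script compares the libxml2 version reported by xmllint against
2.9.4. It is an added example, not part of the original advisory; it
assumes xmllint is installed on the system being checked, and the function
names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a libxml2 version against the 2.9.4 fix level
# named in this advisory.
FIXED=20904   # 2.9.4 encoded as major*10000 + minor*100 + micro

# Convert "2.9.3" or "20903" (optionally followed by a "-GIT..." suffix)
# to the integer form that libxml2 reports. Returns 1 on malformed input.
libxml2_to_int() {
    v=${1%%-*}                        # drop any "-..." suffix
    case "$v" in
        ''|*[!0-9.]*|*.*.*.*|.*|*.|*..*) return 1 ;;
        *.*.*) echo "$v" | awk -F. '{ print $1 * 10000 + $2 * 100 + $3 }' ;;
        *.*)   return 1 ;;            # two-part versions are ambiguous
        *)     echo "$v" ;;           # already in integer form
    esac
}

# Print "fixed", "vulnerable" or "unknown" for a version string.
# Exit status: 0 = fixed, 1 = vulnerable, 2 = could not parse.
libxml2_status() {
    n=$(libxml2_to_int "$1") || { echo unknown; return 2; }
    if [ "$n" -ge "$FIXED" ]; then
        echo fixed
    else
        echo vulnerable
        return 1
    fi
}

# Extract the version token from `xmllint --version` output on stdin.
# The first line has the form "xmllint: using libxml version 20904".
xmllint_version() {
    sed -n 's/^xmllint: using libxml version \([^ ]*\).*/\1/p' | head -n 1
}

# Report on the local system only when xmllint is available.
# xmllint writes its version banner to stderr, hence the 2>&1.
if command -v xmllint >/dev/null 2>&1; then
    ver=$(xmllint --version 2>&1 | xmllint_version)
    echo "libxml2 $ver: $(libxml2_status "$ver")"
fi
```

A result of "vulnerable" on a target built after the sync means the image
still links the old library and needs to be rebuilt and redeployed.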

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
