|Summary:||CVE-2015-1819 libxml2: denial of service processing a crafted XML document|
|Product:||[Other] Security Response||Reporter:||Vasyl Kaigorodov <vkaigoro>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||AL00339146, carnil, fweimer, mcermak, ohudlick, security-response-team, veillard|
|Fixed In Version:||Doc Type:||Bug Fix|
A denial of service flaw was found in the way the libxml2 library parsed certain XML files. An attacker could provide a specially crafted XML file that, when parsed by an application using libxml2, could cause that application to use an excessive amount of memory.
|Last Closed:||2019-06-08 02:40:50 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||1214163, 1286496, 1286497|
|Bug Blocks:||1193283, 1211280|
Description Vasyl Kaigorodov 2015-04-13 13:46:10 UTC
Florian Weimer from Red Hat reported an issue against libxml2, where a parser which uses libxml2 chokes on a crafted XML document, allocating gigabytes of data. This is a fine line between API misuse and an libxml2 bug. Daniel Veillard have a fix for this issue already.
Comment 3 Daniel Veillard 2015-04-14 10:07:59 UTC
Patch updstream https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9 Daniel
Comment 4 Maumita Mandal 2015-04-21 14:22:19 UTC
(In reply to Daniel Veillard from comment #3) > Patch updstream > > https://git.gnome.org/browse/libxml2/commit/ > ?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9 > > Daniel Could you please let me know the version in which the bug has been fixed and provide the URL for downloading the same ?
Comment 6 Huzaifa S. Sidhpurwala 2015-04-22 06:40:04 UTC
Acknowledgements: Name: Florian Weimer (Red Hat Product Security)
Comment 7 Huzaifa S. Sidhpurwala 2015-04-22 06:45:20 UTC
Statement: Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw in libxml2.
Comment 8 Florian Weimer 2015-04-22 06:53:32 UTC
I don't think the upstream fix is quite right, as explained here: <https://bugzilla.gnome.org/show_bug.cgi?id=748278>
Comment 10 Aakash 2015-05-20 10:15:29 UTC
Could you please help with the patch to fix this vulnerability.
Comment 11 Florian Weimer 2015-05-20 10:26:20 UTC
(In reply to Aakash from comment #10) > Could you please help with the patch to fix this vulnerability. Aakash, please open a customer support case here: <https://access.redhat.com/support/>. This bug here is a public resource and thus not suitable for responding to support queries, I'm afraid.
Comment 12 errata-xmlrpc 2015-07-22 07:43:24 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1419 https://rhn.redhat.com/errata/RHSA-2015-1419.html
Comment 14 Fedora Update System 2015-11-26 20:56:44 UTC
libxml2-2.9.3-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2015-11-30 23:22:17 UTC
libxml2-2.9.3-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 16 Aakash 2015-12-03 13:06:03 UTC
I am getting the following error when i am trying to start apache server with mod security 2.8.0 and updated libxml version 2.9.3: httpd: Syntax error on line 55 of /opt/apache/conf/httpd.conf: Cannot load /opt/apache/modules/mod_security2.so into server: /opt/apache/modules/mod_security2.so: symbol xmlOutputBufferGetSize, version LIBXML2_2.9.0 not defined in file libxml2.so.2 with link time reference Could you please help.