Bug 1211278 (CVE-2015-1819)

Summary: CVE-2015-1819 libxml2: denial of service processing a crafted XML document
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: AL00339146, carnil, fweimer, mcermak, ohudlick, security-response-team, veillard
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20150414,reported=20150323,source=redhat,cvss2=2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P,fedora-all/libxml2=affected,rhel-5/libxml2=wontfix,rhel-6/libxml2=affected,rhel-7/libxml2=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way the libxml2 library parsed certain XML files. An attacker could provide a specially crafted XML file that, when parsed by an application using libxml2, could cause that application to use an excessive amount of memory.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:40:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1214163, 1286496, 1286497    
Bug Blocks: 1193283, 1211280    

Description Vasyl Kaigorodov 2015-04-13 13:46:10 UTC
Florian Weimer from Red Hat reported an issue against libxml2, where a parser which uses libxml2 chokes on a crafted XML document, allocating gigabytes of data.
This is a fine line between API misuse and an libxml2 bug.
Daniel Veillard have a fix for this issue already.

Comment 3 Daniel Veillard 2015-04-14 10:07:59 UTC
Patch updstream

https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9

Daniel

Comment 4 Maumita Mandal 2015-04-21 14:22:19 UTC
(In reply to Daniel Veillard from comment #3)
> Patch updstream
> 
> https://git.gnome.org/browse/libxml2/commit/
> ?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9
> 
> Daniel


Could you please let me know the version in which the bug has been fixed and provide the URL for downloading the same ?

Comment 6 Huzaifa S. Sidhpurwala 2015-04-22 06:40:04 UTC
Acknowledgements:

Name: Florian Weimer (Red Hat Product Security)

Comment 7 Huzaifa S. Sidhpurwala 2015-04-22 06:45:20 UTC
Statement:

Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw in libxml2.

Comment 8 Florian Weimer 2015-04-22 06:53:32 UTC
I don't think the upstream fix is quite right, as explained here:

  <https://bugzilla.gnome.org/show_bug.cgi?id=748278>

Comment 10 Aakash 2015-05-20 10:15:29 UTC
Could you please help with the patch to fix this vulnerability.

Comment 11 Florian Weimer 2015-05-20 10:26:20 UTC
(In reply to Aakash from comment #10)
> Could you please help with the patch to fix this vulnerability.

Aakash, please open a customer support case here:

  <https://access.redhat.com/support/>.

This bug here is a public resource and thus not suitable for responding to support queries, I'm afraid.

Comment 12 errata-xmlrpc 2015-07-22 07:43:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1419 https://rhn.redhat.com/errata/RHSA-2015-1419.html

Comment 14 Fedora Update System 2015-11-26 20:56:44 UTC
libxml2-2.9.3-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2015-11-30 23:22:17 UTC
libxml2-2.9.3-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Aakash 2015-12-03 13:06:03 UTC
I am getting the following error when i am trying to start apache server with mod security 2.8.0 and updated libxml version 2.9.3:

httpd: Syntax error on line 55 of /opt/apache/conf/httpd.conf: Cannot load /opt/apache/modules/mod_security2.so into server: /opt/apache/modules/mod_security2.so: symbol xmlOutputBufferGetSize, version LIBXML2_2.9.0 not defined in file libxml2.so.2 with link time reference

Could you please help.

Comment 17 errata-xmlrpc 2015-12-07 11:59:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2550 https://rhn.redhat.com/errata/RHSA-2015-2550.html