Bug 1213957 (CVE-2015-8710)

Summary: CVE-2015-8710 libxml2: out-of-bounds memory access when parsing an unclosed HTML comment
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: athmanem, c.david86, csutherl, dknox, drizt72, erik-fedora, fedora-mingw, jclere, jdoyle, jrusnack, lfarkas, lgao, mbabacek, mcermak, mnewsome, mturk, myarboro, ohudlick, rjones, sardella, slawomir, twalsh, veillard, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
It was discovered that libxml2 could access out-of-bounds memory when parsing unclosed HTML comments. A remote attacker could provide a specially crafted XML file that, when processed by an application linked against libxml2, could cause the application to disclose heap memory contents.
Story Points: ---
Last Closed: 2015-12-08 06:19:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1213958, 1213959, 1213960, 1284794, 1286495, 1286496, 1286497, 1323038
Bug Blocks: 1214246, 1262850, 1274223, 1276694, 1318206

Description Vasyl Kaigorodov 2015-04-21 15:46:24 UTC
The following issue was reported in libxml2 (http://seclists.org/oss-sec/2015/q2/214):

"""
This is an out-of-bounds memory access in libxml2. By entering an unclosed
html comment such as <!-- the libxml2 parser didn't stop parsing at the end
of the buffer, causing random memory to be included in the parsed comment
that was returned to ruby. In Shopify, this caused ruby objects from
previous http requests to be disclosed in the rendered page.

Link to the issue in libxml2's bugtracker:
https://bugzilla.gnome.org/show_bug.cgi?id=746048

A patched version of nokogiri (which uses an embedded libxml2) is available
here:
https://github.com/Shopify/nokogiri/compare/1b1fcad8bd64ab70256666c38d2c998e86ade8c0...master

This bug is still not patched upstream, but both libxml2 and nokogiri
developers are aware of the issue.
"""

No upstream patches exist at the time of creating this Bugzilla.
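The report and the Doc Text above describe the failure mode: a comment opened with `<!--` and never closed must terminate at the end of the input buffer instead of running on into adjacent heap memory. The C function below is an added illustration of that bounded scan, written for this page rather than taken from libxml2's own comment parser; it treats the input as a length-delimited slice (not necessarily NUL-terminated), never dereferences `buf[len]`, and reports an unclosed comment to the caller instead of reading past it.

```c
#include <stddef.h>
#include <string.h>

/* Outcome of scanning one HTML comment that begins at buf[0] with "<!--".
 * Hypothetical type for this example; not a libxml2 structure. */
typedef struct {
    int closed;        /* 1 if a terminating "-->" was found inside [0, len) */
    size_t body_start; /* offset of the first byte after "<!--" */
    size_t body_len;   /* bytes of comment body, never extending past len */
    size_t consumed;   /* bytes consumed from buf, always <= len */
} comment_scan;

/* Scan a comment bounded strictly by len. Returns 0 on a scan, -1 if buf
 * does not start with a comment opener. Every buffer access is guarded by
 * len, so an unclosed comment ends at the buffer end, not in heap memory. */
int scan_html_comment(const char *buf, size_t len, comment_scan *out)
{
    if (len < 4 || memcmp(buf, "<!--", 4) != 0)
        return -1;
    out->closed = 0;
    out->body_start = 4;
    /* Look for "-->" only while i + 2 < len, so buf[i+2] is always in range. */
    for (size_t i = 4; i + 2 < len; i++) {
        if (buf[i] == '-' && buf[i + 1] == '-' && buf[i + 2] == '>') {
            out->closed = 1;
            out->body_len = i - 4;
            out->consumed = i + 3;
            return 0;
        }
    }
    /* Unclosed comment: the body is whatever remains, truncated at len.
     * The caller may treat this as a parse error; what it must not do is
     * keep scanning beyond the end of the buffer. */
    out->body_len = len - 4;
    out->consumed = len;
    return 0;
}
```

A regression check for a build of any comment-handling parser is the same idea: feed an input that ends inside `<!--` and assert the returned comment text is a substring of the input you supplied.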

Comment 1 Vasyl Kaigorodov 2015-04-21 15:47:02 UTC
Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1213958]

Comment 2 Vasyl Kaigorodov 2015-04-21 15:47:05 UTC
Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1213959]
Affects: epel-all [bug 1213960]

Comment 6 Adam Mariš 2015-11-13 16:19:53 UTC
*** Bug 1262849 has been marked as a duplicate of this bug. ***

Comment 10 Daniel Veillard 2015-11-30 08:02:53 UTC
The upstream patch for this is

https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846605aa1bac54c

Daniel

Comment 11 errata-xmlrpc 2015-12-07 10:13:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:2549 https://rhn.redhat.com/errata/RHSA-2015-2549.html

Comment 12 errata-xmlrpc 2015-12-07 12:00:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2550 https://rhn.redhat.com/errata/RHSA-2015-2550.html

Comment 13 Adam Mariš 2016-01-04 14:40:50 UTC
CVE assignment:

http://seclists.org/oss-sec/2015/q4/616

Comment 17 errata-xmlrpc 2016-05-17 16:13:22 UTC
This issue has been addressed in the following products:
Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html