Bug 1220607 (CVE-2015-2716)

Summary: CVE-2015-2716 expat: Integer overflow leading to buffer overflow in XML_GetBuffer()
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: chazlett, huzaifas, jhorak, jorton, sardella, security-response-team, stransky
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2020-03-31 22:31:52 UTC
Bug Depends On: 1232574, 1579625, 1831819
Bug Blocks: 1209788

Description Huzaifa S. Sidhpurwala 2015-05-12 01:19:04 UTC
Security researcher Ucha Gobejishvili used the Address Sanitizer tool to find a buffer overflow while parsing compressed XML content. This was due to an error in how buffer space is created and modified when handling large amounts of XML data. This results in a potentially exploitable crash.

In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.

External Reference:

http://www.mozilla.org/security/announce/2015/mfsa2015-54.html

Acknowledgements:

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Ucha Gobejishvili as the original reporter.
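The following is an added example, not code from expat or from the Mozilla patch: a minimal model of the size arithmetic a get-buffer routine such as XML_GetBuffer() performs when it must keep unparsed input and make room for more, written with the checks that stop a wrapped size from turning into an undersized allocation. The parser_t struct, its field names and the 1024-byte initial size are assumptions of this example.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not expat's structure): 'keep' bytes of unparsed
   input sit at the start of 'buffer' and must survive a resize. */
typedef struct {
    char *buffer;
    int   bufferSize;
    int   keep;
} parser_t;

/* Size that fits keep+len bytes, or -1 when the arithmetic would wrap.
   An unchecked keep+len or an unchecked doubling loop is the class of
   integer overflow that produces a too-small buffer and a later overflow. */
int safe_needed_size(int bufferSize, int keep, int len)
{
    if (len < 0 || keep < 0)
        return -1;
    if (len > INT_MAX - keep)          /* keep + len would exceed INT_MAX */
        return -1;
    int neededSize = keep + len;
    if (neededSize <= bufferSize)
        return bufferSize;             /* current buffer already fits */
    int newSize = bufferSize > 0 ? bufferSize : 1024;   /* assumed initial size */
    while (newSize < neededSize) {
        if (newSize > INT_MAX / 2)     /* next doubling would wrap */
            return -1;
        newSize *= 2;
    }
    return newSize;
}

/* Returns a pointer where the caller may write up to 'len' bytes,
   or NULL if the request cannot be satisfied safely. */
char *get_buffer(parser_t *p, int len)
{
    int newSize = safe_needed_size(p->bufferSize, p->keep, len);
    if (newSize < 0)
        return NULL;                   /* refuse rather than wrap */
    if (newSize != p->bufferSize) {
        char *nb = malloc((size_t)newSize);
        if (nb == NULL)
            return NULL;
        if (p->keep > 0)
            memcpy(nb, p->buffer, (size_t)p->keep);   /* retain unparsed bytes */
        free(p->buffer);
        p->buffer = nb;
        p->bufferSize = newSize;
    }
    return p->buffer + p->keep;
}
```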

Comment 1 errata-xmlrpc 2015-05-12 18:50:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 5

Via RHSA-2015:0988 https://rhn.redhat.com/errata/RHSA-2015-0988.html

Comment 3 errata-xmlrpc 2015-05-18 09:04:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:1012 https://rhn.redhat.com/errata/RHSA-2015-1012.html

Comment 4 Huzaifa S. Sidhpurwala 2015-06-17 05:14:28 UTC
Created expat tracking bugs for this issue:

Affects: fedora-all [bug 1232574]

Comment 5 Huzaifa S. Sidhpurwala 2015-06-17 05:15:50 UTC
The following patch was applied by Mozilla to fix this issue:

https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c

Comment 6 Huzaifa S. Sidhpurwala 2015-06-17 05:18:03 UTC
Statement:

This issue affects the version of the expat package as shipped with Red Hat Enterprise Linux 5, 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact; a future update may address this flaw.

Red Hat Enterprise Linux 5 is now in the Extended Life Cycle phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates.

Comment 17 errata-xmlrpc 2020-03-31 19:10:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1011 https://access.redhat.com/errata/RHSA-2020:1011

Comment 18 Product Security DevOps Team 2020-03-31 22:31:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-2716

Comment 21 errata-xmlrpc 2020-06-10 17:44:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:2508 https://access.redhat.com/errata/RHSA-2020:2508