Bug 1319829 (CVE-2016-3627)

Summary: CVE-2016-3627 libxml2: stack exhaustion while parsing xml files in recovery mode
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: athmanem, carnil, cbuissar, c.david86, csutherl, dknox, erik-fedora, fedora-mingw, gzaronik, jclere, ktietz, lgao, mbabacek, mturk, myarboro, ohudlick, rjones, sardella, slawomir, twalsh, veillard, weli
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
Missing recursive loop detection checks were found in the xmlParserEntityCheck() and xmlStringGetNodeList() functions of libxml2, causing applications using the library to crash by stack exhaustion while building the associated data. An attacker able to send XML data to be parsed in recovery mode could cause a denial of service in the application.
Last Closed: 2019-06-08 02:50:01 UTC
Bug Depends On: 1319830, 1319831, 1319832, 1340367, 1340369, 1340370, 1340371    
Bug Blocks: 1332827, 1395463    

Description Andrej Nemec 2016-03-21 15:47:44 UTC
A vulnerability was found in the way libxml2 parses certain files. With libxml2 in recovery mode, a maliciously crafted file could cause libxml2 to crash.

References:

http://seclists.org/oss-sec/2016/q1/682

CVE assignment:

http://seclists.org/oss-sec/2016/q1/683

Comment 1 Andrej Nemec 2016-03-21 15:48:20 UTC
Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1319830]

Comment 2 Andrej Nemec 2016-03-21 15:48:26 UTC
Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1319831]
Affects: epel-7 [bug 1319832]

Comment 6 Daniel Veillard 2016-06-06 14:32:54 UTC
*** Bug 1332820 has been marked as a duplicate of this bug. ***

Comment 7 errata-xmlrpc 2016-06-23 10:32:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:1292 https://access.redhat.com/errata/RHSA-2016:1292

Comment 8 errata-xmlrpc 2016-12-15 22:16:49 UTC
This issue has been addressed in the following products:



Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html