Bug 1358641 (CVE-2016-5131)

Summary: CVE-2016-5131 libxml2: Use after free triggered by XPointer paths beginning with range-to
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: bcook, csutherl, dafox7777777, dmoppert, gzaronik, jclere, jupittma, mbabacek, mturk, ohudlick, rbean, rh-spice-bugs, sardella, tpopela, twalsh, veillard
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Chrome 52.0.2743.82, libxml2 2.9.5
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-26 05:01:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1358710, 1358711, 1361439, 1364322, 1364323, 1525811, 1695415, 1714050
Bug Blocks: 1358650, 1384433

Description Adam Mariš 2016-07-21 08:03:06 UTC
A use-after-free flaw was found in the libxml component of the Chromium browser.

Upstream bug(s):

https://code.google.com/p/chromium/issues/detail?id=623378

External References:

https://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html

Comment 2 errata-xmlrpc 2016-07-26 05:19:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2016:1485 https://rhn.redhat.com/errata/RHSA-2016-1485.html

Comment 3 Huzaifa S. Sidhpurwala 2016-07-29 05:43:16 UTC
Detailed analysis and explanation available in the upstream bug (currently closed) at:

https://bugzilla.gnome.org/show_bug.cgi?id=768428

Chromium used the following patch to fix this issue (not upstream yet):

https://codereview.chromium.org/2127493002

Comment 4 Huzaifa S. Sidhpurwala 2016-07-29 05:43:54 UTC
Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1361439]

Comment 5 Huzaifa S. Sidhpurwala 2016-08-05 05:31:43 UTC
Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1364322]
Affects: epel-7 [bug 1364323]

Comment 6 dafox7777777 2016-11-02 15:09:20 UTC
This issue seems to be in libxml, not just chromium. Is libxml planned to be updated?

Comment 7 Doran Moppert 2017-03-23 06:09:28 UTC
Upstream patch (libxml2):

https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e

Comment 12 Doran Moppert 2019-05-20 02:03:45 UTC
Statement:

This flaw in libxml2 requires exposing the library to XPath/XPointer expressions from an untrusted source, which is not common in practice for applications using libxml2.  For libxml2, Red Hat Product Security has rated this vulnerability as Moderate severity.

Comment 18 errata-xmlrpc 2020-03-31 19:33:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1190 https://access.redhat.com/errata/RHSA-2020:1190