Bug 1384424 (CVE-2016-4658)

Summary: CVE-2016-4658 libxml2: Use after free via namespace node in XPointer ranges
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: athmanem, c.david86, dmoppert, erik-fedora, fedora-mingw, jimhart, ktietz, mm00341408, ohudlick, rh-spice-bugs, rjones, sardella, slawomir, veillard
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libxml2 2.9.5 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-26 05:00:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1384430, 1384427, 1384429, 1548946, 1695386    
Bug Blocks: 1384433    

Description Adam Mariš 2016-10-13 09:21:10 UTC
Possible use after free vulnerability via namespace nodes in XPointer ranges was found.

Upstream patch:

https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b

Comment 1 Adam Mariš 2016-10-13 09:24:00 UTC
Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1384427]

Comment 2 Adam Mariš 2016-10-13 09:24:09 UTC
Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1384429]
Affects: epel-7 [bug 1384430]

Comment 5 Maumita Mandal 2017-03-24 11:43:09 UTC
(In reply to Adam Mariš from comment #0)
> Possible use after free vulnerability via namespace nodes in XPointer ranges
> was found.
> 
> Upstream patch:
> 
> https://git.gnome.org/browse/libxml2/commit/
> ?id=c1d1f7121194036608bf555f08d3062a36fd344b

Hello Adam,

We have been monitoring the URL ftp://xmlsoft.org/libxml2/ for the latest release of the official patch of libxml2 containing the patches for the bugs associated with the CVE-2016-4658, CVE-2016-9318 and CVE-2016-9597, but have observed that no binary files have been released yet.

From the URL http://rpmfind.net/linux/RPM/opensuse/updates/leap/42.2/oss/src/libxml2-2.9.4-3.1.src.html we found that a RPM file has been released, but as our requirement is a binary version we can't go for the RPM version.

Could you kindly confirm the ETA for the release of the official libxml2 2.9.4-3.1 binary package containing all the above mentioned patches?

Kind regards,
Maumita Mandal

Comment 6 Jim Hart 2017-08-09 20:31:50 UTC
Is this still being considered for a fix?  Please let me know.