Bug 1408302 (CVE-2016-9596)

Summary: CVE-2016-9596 libxml2: stack exhaustion while parsing xml files in recovery mode (unfixed CVE-2016-3627 in JBCS)
Product: [Other] Security Response
Reporter: Bharti Kundal <bkundal>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: brian, carnil, chazlett, csutherl, dmoppert, gzaronik, jclere, mbabacek, meissner, mturk, sardella, twalsh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20160321,reported=20160321,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cwe=CWE-674,jbcs-1/httpd=affected,rhel-5/libxml2=notaffected,rhel-6/libxml2=notaffected,rhel-7/libxml2=notaffected,fedora-all/libxml2=notaffected,fedora-all/mingw-libxml2=notaffected,epel-7/mingw-libxml2=notaffected
Last Closed: 2018-09-05 05:35:57 UTC
Bug Blocks: 1426171    

Description Bharti Kundal 2016-12-22 20:24:59 UTC
It was found that Red Hat JBoss Core Services incorrectly fixed CVE-2016-3627 in Apache HTTP 2.4.23 (erratum RHSA-2016:2957), leaving libxml2 vulnerable to a Denial of Service attack via stack consumption.

Comment 2 Salvatore Bonaccorso 2016-12-22 20:45:27 UTC
Are there any details available for this? Upstream bug, commit reference?

Comment 4 Tomas Hoger 2017-01-02 10:21:14 UTC
(In reply to Salvatore Bonaccorso from comment #2)
> Are there any details available for this? Upstream bug, commit reference?

This and the other two should be for Red Hat specific security regressions, effectively duplicates of other public CVEs. I'm going to ask Bharti to fix these bugs up properly.

Comment 7 Marcus Meissner 2017-02-20 10:14:34 UTC
dup of CVE-2016-3627 I would say

Comment 8 Tomas Hoger 2017-02-23 17:23:11 UTC
This CVE id is for the same issue as CVE-2016-3627 (bug 1319829).  This additional CVE was assigned because the original issue was listed as fixed in RHSA-2016:2957 for the Red Hat JBoss Core Services:


However, that erratum actually failed to include the fix for the issue.

Therefore, this new CVE is specific to the Red Hat JBoss Core Services product and is better described as: missing/incorrect fix for CVE-2016-3627 in the Red Hat JBoss Core Services.

Comment 10 Timothy Walsh 2018-09-05 04:14:58 UTC
JBCS 2.4.29 RHSA-2018:2486 includes rebased libxml2 to 2.9.7 which addresses this CVE and CVE-2016-9597.