Bug 1408305 (CVE-2016-9597)

Summary: CVE-2016-9597 libxml2: stack overflow before detecting invalid XML file (unfixed CVE-2016-3705 in JBCS)
Product: [Other] Security Response Reporter: Bharti Kundal <bkundal>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amaris, carnil, chazlett, csutherl, gmollett, gzaronik, jclere, mbabacek, mbliss, mturk, sardella, security-response-team, tanaya_patil, twalsh, vpakolu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-09-05 05:46:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1426171    

Description Bharti Kundal 2016-12-22 20:34:19 UTC 
It was found that Red Hat JBoss Core Services incorrectly included CVE-2016-3705 as resolved in Apache HTTP 2.4.23 (erratum RHSA-2016:2957). The release did not include the fix to libxml2, leaving it vulnerable to a Denial of Service attack due to a Stack Overflow. This is a regression CVE for CVE-2016-3705.
Comment 2 Salvatore Bonaccorso 2016-12-22 20:45:02 UTC 
 Are there any details available for this? Upsteam bug, commit reference?
Comment 3 Adam Mariš 2017-01-03 11:03:12 UTC 
(In reply to Salvatore Bonaccorso from comment #2)
>  Are there any details available for this? Upsteam bug, commit reference?

Referring to https://bugzilla.redhat.com/show_bug.cgi?id=1408302#c4
Comment 4 Salvatore Bonaccorso 2017-01-12 06:19:10 UTC 
Hi Adam

Thanks for the information here and in the related bugs. I guess there is though some confusion around the CVEs. E.g. then SuSE is tracking that CVE for https://bugzilla.novell.com/show_bug.cgi?id=1017497 .

Regards,
Salvatore
Comment 5 Adam Mariš 2017-01-16 14:55:58 UTC 
> Thanks for the information here and in the related bugs. I guess there is
> though some confusion around the CVEs. E.g. then SuSE is tracking that CVE
> for https://bugzilla.novell.com/show_bug.cgi?id=1017497 .

Thank you for notifying us about that, Salvatore. I put the comment in Suse bugzilla:

https://bugzilla.novell.com/show_bug.cgi?id=1017497#c18
Comment 7 Tomas Hoger 2017-02-23 17:25:35 UTC 
This CVE id is for the same issue as CVE-2016-3705 (bug 1332443).  This additional CVE was assigned because the original issue was listed as fixed in RHSA-2016:2957 for the Red Hat JBoss Core Services:

https://rhn.redhat.com/errata/RHSA-2016-2957.html

However, that erratum actually failed to include the fix for the issue.

Therefore, this new CVE is specific to the Red Hat JBoss Core Services product and is better described as: missing/incorrect fix for CVE-2016-3705 in the Red Hat JBoss Core Services.
Comment 17 Tanaya Patil 2018-08-30 09:47:55 UTC 
Hi,

Waiting for a fix on this CVE. As the bug status is still 'NEW', would like to know if we getting the complete fix for this CVE. If yes please share when.

Thanks,
Tanaya
Comment 19 Timothy Walsh 2018-09-05 04:16:09 UTC 
JBCS 2.4.29 RHSA-2018:2486 includes rebased libxml2 to 2.9.7 which addresses this CVE and CVE-2016-9596.
Comment 20 Tanaya Patil 2018-11-26 10:29:21 UTC 
Can anyone please specify the version in which this issue is fixed or mention it in the "target milestone" field?
Comment 21 Adam Mariš 2018-11-26 14:58:29 UTC 
(In reply to Tanaya Patil from comment #20)
> Can anyone please specify the version in which this issue is fixed or
> mention it in the "target milestone" field?

It seems the previous comment already answers your question, doesn't it?