Bug 1452554 (CVE-2017-9047)

Summary: CVE-2017-9047 libxml2: Buffer overflow in function xmlSnprintfElementContent
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: athmanem, c.david86, csutherl, dmoppert, erik-fedora, fedora-mingw, gzaronik, jclere, ktietz, lgao, mbabacek, mturk, myarboro, ohudlick, rh-spice-bugs, rjones, sardella, slawomir, twalsh, veillard, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: libxml2 2.9.5
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-26 05:10:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1452550, 1452551, 1548944, 1695415
Bug Blocks: 1452558

Description Andrej Nemec 2017-05-19 08:00:09 UTC
A buffer overflow was discovered in libxml2. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2 to crash.

References:

http://seclists.org/oss-sec/2017/q2/258
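The stale-length pattern the report describes, as an added example that is neither libxml2's code nor the reporter's: a model of the defective check ordering (evaluated arithmetically, so nothing is overrun) beside a hardened append that re-measures the buffer after the prefix. The ':' separator, the exact margin libxml2 checks and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not libxml2's own code. The ':' separator and the
 * margin used in the fit checks are assumptions for illustration. */

/* Models the defect: the fit check for name reuses the length measured
 * before the prefix was appended. Returns 1 if that sequence would place
 * the terminator at or beyond index size (an overflow). prefix is non-NULL. */
int stale_len_overflows(size_t size, size_t len, const char *prefix, const char *name)
{
    size_t plen = strlen(prefix), nlen = strlen(name);
    if (len + plen + 1 >= size)     /* prefix does not fit: nothing written */
        return 0;
    /* prefix and ':' are appended, so the real length is len + plen + 1,
     * but the check for name still uses the stale len */
    if (len + nlen >= size)         /* stale check says "does not fit" */
        return 0;
    return len + plen + 1 + nlen >= size;   /* passed, yet overruns size */
}

/* Hardened variant: refresh len after every append and refuse with -1
 * when the next piece would not fit, so the terminator stays inside size. */
int append_element_content(char *buf, size_t size, const char *prefix, const char *name)
{
    size_t len = strlen(buf);
    if (prefix != NULL) {
        if (len + strlen(prefix) + 1 >= size)
            return -1;
        strcat(buf, prefix);
        strcat(buf, ":");
        len = strlen(buf);          /* the fix: re-measure after writing */
    }
    if (len + strlen(name) >= size)
        return -1;
    strcat(buf, name);
    return 0;
}

/* Convenience wrapper over a fresh local buffer (size at most 64):
 * returns the resulting string length on success, -1 when refused. */
int fixed_result_len(size_t size, const char *prefix, const char *name)
{
    char buf[64] = "";
    if (size > sizeof buf || append_element_content(buf, size, prefix, name) != 0)
        return -1;
    return (int)strlen(buf);
}
```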

Comment 1 Andrej Nemec 2017-05-19 08:05:10 UTC
Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1452550]

Comment 2 Andrej Nemec 2017-05-19 08:05:21 UTC
Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1452551]

Comment 4 Doran Moppert 2018-02-26 04:54:12 UTC
Statement:

This vulnerability exists in the DTD validation functionality of libxml2. Applications that do not attempt to validate untrusted documents are not impacted.

Comment 8 Doran Moppert 2019-04-03 03:04:59 UTC
Upstream patch:

https://gitlab.gnome.org/GNOME/libxml2/commit/932cc9896ab