Bug 835863 (CVE-2012-2807)
Summary: | CVE-2012-2807 libxml2 (64-bit): Multiple integer overflows, leading to DoS or possibly other unspecified impact | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | a9016009, ccoleman, c.david86, drizt72, erik-fedora, fedora-mingw, mmcgrath, mnewsome, ohudlick, paul, rjones, teger, usurse, vcizek, veillard |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-10-19 21:55:00 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 843739, 843740, 843741, 843742, 843743, 858914, 858915 | ||
Bug Blocks: | 835864 |
Description
Jan Lieskovsky
2012-06-27 10:29:19 UTC
Relevant Google Chrome patch: [3] http://git.chromium.org/gitweb/?p=chromium/src.git;a=commitdiff;h=f183580d61c054f7f6bb35cfe29e1b342390fbeb Okay, i finally pushed a patch upstream that I think should backport rather easily http://git.gnome.org/browse/libxml2/commit/?id=459eeb9dc752d5185f57ff6b135027f11981a626 that one http://git.gnome.org/browse/libxml2/commit/?id=4f9fdc709c4861c390cd84e2ed1fd878b3442e28 should also be applied in the errata to avoid similar problem elsewhere. Somehow that's not a complete fix but that's the most immediate and simple way to stop the given problem. I'm still working on a (rather large and intrusive) set of patches for upstream but I would not suggest to push that in RHEL. For fedora I may be tempted to rebase once a new libxml2 version is out Daniel The above patches, described in comment #4 seems to solve the problem here. libxml2 no longer crashes with them. For Red Hat Enterprise Linux use case, we may however require few more patches from upstream. Created libxml2 tracking bugs for this issue Affects: fedora-all [bug 843743] This has been reported over 2 months ago with a possible fix coming in a little over a month. Is there any plan of action to fix libxml2 vulnerabilities? Primarily this is a bump to put in back on someones to do list. Thank you This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2012:1288 https://rhn.redhat.com/errata/RHSA-2012-1288.html Created mingw32-libxml2 tracking bugs for this issue Affects: epel-5 [bug 858914] Affects: fedora-all [bug 858915] This flaw affects x86_64 version of libxml2 only, however mingw32-libxml2 is only shipped as x86 (32-bit) and therefore it is not affected. Statement: This issue affected the version of libxml2 as shipped with Red Hat Enterprise Linux 5 and 6 has been addressed via RHSA-2012:1288. This issue does not affect the version of mingw32-libxml2 as shipped with Red Hat Enterprise Linux 6. |