Bug 953722 (CVE-2013-1969)

Summary: CVE-2013-1969 libxml2: multiple use-after-free flaws
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: c.david86, ohudlick, veillard
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: libxml2 2.9.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-24 12:01:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 953723

Description Vincent Danen 2013-04-19 03:36:40 UTC
Multiple use-after-free flaws were reported [1] in libxml2 2.9.0, which could be used to cause a denial of service or, possibly, the execution of arbitrary code with the privileges of the user running an application linked to libxml2.

1) A use-after-free error in the "htmlParseChunk()" function can be exploited to dereference already freed memory.

2) Two use-after-free errors in the "xmldecl_done()" function can be exploited to dereference already freed memory.

These issues have been fixed in git [2].  Based on the bug report, the implication is that these flaws were introduced in version 2.9.0 (this has not yet been verified though).


[1] https://bugzilla.gnome.org/show_bug.cgi?id=690202
[2] https://git.gnome.org/browse/libxml2/commit/?id=de0cc20c29cb3f056062925395e0f68d2250a46f

Comment 2 Stefan Cornelius 2013-04-30 13:56:42 UTC
Statement:

This issue does not affect the version of libxml2 as shipped with Red Hat Enterprise Linux 5 and 6. This issue does not affect the version of mingw32-libxml2 as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 3 Stefan Cornelius 2013-07-24 12:01:10 UTC
These issues were introduced in version 2.9.0 and subsequently fixed in version 2.9.1.