Red Hat Bugzilla – Bug 1213957
CVE-2015-8710 libxml2: out-of-bounds memory access when parsing an unclosed HTML comment
Last modified: 2017-03-08 02:37:21 EST
Following issue was reported in libxml2 (http://seclists.org/oss-sec/2015/q2/214): """ This is an out-of-bounds memory access in libxml2. By entering a unclosed html comment such as <!-- the libxml2 parser didn't stop parsing at the end of the buffer, causing random memory to be included in the parsed comment that was returned to ruby. In Shopify, this caused ruby objects from previous http requests to be disclosed in the rendered page. Link to the issue in libxml2's bugtracker: https://bugzilla.gnome.org/show_bug.cgi?id=746048 A patched version of nokogiri (which uses a embedded libxml2) is available here: https://github.com/Shopify/nokogiri/compare/1b1fcad8bd64ab70256666c38d2c998e86ade8c0...master This bug is still not patched upstream, but both libxml2 and nokogiri developers are aware of the issue. """ No upstream patches exist at the time of creating this Bugzilla.
Created libxml2 tracking bugs for this issue: Affects: fedora-all [bug 1213958]
Created mingw-libxml2 tracking bugs for this issue: Affects: fedora-all [bug 1213959] Affects: epel-all [bug 1213960]
Upstream patch: https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846605aa1bac54c
*** Bug 1262849 has been marked as a duplicate of this bug. ***
The upstream patch for this is https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846605aa1bac54c Daniel
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:2549 https://rhn.redhat.com/errata/RHSA-2015-2549.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2550 https://rhn.redhat.com/errata/RHSA-2015-2550.html
CVE assignment: http://seclists.org/oss-sec/2015/q4/616
This issue has been addressed in the following products: Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html