A vulnerability was found in libxml2. Parsing a maliciously crafted XML file could cause the application to crash if recover mode is used.
References: http://seclists.org/oss-sec/2016/q2/195
Created libxml2 tracking bugs for this issue: Affects: fedora-all [bug 1332823]
Created mingw-libxml2 tracking bugs for this issue: Affects: fedora-all [bug 1332824] Affects: epel-7 [bug 1332825]
This issue has been addressed in the following products: Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html
CVE-2016-4483 is NOT a duplicate of CVE-2016-3627! This issue has NOT been fixed for at least RHEL6 (CVE-2016-3627 has been). This issue was fixed upstream with commit c97750d11bb8b6f3303e7131fe526a61ac65bcfd https://git.gnome.org/browse/libxml2/commit/?h=CVE-2016-4483&id=c97750d11bb8b6f3303e7131fe526a61ac65bcfd
Created attachment 1265117: Fix for CVE-2016-4483, upstream commit c97750d11bb8b6f3303e7131fe526a61ac65bcfd
Upstream commit that fixes CVE-2016-4483.
CVE-2016-4483 has also NOT been fixed for RHEL7. Patch applies cleanly.
(In reply to Leonard den Ottolander from comment #9)
> CVE-2016-4483 is NOT a duplicate of CVE-2016-3627!
>
> This issue has NOT been fixed for at least RHEL6 (CVE-2016-3627 has been).
>
> This issue was fixed upstream with commit
> c97750d11bb8b6f3303e7131fe526a61ac65bcfd
>
> https://git.gnome.org/browse/libxml2/commit/?h=CVE-2016-4483&id=c97750d11bb8b6f3303e7131fe526a61ac65bcfd

Thanks for the update:
CVE-2016-3627 was fixed via: https://git.gnome.org/browse/libxml2/commit/?id=bdd66182ef53fe1f7209ab6535fda56366bd7ac9
CVE-2016-4483 was fixed via: https://git.gnome.org/browse/libxml2/commit/?id=c97750d11bb8b6f3303e7131fe526a61ac65bcfd
Statement: When a specially-crafted XML file is parsed via an application compiled against libxml2, this can cause the application to crash. (No code execution)
Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=766414