1358641 – (CVE-2016-5131) CVE-2016-5131 libxml2: Use after free triggered by XPointer paths beginning with range-to

Bug 1358641 (CVE-2016-5131) - CVE-2016-5131 libxml2: Use after free triggered by XPointer paths beginning with range-to

Summary: CVE-2016-5131 libxml2: Use after free triggered by XPointer paths beginning w...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2016-5131
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1358710 1358711 1361439 1364322 1364323 1525811 1695415 1714050
Blocks:	1358650 1384433
TreeView+	depends on / blocked

Reported:	2016-07-21 08:03 UTC by Adam Mariš
Modified:	2023-09-26 13:23 UTC (History)
CC List:	16 users (show)
Fixed In Version:	Chrome 52.0.2743.82, libxml2 2.9.5
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-02-26 05:01:14 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:1485	0	normal	SHIPPED_LIVE	Important: chromium-browser security update	2016-07-26 09:18:37 UTC
Red Hat Product Errata	RHSA-2020:1190	0	None	None	None	2020-03-31 19:33:25 UTC

Description Adam Mariš 2016-07-21 08:03:06 UTC

An use-after-free flaw was found in the libxml component of the Chromium browser.

Upstream bug(s):

https://code.google.com/p/chromium/issues/detail?id=623378

External References:

https://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html

Comment 2 errata-xmlrpc 2016-07-26 05:19:37 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2016:1485 https://rhn.redhat.com/errata/RHSA-2016-1485.html

Comment 3 Huzaifa S. Sidhpurwala 2016-07-29 05:43:16 UTC

Detailed analysis and explanation available in the upstream bug (currently closed) at:

https://bugzilla.gnome.org/show_bug.cgi?id=768428


Chromium used the following patch to fix this issue (not upstream yet):

https://codereview.chromium.org/2127493002

Comment 4 Huzaifa S. Sidhpurwala 2016-07-29 05:43:54 UTC

Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1361439]

Comment 5 Huzaifa S. Sidhpurwala 2016-08-05 05:31:43 UTC

Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1364322]
Affects: epel-7 [bug 1364323]

Comment 6 dafox7777777 2016-11-02 15:09:20 UTC

This issue seems to be in libxml, not just chromium. Is libxml planned to be updated?

Comment 7 Doran Moppert 2017-03-23 06:09:28 UTC

Upstream patch (libxml2):

https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e

Comment 12 Doran Moppert 2019-05-20 02:03:45 UTC

Statement:

This flaw in libxml2 requires exposing the library to XPath/XPointer expressions from an untrusted source, which is not common in practice for applications using libxml2.  For libxml2, Red Hat Product Security has rated this vulnerability as Moderate severity.

Comment 18 errata-xmlrpc 2020-03-31 19:33:23 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1190 https://access.redhat.com/errata/RHSA-2020:1190

Note You need to log in before you can comment on or make changes to this bug.