Bug 1408305 (CVE-2016-9597) - CVE-2016-9597 libxml2: stack overflow before detecting invalid XML file (unfixed CVE-2016-3705 in JBCS)
Summary: CVE-2016-9597 libxml2: stack overflow before detecting invalid XML file (unfi...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-9597
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1426171
TreeView+ depends on / blocked
 
Reported: 2016-12-22 20:34 UTC by Bharti Kundal
Modified: 2021-12-10 14:51 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-09-05 05:46:01 UTC
Embargoed:

Attachments (Terms of Use)

Description Bharti Kundal 2016-12-22 20:34:19 UTC 
It was found that Red Hat JBoss Core Services incorrectly included CVE-2016-3705 as resolved in Apache HTTP 2.4.23 (erratum RHSA-2016:2957). The release did not include the fix to libxml2, leaving it vulnerable to a Denial of Service attack due to a Stack Overflow. This is a regression CVE for CVE-2016-3705.
Comment 2 Salvatore Bonaccorso 2016-12-22 20:45:02 UTC 
 Are there any details available for this? Upsteam bug, commit reference?
Comment 3 Adam Mariš 2017-01-03 11:03:12 UTC 
(In reply to Salvatore Bonaccorso from comment #2)
>  Are there any details available for this? Upsteam bug, commit reference?

Referring to https://bugzilla.redhat.com/show_bug.cgi?id=1408302#c4
Comment 4 Salvatore Bonaccorso 2017-01-12 06:19:10 UTC 
Hi Adam

Thanks for the information here and in the related bugs. I guess there is though some confusion around the CVEs. E.g. then SuSE is tracking that CVE for https://bugzilla.novell.com/show_bug.cgi?id=1017497 .

Regards,
Salvatore
Comment 5 Adam Mariš 2017-01-16 14:55:58 UTC 
> Thanks for the information here and in the related bugs. I guess there is
> though some confusion around the CVEs. E.g. then SuSE is tracking that CVE
> for https://bugzilla.novell.com/show_bug.cgi?id=1017497 .

Thank you for notifying us about that, Salvatore. I put the comment in Suse bugzilla:

https://bugzilla.novell.com/show_bug.cgi?id=1017497#c18
Comment 7 Tomas Hoger 2017-02-23 17:25:35 UTC 
This CVE id is for the same issue as CVE-2016-3705 (bug 1332443).  This additional CVE was assigned because the original issue was listed as fixed in RHSA-2016:2957 for the Red Hat JBoss Core Services:

https://rhn.redhat.com/errata/RHSA-2016-2957.html

However, that erratum actually failed to include the fix for the issue.

Therefore, this new CVE is specific to the Red Hat JBoss Core Services product and is better described as: missing/incorrect fix for CVE-2016-3705 in the Red Hat JBoss Core Services.
Comment 17 Tanaya Patil 2018-08-30 09:47:55 UTC 
Hi,

Waiting for a fix on this CVE. As the bug status is still 'NEW', would like to know if we getting the complete fix for this CVE. If yes please share when.

Thanks,
Tanaya
Comment 19 Timothy Walsh 2018-09-05 04:16:09 UTC 
JBCS 2.4.29 RHSA-2018:2486 includes rebased libxml2 to 2.9.7 which addresses this CVE and CVE-2016-9596.
Comment 20 Tanaya Patil 2018-11-26 10:29:21 UTC 
Can anyone please specify the version in which this issue is fixed or mention it in the "target milestone" field?
Comment 21 Adam Mariš 2018-11-26 14:58:29 UTC 
(In reply to Tanaya Patil from comment #20)
> Can anyone please specify the version in which this issue is fixed or
> mention it in the "target milestone" field?

It seems the previous comment already answers your question, doesn't it?
Note You need to log in before you can comment on or make changes to this bug.