Red Hat Bugzilla – Bug 835863
CVE-2012-2807 libxml2 (64-bit): Multiple integer overflows, leading to DoS or possibly other unspecified impact
Last modified: 2016-03-04 05:50:18 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-2807 to the following vulnerability:
Multiple integer overflows in libxml2, as used in Google Chrome before 20.0.1132.43, on 64-bit Linux platforms allow remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
Relevant Google Chrome patch:
Okay, i finally pushed a patch upstream that I think should backport
should also be applied in the errata to avoid similar problem elsewhere.
Somehow that's not a complete fix but that's the most immediate and
simple way to stop the given problem. I'm still working on a (rather
large and intrusive) set of patches for upstream but I would not suggest
to push that in RHEL. For fedora I may be tempted to rebase once a new
libxml2 version is out
The above patches, described in comment #4 seems to solve the problem here. libxml2 no longer crashes with them.
For Red Hat Enterprise Linux use case, we may however require few more patches from upstream.
Created libxml2 tracking bugs for this issue
Affects: fedora-all [bug 843743]
This has been reported over 2 months ago with a possible fix coming in a little over a month. Is there any plan of action to fix libxml2 vulnerabilities?
Primarily this is a bump to put in back on someones to do list.
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2012:1288 https://rhn.redhat.com/errata/RHSA-2012-1288.html
Created mingw32-libxml2 tracking bugs for this issue
Affects: epel-5 [bug 858914]
Affects: fedora-all [bug 858915]
This flaw affects x86_64 version of libxml2 only, however mingw32-libxml2 is only shipped as x86 (32-bit) and therefore it is not affected.
This issue affected the version of libxml2 as shipped with Red Hat Enterprise Linux 5 and 6 has been addressed via RHSA-2012:1288. This issue does not affect the version of mingw32-libxml2 as shipped with Red Hat Enterprise Linux 6.