1211278 – (CVE-2015-1819) CVE-2015-1819 libxml2: denial of service processing a crafted XML document

Bug 1211278 (CVE-2015-1819) - CVE-2015-1819 libxml2: denial of service processing a crafted XML document

Summary: CVE-2015-1819 libxml2: denial of service processing a crafted XML document

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-1819
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1214163 1286496 1286497
Blocks:	1193283 1211280
TreeView+	depends on / blocked

Reported:	2015-04-13 13:46 UTC by Vasyl Kaigorodov
Modified:	2021-02-17 05:26 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A denial of service flaw was found in the way the libxml2 library parsed certain XML files. An attacker could provide a specially crafted XML file that, when parsed by an application using libxml2, could cause that application to use an excessive amount of memory.
Clone Of:
Environment:
Last Closed:	2019-06-08 02:40:50 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1419	0	normal	SHIPPED_LIVE	Low: libxml2 security and bug fix update	2015-07-20 18:06:35 UTC
Red Hat Product Errata	RHSA-2015:2550	0	normal	SHIPPED_LIVE	Moderate: libxml2 security update	2015-12-07 16:59:33 UTC

Description Vasyl Kaigorodov 2015-04-13 13:46:10 UTC

Florian Weimer from Red Hat reported an issue against libxml2, where a parser which uses libxml2 chokes on a crafted XML document, allocating gigabytes of data.
This is a fine line between API misuse and an libxml2 bug.
Daniel Veillard have a fix for this issue already.

Comment 3 Daniel Veillard 2015-04-14 10:07:59 UTC

Patch updstream

https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9

Daniel

Comment 4 Maumita Mandal 2015-04-21 14:22:19 UTC

(In reply to Daniel Veillard from comment #3)
> Patch updstream
> 
> https://git.gnome.org/browse/libxml2/commit/
> ?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9
> 
> Daniel


Could you please let me know the version in which the bug has been fixed and provide the URL for downloading the same ?

Comment 6 Huzaifa S. Sidhpurwala 2015-04-22 06:40:04 UTC

Acknowledgements:

Name: Florian Weimer (Red Hat Product Security)

Comment 7 Huzaifa S. Sidhpurwala 2015-04-22 06:45:20 UTC

Statement:

Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw in libxml2.

Comment 8 Florian Weimer 2015-04-22 06:53:32 UTC

I don't think the upstream fix is quite right, as explained here:

  <https://bugzilla.gnome.org/show_bug.cgi?id=748278>

Comment 10 Aakash 2015-05-20 10:15:29 UTC

Could you please help with the patch to fix this vulnerability.

Comment 11 Florian Weimer 2015-05-20 10:26:20 UTC

(In reply to Aakash from comment #10)
> Could you please help with the patch to fix this vulnerability.

Aakash, please open a customer support case here:

  <https://access.redhat.com/support/>.

This bug here is a public resource and thus not suitable for responding to support queries, I'm afraid.

Comment 12 errata-xmlrpc 2015-07-22 07:43:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1419 https://rhn.redhat.com/errata/RHSA-2015-1419.html

Comment 14 Fedora Update System 2015-11-26 20:56:44 UTC

libxml2-2.9.3-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2015-11-30 23:22:17 UTC

libxml2-2.9.3-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Aakash 2015-12-03 13:06:03 UTC

I am getting the following error when i am trying to start apache server with mod security 2.8.0 and updated libxml version 2.9.3:

httpd: Syntax error on line 55 of /opt/apache/conf/httpd.conf: Cannot load /opt/apache/modules/mod_security2.so into server: /opt/apache/modules/mod_security2.so: symbol xmlOutputBufferGetSize, version LIBXML2_2.9.0 not defined in file libxml2.so.2 with link time reference

Could you please help.

Comment 17 errata-xmlrpc 2015-12-07 11:59:52 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2550 https://rhn.redhat.com/errata/RHSA-2015-2550.html

Note You need to log in before you can comment on or make changes to this bug.