Bug 1281950 (CVE-2015-8242) - CVE-2015-8242 libxml2: Buffer overread with HTML parser in push mode in xmlSAX2TextNode
Summary: CVE-2015-8242 libxml2: Buffer overread with HTML parser in push mode in xmlSA...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-8242
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1281951 1281952 1281953 1284794 1286495 1286496 1286497 1323037
Blocks: 1274223 1281961 1318206
TreeView+ depends on / blocked
 
Reported: 2015-11-13 21:44 UTC by Adam Mariš
Modified: 2023-09-14 23:58 UTC (History)
22 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to leak potentially sensitive information.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:45:27 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2549 0 normal SHIPPED_LIVE Moderate: libxml2 security update 2015-12-07 15:13:44 UTC
Red Hat Product Errata RHSA-2015:2550 0 normal SHIPPED_LIVE Moderate: libxml2 security update 2015-12-07 16:59:33 UTC
Red Hat Product Errata RHSA-2016:1089 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.3 security update 2016-05-17 20:12:21 UTC

Description Adam Mariš 2015-11-13 21:44:44 UTC 
Stack-based buffer overread vulnerability with HTML parser in push mode in xmlSAX2TextNode causing segmentation fault when compiled with ASAN.

Upstream bug (containing reproducer):

https://bugzilla.gnome.org/show_bug.cgi?id=756372
Comment 1 Adam Mariš 2015-11-13 21:46:21 UTC 
Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1281951]
Comment 2 Adam Mariš 2015-11-13 21:46:30 UTC 
Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1281952]
Affects: epel-7 [bug 1281953]
Comment 3 Adam Mariš 2015-11-19 11:33:41 UTC 
Acknowledgments:

Name: the GNOME project
Upstream: Hugh Davenport
Comment 4 Adam Mariš 2015-11-19 12:57:45 UTC 
CVE assignment:

http://openwall.com/lists/oss-security/2015/11/18/23
Comment 5 Adam Mariš 2015-11-23 14:06:49 UTC 
Upstream patch:

https://git.gnome.org/browse/libxml2/commit/?id=8fb4a770075628d6441fb17a1e435100e2f3b1a2
Comment 11 errata-xmlrpc 2015-12-07 10:15:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:2549 https://rhn.redhat.com/errata/RHSA-2015-2549.html
Comment 12 errata-xmlrpc 2015-12-07 12:01:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2550 https://rhn.redhat.com/errata/RHSA-2015-2550.html
Comment 16 errata-xmlrpc 2016-05-17 16:15:04 UTC 
This issue has been addressed in the following products:



Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html
Comment 17 Red Hat Bugzilla 2023-09-14 23:58:41 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
Note You need to log in before you can comment on or make changes to this bug.