An out-of-bounds heap read in xmlParseXMLDecl happens when a file containing an unfinished XML declaration, e.g. <?xml versionencoding="ISO88598", is followed by a 0xff byte.
  Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=751631
  Upstream patch: https://git.gnome.org/browse/libxml2/commit/?id=709a952110e98621c9b78c4f26462a9d8333102e
An out-of-bounds heap read also occurs in xmlParseXMLDecl when a file contains an unterminated encoding value.
  Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=751603
  Upstream patch: https://git.gnome.org/browse/libxml2/commit/?id=9aa37588ee78a06ca1379a9d9356eab16686099c
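The bounds check that both reports above turn on, as an added example (not libxml2's code and not the upstream patches): a simplified scanner that refuses to read past the buffer when the encoding value or the declaration is left unterminated. The names `scan_encoding`, `DECL_*` and `SAMPLE_*` are hypothetical and the sample inputs are constructed.

```c
#include <stddef.h>
#include <string.h>

#define DECL_NO_ENCODING  (-1L)  /* no encoding= key inside the buffer */
#define DECL_UNTERMINATED (-2L)  /* input ended before the value or "?>" closed */

/* Constructed samples (not the reproducers from the upstream bugs). */
static const unsigned char SAMPLE_OK[]  = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
static const unsigned char SAMPLE_CUT[] = "<?xml version=\"1.0\" encoding=\"ISO-8859-8\xff";
static const unsigned char SAMPLE_END[] = "<?xml version=\"1.0\" encoding=\"ISO-8859-8\"\xff";

/* Returns the length of the encoding value found in buf[0..len), storing
 * its offset in *val_off when non-NULL, or a negative DECL_* code.
 * Every read is guarded by len; nothing relies on a trailing NUL byte. */
long scan_encoding(const unsigned char *buf, size_t len, size_t *val_off)
{
    static const char key[] = "encoding=";
    const size_t klen = sizeof(key) - 1;
    size_t i = 0, start;
    unsigned char quote;

    /* The loop bound keeps memcmp from comparing bytes beyond the buffer. */
    while (i + klen <= len && memcmp(buf + i, key, klen) != 0)
        i++;
    if (i + klen > len)
        return DECL_NO_ENCODING;
    i += klen;
    if (i >= len || (buf[i] != '"' && buf[i] != '\''))
        return DECL_UNTERMINATED;
    quote = buf[i++];
    start = i;
    /* Without `i < len` this loop runs off the heap buffer whenever the
     * closing quote is missing, which is the unterminated-value case. */
    while (i < len && buf[i] != quote)
        i++;
    if (i >= len)
        return DECL_UNTERMINATED;
    /* Simplification: "?>" must directly follow the closing quote. */
    if (len - i < 3 || buf[i + 1] != '?' || buf[i + 2] != '>')
        return DECL_UNTERMINATED;
    if (val_off != NULL)
        *val_off = start;
    return (long)(i - start);
}

int main(void)
{   /* Exit status 0: good sample parsed, both truncated samples rejected. */
    return !(scan_encoding(SAMPLE_OK, sizeof(SAMPLE_OK) - 1, NULL) == 5 &&
             scan_encoding(SAMPLE_CUT, sizeof(SAMPLE_CUT) - 1, NULL) == DECL_UNTERMINATED &&
             scan_encoding(SAMPLE_END, sizeof(SAMPLE_END) - 1, NULL) == DECL_UNTERMINATED);
}
```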
Created libxml2 tracking bugs for this issue:
  Affects: fedora-all [bug 1281931]
Created mingw-libxml2 tracking bugs for this issue:
  Affects: fedora-all [bug 1281932]
  Affects: epel-7 [bug 1281933]
Acknowledgments:
  Name: the GNOME project
  Upstream: Hanno Boeck
CVE assignment: http://seclists.org/oss-sec/2015/q4/354
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 6
  Via RHSA-2015:2549 https://rhn.redhat.com/errata/RHSA-2015-2549.html
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
  Via RHSA-2015:2550 https://rhn.redhat.com/errata/RHSA-2015-2550.html
This issue has been addressed in the following products:
  Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html