Bug 1213957 (CVE-2015-8710) - CVE-2015-8710 libxml2: out-of-bounds memory access when parsing an unclosed HTML comment
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-8710
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 1262849
Depends On: 1213958 1213959 1213960 1284794 1286495 1286496 1286497 1323038
Blocks: 1214246 1262850 1274223 1276694 1318206
Reported: 2015-04-21 15:46 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:31 UTC (History)
CC List: 24 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that libxml2 could access out-of-bounds memory when parsing unclosed HTML comments. A remote attacker could provide a specially crafted XML file that, when processed by an application linked against libxml2, could cause the application to disclose heap memory contents.
Clone Of:
Environment:
Last Closed: 2015-12-08 06:19:21 UTC
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2549 0 normal SHIPPED_LIVE Moderate: libxml2 security update 2015-12-07 15:13:44 UTC
Red Hat Product Errata RHSA-2015:2550 0 normal SHIPPED_LIVE Moderate: libxml2 security update 2015-12-07 16:59:33 UTC
Red Hat Product Errata RHSA-2016:1089 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.3 security update 2016-05-17 20:12:21 UTC

Description Vasyl Kaigorodov 2015-04-21 15:46:24 UTC
The following issue was reported in libxml2 (http://seclists.org/oss-sec/2015/q2/214):

"""
This is an out-of-bounds memory access in libxml2. By entering an unclosed
HTML comment such as <!-- the libxml2 parser didn't stop parsing at the end
of the buffer, causing random memory to be included in the parsed comment
that was returned to Ruby. In Shopify, this caused Ruby objects from
previous HTTP requests to be disclosed in the rendered page.

Link to the issue in libxml2's bugtracker:
https://bugzilla.gnome.org/show_bug.cgi?id=746048

A patched version of nokogiri (which uses an embedded libxml2) is available
here:
https://github.com/Shopify/nokogiri/compare/1b1fcad8bd64ab70256666c38d2c998e86ade8c0...master

This bug is still not patched upstream, but both libxml2 and nokogiri
developers are aware of the issue.
"""

No upstream patches exist at the time of creating this Bugzilla.
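The failure mode described in the report, as an added illustration that is not code from this bug, from libxml2 or from nokogiri: a simplified comment scanner that trusts a terminator search instead of the caller's length (the shape of the pre-fix loop) is placed next to a bounded one that reports an unterminated comment. The arena, its stale "previous request" bytes and the function names are constructed for this example; the real libxml2 code is more involved.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Naive comment scanner: keeps reading until it sees "-->" or a NUL byte
 * and never consults the caller's length. If the input is not NUL-terminated,
 * it walks into whatever bytes happen to follow it in memory. */
static size_t comment_body_unbounded(const char *in, char *out, size_t outcap) {
    if (strncmp(in, "<!--", 4) != 0) return 0;
    const char *p = in + 4, *end = strstr(p, "-->");
    if (!end) return 0;                      /* stopped by a NUL, not by length */
    size_t n = (size_t)(end - p);
    if (n >= outcap) n = outcap - 1;
    memcpy(out, p, n); out[n] = '\0';
    return n;
}

/* Hardened scanner: every read is checked against len, and an unclosed comment
 * is reported as an error instead of being "completed" from adjacent memory.
 * Returns the body length, or (size_t)-1 when the comment is unterminated. */
static size_t comment_body_bounded(const char *in, size_t len, char *out, size_t outcap) {
    if (len < 4 || memcmp(in, "<!--", 4) != 0) return (size_t)-1;
    for (size_t i = 4; i + 3 <= len; i++) {
        if (memcmp(in + i, "-->", 3) == 0) {
            size_t n = i - 4;
            if (n >= outcap) n = outcap - 1;
            memcpy(out, in + 4, n); out[n] = '\0';
            return n;
        }
    }
    return (size_t)-1;  /* input ended before "-->": unterminated comment */
}

/* Constructed arena standing in for heap memory reused across requests: the
 * current request's 13-byte document is immediately followed by stale bytes
 * from an earlier request, with no NUL in between. */
static const char ARENA[] = "<!-- unclosed" "session=abc123 -->";
#define REQUEST_LEN 13

int main(void) {
    char out[64];
    comment_body_unbounded(ARENA, out, sizeof out);
    printf("unbounded parser returned: \"%s\"\n", out);   /* includes stale bytes */
    if (comment_body_bounded(ARENA, REQUEST_LEN, out, sizeof out) == (size_t)-1)
        puts("bounded parser: unterminated comment rejected");
    return 0;
}
```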

Comment 1 Vasyl Kaigorodov 2015-04-21 15:47:02 UTC
Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1213958]

Comment 2 Vasyl Kaigorodov 2015-04-21 15:47:05 UTC
Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1213959]
Affects: epel-all [bug 1213960]

Comment 6 Adam Mariš 2015-11-13 16:19:53 UTC
*** Bug 1262849 has been marked as a duplicate of this bug. ***

Comment 10 Daniel Veillard 2015-11-30 08:02:53 UTC
The upstream patch for this is 

https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846605aa1bac54c

Daniel

Comment 11 errata-xmlrpc 2015-12-07 10:13:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:2549 https://rhn.redhat.com/errata/RHSA-2015-2549.html

Comment 12 errata-xmlrpc 2015-12-07 12:00:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2550 https://rhn.redhat.com/errata/RHSA-2015-2550.html

Comment 13 Adam Mariš 2016-01-04 14:40:50 UTC
CVE assignment:

http://seclists.org/oss-sec/2015/q4/616

Comment 17 errata-xmlrpc 2016-05-17 16:13:22 UTC
This issue has been addressed in the following products:



Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html
