Date: Sat, 21 Nov 2015 10:12:53 +0100 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: Libxml2: Several out of bounds reads https://blog.fuzzing-project.org/28-Libxml2-Several-out-of-bounds-reads.html Libxml2: Several out of bounds reads I discovered several out of bounds read issues in Libxml2. The upstream developers have just released version 2.9.3, which fixes all relevant issues. A malformed XML file can cause a heap out of bounds read access in the function xmlParseXMLDecl. https://bugzilla.gnome.org/show_bug.cgi?id=751603 Upstream bug #751603 (sample input attached) https://git.gnome.org/browse/libxml2/commit/?id=9aa37588ee78a06ca1379a9d9356eab16686099c Git commit / fix A second, very similar issue in the same function xmlParseXMLDecl. https://bugzilla.gnome.org/show_bug.cgi?id=751631 Upstream bug #751631 (sample input attached) https://git.gnome.org/browse/libxml2/commit/?id=709a952110e98621c9b78c4f26462a9d8333102e Git commit / fix A malformed XML file can cause a global out of bounds read access in the function xmlNextChar. This only affected the git code and was never an issue in any release version. Upstream bug #751643 (sample input attached) All three issues above were found with american fuzzy lop and address sanitizer. Some inputs can cause a stack out of bounds read. This was found by running the test suite with Address Sanitizer (make check). The issue was re-found by fuzzing independently by Hugh Davenport: https://bugzilla.gnome.org/show_bug.cgi?id=752191 Upstream bug #752191 https://bugzilla.gnome.org/show_bug.cgi?id=756372 Upstream bug #756372 (duplicate) https://git.gnome.org/browse/libxml2/commit/?id=8fb4a770075628d6441fb17a1e435100e2f3b1a2 Git commit / fix https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8242 CVE-2015-8242 Unfortunately there is another issue affecting the test suite (also documented in upstream bug #752191) that isn't fixed yet, but the bug is in the code of the test itself, therefore it's not affecting the use of Libxml2. A large number of other issues have been fixed, many of them found with american fuzzy lop and libfuzzer. The release notes of 2.9.3 mention 10 CVEs. If you use Libxml2 please update as soon as possible. http://www.xmlsoft.org/news.html -- Hanno Böck http://hboeck.de/ mail/jabber: hanno@...eck.de GPG: BBB51E42 Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.