libxml upstream security bugs tracking bug
Issue description

1) https://bugzilla.gnome.org/show_bug.cgi?id=759020 : Heap use-after-free in xmlSAX2AttributeNs
2) https://bugzilla.gnome.org/show_bug.cgi?id=759398 : Heap use-after-free in xmlDictComputeFastKey
3) https://bugzilla.gnome.org/show_bug.cgi?id=759495 : Infinite recursion in parser.c
4) https://bugzilla.gnome.org/show_bug.cgi?id=759579 : Infinite recursion in parser.c (variant)
5) https://bugzilla.gnome.org/show_bug.cgi?id=756525 : heap-buffer-overflow in xmlParseMisc
6) https://bugzilla.gnome.org/show_bug.cgi?id=757711 : heap-buffer-overflow in xmlFAParsePosCharGroup
7) https://bugzilla.gnome.org/show_bug.cgi?id=758549 : heap-buffer-overflow in xmlParseEndTag2 (the same as https://bugs.chromium.org/p/chromium/issues/detail?id=595262)
8) https://bugzilla.gnome.org/show_bug.cgi?id=760263 : Heap use-after-free in htmlParsePubidLiteral
9) https://bugzilla.gnome.org/show_bug.cgi?id=764615 : libxml2 heap-buffer-overflow in htmlCurrentChar
10) https://bugzilla.gnome.org/show_bug.cgi?id=764616 : Unsigned addition may overflow when computing allocation size in xmlMallocAtomicLoc() in xmlmemory.c
11) https://bugzilla.gnome.org/show_bug.cgi?id=759573 : Heap-based buffer-underreads due to xmlParseName (xmlDictComputeFastKey)
Apr 13 2016

Apr 13 2016
This was fixed as part of libxml2 v2.9.3, so that fix has already been shipped:

> 5) https://bugzilla.gnome.org/show_bug.cgi?id=756525 : heap-buffer-overflow in xmlParseMisc

Possibly missing from the list:

<https://bugzilla.gnome.org/show_bug.cgi?id=758588>
<https://bugzilla.gnome.org/show_bug.cgi?id=758605>
<https://bugzilla.gnome.org/show_bug.cgi?id=758606>
<https://bugzilla.gnome.org/show_bug.cgi?id=761029>
<https://bugzilla.gnome.org/show_bug.cgi?id=761430>
<https://bugzilla.gnome.org/show_bug.cgi?id=763071>
Apr 14 2016
Could someone CC dominicc@chromium.org on the upstream bugs so I can track these?
Apr 14 2016
What's the thinking with Pri 3 yet Sec-Sev-High?
Apr 14 2016
Okay, I've CCed dominicc@chromium.org on all of the bugs mentioned here so far.
Apr 14 2016
Thanks David, updated list:

1) https://bugzilla.gnome.org/show_bug.cgi?id=759020 : Heap use-after-free in xmlSAX2AttributeNs
2) https://bugzilla.gnome.org/show_bug.cgi?id=759398 : Heap use-after-free in xmlDictComputeFastKey
3) https://bugzilla.gnome.org/show_bug.cgi?id=759495 : Infinite recursion in parser.c
4) https://bugzilla.gnome.org/show_bug.cgi?id=759579 : Infinite recursion in parser.c (variant)
FIXED: 5) https://bugzilla.gnome.org/show_bug.cgi?id=756525 : heap-buffer-overflow in xmlParseMisc
6) https://bugzilla.gnome.org/show_bug.cgi?id=757711 : heap-buffer-overflow in xmlFAParsePosCharGroup
7) https://bugzilla.gnome.org/show_bug.cgi?id=758549 : heap-buffer-overflow in xmlParseEndTag2 (the same as https://bugs.chromium.org/p/chromium/issues/detail?id=595262)
8) https://bugzilla.gnome.org/show_bug.cgi?id=760263 : Heap use-after-free in htmlParsePubidLiteral
9) https://bugzilla.gnome.org/show_bug.cgi?id=764615 : libxml2 heap-buffer-overflow in htmlCurrentChar
10) https://bugzilla.gnome.org/show_bug.cgi?id=764616 : Unsigned addition may overflow when computing allocation size in xmlMallocAtomicLoc() in xmlmemory.c
11) https://bugzilla.gnome.org/show_bug.cgi?id=759573 : Heap-based buffer-underreads due to xmlParseName (xmlDictComputeFastKey)
12) https://bugzilla.gnome.org/show_bug.cgi?id=758588 : Heap-based buffer overread in xmlParserPrintFileContextInternal
13) https://bugzilla.gnome.org/show_bug.cgi?id=758605 : Heap-based buffer overread in xmlDictAddString
14) https://bugzilla.gnome.org/show_bug.cgi?id=758606 : Heap-based buffer overread in htmlCurrentChar
15) https://bugzilla.gnome.org/show_bug.cgi?id=761029 : Fixing libxml2 format string warnings reveals possible user-controlled format string vulnerability
16) https://bugzilla.gnome.org/show_bug.cgi?id=763071 : heap-buffer-overflow in xmlStrncat
17) https://bugzilla.gnome.org/show_bug.cgi?id=761430 : xmlReadMemory causes file and network access
Apr 14 2016
Dominic, thanks for pointing this out. Looks like Pri-3 was the default value I forgot to change. However, if I'm setting the wrong severity or priority, please fix me :)
May 4 2016
Looks like some of the bugs have been fixed upstream. Can we roll out the new version, but continue to keep the issues with restricted access (and not publish information about that security update) due to coordinated disclosure?
May 4 2016
One more bug for the list:

18) https://bugzilla.gnome.org/show_bug.cgi?id=762100 : Stack exhaustion parsing xml in recover mode
May 5 2016
Sure, I can work on that. I guess I will just leave the bugs open and hence the restrictions will still apply.
May 14 2016
Can anyone tell me about these?

https://bugzilla.gnome.org/show_bug.cgi?id=758514
https://bugzilla.gnome.org/show_bug.cgi?id=759671

Chromium review to roll these in here:

https://codereview.chromium.org/1977213002
May 14 2016
> Can anyone tell me about these?
>
> https://bugzilla.gnome.org/show_bug.cgi?id=758514
> https://bugzilla.gnome.org/show_bug.cgi?id=759671

I've added you to the CC list. Bug 758514 is a NULL pointer deref. Bug 759671 is a heap-buffer-overflow read.

> Chromium review to roll theses in here:
>
> https://codereview.chromium.org/1977213002

I believe Daniel Veillard is going to push a few more security fixes upstream this weekend, so you may want to hold off until those land before fixing this bug.
Jun 17 2016
I am going to mark this bug obsolete. Most of these issues are fixed. Here are the exceptions:

* Of ongoing interest but tracked in Issue 616040
  gnome:759495
  gnome:759579
  gnome:764615
* Unverified but may be fixed
  gnome:756525
  gnome:758549
* Fixed but waiting test
  gnome:761029
Sep 23 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Apr 13 2016