Issue metadata
Sign in to add a comment
|
CrOS: Vulnerability reported in dev-libs/libxml2 |
||||||||||||||||||||
Issue descriptionAutomated analysis has detected that the following third party packages have had vulnerabilities publicly reported. NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package. Package Name: dev-libs/libxml2 Package Version: [cpe:/a:xmlsoft:libxml2:2.9.4] Advisory: CVE-2017-9047 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-9047 CVSS severity score: 5/10.0 Confidence: high Description: A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash. Advisory: CVE-2017-9048 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-9048 CVSS severity score: 5/10.0 Confidence: high Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash. Advisory: CVE-2017-9049 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-9049 CVSS severity score: 5/10.0 Confidence: high Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398 . Advisory: CVE-2017-9050 Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-9050 CVSS severity score: 5/10.0 Confidence: high Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.
,
May 30 2017
CVE-2017-9047, CVE-2017-9048: I don't think we are vulnerable, I think we do not have any callers of xmlSnprintfElementContent. CVE-2017-9049, CVE-2017-9050: I can't reproduce these. I notice they use XML_PARSE_OLD10, which we don't use. But I can't reproduce these even with xmllint actually :/
,
Jun 6 2017
Assigning severity with the assumption we're affected, but feel free to close it out if there's no work to do here.
,
Jun 6 2017
,
Jun 6 2017
,
Jun 13 2017
dominicc: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 27 2017
dominicc: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 28 2017
I am going to WontFix this because I could not reproduce it and I don't think we are calling these functions anyway.
,
Oct 4 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by kenrb@chromium.org
, May 29 2017Owner: dominicc@chromium.org
Status: Assigned (was: Untriaged)