951735 – (CVE-2015-7942) VUL-1: CVE-2015-7942: libxml2: heap-buffer-overflow in xmlParseConditionalSections

Bug 951735 (CVE-2015-7942) - VUL-1: CVE-2015-7942: libxml2: heap-buffer-overflow in xmlParseConditionalSections

Summary: VUL-1: CVE-2015-7942: libxml2: heap-buffer-overflow in xmlParseConditionalSec...

Status:	RESOLVED FIXED

Alias:	CVE-2015-7942

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Deadline:	2016-01-22
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/158142/
Whiteboard:	CVSSv2:RedHat:CVE-2015-7942:4.3:(AV:N...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2015-10-23 09:05 UTC by Andreas Stieger
Modified:	2016-01-22 09:20 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
upstream patch (455 bytes, patch) 2015-11-20 13:40 UTC, Kristyna Streitova	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Stieger 2015-10-23 09:05:27 UTC

heap-buffer-overflow found by ASAN

Reproducer (with ASAN):

echo PCFET0NUWVBFIGRvYyBbCjwhRU5USVRZICUgZSAiPCFbSU5DTFVERVs8IVtJTkNMVVRFWzxoRSBNWVNTVGNvPXBsZXguZXRkIj4KJWU7Cl0+Ojxkb210bCB4bWxucz0iaHR0cDovL193d2M+PCAuKE1vZzw8 | base64 --decode  | ASAN_OPTIONS=strip_path_prefix=`pwd`/:fast_unwind_on_malloc=0  ./xmllint -

The target function used with libFuzzer was: 
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  if (auto doc = xmlReadMemory(reinterpret_cast<const char *>(data), size,
                               "noname.xml", NULL, 0)) {
    xmlFreeDoc(doc);
  }
  return 0;
}


Reported discussion : https://bugzilla.gnome.org/show_bug.cgi?id=744980

Use CVE-2015-7942 for
https://bugzilla.gnome.org/show_bug.cgi?id=744980#c8 and
https://bugzilla.gnome.org/show_bug.cgi?id=756456#c0 (i.e., the
finding by a different person, Kostya Serebryany).


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7941
http://seclists.org/oss-sec/2015/q4/130
https://bugzilla.gnome.org/show_bug.cgi?id=756456
https://bugzilla.gnome.org/show_bug.cgi?id=744980

Comment 1 Swamp Workflow Management 2015-10-23 22:00:25 UTC

bugbot adjusting priority

Comment 2 Kristyna Streitova 2015-11-20 13:40:01 UTC

Created attachment 656788 [details]
upstream patch

Attaching upstream patch:

- part 1: https://git.gnome.org/browse/libxml2/commit/?id=bd0526e66a56e75a18da8c15c4750db8f801c52d
- part2: https://git.gnome.org/browse/libxml2/commit/?id=41ac9049a27f52e7a1f3b341f8714149fc88d450

Comment 3 SMASH SMASH 2015-11-30 12:16:15 UTC

An update workflow for this issue was started.

This issue was rated as "low".
Please submit fixed packages until "Dec. 14, 2015".

When done, reassign the bug to "security-team@suse.de".
/update/121058/.

Comment 4 Hanns-Joachim Uhl 2015-12-02 13:30:56 UTC

Hello SUSE,
... I got the following question from the field:
"
... we are using libxml2, version 2.7.x, so there is the potential that this 
CVE may apply. ...
"
... can you confirm that the CVE addressed in this bugzilla is also applicable
to the libxml2 2.7.x as included in SLES 11 SP3 ..?
Please advise ..
Thanks in advance for your support.

Comment 5 Kristyna Streitova 2015-12-04 15:07:44 UTC

(In reply to Hanns-Joachim Uhl from comment #4)
> ... can you confirm that the CVE addressed in this bugzilla is also
> applicable
> to the libxml2 2.7.x as included in SLES 11 SP3 ..?

Yes, version 2.7.x seems to be affected too.

Comment 6 Hanns-Joachim Uhl 2015-12-04 16:06:06 UTC

(In reply to Kristyna Streitova from comment #5)
> (In reply to Hanns-Joachim Uhl from comment #4)
> > ... can you confirm that the CVE addressed in this bugzilla is also
> > applicable
> > to the libxml2 2.7.x as included in SLES 11 SP3 ..?
> 
> Yes, version 2.7.x seems to be affected too.
.
Hello SUSE / Kristyna,
... thanks for confirmation ... 
... then the next question is:
do you have an outlook when the updated libxml2 will be available
for SLES 11 SP3 on the maintweb ..? 
Please advise ..
Thanks for your support.

Comment 7 Kristyna Streitova 2015-12-04 16:11:34 UTC

(In reply to Hanns-Joachim Uhl from comment #6)
> do you have an outlook when the updated libxml2 will be available
> for SLES 11 SP3 on the maintweb ..? 

It should be released at the start of the January.

Comment 11 Bernhard Wiedemann 2015-12-17 14:00:26 UTC

This is an autogenerated message for OBS integration:
This bug (951735) was mentioned in
https://build.opensuse.org/request/show/349390 13.2+13.1 / libxml2

Comment 13 Swamp Workflow Management 2015-12-27 00:13:23 UTC

openSUSE-SU-2015:2372-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 928193,951734,951735,954429,956018,956021,956260,957105,957106,957107,957109,957110
CVE References: CVE-2014-0191,CVE-2014-3660,CVE-2015-1819,CVE-2015-5312,CVE-2015-7497,CVE-2015-7498,CVE-2015-7499,CVE-2015-7500,CVE-2015-7941,CVE-2015-7942,CVE-2015-8035,CVE-2015-8241,CVE-2015-8242,CVE-2015-8317
Sources used:
openSUSE 13.2 (src):    libxml2-2.9.3-7.4.1, python-libxml2-2.9.3-7.4.1
openSUSE 13.1 (src):    libxml2-2.9.3-2.19.1, python-libxml2-2.9.3-2.19.1

Comment 14 Swamp Workflow Management 2016-01-05 14:27:14 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-01-19.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62411

Comment 15 Swamp Workflow Management 2016-01-05 19:12:00 UTC

SUSE-SU-2016:0030-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 928193,951734,951735,956018,956021,956260,957105,957106,957107,957109,957110
CVE References: CVE-2015-1819,CVE-2015-5312,CVE-2015-7497,CVE-2015-7498,CVE-2015-7499,CVE-2015-7500,CVE-2015-7941,CVE-2015-7942,CVE-2015-8241,CVE-2015-8242,CVE-2015-8317
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libxml2-2.7.6-0.34.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    libxml2-2.7.6-0.34.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    libxml2-2.7.6-0.34.1, libxml2-python-2.7.6-0.34.4
SUSE Linux Enterprise Server 11-SP4 (src):    libxml2-2.7.6-0.34.1, libxml2-python-2.7.6-0.34.4
SUSE Linux Enterprise Server 11-SP3 (src):    libxml2-2.7.6-0.34.1, libxml2-python-2.7.6-0.34.4
SUSE Linux Enterprise Desktop 11-SP4 (src):    libxml2-2.7.6-0.34.1, libxml2-python-2.7.6-0.34.4
SUSE Linux Enterprise Desktop 11-SP3 (src):    libxml2-2.7.6-0.34.1, libxml2-python-2.7.6-0.34.4
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libxml2-2.7.6-0.34.1, libxml2-python-2.7.6-0.34.4
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libxml2-2.7.6-0.34.1, libxml2-python-2.7.6-0.34.4

Comment 16 Swamp Workflow Management 2016-01-07 16:13:19 UTC

SUSE-SU-2016:0049-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 928193,951734,951735,954429,956018,956021,956260,957105,957106,957107,957109,957110
CVE References: CVE-2015-1819,CVE-2015-5312,CVE-2015-7497,CVE-2015-7498,CVE-2015-7499,CVE-2015-7500,CVE-2015-7941,CVE-2015-7942,CVE-2015-8035,CVE-2015-8241,CVE-2015-8242,CVE-2015-8317
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libxml2-2.9.1-13.1
SUSE Linux Enterprise Software Development Kit 12 (src):    libxml2-2.9.1-13.1
SUSE Linux Enterprise Server 12-SP1 (src):    libxml2-2.9.1-13.1, python-libxml2-2.9.1-13.1
SUSE Linux Enterprise Server 12 (src):    libxml2-2.9.1-13.1, python-libxml2-2.9.1-13.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libxml2-2.9.1-13.1, python-libxml2-2.9.1-13.1
SUSE Linux Enterprise Desktop 12 (src):    libxml2-2.9.1-13.1, python-libxml2-2.9.1-13.1

Comment 17 SMASH SMASH 2016-01-08 15:01:35 UTC

An update workflow for this issue was started.

This issue was rated as "low".
Please submit fixed packages until "Jan. 22, 2016".

When done, reassign the bug to "security-team@suse.de".
/update/121235/.

Comment 18 Swamp Workflow Management 2016-01-08 15:05:58 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-01-22.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62418

Comment 19 SMASH SMASH 2016-01-08 15:06:21 UTC

An update workflow for this issue was started.

This issue was rated as "low".
Please submit fixed packages until "Jan. 22, 2016".

When done, reassign the bug to "security-team@suse.de".
/update/62418/.

Comment 20 Swamp Workflow Management 2016-01-13 17:12:45 UTC

openSUSE-SU-2016:0106-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 928193,951734,951735,954429,956018,956021,956260,957105,957106,957107,957109,957110
CVE References: CVE-2015-1819,CVE-2015-5312,CVE-2015-7497,CVE-2015-7498,CVE-2015-7499,CVE-2015-7500,CVE-2015-7941,CVE-2015-7942,CVE-2015-8035,CVE-2015-8241,CVE-2015-8242,CVE-2015-8317
Sources used:
openSUSE Leap 42.1 (src):    libxml2-2.9.1-10.1, python-libxml2-2.9.1-10.1

Comment 21 Andreas Stieger 2016-01-22 09:20:18 UTC

All done, closing