Bugzilla – Bug 963963
VUL-0: CVE-2016-2073: libxml2: out-of-bounds read in htmlParseNameComplex()
Last modified: 2016-08-31 12:20:16 UTC
Created attachment 663587 [details]
Reproducer

http://seclists.org/oss-sec/2016/q1/199

Qihoo 360 Codesafe Team reports:

We find a vulnerability in the way libxml2's htmlParseNameComplex() function parses certain xml files. I was successful in reproducing this issue in the latest version of libxml2 (git clone git://git.gnome.org/libxml2).

HTMLparser.c line:2517 :

    return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));

"ctxt->input->cur - len" causes an Out-of-bounds Read.

Bug info:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60620000d8ff at pc 0x62f90d bp 0x7fffa1464060 sp 0x7fffa1464058
READ of size 1 at 0x60620000d8ff thread T0
    #0 0x62f90c (/home/r/libxml2/testHTML+0x62f90c)
    #1 0x631c40 (/home/r/libxml2/testHTML+0x631c40)
    #2 0x4eb94c (/home/r/libxml2/testHTML+0x4eb94c)
    #3 0x4eb09c (/home/r/libxml2/testHTML+0x4eb09c)
    #4 0x4ecdb4 (/home/r/libxml2/testHTML+0x4ecdb4)
    #5 0x4f993b (/home/r/libxml2/testHTML+0x4f993b)
    #6 0x4ff225 (/home/r/libxml2/testHTML+0x4ff225)
    #7 0x5008d1 (/home/r/libxml2/testHTML+0x5008d1)
    #8 0x50ba97 (/home/r/libxml2/testHTML+0x50ba97)
    #9 0x50bc89 (/home/r/libxml2/testHTML+0x50bc89)
    #10 0x403df6 (/home/r/libxml2/testHTML+0x403df6)
    #11 0x4046a0 (/home/r/libxml2/testHTML+0x4046a0)
    #12 0x7fb1877a5ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
    #13 0x4025b8 (/home/r/libxml2/testHTML+0x4025b8)
0x60620000d8ff is located 1 bytes to the left of 4096-byte region [0x60620000d900,0x60620000e900)
allocated by thread T0 here:
    #0 0x7fb187e6541a (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x1541a)
    #1 0x5aa0a2 (/home/r/libxml2/testHTML+0x5aa0a2)
    #2 0x67f4b0 (/home/r/libxml2/testHTML+0x67f4b0)
    #3 0x67f873 (/home/r/libxml2/testHTML+0x67f873)
    #4 0x67ed01 (/home/r/libxml2/testHTML+0x67ed01)
    #5 0x4e47cd (/home/r/libxml2/testHTML+0x4e47cd)
    #6 0x4eb704 (/home/r/libxml2/testHTML+0x4eb704)
    #7 0x4eb09c (/home/r/libxml2/testHTML+0x4eb09c)
    #8 0x4ecdb4 (/home/r/libxml2/testHTML+0x4ecdb4)
    #9 0x4f993b (/home/r/libxml2/testHTML+0x4f993b)
    #10 0x4ff225 (/home/r/libxml2/testHTML+0x4ff225)
    #11 0x5008d1 (/home/r/libxml2/testHTML+0x5008d1)
    #12 0x50ba97 (/home/r/libxml2/testHTML+0x50ba97)
    #13 0x50bc89 (/home/r/libxml2/testHTML+0x50bc89)
    #14 0x403df6 (/home/r/libxml2/testHTML+0x403df6)
    #15 0x4046a0 (/home/r/libxml2/testHTML+0x4046a0)
    #16 0x7fb1877a5ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
Shadow bytes around the buggy address:
  0x0c0cbfff9ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0cbfff9ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0cbfff9ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0cbfff9af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0cbfff9b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0cbfff9b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c0cbfff9b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0cbfff9b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0cbfff9b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0cbfff9b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0cbfff9b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==20154== ABORTING

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1301928
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2073
http://seclists.org/oss-sec/2016/q1/216
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2073.html
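The report above points at the `ctxt->input->cur - len` arithmetic, and the ASan output shows the read landing one byte before a 4096-byte heap region. The mechanism is that the input buffer can be relocated (grown or shrunk, as the push parser does between chunks) while the name scanner is still counting characters, so by the time `cur - len` is computed the bytes it is supposed to point back to are no longer in front of `base`. The following is an added, stand-alone C illustration of that pattern and of the shape of the hardening (check that `cur - base` covers `len` before handing the pointer on); it is not libxml2 code. `struct input`, `shrink()`, `parse_name()`, the `shrink_after` knob and the constructed input `"&abcdef;"` are all assumptions made for the example, and the real parser's buffer management is considerably more involved than the `memmove` used here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Stand-in for the xmlParserInput fields that matter here
 * (constructed for this example; not libxml2's definition).
 */
struct input {
    char  buf[32];   /* backing storage, stands in for the xmlBuf */
    char *base;      /* first byte currently held in the buffer */
    char *cur;       /* read position */
    char *end;       /* one past the last byte held */
};

static void input_init(struct input *in, const char *text, size_t skip)
{
    size_t n = strlen(text);
    memcpy(in->buf, text, n);
    in->base = in->buf;
    in->cur  = in->buf + skip;
    in->end  = in->buf + n;
}

/*
 * Emulates the effect of a shrink in the push parser: already consumed
 * bytes before cur are discarded and the rest slides to the front, so
 * base == cur afterwards. Anything that still expects to find data at
 * cur - len is now pointing in front of the buffer.
 */
static void shrink(struct input *in)
{
    size_t remaining = (size_t)(in->end - in->cur);
    memmove(in->buf, in->cur, remaining);
    in->base = in->buf;
    in->cur  = in->buf;
    in->end  = in->buf + remaining;
}

static int is_name_char(char c)
{
    return c == '_' || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9');
}

/*
 * Scan a name at cur the way htmlParseNameComplex does: count characters
 * first, then locate the name as cur - len.
 *
 * shrink_after: number of name characters after which the buffer is
 *               relocated underneath the scanner (-1: never); stands in
 *               for a grow/shrink triggered while fetching the next char.
 * checked:      0 = original behaviour, 1 = hardened behaviour.
 *
 * Returns the name length, or -1 when the hardened variant refuses.
 * *start receives the offset of the name's first byte relative to base.
 * A negative offset is the out-of-bounds read ASan flagged above
 * ("1 bytes to the left of ... region"); the offset is returned as an
 * integer instead of dereferenced so the example itself stays defined.
 */
static int parse_name(struct input *in, int shrink_after, int checked,
                      ptrdiff_t *start)
{
    int len = 0;

    while (in->cur < in->end && is_name_char(*in->cur)) {
        in->cur++;
        len++;
        if (len == shrink_after)
            shrink(in);                  /* buffer relocated mid-name */
    }

    if (checked && in->cur - in->base < len) {
        /* Sanity check: the name is no longer fully inside the buffer,
         * so cur - len would point before base. Refuse rather than pass
         * a bad pointer and length to the dictionary lookup. */
        *start = -1;
        return -1;
    }

    *start = (in->cur - in->base) - len;  /* what cur - len would address */
    return len;
}

/* Runs one scenario on the constructed input and returns the start offset. */
static ptrdiff_t run(const char *label, int shrink_after, int checked)
{
    struct input in;
    ptrdiff_t start;
    int len;

    input_init(&in, "&abcdef;", 1);      /* constructed input; cur is past '&' */
    len = parse_name(&in, shrink_after, checked, &start);
    printf("%-28s len=%2d start_offset=%td%s\n", label, len, start,
           (len >= 0 && start < 0) ? "  <-- reads before the buffer" : "");
    return start;
}

int main(void)
{
    run("no shrink, unchecked",     -1, 0);  /* start_offset=1 */
    run("shrink after 3, unchecked", 3, 0);  /* start_offset=-3, out of bounds */
    run("shrink after 3, checked",   3, 1);  /* refused: len=-1 */
    return 0;
}
```

The unchecked variant happily reports a name of length 6 whose first byte would sit three bytes before `base`; with the real parser that pointer goes into `xmlDictLookup`, which is where valgrind and ASan catch the read. The check costs one subtraction and turns the same input into a parse error instead.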
bugbot adjusting priority
Hello SUSE,
... I got the following question from the field:
- do you still plan to provide an update for SLES 11 SP3 (or will it be available for SLES 11 SP4 only) ...?
Please advise ...
Thanks in advance for your support.
(In reply to Hanns-Joachim Uhl from comment #3)
> Hello SUSE,
> ... I got the following question from the field:
> - do you still plan to provide an update for SLES 11 SP3
> (or will it be available for SLES 11 SP4 only) ...?
> Please advise ...
> Thanks in advance for your support.

Hello SUSE,
... do you already have any thoughts about my above question ...?
Please advise ...
Thanks in advance for your support.
No, we are currently not planning an update for 11-SP3 general support. At some point we can release a roll-up update for libxml2 for 11-SP3 in LTSS support, but I do not think we plan to do that currently. A PTF could be requested via our support channels.
From https://bugzilla.redhat.com/show_bug.cgi?id=1301928#c4 This is also a duplicate of CVE-2016-1839/CVE-2015-8806 bsc#981114 which has a fix already.
Does anyone know how to use the reproducer in Description?
Created attachment 679840 [details]
CVE-2016-2073.c

QA REPRODUCER:

gcc -O2 -o CVE-2016-2073 CVE-2016-2073.c -lxml2
valgrind ./CVE-2016-2073

before: will report things like:

==26724== Invalid read of size 1
==26724==    at 0x4C2CAAC: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26724==    by 0x4F36035: ??? (in /usr/lib64/libxml2.so.2.7.6)
==26724==    by 0x4F3675E: xmlDictLookup (in /usr/lib64/libxml2.so.2.7.6)
==26724==    by 0x4EA8339: ??? (in /usr/lib64/libxml2.so.2.7.6)
==26724==    by 0x4EA8D19: htmlParseEntityRef (in /usr/lib64/libxml2.so.2.7.6)
==26724==    by 0x4EA9B13: ??? (in /usr/lib64/libxml2.so.2.7.6)
==26724==    by 0x4EAB4F1: htmlParseChunk (in /usr/lib64/libxml2.so.2.7.6)
==26724==    by 0x4006D7: main (in /suse/meissner/Downloads/CVE-2016-2073)

after: should not report any invalid reads
SUSE-SU-2016:1538-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 963963,965283,978395,981040,981041,981108,981109,981111,981112,981114,981115,981548,981549,981550
CVE References: CVE-2015-8806,CVE-2016-1762,CVE-2016-1833,CVE-2016-1834,CVE-2016-1835,CVE-2016-1837,CVE-2016-1838,CVE-2016-1839,CVE-2016-1840,CVE-2016-2073,CVE-2016-3705,CVE-2016-4447,CVE-2016-4448,CVE-2016-4449,CVE-2016-4483
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libxml2-2.9.1-24.1
SUSE Linux Enterprise Software Development Kit 12 (src):    libxml2-2.9.1-24.1
SUSE Linux Enterprise Server 12-SP1 (src):    libxml2-2.9.1-24.1, python-libxml2-2.9.1-24.1
SUSE Linux Enterprise Server 12 (src):    libxml2-2.9.1-24.1, python-libxml2-2.9.1-24.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libxml2-2.9.1-24.1, python-libxml2-2.9.1-24.1
SUSE Linux Enterprise Desktop 12 (src):    libxml2-2.9.1-24.1, python-libxml2-2.9.1-24.1
openSUSE-SU-2016:1595-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 963963,965283,978395,981040,981041,981108,981109,981111,981112,981114,981115,981548,981549,981550
CVE References: CVE-2015-8806,CVE-2016-1762,CVE-2016-1833,CVE-2016-1834,CVE-2016-1835,CVE-2016-1837,CVE-2016-1838,CVE-2016-1839,CVE-2016-1840,CVE-2016-2073,CVE-2016-3705,CVE-2016-4447,CVE-2016-4448,CVE-2016-4449,CVE-2016-4483
Sources used:
openSUSE Leap 42.1 (src):    libxml2-2.9.1-19.1, python-libxml2-2.9.1-19.1
SUSE-SU-2016:1604-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 963963,965283,978395,981040,981041,981108,981109,981111,981112,981114,981115,981548,981549,981550
CVE References: CVE-2015-8806,CVE-2016-1762,CVE-2016-1833,CVE-2016-1834,CVE-2016-1835,CVE-2016-1837,CVE-2016-1838,CVE-2016-1839,CVE-2016-1840,CVE-2016-2073,CVE-2016-3705,CVE-2016-4447,CVE-2016-4448,CVE-2016-4449,CVE-2016-4483
Sources used:
SUSE OpenStack Cloud 5 (src):    libxml2-2.7.6-0.44.1, libxml2-python-2.7.6-0.44.4
SUSE Manager Proxy 2.1 (src):    libxml2-2.7.6-0.44.1, libxml2-python-2.7.6-0.44.4
SUSE Manager 2.1 (src):    libxml2-2.7.6-0.44.1, libxml2-python-2.7.6-0.44.4
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libxml2-2.7.6-0.44.1
SUSE Linux Enterprise Server 11-SP4 (src):    libxml2-2.7.6-0.44.1, libxml2-python-2.7.6-0.44.4
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    libxml2-2.7.6-0.44.1, libxml2-python-2.7.6-0.44.4
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    libxml2-2.7.6-0.44.1, libxml2-python-2.7.6-0.44.4
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libxml2-2.7.6-0.44.1, libxml2-python-2.7.6-0.44.4
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libxml2-2.7.6-0.44.1, libxml2-python-2.7.6-0.44.4
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    libxml2-2.7.6-0.44.1, libxml2-python-2.7.6-0.44.4
all released