Bug 975947 (CVE-2016-3705) - VUL-0: CVE-2016-3705: libxml2: crash in xml validator (parser)
Summary: VUL-0: CVE-2016-3705: libxml2: crash in xml validator (parser)
Status: RESOLVED FIXED
Alias: CVE-2016-3705
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other SLES 11
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Deadline: 2016-05-06
Assignee: Peter Simons
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle10-sp3:62651
Keywords:
Depends on:
Blocks:
 
Reported: 2016-04-18 12:01 UTC by Simon Lees
Modified: 2016-06-16 11:08 UTC

See Also:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Comment 4 Simon Lees 2016-04-18 12:35:09 UTC
Upstream bug report https://bugzilla.gnome.org/show_bug.cgi?id=765207
Comment 8 Swamp Workflow Management 2016-04-19 22:00:12 UTC
bugbot adjusting priority
Comment 9 Swamp Workflow Management 2016-04-22 08:31:18 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-05-06.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62650
Comment 11 Marcus Meissner 2016-04-27 09:28:21 UTC
kurt assigned CVE-2016-3705
Comment 12 Marcus Meissner 2016-05-03 14:18:46 UTC
Hi
This is a disclosure of the following issue that was raised a week ago
on the distro's mailing list. Both bugs on the gnome bugtracker are
currently private and should be made public now. The two attached
patches are based off the 2.9.3 libxml2 release.

A couple of weeks back while working on a related bug [CVE-2016-3627] I
discovered a specially created xml file is capable of triggering a stack
overflow before libxml2 can detect it's an invalid xml file.

We raised this issue upstream on 2016-04-18 and informed them that we
would place a two week embargo on the issue in case we didn't hear back.
As of yet we have had no response so we have posted here.
https://bugzilla.gnome.org/show_bug.cgi?id=765207

We intend to keep the current embargo (ending May 3) unless we get
advised otherwise here. Below is a script to generate the xml file along
with a tested patch to fix the issue. I will also include our
unpublished patch and simplified reproducer for CVE-2016-3627 as again
we have had no response upstream and it's likely that you will want to
fix this less severe issue at the same time.
https://bugzilla.gnome.org/show_bug.cgi?id=762100

python3 repoducer.py ; xmllint repo.xml

repoducer.py
-----------------------------------------------------------------------
#!/usr/bin/env python3
# Writes repo.xml: a DOCTYPE whose internal subset defines a long chain of
# entities, each expanding to a reference to the next one, and a single
# element that uses the first entity in an attribute value.

with open('repo.xml', 'w') as f:
    f.write("<!DOCTYPE a [ ")

    i = 1
    # a1 -> a2 -> ... -> a29999 -> a30000: each entity references the next one
    while i < 30000:
        f.write("<!ENTITY a" + str(i) + " \"&a" + str(i + 1) + ";\">")
        i = i + 1

    # last definition refers back to a1; close the subset and reference a1
    # from an attribute value so the attribute decoder expands the chain
    f.write("<!ENTITY a" + str(i + 1) + " \"&a1;\">]> <bruces bogans=\"&a1;\">")
-----------------------------------------------------------------------
Comment 13 Swamp Workflow Management 2016-05-03 17:23:50 UTC
SUSE-SU-2016:1204-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 972335,975947
CVE References: CVE-2016-3627
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libxml2-2.9.1-20.1
SUSE Linux Enterprise Software Development Kit 12 (src):    libxml2-2.9.1-20.1
SUSE Linux Enterprise Server 12-SP1 (src):    libxml2-2.9.1-20.1, python-libxml2-2.9.1-20.1
SUSE Linux Enterprise Server 12 (src):    libxml2-2.9.1-20.1, python-libxml2-2.9.1-20.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libxml2-2.9.1-20.1, python-libxml2-2.9.1-20.1
SUSE Linux Enterprise Desktop 12 (src):    libxml2-2.9.1-20.1, python-libxml2-2.9.1-20.1
Comment 14 Swamp Workflow Management 2016-05-03 17:24:17 UTC
SUSE-SU-2016:1205-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 972335,975947
CVE References: CVE-2016-3627
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libxml2-2.7.6-0.40.1
SUSE Linux Enterprise Server 11-SP4 (src):    libxml2-2.7.6-0.40.1, libxml2-python-2.7.6-0.40.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libxml2-2.7.6-0.40.1, libxml2-python-2.7.6-0.40.3
Comment 15 Swamp Workflow Management 2016-05-13 12:08:34 UTC
openSUSE-SU-2016:1298-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 972335,975947
CVE References: CVE-2016-3627
Sources used:
openSUSE Leap 42.1 (src):    libxml2-2.9.1-16.1, python-libxml2-2.9.1-16.1
Comment 16 Alexander Bergmann 2016-05-23 07:24:23 UTC
Details are now pushed to the libxml2 git repo:

https://git.gnome.org/browse/libxml2/tag/?h=CVE-2016-3705

Add missing increments of recursion depth counter to XML parser. [CVE-2016-3705]

For https://bugzilla.gnome.org/show_bug.cgi?id=765207

CVE-2016-3705

The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
xmlStringDecodeEntities() in a recursive context without incrementing the
'depth' counter in the parser context. Because of that omission, the parser
failed to detect attribute recursions in certain documents before running out
of stack space.

https://git.gnome.org/browse/libxml2/commit/?h=CVE-2016-3705&id=8f30bdff69edac9075f4663ce3b56b0c52d48ce6
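The commit message above says the fix adds the missing increments of the parser's recursion depth counter. The following is an added toy illustration, not libxml2 code and not part of this bug report, of what that counter buys in a recursive entity expander: every nested expansion bumps `depth` on entry, drops it on exit, and refuses to recurse past a limit, so a cyclic chain shaped like the reproducer above (a1 -> a2 -> ... -> a1, built here with 8 entities instead of 30000) comes back as an error instead of exhausting the stack. All names (`expand_attr`, `demo_cycle`, the `EXP_*` codes), the `MAX_DEPTH` of 32 and the entity tables are made up for the example.

```c
/* Toy recursive entity expander with a depth counter (added example, not libxml2). */
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 32   /* hypothetical limit; libxml2's own limit is larger */
#define NAME_CAP  16

typedef struct { char name[NAME_CAP]; char value[2 * NAME_CAP]; } entity_t;

typedef struct {
    const entity_t *ents;
    int nents;
    int depth;   /* current nesting depth: the counter the upstream fix increments */
} parser_t;

enum { EXP_OK = 0, EXP_TOO_DEEP = 1, EXP_UNDEFINED = 2, EXP_SYNTAX = 3, EXP_OVERFLOW = 4 };

static const char *lookup(const parser_t *p, const char *name, size_t len) {
    for (int i = 0; i < p->nents; i++)
        if (strlen(p->ents[i].name) == len && memcmp(p->ents[i].name, name, len) == 0)
            return p->ents[i].value;
    return NULL;
}

/* Recursively substitute &name; references in text, appending to out. */
static int expand(parser_t *p, const char *text, char *out, size_t cap, size_t *used) {
    /* Checked and bumped on EVERY recursive entry. The upstream bug was two call
       sites reaching the recursive decoder without this increment. */
    if (p->depth >= MAX_DEPTH)
        return EXP_TOO_DEEP;
    p->depth++;
    int rc = EXP_OK;
    for (const char *s = text; *s && rc == EXP_OK; ) {
        if (*s != '&') {
            if (*used + 1 >= cap) { rc = EXP_OVERFLOW; break; }
            out[(*used)++] = *s++;
            continue;
        }
        const char *semi = strchr(s + 1, ';');
        if (!semi) { rc = EXP_SYNTAX; break; }
        const char *val = lookup(p, s + 1, (size_t)(semi - s - 1));
        if (!val) { rc = EXP_UNDEFINED; break; }
        rc = expand(p, val, out, cap, used);   /* nested expansion */
        s = semi + 1;
    }
    p->depth--;
    out[*used] = '\0';
    return rc;
}

/* Expand an attribute value against an entity table; returns an EXP_* code. */
int expand_attr(const entity_t *ents, int nents, const char *attr, char *out, size_t cap) {
    parser_t p = { ents, nents, 0 };
    size_t used = 0;
    out[0] = '\0';
    return expand(&p, attr, out, cap, &used);
}

/* Constructed cycle a1 -> a2 -> ... -> an -> a1, the reproducer's shape in miniature. */
static void build_cycle(entity_t *ents, int n) {
    for (int i = 1; i <= n; i++) {
        snprintf(ents[i - 1].name, NAME_CAP, "a%d", i);
        snprintf(ents[i - 1].value, sizeof ents[i - 1].value, "&a%d;", i < n ? i + 1 : 1);
    }
}

/* Verdict on the cyclic table: EXP_TOO_DEEP (1), never unbounded recursion. */
int demo_cycle(void) {
    entity_t ents[8];
    char out[64];
    build_cycle(ents, 8);
    return expand_attr(ents, 8, "&a1;", out, sizeof out);
}

/* Verdict on a short, well-formed chain; writes the expansion to out. */
int demo_benign(char *out, size_t cap) {
    static const entity_t ents[] = {
        { "who",   "world" },
        { "greet", "hello &who;" },
    };
    return expand_attr(ents, 2, "<&greet;>", out, cap);
}

/* 1 if the benign case expands to "<hello world>" with EXP_OK. */
int demo_benign_ok(void) {
    char out[64];
    return demo_benign(out, sizeof out) == EXP_OK && strcmp(out, "<hello world>") == 0;
}

int main(void) {
    char out[64];
    printf("cycle  -> rc=%d\n", demo_cycle());
    printf("benign -> rc=%d out=%s\n", demo_benign(out, sizeof out), out);
    return 0;
}
```

The interesting property is that the counter lives in the parser context and is adjusted around the recursive call itself, so it cannot be skipped by a caller that enters the decoder through a different path; the depth limit is the trade-off, since a legitimate but very deeply nested document is rejected the same way.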
Comment 17 Sebastian Krahmer 2016-05-25 07:34:07 UTC
released
Comment 19 Hanns-Joachim Uhl 2016-05-30 08:13:38 UTC
(In reply to Swamp Workflow Management from comment #14)
> SUSE-SU-2016:1205-1: An update that solves one vulnerability and has one
> errata is now available.
> 
> Category: security (moderate)
> Bug References: 972335,975947
> CVE References: CVE-2016-3627
> Sources used:
> SUSE Linux Enterprise Software Development Kit 11-SP4 (src):   
> libxml2-2.7.6-0.40.1
> SUSE Linux Enterprise Server 11-SP4 (src):    libxml2-2.7.6-0.40.1,
> libxml2-python-2.7.6-0.40.3
> SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libxml2-2.7.6-0.40.1,
> libxml2-python-2.7.6-0.40.3
.
Hello SUSE,
quick question ...
... now that this bugzilla is closed do I understand correctly that
also 'CVE-2016-3705' is resolved with the above maintweb update ...?
Please confirm or advise ...
Thanks in advance for your support.
Comment 20 Vítězslav Čížek 2016-05-30 08:22:55 UTC
(In reply to Hanns-Joachim Uhl from comment #19)
> ... now that this bugzilla is closed do I understand correctly that
> also 'CVE-2016-3705' is resolved with the above maintweb update ...?
Yes, the bug was discovered by SUSE, the CVE isn't mentioned in the update because the package was built long before the bug got the CVE assigned.
Comment 21 Swamp Workflow Management 2016-05-30 17:10:24 UTC
openSUSE-SU-2016:1446-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 962796,972335,975947
CVE References: CVE-2016-3627,CVE-2016-3705
Sources used:
openSUSE 13.2 (src):    libxml2-2.9.3-7.11.1, python-libxml2-2.9.3-7.11.1
Comment 22 Swamp Workflow Management 2016-06-16 11:08:43 UTC
openSUSE-SU-2016:1594-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 972335,975947,978395,981040,981041,981108,981109,981110,981111,981112,981114,981115,983288
CVE References: CVE-2016-1762,CVE-2016-1833,CVE-2016-1834,CVE-2016-1835,CVE-2016-1836,CVE-2016-1837,CVE-2016-1838,CVE-2016-1839,CVE-2016-1840,CVE-2016-3627,CVE-2016-3705,CVE-2016-4483
Sources used:
openSUSE 13.2 (src):    libxml2-2.9.4-7.17.1, python-libxml2-2.9.4-7.17.1