SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Libxml2 Vendors:   xmlsoft.org
Libxml2 Memory Allocation Error in xmlStringGetNodeList() Lets Remote Users Consume Excessive Memory Resources
SecurityTracker Alert ID:  1035335
SecurityTracker URL:  http://securitytracker.com/id/1035335
CVE Reference:   CVE-2016-3627   (Links to External Site)
Date:  Mar 21 2016
Impact:   Denial of service via network


Description:   A vulnerability was reported in Libxml2. A remote user can consume excessive memory on the target system.

A remote user can supply a specially crafted XML file that, when processed by libxml2, will trigger a memory allocation error in xmlStringGetNodeList() andconsume excessive memory on the target system.

The vendor has assigned bug ID 762100 to this vulnerability.

Gustavo Grieco reported this vulnerability.

Impact:   A remote user can consume excessive memory resources on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.xmlsoft.org/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 6 2016 (Ubuntu Issues Fix) Libxml2 Memory Allocation Error in xmlStringGetNodeList() Lets Remote Users Consume Excessive Memory Resources
Ubuntu has issued a fix for Ubuntu Linux 12.04 LTS, 14.04 LTS, 15.10, and 16.04 LTS.
Jun 14 2016 (HPE Issues Fix for HPE IceWall) Libxml2 Memory Allocation Error in xmlStringGetNodeList() Lets Remote Users Consume Excessive Memory Resources
HPE has issued a fix for HPE IceWall.
Jun 24 2016 (CentOS Issues Fix) Libxml2 Memory Allocation Error in xmlStringGetNodeList() Lets Remote Users Consume Excessive Memory Resources
CentOS has issued a fix for CentOS 7.



 Source Message Contents

Subject:  [oss-security] Re: CVE request: Stack exhaustion in libxml2 parsing xml files in recover mode

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> gdb --args xmllint --recover no-recover.xml

> Program received signal SIGSEGV, Segmentation fault.
> _int_malloc (av=0x7ffff7826760 <main_arena>, bytes=2) at malloc.c:3302

Use CVE-2016-3627.

> It was reported to the libxml2 bug tracker some
> time ago but the maintainers are quite busy, so they haven't fixed it.

It's typically useful to mention the bug number even if it isn't
currently a public bug, in case correlation is needed later.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJW8AsWAAoJEL54rhJi8gl58g4P/i/POnAJzcVBHPdk0svtHKl+
+510uhal1JlA6r3y3AiDnqsaRM5TMzuzYs+0l9EA8ydM9nx0UMAOkA/1tHVl48P1
cJcMMoHj/dv/pBBsAaSuJEr2VttXOn4gCuhhVOJQBc1g4sMYUNEdsn3dJ9HbyI6W
sL2fkuGxXCMTl5at94lLJI+Hij8t+VrDSmS+0e+W7AvL4uDuyYH6b4Bcp4BmlX8l
m52hCy9Y72MoSHeituWXLZZ75EIWdwy8ftTmjxpO08ZPR2YjUIiwDYBZKvfWCpFt
aQc/FJrvygTbXtfvT6WUli8qrz1Q2EzYV5c1/jGSfh+0YaNJkvDdLsRlCE0qMm4L
TnoZmD2boumgRmCLAwmqQrkCZeSh6I8ET/I6NHhor8f0LXEuVGOjjN1IJCJ2wRT7
QGp7iejweiDoL1EioQg2pZij4BmG8jxy4XtJRZUBtJzt8yYfIP//z5Lm+3MwO7Uq
UCscXaI0xpLAP4WW/kQTij9wVBnByu61USK7z96dytNcxYqmQhFhaBbUcT3phqwe
JhwGxCONz1wDJG028cXD/r1DX/s/3dHLKWbSrg6zjETaBNTkuIgQBO6SJ9tPcRht
/7T/LPgsNvuqydPksZWan1ytstfOhEDrl2pexJBgnwpt6QlsZnKtIScHDn3PNBND
rpeM6ZE03EVFPNQRk0sK
=1y/J
-----END PGP SIGNATURE-----
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC