SecurityTracker.com
Category:   Application (Generic)  >   expat
Vendors:   libexpat.org
(Red Hat Issues Fix for expat) Apple macOS/OS X Multiple Flaws Let Remote and Local Users Deny Service, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
SecurityTracker Alert ID:  1037348
SecurityTracker URL:  http://securitytracker.com/id/1037348
CVE Reference:   CVE-2016-0718
Date:  Nov 28 2016
Impact:   Denial of service via local system, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Multiple vulnerabilities were reported in Apple macOS/OS X. A remote user can cause arbitrary code to be executed on the target user's system. A local user can cause denial of service conditions on the target system. A remote or local user can obtain potentially sensitive information. A local user can obtain elevated privileges on the target system. A local user can obtain passwords on the target system. expat is affected.

A remote user can trigger a flaw in apache_mod_php to execute arbitrary code on the target system [CVE-2016-4650].

A local user can trigger a memory corruption error in the Audio component to execute arbitrary code with kernel-level privileges [CVE-2016-4647].

A local user can trigger an out-of-bounds memory read error to determine kernel memory layout [CVE-2016-4648].

A remote user can create a specially crafted audio file that, when loaded by the target user, will trigger an out-of-bounds memory read error and obtain potentially sensitive user information [CVE-2016-4646].

A local user can trigger a null pointer dereference in the Audio function to cause denial of service conditions [CVE-2016-4649].

A local user can trigger a permissions flaw in the processing of web browser cookies to view potentially sensitive information [CVE-2016-4645].

A local user can trigger an out-of-bounds memory read error to view the contents of kernel memory and obtain elevated privileges [CVE-2016-4652].

A local user can trigger a memory corruption error in the Graphics Drivers component to execute arbitrary code with kernel-level privileges [CVE-2016-4634].

A remote user can trigger a memory corruption error in ImageIO and execute arbitrary code [CVE-2016-4629, CVE-2016-4630].

An application can trigger a memory corruption error in the Intel Graphics Driver to execute arbitrary code [CVE-2016-4633].

A local user can trigger a use-after-free memory error in the IOSurface component to execute arbitrary code [CVE-2016-4625].

An application can trigger a memory corruption error in libc++abi to execute arbitrary code with root privileges [CVE-2016-4621].

A remote user can create specially crafted XML to trigger a memory corruption error in libexpat and execute arbitrary code [CVE-2016-0718].

A remote user can create a specially crafted XML document that, when processed, will trigger a flaw in libxml2 and access potentially sensitive user information [CVE-2016-4449].

A user can trigger memory corruption errors in libxml2 [CVE-2016-4447, CVE-2016-4448, CVE-2016-4483, CVE-2016-4614, CVE-2016-4615, CVE-2016-4616, CVE-2016-4619].

A user can trigger memory corruption errors in libxslt [CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, CVE-2016-4610, CVE-2016-4612].

An application can trigger a memory corruption error in the Login Window function to execute arbitrary code and obtain potentially sensitive user information [CVE-2016-4640].

An application can trigger a type confusion error in the Login Window function to execute arbitrary code and obtain user information [CVE-2016-4641].

A local user can exploit a memory initialization flaw in the Login Window function and cause denial of service conditions [CVE-2016-4639].

An application can trigger a type confusion error in the Login Window function and gain root privileges [CVE-2016-4638].

A remote user can create a specially crafted FlashPix Bitmap Image that, when loaded by the target user, will trigger a memory corruption error in QuickTime and execute arbitrary code on the target user's system [CVE-2016-4596, CVE-2016-4597, CVE-2016-4600, CVE-2016-4602].

A remote user can create a specially crafted image that, when loaded by the target user, will trigger a memory corruption error in QuickTime and execute arbitrary code on the target user's system [CVE-2016-4598].

A remote user can create a specially crafted SGI file that, when loaded by the target user, will trigger a memory corruption error in QuickTime and execute arbitrary code on the target user's system [CVE-2016-4601].

A remote user can create a specially crafted Photoshop document that, when loaded by the target user, will trigger a memory corruption error in QuickTime and execute arbitrary code on the target user's system [CVE-2016-4599].

A physically local user can exploit a flaw in the Safari password auto-fill function to view the target user's password [CVE-2016-4595].

Juwei Lin (@fuzzerDOTcn) of Trend Micro, Steven Seeley of Source Incite (via Trend Micro's Zero Day Initiative), Abhinav Bansal of Zscaler Inc., Yubin Fu of Tencent KeenLab (via Trend Micro's Zero Day Initiative), Stefan Esser of SektionEins, Tyler Bohan of Cisco Talos, an anonymous researcher, Ian Beer of Google Project Zero, Gustavo Grieco, Kostya Serebryany, Wei Lei and Liu Yang of Nanyang Technological University, Nick Wellnhofer, Michael Paddon, Hanno Boeck, Nicolas Gregoire, Ke Liu of Tencent's Xuanwu Lab, and Jonathan Lewis from DeARX Services (PTY) LTD reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A local user can cause denial of service conditions on the target system.

A remote or local user can obtain potentially sensitive information on the target system.

A local user can obtain elevated privileges on the target system.

A physically local user can view passwords.

Solution:   Red Hat has issued a fix for CVE-2016-0718 for expat.

The Red Hat advisory is available at:

https://rhn.redhat.com/errata/RHSA-2016-2824.html

Vendor URL:  rhn.redhat.com/errata/RHSA-2016-2824.html
Cause:   Access control error, Boundary error, Input validation error
Underlying OS:  Linux (Red Hat Enterprise)
Underlying OS Comments:  6, 7

Message History:   This archive entry is a follow-up to the message listed below.
Jul 19 2016 Apple macOS/OS X Multiple Flaws Let Remote and Local Users Deny Service, Obtain Potentially Sensitive Information, and Execute Arbitrary Code



 Source Message Contents

Subject:  [RHSA-2016:2824-01] Moderate: expat security update

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: expat security update
Advisory ID:       RHSA-2016:2824-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2824.html
Issue date:        2016-11-28
CVE Names:         CVE-2016-0718 
=====================================================================

1. Summary:

An update for expat is now available for Red Hat Enterprise Linux 6 and Red
Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Expat is a C library for parsing XML documents.

Security Fix(es):

* An out-of-bounds read flaw was found in the way Expat processed certain
input. A remote attacker could send specially crafted XML that, when parsed
by an application using the Expat library, would cause that application to
crash or, possibly, execute arbitrary code with the permission of the user
running the application. (CVE-2016-0718)

Red Hat would like to thank Gustavo Grieco for reporting this issue.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, applications using the Expat library
must be restarted for the update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1296102 - CVE-2016-0718 expat: Out-of-bounds heap read on crafted input causing crash

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
expat-2.0.1-13.el6_8.src.rpm

i386:
expat-2.0.1-13.el6_8.i686.rpm
expat-debuginfo-2.0.1-13.el6_8.i686.rpm

x86_64:
expat-2.0.1-13.el6_8.i686.rpm
expat-2.0.1-13.el6_8.x86_64.rpm
expat-debuginfo-2.0.1-13.el6_8.i686.rpm
expat-debuginfo-2.0.1-13.el6_8.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
expat-debuginfo-2.0.1-13.el6_8.i686.rpm
expat-devel-2.0.1-13.el6_8.i686.rpm

x86_64:
expat-debuginfo-2.0.1-13.el6_8.i686.rpm
expat-debuginfo-2.0.1-13.el6_8.x86_64.rpm
expat-devel-2.0.1-13.el6_8.i686.rpm
expat-devel-2.0.1-13.el6_8.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
expat-2.0.1-13.el6_8.src.rpm

x86_64:
expat-2.0.1-13.el6_8.i686.rpm
expat-2.0.1-13.el6_8.x86_64.rpm
expat-debuginfo-2.0.1-13.el6_8.i686.rpm
expat-debuginfo-2.0.1-13.el6_8.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

x86_64:
expat-debuginfo-2.0.1-13.el6_8.i686.rpm
expat-debuginfo-2.0.1-13.el6_8.x86_64.rpm
expat-devel-2.0.1-13.el6_8.i686.rpm
expat-devel-2.0.1-13.el6_8.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
expat-2.0.1-13.el6_8.src.rpm

i386:
expat-2.0.1-13.el6_8.i686.rpm
expat-debuginfo-2.0.1-13.el6_8.i686.rpm
expat-devel-2.0.1-13.el6_8.i686.rpm

ppc64:
expat-2.0.1-13.el6_8.ppc.rpm
expat-2.0.1-13.el6_8.ppc64.rpm
expat-debuginfo-2.0.1-13.el6_8.ppc.rpm
expat-debuginfo-2.0.1-13.el6_8.ppc64.rpm
expat-devel-2.0.1-13.el6_8.ppc.rpm
expat-devel-2.0.1-13.el6_8.ppc64.rpm

s390x:
expat-2.0.1-13.el6_8.s390.rpm
expat-2.0.1-13.el6_8.s390x.rpm
expat-debuginfo-2.0.1-13.el6_8.s390.rpm
expat-debuginfo-2.0.1-13.el6_8.s390x.rpm
expat-devel-2.0.1-13.el6_8.s390.rpm
expat-devel-2.0.1-13.el6_8.s390x.rpm

x86_64:
expat-2.0.1-13.el6_8.i686.rpm
expat-2.0.1-13.el6_8.x86_64.rpm
expat-debuginfo-2.0.1-13.el6_8.i686.rpm
expat-debuginfo-2.0.1-13.el6_8.x86_64.rpm
expat-devel-2.0.1-13.el6_8.i686.rpm
expat-devel-2.0.1-13.el6_8.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
expat-2.0.1-13.el6_8.src.rpm

i386:
expat-2.0.1-13.el6_8.i686.rpm
expat-debuginfo-2.0.1-13.el6_8.i686.rpm
expat-devel-2.0.1-13.el6_8.i686.rpm

x86_64:
expat-2.0.1-13.el6_8.i686.rpm
expat-2.0.1-13.el6_8.x86_64.rpm
expat-debuginfo-2.0.1-13.el6_8.i686.rpm
expat-debuginfo-2.0.1-13.el6_8.x86_64.rpm
expat-devel-2.0.1-13.el6_8.i686.rpm
expat-devel-2.0.1-13.el6_8.x86_64.rpm

Red Hat Enterprise Linux Client (v. 7):

Source:
expat-2.1.0-10.el7_3.src.rpm

x86_64:
expat-2.1.0-10.el7_3.i686.rpm
expat-2.1.0-10.el7_3.x86_64.rpm
expat-debuginfo-2.1.0-10.el7_3.i686.rpm
expat-debuginfo-2.1.0-10.el7_3.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
expat-debuginfo-2.1.0-10.el7_3.i686.rpm
expat-debuginfo-2.1.0-10.el7_3.x86_64.rpm
expat-devel-2.1.0-10.el7_3.i686.rpm
expat-devel-2.1.0-10.el7_3.x86_64.rpm
expat-static-2.1.0-10.el7_3.i686.rpm
expat-static-2.1.0-10.el7_3.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
expat-2.1.0-10.el7_3.src.rpm

x86_64:
expat-2.1.0-10.el7_3.i686.rpm
expat-2.1.0-10.el7_3.x86_64.rpm
expat-debuginfo-2.1.0-10.el7_3.i686.rpm
expat-debuginfo-2.1.0-10.el7_3.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
expat-debuginfo-2.1.0-10.el7_3.i686.rpm
expat-debuginfo-2.1.0-10.el7_3.x86_64.rpm
expat-devel-2.1.0-10.el7_3.i686.rpm
expat-devel-2.1.0-10.el7_3.x86_64.rpm
expat-static-2.1.0-10.el7_3.i686.rpm
expat-static-2.1.0-10.el7_3.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
expat-2.1.0-10.el7_3.src.rpm

aarch64:
expat-2.1.0-10.el7_3.aarch64.rpm
expat-debuginfo-2.1.0-10.el7_3.aarch64.rpm
expat-devel-2.1.0-10.el7_3.aarch64.rpm

ppc64:
expat-2.1.0-10.el7_3.ppc.rpm
expat-2.1.0-10.el7_3.ppc64.rpm
expat-debuginfo-2.1.0-10.el7_3.ppc.rpm
expat-debuginfo-2.1.0-10.el7_3.ppc64.rpm
expat-devel-2.1.0-10.el7_3.ppc.rpm
expat-devel-2.1.0-10.el7_3.ppc64.rpm

ppc64le:
expat-2.1.0-10.el7_3.ppc64le.rpm
expat-debuginfo-2.1.0-10.el7_3.ppc64le.rpm
expat-devel-2.1.0-10.el7_3.ppc64le.rpm

s390x:
expat-2.1.0-10.el7_3.s390.rpm
expat-2.1.0-10.el7_3.s390x.rpm
expat-debuginfo-2.1.0-10.el7_3.s390.rpm
expat-debuginfo-2.1.0-10.el7_3.s390x.rpm
expat-devel-2.1.0-10.el7_3.s390.rpm
expat-devel-2.1.0-10.el7_3.s390x.rpm

x86_64:
expat-2.1.0-10.el7_3.i686.rpm
expat-2.1.0-10.el7_3.x86_64.rpm
expat-debuginfo-2.1.0-10.el7_3.i686.rpm
expat-debuginfo-2.1.0-10.el7_3.x86_64.rpm
expat-devel-2.1.0-10.el7_3.i686.rpm
expat-devel-2.1.0-10.el7_3.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
expat-debuginfo-2.1.0-10.el7_3.aarch64.rpm
expat-static-2.1.0-10.el7_3.aarch64.rpm

ppc64:
expat-debuginfo-2.1.0-10.el7_3.ppc.rpm
expat-debuginfo-2.1.0-10.el7_3.ppc64.rpm
expat-static-2.1.0-10.el7_3.ppc.rpm
expat-static-2.1.0-10.el7_3.ppc64.rpm

ppc64le:
expat-debuginfo-2.1.0-10.el7_3.ppc64le.rpm
expat-static-2.1.0-10.el7_3.ppc64le.rpm

s390x:
expat-debuginfo-2.1.0-10.el7_3.s390.rpm
expat-debuginfo-2.1.0-10.el7_3.s390x.rpm
expat-static-2.1.0-10.el7_3.s390.rpm
expat-static-2.1.0-10.el7_3.s390x.rpm

x86_64:
expat-debuginfo-2.1.0-10.el7_3.i686.rpm
expat-debuginfo-2.1.0-10.el7_3.x86_64.rpm
expat-static-2.1.0-10.el7_3.i686.rpm
expat-static-2.1.0-10.el7_3.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
expat-2.1.0-10.el7_3.src.rpm

x86_64:
expat-2.1.0-10.el7_3.i686.rpm
expat-2.1.0-10.el7_3.x86_64.rpm
expat-debuginfo-2.1.0-10.el7_3.i686.rpm
expat-debuginfo-2.1.0-10.el7_3.x86_64.rpm
expat-devel-2.1.0-10.el7_3.i686.rpm
expat-devel-2.1.0-10.el7_3.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
expat-debuginfo-2.1.0-10.el7_3.i686.rpm
expat-debuginfo-2.1.0-10.el7_3.x86_64.rpm
expat-static-2.1.0-10.el7_3.i686.rpm
expat-static-2.1.0-10.el7_3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-0718
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
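
The advisory's Solution section says applications using the Expat library must be restarted after the update. The following check is an added example, not part of the Red Hat advisory or the SecurityTracker entry: it reports processes whose `/proc/<pid>/maps` still reference an unlinked (pre-update) copy of libexpat. The function names and the sample map lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes still running a replaced libexpat.
# When a package update replaces a shared library, processes that loaded the
# old file keep it mapped, and the kernel marks the path "(deleted)" in
# /proc/<pid>/maps until the process is restarted.

# Constructed sample: a process started before the update.
SAMPLE_STALE='7f3a1c000000-7f3a1c027000 r-xp 00000000 fd:00 393301 /usr/lib64/libexpat.so.1.6.0 (deleted)
7f3a1c227000-7f3a1c229000 r--p 00027000 fd:00 393301 /usr/lib64/libexpat.so.1.6.0 (deleted)
7f3a1c400000-7f3a1c5c3000 r-xp 00000000 fd:00 393120 /usr/lib64/libc-2.17.so
7f3a1c800000-7f3a1c821000 rw-p 00000000 00:00 0'

# Constructed sample: the same process after a restart.
SAMPLE_FRESH='7f51e0000000-7f51e0027000 r-xp 00000000 fd:00 401877 /usr/lib64/libexpat.so.1.6.0
7f51e0400000-7f51e05c3000 r-xp 00000000 fd:00 393120 /usr/lib64/libc-2.17.so'

# Read maps-format lines on stdin; print the unique libexpat paths whose
# backing file has been unlinked. Prints nothing if none are stale.
stale_expat_paths() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\/libexpat\.so/ { print $(NF-1) }' |
        sort -u
}

# Walk every process and print "pid<TAB>command<TAB>stale path".
# Run as root to see all processes; unreadable or vanished entries are skipped.
scan_stale_expat() {
    for maps_file in /proc/[0-9]*/maps; do
        scan_pid=${maps_file#/proc/}
        scan_pid=${scan_pid%/maps}
        scan_hit=$( { stale_expat_paths < "$maps_file"; } 2>/dev/null ) || continue
        if [ -n "$scan_hit" ]; then
            printf '%s\t%s\t%s\n' "$scan_pid" \
                "$(cat "/proc/$scan_pid/comm" 2>/dev/null)" "$scan_hit"
        fi
    done
    return 0
}

# Only touch the live system when asked to: sh check_expat.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_stale_expat
fi
```

An empty result from `--scan` means no running process still maps the replaced library; any process listed needs a restart before the fix applies to it.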
 
 

