CVE-2016-4447

Properties

Published: 08.06.2016
Updated: 24.07.2016
Patch available:
Severity: Medium
CVSS vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Product:
debian: debian_linux
canonical: ubuntu_linux

Vulnerability description

The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allows context-dependent attackers to cause a denial of service (heap-based buffer underread and application crash) via a crafted file, involving xmlParseName.

References:

APPLE: http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html
APPLE: http://lists.apple.com/archives/security-announce/2016/Jul/msg00001.html
APPLE: http://lists.apple.com/archives/security-announce/2016/Jul/msg00002.html
APPLE: http://lists.apple.com/archives/security-announce/2016/Jul/msg00003.html
APPLE: http://lists.apple.com/archives/security-announce/2016/Jul/msg00005.html
MLIST: http://www.openwall.com/lists/oss-security/2016/05/25/2
SLACKWARE: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.404722
UBUNTU: http://www.ubuntu.com/usn/USN-2994-1
CONFIRM: http://xmlsoft.org/news.html
REDHAT: https://access.redhat.com/errata/RHSA-2016:1292
CONFIRM: https://git.gnome.org/browse/libxml2/commit/?id=00906759053986b8079985644172085f74331f83
CONFIRM: https://support.apple.com/HT206899
CONFIRM: https://support.apple.com/HT206901
CONFIRM: https://support.apple.com/HT206902
CONFIRM: https://support.apple.com/HT206903
CONFIRM: https://support.apple.com/HT206904
CONFIRM: https://support.apple.com/HT206905
DEBIAN: https://www.debian.org/security/2016/dsa-3593