CVE-2016-4658 libxml2: Use after free via namespace node in XPointer ranges

Bug #1954718 reported by Ghada Khalil
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Joe Slater

Bug Description

CVE-2016-4658 libxml2: Use after free via namespace node in XPointer ranges

Score:
CVSSv2: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Description:
xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.

References:
https://nvd.nist.gov/vuln/detail/CVE-2016-4658
https://access.redhat.com/errata/RHSA-2021:3810
https://access.redhat.com/security/cve/CVE-2016-4658
https://lists.centos.org/pipermail/centos-announce/2021-November/048378.html

Required package version:
libxml2-2.9.1-6.el7_9.6.x86_64.rpm
libxml2-devel-2.9.1-6.el7_9.6.x86_64.rpm
libxml2-python-2.9.1-6.el7_9.6.x86_64.rpm

Packages:
libxml2

Found during December 2021 CVE Scan
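
A check that a host carries the required builds, as an added example that is not part of the bug report or the StarlingX change. The description says "before 2.9.5" while the required packages are still version 2.9.1, so the release field decides; the comparison follows rpm's segment rules without epoch, `~` or `^` handling, and SAMPLE_INSTALLED is constructed data in `rpm -qa` form.

```python
import re

REQUIRED = [  # copied from the bug's "Required package version" list
    "libxml2-2.9.1-6.el7_9.6.x86_64.rpm",
    "libxml2-devel-2.9.1-6.el7_9.6.x86_64.rpm",
    "libxml2-python-2.9.1-6.el7_9.6.x86_64.rpm",
]

SAMPLE_INSTALLED = [  # constructed `rpm -qa` lines, not from a real StarlingX host
    "libxml2-2.9.1-6.el7_9.6.x86_64",
    "libxml2-devel-2.9.1-6.el7.5.x86_64",
    "libxml2-python-2.9.1-6.el7_9.6.x86_64",
    "zlib-1.2.7-18.el7.x86_64",
]

def rpmvercmp(a, b):
    """Segment-wise comparison in the style of rpm; returns -1, 0 or 1."""
    while True:
        a = re.sub(r"^[^A-Za-z0-9]+", "", a)   # separators carry no ordering
        b = re.sub(r"^[^A-Za-z0-9]+", "", b)
        if not a or not b:
            break
        numeric = a[0].isdigit()
        pattern = r"[0-9]+" if numeric else r"[A-Za-z]+"
        seg_a, match_b = re.match(pattern, a).group(), re.match(pattern, b)
        if match_b is None:                    # segment types differ: numeric is newer
            return 1 if numeric else -1
        seg_b = match_b.group()
        a, b = a[len(seg_a):], b[len(seg_b):]
        key_a, key_b = (int(seg_a), int(seg_b)) if numeric else (seg_a, seg_b)
        if key_a != key_b:
            return 1 if key_a > key_b else -1
    return (len(a) > 0) - (len(b) > 0)         # leftover segments make a string newer

def split_nvra(nvra):
    """Split name-version-release.arch[.rpm] into [name, version, release]."""
    nvr = nvra[:-4] if nvra.endswith(".rpm") else nvra
    return nvr.rsplit(".", 1)[0].rsplit("-", 2)

def audit(installed):
    """Return {package name: True if at or above the required build}."""
    required = {name: (ver, rel) for name, ver, rel in map(split_nvra, REQUIRED)}
    status = {}
    for line in installed:
        name, ver, rel = split_nvra(line)
        if name in required:                   # ignore packages the bug does not list
            order = rpmvercmp(ver, required[name][0]) or rpmvercmp(rel, required[name][1])
            status[name] = order >= 0
    return status
```

Calling `audit(SAMPLE_INSTALLED)` flags only the constructed `libxml2-devel` line as below the required build.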


Ghada Khalil (gkhalil) wrote:

Screening: Marking as medium priority as this CVE meets the StarlingX fix criteria. Should be fixed in stx master and cherrypicked to the r/stx.6.0 release branch at some point. However, we will not hold up the stx.6.0 release on this as CVEs can be reported at any time.

tags: added: stx.security
Changed in starlingx:
status: New → Triaged
importance: Undecided → High
tags: added: stx.7.0
Changed in starlingx:
assignee: nobody → Yue Tao (wrytao)
tags: added: stx.6.0
Ghada Khalil (gkhalil)
information type: Public → Public Security
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: Yue Tao (wrytao) → Joe Slater (jslater0wind)
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: High → Medium
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/822742

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/822742
Committed: https://opendev.org/starlingx/tools/commit/e225629101ad8a120b4d582f4200e1bf5c5f3cc5
Submitter: "Zuul (22348)"
Branch: master

commit e225629101ad8a120b4d582f4200e1bf5c5f3cc5
Author: Joe Slater <email address hidden>
Date: Wed Dec 22 11:31:09 2021 -0500

    libxml2: fix CVE-2016-4658

    Fix use after free memory corruption involving XPointer ranges by
    advancing to version 2.9.1-6.el7_9.6.

    Testing

    build-pkgs; build-iso (not used); create designer patch
    install patch
    execute sanity test
    remove patch
    execute sanity test

    --- sanity test ---
    #!/bin/python
    import libxml2, sys
    doc = libxml2.parseFile("/etc/firewalld/zones/public.xml")
    print doc.name
    ---

    Closes-Bug: 1954718
    Signed-off-by: Joe Slater <email address hidden>
    Change-Id: I18ca9f179b6db2f95dfd532f62195f69b29add9b

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil) wrote :

@Joe Slater, please cherry-pick this CVE fix to r/stx.6.0

tags: added: stx.cherrypickneeded
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (r/stx.6.0)

Fix proposed to branch: r/stx.6.0
Review: https://review.opendev.org/c/starlingx/tools/+/823369

OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (r/stx.6.0)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/823369
Committed: https://opendev.org/starlingx/tools/commit/f3d363232d4c90150e798a0e182d85ead81519f2
Submitter: "Zuul (22348)"
Branch: r/stx.6.0

commit f3d363232d4c90150e798a0e182d85ead81519f2
Author: Joe Slater <email address hidden>
Date: Wed Dec 22 11:31:09 2021 -0500

    libxml2: fix CVE-2016-4658

    Fix use after free memory corruption involving XPointer ranges by
    advancing to version 2.9.1-6.el7_9.6.

    Testing

    build-pkgs; build-iso (not used); create designer patch
    install patch
    execute sanity test
    remove patch
    execute sanity test

    --- sanity test ---
    #!/bin/python
    import libxml2, sys
    doc = libxml2.parseFile("/etc/firewalld/zones/public.xml")
    print doc.name
    ---

    Closes-Bug: 1954718
    Signed-off-by: Joe Slater <email address hidden>
    Change-Id: I18ca9f179b6db2f95dfd532f62195f69b29add9b
    (cherry picked from commit e225629101ad8a120b4d582f4200e1bf5c5f3cc5)

Ghada Khalil (gkhalil)
tags: added: in-r-stx60
removed: stx.cherrypickneeded
This report contains Public Security information  
Everyone can see this security related information.
