Libxml2 2.9.3 fails to parse multi-byte character in large CDATA section that is split across buffer

Bug #1652325 reported by Loïc Dardant
Affects           | Status       | Importance | Assigned to | Milestone
libxml2           | Fix Released | Medium     |             |
libxml2 (Ubuntu)  | Invalid      | Undecided  | Unassigned  |
Xenial            | Fix Released | Undecided  | Unassigned  |

Bug Description

Ubuntu 16.04 packages libxml2 version 2.9.3*, which contains a regression documented here: https://git.gnome.org/browse/libxml2/commit/?id=4f8606c13cb7f2684839f850b83de5ce647d3ca7

Full release notes of 2.9.4 can be seen here: http://xmlsoft.org/news.html

The bug affects the XML push parser, which fails with a bogus UTF-8 encoding error when a multi-byte character in a large CDATA section is split across buffers, which can be quite common.

As Xenial is an LTS version and this bug is quite *critical*, I wonder if we should provide an update to fix this one. If I remember correctly, we're not supposed to update a given package to a newer version for a given version of Ubuntu, but as this version of Ubuntu will be used on many servers in the coming years and XML parsing is quite a common task, it may help a lot of developers to have a backported fix for this issue.

Let me know if you need more information.
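As an added check, not part of this bug report or of libxml2 itself, the script below reproduces the condition described above against whatever libxml2 is installed, by driving the push parser through ctypes. It assumes libxml2 is available as a shared library and that the push parser validates pending CDATA bytes in 300-byte windows (XML_PARSER_BIG_BUFFER_SIZE in parser.c); a constructed document places a 3-byte character across that boundary and is fed one byte at a time so that `]]>` is not yet visible when the window is checked.

```python
import ctypes
import ctypes.util

# XML_PARSER_BIG_BUFFER_SIZE in libxml2's parser.c: while "]]>" has not arrived,
# pending CDATA bytes are checked in windows of this size (assumption: 300).
CDATA_WINDOW = 300

def build_split_cdata_document(char="\u20ac", window=CDATA_WINDOW, tail=1000):
    """Constructed XML document whose CDATA payload puts one multi-byte UTF-8
    character (3 bytes for U+20AC) across the first `window`-byte boundary."""
    payload = b"a" * (window - 1) + char.encode("utf-8") + b"b" * tail
    return b"<r><![CDATA[" + payload + b"]]></r>"

def _load_libxml2():
    name = ctypes.util.find_library("xml2") or "libxml2.so.2"
    try:
        return ctypes.CDLL(name)
    except OSError:
        return None

def probe_push_parser(doc, chunk_size=1):
    """Feed `doc` to the installed libxml2 push parser in `chunk_size`-byte pieces.
    Returns the first non-zero xmlParseChunk error code, 0 when the document is
    accepted, or None when libxml2 cannot be loaded. Keep chunks small: if "]]>"
    arrives together with the character, the windowed check is never used."""
    lib = _load_libxml2()
    if lib is None:
        return None
    lib.xmlInitParser()
    lib.xmlCreatePushParserCtxt.restype = ctypes.c_void_p
    lib.xmlCreatePushParserCtxt.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                            ctypes.c_char_p, ctypes.c_int, ctypes.c_char_p]
    lib.xmlParseChunk.restype = ctypes.c_int
    lib.xmlParseChunk.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.c_int, ctypes.c_int]
    lib.xmlCtxtReset.argtypes = [ctypes.c_void_p]
    lib.xmlFreeParserCtxt.argtypes = [ctypes.c_void_p]
    ctxt = lib.xmlCreatePushParserCtxt(None, None, None, 0, None)
    if not ctxt:
        raise RuntimeError("xmlCreatePushParserCtxt failed")
    rc = 0
    try:
        for off in range(0, len(doc), chunk_size):
            piece = doc[off:off + chunk_size]
            rc = rc or lib.xmlParseChunk(ctxt, piece, len(piece), 0)
        rc = rc or lib.xmlParseChunk(ctxt, None, 0, 1)  # terminate=1
    finally:
        lib.xmlCtxtReset(ctxt)  # also frees the document tree the parser built
        lib.xmlFreeParserCtxt(ctxt)
    return rc
```

A fixed libxml2 (2.9.4 or the patched Xenial package) returns 0; an affected 2.9.3 returns a non-zero error code after printing the "not proper UTF-8" message to stderr.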

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libxml2 (Ubuntu):
status: New → Confirmed
Joern Heissler (joernheissler) wrote :

I'm currently moving servers to 16.04. I'm affected by this bug.
Would you please fix it in 16.04? Cheers!

Changed in libxml2:
importance: Unknown → Medium
status: Unknown → Fix Released
Changed in libxml2 (Ubuntu Xenial):
status: New → Confirmed
Changed in libxml2 (Ubuntu):
status: Confirmed → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libxml2 - 2.9.3+dfsg1-1ubuntu0.2

---------------
libxml2 (2.9.3+dfsg1-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: format string vulnerabilities
    - debian/patches/CVE-2016-4448-1.patch: fix format string warnings in
      HTMLparser.c, SAX2.c, catalog.c, configure.ac, debugXML.c,
      encoding.c, entities.c, error.c, include/libxml/parserInternals.h,
      include/libxml/xmlerror.h, include/libxml/xmlstring.h, libxml.h,
      parser.c, parserInternals.c, relaxng.c, schematron.c, testModule.c,
      valid.c, xinclude.c, xmlIO.c, xmllint.c, xmlreader.c, xmlschemas.c,
      xmlstring.c, xmlwriter.c, xpath.c, xpointer.c.
    - debian/patches/CVE-2016-4448-2.patch: fix format string warnings in
      libxml.h, relaxng.c, xmlschemas.c, xmlstring.c.
    - debian/libxml2.symbols: added new symbol.
    - CVE-2016-4448
  * SECURITY UPDATE: use-after-free via namespace nodes in XPointer ranges
    - debian/patches/CVE-2016-4658.patch: disallow namespace nodes in
      XPointer ranges in xpointer.c.
    - CVE-2016-4658
  * SECURITY UPDATE: use-after-free in XPointer range-to function
    - debian/patches/CVE-2016-5131-1.patch: fix XPointer paths beginning
      with range-to in xpath.c, xpointer.c.
    - debian/patches/CVE-2016-5131-2.patch: fix comparison with root node
      in xmlXPathCmpNodes in xpath.c.
    - CVE-2016-5131
  * debian/patches/lp1652325.patch: XML push parser fails with bogus
    UTF-8 encoding error when multi-byte character in large CDATA section
    is split across buffer (LP: #1652325)

 -- Marc Deslauriers <email address hidden> Tue, 14 Mar 2017 16:06:13 -0400

Changed in libxml2 (Ubuntu Xenial):
status: Confirmed → Fix Released
Benjamin Bolton (benpbolton) wrote :

Confirming libxml2:amd64 (2.9.3+dfsg1-1ubuntu0.2) fixes the issue. Appreciate the release!
