Security update for libxml2
SUSE Security Update: Security update for libxml2
This is a LTSS rollup update for the libxml2 library that
fixes various security issues.
*
CVE-2013-2877: parser.c in libxml2 allowed remote
attackers to cause a denial of service (out-of-bounds read)
via a document that ends abruptly, related to the lack of
certain checks for the XML_PARSER_EOF state.
*
CVE-2013-0338: libxml2 allowed context-dependent
attackers to cause a denial of service (CPU and memory
consumption) via an XML file containing an entity
declaration with long replacement text and many references
to this entity, aka "internal entity expansion" with linear
complexity.
*
CVE-2012-5134: Heap-based buffer underflow in the
xmlParseAttValueComplex function in parser.c in libxml2
allowed remote attackers to cause a denial of service or
possibly execute arbitrary code via crafted entities in an
XML document.
*
CVE-2012-2807: Multiple integer overflows in libxml2
on 64-bit Linux platforms allowed remote attackers to cause
a denial of service or possibly have unspecified other
impact via unknown vectors.
*
CVE-2011-3102: Off-by-one error in libxml2 allowed
remote attackers to cause a denial of service
(out-of-bounds write) or possibly have unspecified other
impact via unknown vectors.
*
CVE-2012-0841: libxml2 computed hash values without
restricting the ability to trigger hash collisions
predictably, which allows context-dependent attackers to
cause a denial of service (CPU consumption) via crafted XML
data.
*
CVE-2011-3919: A heap-based buffer overflow during
decoding of entity references with overly long names has
been fixed.
Security Issue references:
* CVE-2013-0338
>
* CVE-2013-0339
>
* CVE-2012-5134
>
* CVE-2012-2807
>
* CVE-2011-3102
>
* CVE-2012-0841
>
* CVE-2011-3919
>
* CVE-2013-2877
>
| Announcement ID: | SUSE-SU-2013:1625-1 |
| Rating: | important |
| References: | #739894 #748561 #764538 #769184 #793334 #805233 #829077 |
| Affected Products: |
An update that fixes 8 vulnerabilities is now available.
Description:
This is a LTSS rollup update for the libxml2 library that
fixes various security issues.
*
CVE-2013-2877: parser.c in libxml2 allowed remote
attackers to cause a denial of service (out-of-bounds read)
via a document that ends abruptly, related to the lack of
certain checks for the XML_PARSER_EOF state.
*
CVE-2013-0338: libxml2 allowed context-dependent
attackers to cause a denial of service (CPU and memory
consumption) via an XML file containing an entity
declaration with long replacement text and many references
to this entity, aka "internal entity expansion" with linear
complexity.
*
CVE-2012-5134: Heap-based buffer underflow in the
xmlParseAttValueComplex function in parser.c in libxml2
allowed remote attackers to cause a denial of service or
possibly execute arbitrary code via crafted entities in an
XML document.
*
CVE-2012-2807: Multiple integer overflows in libxml2
on 64-bit Linux platforms allowed remote attackers to cause
a denial of service or possibly have unspecified other
impact via unknown vectors.
*
CVE-2011-3102: Off-by-one error in libxml2 allowed
remote attackers to cause a denial of service
(out-of-bounds write) or possibly have unspecified other
impact via unknown vectors.
*
CVE-2012-0841: libxml2 computed hash values without
restricting the ability to trigger hash collisions
predictably, which allows context-dependent attackers to
cause a denial of service (CPU consumption) via crafted XML
data.
*
CVE-2011-3919: A heap-based buffer overflow during
decoding of entity references with overly long names has
been fixed.
Security Issue references:
* CVE-2013-0338
* CVE-2013-0339
* CVE-2012-5134
* CVE-2012-2807
* CVE-2011-3102
* CVE-2012-0841
* CVE-2011-3919
* CVE-2013-2877
Package List:
- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):
- libxml2-2.6.23-15.39.1
- libxml2-devel-2.6.23-15.39.1
- libxml2-python-2.6.23-15.39.1
- SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):
- libxml2-32bit-2.6.23-15.39.1
- libxml2-devel-32bit-2.6.23-15.39.1
References:
- http://support.novell.com/security/cve/CVE-2011-3102.html
- http://support.novell.com/security/cve/CVE-2011-3919.html
- http://support.novell.com/security/cve/CVE-2012-0841.html
- http://support.novell.com/security/cve/CVE-2012-2807.html
- http://support.novell.com/security/cve/CVE-2012-5134.html
- http://support.novell.com/security/cve/CVE-2013-0338.html
- http://support.novell.com/security/cve/CVE-2013-0339.html
- http://support.novell.com/security/cve/CVE-2013-2877.html
- https://bugzilla.novell.com/739894
- https://bugzilla.novell.com/748561
- https://bugzilla.novell.com/764538
- https://bugzilla.novell.com/769184
- https://bugzilla.novell.com/793334
- https://bugzilla.novell.com/805233
- https://bugzilla.novell.com/829077
- http://download.suse.com/patch/finder/?keywords=a3fdb1e2e30b1877238605841d41d573