Bug 829077 - (CVE-2013-2877) VUL-1: CVE-2013-2877: libxml2: denial of service (out of bounds read) at EOF
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low; Severity: Normal
Assigned To: Vítězslav Čížek
Security Team bot
maint:released:sle10-sp4:54722 maint:...
Reported: 2013-07-11 14:38 UTC by Marcus Meissner
Modified: 2014-10-28 13:12 UTC

Description Marcus Meissner 2013-07-11 14:38:14 UTC
is public, via chrome release and cve db

parser.c in libxml2 before 2.9.0, as used in Google Chrome before
28.0.1500.71 and other products, allows remote attackers to cause a
denial of service (out-of-bounds read) via a document that ends
abruptly, related to the lack of certain checks for the XML_PARSER_EOF
state.

http://git.chromium.org/gitweb/?p=chromium/chromium.git;a=commit;h=e5d7f7e5dc21d3ae7be3cbb949ac4d8701e06de1
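
Added illustration (not part of the bug report and not libxml2 code): a toy C parser showing the bug class the description names, a caller that keeps reading after a helper has entered the end-of-input state, next to the same caller with the state check. All identifiers (pctx, PS_EOF, parse_tag, parse_doc) and the sample inputs are constructed for this example; out-of-range reads are counted rather than performed.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model with hypothetical names; this is not libxml2 source. */
enum pstate { PS_CONTENT, PS_EOF };

struct pctx {
    const char *buf;   /* input, length-delimited, not NUL-terminated */
    size_t len, pos;
    enum pstate state;
    int oob_reads;     /* reads that would have landed outside buf */
};

/* Stand-in for a raw cursor dereference: out-of-range access is counted. */
static char peek(struct pctx *c) {
    if (c->pos >= c->len) { c->oob_reads++; return 0; }
    return c->buf[c->pos];
}

/* Consume a name; if the input runs out first, enter the EOF state. */
static void parse_name(struct pctx *c) {
    while (c->pos < c->len) {
        char ch = c->buf[c->pos];
        if (!((ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z'))) return;
        c->pos++;
    }
    c->state = PS_EOF;
}

/* Parse "<name>". check_eof == 0 models the missing check: the caller
 * keeps reading after parse_name() reached end of input.
 * Returns 0 on success, -1 on a parse error. */
static int parse_tag(struct pctx *c, int check_eof) {
    if (c->len == 0 || c->buf[0] != '<') return -1;
    c->pos = 1;
    parse_name(c);
    if (check_eof && c->state == PS_EOF) return -1;  /* stop at EOF */
    return peek(c) == '>' ? 0 : -1;
}

/* Parse one document; *oob receives the count of would-be OOB reads. */
int parse_doc(const char *doc, size_t len, int check_eof, int *oob) {
    struct pctx c = { doc, len, 0, PS_CONTENT, 0 };
    int rc = parse_tag(&c, check_eof);
    *oob = c.oob_reads;
    return rc;
}

int main(void) {
    int oob, rc = parse_doc("<root", 5, 0, &oob);  /* constructed input */
    printf("unchecked: rc=%d oob=%d\n", rc, oob);
    rc = parse_doc("<root", 5, 1, &oob);
    printf("checked:   rc=%d oob=%d\n", rc, oob);
    return 0;
}
```

Both variants reject the truncated document; only the one that tests the state after the helper returns does so without touching memory past the end of the input.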
Comment 2 Bernhard Wiedemann 2013-07-11 16:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (829077) was mentioned in
https://build.opensuse.org/request/show/182857 Maintenance /
Comment 3 Swamp Workflow Management 2013-07-11 22:00:33 UTC
bugbot adjusting priority
Comment 4 Bernhard Wiedemann 2013-07-18 16:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (829077) was mentioned in
https://build.opensuse.org/request/show/183678 Evergreen:11.2 / libxml2
Comment 5 Swamp Workflow Management 2013-07-19 09:04:21 UTC
openSUSE-SU-2013:1221-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 829077
CVE References: CVE-2013-2877
Sources used:
openSUSE 12.3 (src):    libxml2-2.9.0-2.17.1, python-libxml2-2.9.0-2.17.1
openSUSE 12.2 (src):    libxml2-2.7.8+git20120223-8.30.1, python-libxml2-2.7.8+git20120223-8.30.1
Comment 6 Bernhard Wiedemann 2013-07-24 13:00:16 UTC
This is an autogenerated message for OBS integration:
This bug (829077) was mentioned in
https://build.opensuse.org/request/show/184191 Evergreen:11.2 / libxml2
Comment 7 Swamp Workflow Management 2013-07-24 13:04:24 UTC
openSUSE-SU-2013:1246-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 829077
CVE References: CVE-2013-2877
Sources used:
openSUSE 11.4 (src):    libxml2-2.7.8-45.1
Comment 13 Swamp Workflow Management 2013-11-04 12:51:25 UTC
Update released for: libxml2, libxml2-32bit, libxml2-debuginfo, libxml2-devel, libxml2-devel-32bit, libxml2-python, libxml2-python-debuginfo, libxml2-test
Products:
SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64)
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Comment 14 Swamp Workflow Management 2013-11-04 13:04:17 UTC
Update released for: libxml2, libxml2-32bit, libxml2-debuginfo, libxml2-devel, libxml2-devel-32bit, libxml2-python, libxml2-python-debuginfo, libxml2-test
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 15 Swamp Workflow Management 2013-11-04 13:04:34 UTC
Update released for: libxml2, libxml2-32bit, libxml2-debuginfo, libxml2-devel, libxml2-devel-32bit, libxml2-python, libxml2-python-debuginfo, libxml2-test
Products:
SLE-DEBUGINFO 10-SP4 (i386, s390x, x86_64)
SLE-SERVER 10-SP4-LTSS (i386, s390x, x86_64)
Comment 17 Swamp Workflow Management 2014-01-28 11:52:30 UTC
Update released for: libxml2, libxml2-32bit, libxml2-64bit, libxml2-debuginfo, libxml2-debuginfo-32bit, libxml2-debuginfo-64bit, libxml2-debuginfo-x86, libxml2-debugsource, libxml2-devel, libxml2-devel-32bit, libxml2-devel-64bit, libxml2-doc, libxml2-python, libxml2-python-debuginfo, libxml2-python-debugsource, libxml2-x86
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 18 Swamp Workflow Management 2014-01-28 11:58:43 UTC
Update released for: libxml2, libxml2-32bit, libxml2-64bit, libxml2-debuginfo, libxml2-debuginfo-32bit, libxml2-debuginfo-64bit, libxml2-debuginfo-x86, libxml2-debugsource, libxml2-devel, libxml2-devel-32bit, libxml2-devel-64bit, libxml2-doc, libxml2-python, libxml2-python-debuginfo, libxml2-python-debugsource, libxml2-x86
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 19 Swamp Workflow Management 2014-01-28 12:05:51 UTC
Update released for: libxml2, libxml2-debuginfo, libxml2-debugsource, libxml2-devel, libxml2-doc
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 20 Swamp Workflow Management 2014-01-28 12:46:40 UTC
Update released for: libxml2, libxml2-32bit, libxml2-debuginfo, libxml2-debuginfo-32bit, libxml2-debuginfo-x86, libxml2-debugsource, libxml2-devel, libxml2-devel-32bit, libxml2-doc, libxml2-python, libxml2-python-debuginfo, libxml2-python-debugsource, libxml2-x86
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Comment 21 Sebastian Krahmer 2014-01-28 14:40:39 UTC
released
Comment 22 Swamp Workflow Management 2014-01-28 16:04:31 UTC
SUSE-SU-2014:0150-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 829077,854869
CVE References: CVE-2013-2877
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    libxml2-2.7.6-0.25.1
SUSE Linux Enterprise Software Development Kit 11 SP2 (src):    libxml2-2.7.6-0.25.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    libxml2-2.7.6-0.25.1, libxml2-python-2.7.6-0.25.1
SUSE Linux Enterprise Server 11 SP3 (src):    libxml2-2.7.6-0.25.1, libxml2-python-2.7.6-0.25.1
SUSE Linux Enterprise Server 11 SP2 for VMware (src):    libxml2-2.7.6-0.25.1, libxml2-python-2.7.6-0.25.1
SUSE Linux Enterprise Server 11 SP2 (src):    libxml2-2.7.6-0.25.1, libxml2-python-2.7.6-0.25.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    libxml2-2.7.6-0.25.1, libxml2-python-2.7.6-0.25.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    libxml2-2.7.6-0.25.1, libxml2-python-2.7.6-0.25.1
SUSE Linux Enterprise Desktop 11 SP2 (src):    libxml2-2.7.6-0.25.1, libxml2-python-2.7.6-0.25.1