Bug 1078813 - (CVE-2016-5131) VUL-0: CVE-2016-5131: libxml2: chromium-browser: use-after-free in libxml
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/171180/
CVSSv3:SUSE:CVE-2016-5131:8.8:(AV:N/A...
Reported: 2018-02-01 16:16 UTC by Marcus Meissner
Modified: 2020-06-11 12:18 UTC (History)
Found By: Security Response Team


Attachments
uaf.xsl (1.41 KB, text/plain)
2018-02-01 16:21 UTC, Marcus Meissner
range-to-uaf-poc.xml (57 bytes, text/plain)
2018-02-01 16:22 UTC, Marcus Meissner
Patches for SLE-1{0,1,2} (2.83 KB, application/gzip)
2018-02-02 13:54 UTC, Pedro Monreal Gonzalez

Comment 3 Marcus Meissner 2018-02-01 16:21:53 UTC
Created attachment 758444
uaf.xsl

QA REPRODUCER file 1: uaf.xsl
Comment 4 Marcus Meissner 2018-02-01 16:22:40 UTC
Created attachment 758446
range-to-uaf-poc.xml

QA REPRODUCER:

xsltproc range-to-uaf-poc.xml

should not crash.

(It currently does not for me ... weird.)
Comment 5 Marcus Meissner 2018-02-01 16:25:33 UTC
Ah, you need to run it with valgrind.

QA REPRODUCER:

valgrind xsltproc range-to-uaf-poc.xml

should not report:
==31571== Invalid write of size 8
...
==31571==  Address 0x64b3700 is 432 bytes inside a block of size 640 free'd
==31571==    at 0x4C2A1AC: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)

and similar errors.
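
The pass/fail criterion from the reproducer comments above, as an added example that is not part of the bug report: a shell function that grades a saved valgrind log. The function name `qa_verdict` and the log file names are assumptions; the sample logs are constructed from the memcheck lines quoted in this bug.

```shell
#!/bin/sh
# Added example (not from the bug report): grade a saved memcheck log.
# valgrind writes its report to stderr, so a log can be captured with e.g.
#   valgrind xsltproc range-to-uaf-poc.xml 2> run.log   (run.log is an assumed name)

# Print FAIL if memcheck reported an invalid access or a non-zero error
# count, PASS if the summary shows 0 errors, UNKNOWN if no summary is present.
qa_verdict() {
    awk '
        /^==[0-9]+== Invalid (read|write) of size/ { invalid++ }
        /^==[0-9]+== +Address 0x[0-9a-fA-F]+ is .* free.d/ { freed++ }
        /^==[0-9]+== ERROR SUMMARY: / { summary = 1; errors = $4 + 0 }
        END {
            if (invalid > 0 || (summary && errors > 0)) {
                printf "FAIL invalid=%d freed=%d\n", invalid, freed
            } else if (summary) {
                print "PASS"
            } else {
                print "UNKNOWN"
            }
        }
    ' "$1"
}

# Constructed sample logs. The first three lines of unpatched.log are the
# ones quoted in the bug; its ERROR SUMMARY line is constructed.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/unpatched.log" <<'EOF'
==31571== Invalid write of size 8
==31571==  Address 0x64b3700 is 432 bytes inside a block of size 640 free'd
==31571==    at 0x4C2A1AC: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31571== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
EOF

cat > "$SAMPLE_DIR/patched.log" <<'EOF'
==5477== LEAK SUMMARY:
==5477==    definitely lost: 0 bytes in 0 blocks
==5477== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
EOF

echo "unpatched: $(qa_verdict "$SAMPLE_DIR/unpatched.log")"
echo "patched:   $(qa_verdict "$SAMPLE_DIR/patched.log")"
```

A log with no ERROR SUMMARY line is reported as UNKNOWN rather than PASS, so a run that died before valgrind finished is not mistaken for a clean result.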
Comment 6 Pedro Monreal Gonzalez 2018-02-02 13:53:08 UTC
Packages submitted:

openSUSE:Factory        2.9.7      Fixed upstream
SUSE:SLE-15             2.9.7      Fixed upstream
SUSE:SLE-12-SP2:Update  2.9.4      libxml2-2.9.4-CVE-2016-5131.patch sr#153759
SUSE:SLE-11-SP1:Update  2.7.6      libxml2-2.7.6-CVE-2016-5131.patch sr#153763
SUSE:SLE-10-SP3:Update  2.6.23     libxml2-2.7.6-CVE-2016-5131.patch sr#153764

Note that also libxml2-xmlXPathCmpNodes.patch is needed for the tests to pass.
Comment 7 Pedro Monreal Gonzalez 2018-02-02 13:54:14 UTC
Tested in polio in all codestreams, results:

==5477== HEAP SUMMARY:
==5477==     in use at exit: 304 bytes in 15 blocks
==5477==   total heap usage: 782 allocs, 767 frees, 243,214 bytes allocated
==5477==
==5477== LEAK SUMMARY:
==5477==    definitely lost: 0 bytes in 0 blocks
==5477==    indirectly lost: 0 bytes in 0 blocks
==5477==      possibly lost: 0 bytes in 0 blocks
==5477==    still reachable: 304 bytes in 15 blocks
==5477==         suppressed: 0 bytes in 0 blocks
==5477==
==5477== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Comment 8 Pedro Monreal Gonzalez 2018-02-02 13:54:43 UTC
Created attachment 758616
Patches for SLE-1{0,1,2}
Comment 11 Swamp Workflow Management 2018-02-06 12:28:28 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-02-20.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63962
Comment 12 Swamp Workflow Management 2018-02-08 11:12:03 UTC
SUSE-SU-2018:0395-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1069689,1077993,1078806,1078813
CVE References: CVE-2016-5131,CVE-2017-15412,CVE-2017-16932,CVE-2017-5130
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libxml2-2.7.6-0.77.10.1
SUSE Linux Enterprise Server 11-SP4 (src):    libxml2-2.7.6-0.77.10.1, libxml2-python-2.7.6-0.77.10.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libxml2-2.7.6-0.77.10.1, libxml2-python-2.7.6-0.77.10.1
Comment 13 Swamp Workflow Management 2018-02-08 20:07:48 UTC
SUSE-SU-2018:0401-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1077993,1078806,1078813
CVE References: CVE-2016-5131,CVE-2017-15412,CVE-2017-5130
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libxml2-2.9.4-46.12.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libxml2-2.9.4-46.12.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libxml2-2.9.4-46.12.1, python-libxml2-2.9.4-46.12.1
SUSE Linux Enterprise Server 12-SP3 (src):    libxml2-2.9.4-46.12.1, python-libxml2-2.9.4-46.12.1
SUSE Linux Enterprise Server 12-SP2 (src):    libxml2-2.9.4-46.12.1, python-libxml2-2.9.4-46.12.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libxml2-2.9.4-46.12.1, python-libxml2-2.9.4-46.12.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    libxml2-2.9.4-46.12.1, python-libxml2-2.9.4-46.12.1
SUSE CaaS Platform ALL (src):    libxml2-2.9.4-46.12.1
OpenStack Cloud Magnum Orchestration 7 (src):    libxml2-2.9.4-46.12.1
Comment 14 Swamp Workflow Management 2018-02-09 23:08:29 UTC
openSUSE-SU-2018:0418-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1077993,1078806,1078813
CVE References: CVE-2016-5131,CVE-2017-15412,CVE-2017-5130
Sources used:
openSUSE Leap 42.3 (src):    libxml2-2.9.4-15.1, python-libxml2-2.9.4-15.1
Comment 15 Marcus Meissner 2018-02-10 10:41:34 UTC
released