Wind River Support Network

Fixed

LIN6-10040 : CLONE - Multiple XML Parsing Vulnerabilities

Created: Jun 18, 2015    Updated: Dec 3, 2018
Resolved Date: Jun 18, 2015
Previous ID: LIN4-32799
Found In Version: 6.0.0.20
Fix Version: 6.0.0.22
Severity: Standard
Applicable for: Wind River Linux 6
Component/s: Kernel

Description

Customer came across a security notification for which no CVE has been reported: libxml = 2.9.2 - Multiple XML Parsing Vulnerabilities

But the description of the vulnerability still talks about libxml2. 

Description:

Some vulnerabilities have been reported in libxml2, which can be exploited by malicious people to disclose potentially sensitive information and cause a DoS (Denial of Service) of an application using the library.

1) A boundary error when parsing XML comments can be exploited to cause out-of-bounds read memory accesses via an unterminated XML comment.

2) Some boundary errors when parsing XML data can be exploited to cause out-of-bounds read memory accesses.

The vulnerabilities are reported in version 2.9.2. Other versions may also be affected. 

Vendor Affected Components: 
libxml = 2.9.2 

And we found an open source patch at the link below:
https://bugzilla.gnome.org/show_bug.cgi?id=746048

So could you please let us know whether the changes seen in the open source patch, in HTMLparser.c, are applicable to the libxml2 package as well? If so, could you please provide the patch for this defect.

We have already received this patch for CVE-2015-1819. But we came across another notification, as mentioned by me previously, which does not have any CVE ID:

libxml = 2.9.2 - Multiple XML Parsing Vulnerabilities

The affected vendor component mentioned is libxml, but the description still talks about the libxml2 package, and the open source patch linked above changes a different file (HTMLparser.c) from the patch given for CVE-2015-1819 (where the changes are in tree.h, tree.c and xmlreader.c).

Hence could you please confirm if this is a different issue and a fix is available for this vulnerability as well and if it is applicable to libxml2?
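The advisory quoted above describes the bug class only in one sentence: a comment scanner that keeps reading past the end of its input when the closing "-->" never arrives. The following is an added illustration of that class and of the defensive pattern that closes it (carrying an explicit length and checking the remaining bytes before every look-ahead). It is constructed for this ticket; it is not libxml2's code and not the HTMLparser.c patch from the bugzilla link, and the function and enum names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the constructed comment scanner (hypothetical names). */
enum comment_status {
    COMMENT_OK = 0,          /* well-formed "<!-- ... -->" starts at buf[0] */
    COMMENT_NOT_A_COMMENT,   /* buffer does not start with "<!--" */
    COMMENT_UNTERMINATED,    /* input ran out before "-->" was seen */
    COMMENT_DOUBLE_HYPHEN    /* "--" inside the body, forbidden by XML 1.0 */
};

/*
 * Scan an XML comment beginning at buf[0] without ever touching buf[len] or
 * beyond. Every look-ahead is guarded by a remaining-length test, so an
 * unterminated comment runs out of bytes and is reported as such instead of
 * reading whatever happens to follow the buffer. On COMMENT_OK, *consumed
 * receives the number of bytes the comment occupies, including "-->".
 * Constructed example; not libxml2's implementation.
 */
enum comment_status scan_comment(const char *buf, size_t len, size_t *consumed)
{
    size_t i;

    /* At least the 4-byte opener must be present before reading anything. */
    if (len < 4 || memcmp(buf, "<!--", 4) != 0)
        return COMMENT_NOT_A_COMMENT;

    for (i = 4; i < len; i++) {
        if (buf[i] != '-')
            continue;
        /* Fewer than three bytes left: "-->" cannot fit, so do not peek. */
        if (i + 2 >= len)
            return COMMENT_UNTERMINATED;
        if (buf[i + 1] == '-') {
            if (buf[i + 2] == '>') {
                *consumed = i + 3;
                return COMMENT_OK;
            }
            /* "--" not followed by '>' is illegal inside a comment body. */
            return COMMENT_DOUBLE_HYPHEN;
        }
    }
    return COMMENT_UNTERMINATED;
}

/*
 * The case the advisory describes: an unterminated comment that is also not
 * NUL-terminated, so any scanner that relies on a terminator instead of the
 * length would walk off the end of the array. Constructed input.
 */
enum comment_status check_unterminated_without_nul(void)
{
    static const char input[] = { '<', '!', '-', '-', ' ', 'x', ' ', '-' };
    size_t consumed = 0;
    return scan_comment(input, sizeof input, &consumed);
}

int main(void)
{
    /* Constructed sample inputs covering each outcome. */
    const char *samples[] = {
        "<!-- ok -->", "<!---->", "<!-- never closed", "<!-- a -- b -->", "<a/>"
    };
    size_t n;
    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        size_t consumed = 0;
        enum comment_status st = scan_comment(samples[n], strlen(samples[n]), &consumed);
        printf("%-20s -> status %d, consumed %zu\n", samples[n], (int)st, consumed);
    }
    printf("unterminated, no NUL -> status %d\n", (int)check_unterminated_without_nul());
    return 0;
}
```

The point a reviewer checks in a fix of this kind is that every read of buf[i + k] is preceded by a test that i + k is still below len; in the scanner above that test is the `i + 2 >= len` guard, and the non-NUL-terminated sample exercises exactly the path where a terminator-based loop would read past the buffer.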
