Fixed
Created: Jun 18, 2015
Updated: Dec 3, 2018
Resolved Date: Jun 18, 2015
Previous ID: LIN4-32799
Found In Version: 6.0.0.20
Fix Version: 6.0.0.22
Severity: Standard
Applicable for: Wind River Linux 6
Component/s: Kernel
Customer came across a security notification for which no CVE has been reported: libxml = 2.9.2 - Multiple XML Parsing Vulnerabilities
But the description of the vulnerability still talks about libxml2.
Description:
Some vulnerabilities have been reported in libxml2, which can be exploited by malicious people to disclose potentially sensitive information and cause a DoS (Denial of Service) of an application using the library.
1) A boundary error when parsing XML comments can be exploited to cause out-of-bounds read memory accesses via an unterminated XML comment.
2) Some boundary errors when parsing XML data can be exploited to cause out-of-bounds read memory accesses.
The vulnerabilities are reported in version 2.9.2. Other versions may also be affected.
Vendor Affected Components:
libxml = 2.9.2
And we found an open source patch at the link below:
https://bugzilla.gnome.org/show_bug.cgi?id=746048
So could you please let us know if the above changes seen in the open source patch, in HTMLparser.c, are applicable to the libxml2 package as well? If so, could you please provide the patch for this defect.
We have already received this patch for CVE-2015-1819. But we came across another notification, as mentioned by me previously, which does not have any CVE ID:
libxml = 2.9.2 - Multiple XML Parsing Vulnerabilities
The affected vendor component mentioned is libxml, but the description still talks about the libxml2 package, and the open source patch link above has a change in a different file (HTMLparser.c), which is different from the patch given for CVE-2015-1819 (where the changes are in tree.h, tree.c and xmlreader.c).
Hence, could you please confirm whether this is a different issue, whether a fix is available for this vulnerability as well, and whether it is applicable to libxml2?