CVE-2015-8035: DoS with XZ compression support loop

Debian Bug report logs - #803942
CVE-2015-8035: DoS with XZ compression support loop

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>

To: submit@bugs.debian.org

Subject: CVE-2015-8035: DoS with XZ compression support loop

Date: Tue, 3 Nov 2015 14:50:15 +0100

Package: libxml2
Severity: important
Tags: security patch fixed-upstream
Control: forwarded -1 https://bugzilla.gnome.org/show_bug.cgi?id=757466

Hi,

the following vulnerability was published for libxml2.

CVE-2015-8035[0]: DoS if xz enabled

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8035
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8035
    Please adjust the affected versions in the BTS as needed.

The upstream patch is here:
https://git.gnome.org/browse/libxml2/commit/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63

wheezy/jessie are affected.

sid is not affected because XZ support is currently broken but it will be
fixed in the next upstream release.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Message #20 received at 803942-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 803942-close@bugs.debian.org

Subject: Bug#803942: fixed in libxml2 2.9.1+dfsg1-5+deb8u1

Date: Sun, 27 Dec 2015 17:32:09 +0000

Source: libxml2
Source-Version: 2.9.1+dfsg1-5+deb8u1

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 803942@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 19 Dec 2015 15:29:45 +0100
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-utils-dbg libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: all source
Version: 2.9.1+dfsg1-5+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 782782 782985 783010 802827 803942 806384
Description: 
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 libxml2-utils-dbg - XML utilities (debug extension)
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Changes:
 libxml2 (2.9.1+dfsg1-5+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add patches to address CVE-2015-7941.
     CVE-2015-7941: Denial of service via out-of-bounds read. (Closes: #783010)
   * Add 0058-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch.
     CVE-2015-1819: Enforce the reader to run in constant memory.
     (Closes: #782782)
   * Add patches to address CVE-2015-8317.
     CVE-2015-8317: Out-of-bounds heap read when parsing file with unfinished
     xml declaration.
   * Add patches to address CVE-2015-7942.
     CVE-2015-7942: heap-based buffer overflow in
     xmlParseConditionalSections(). (Closes: #802827)
   * Add 0063-Fix-parsing-short-unclosed-comment-uninitialized-acc.patch patch.
     Parsing an unclosed comment can result in `Conditional jump or move
     depends on uninitialised value(s)` and unsafe memory access.
     (Closes: #782985)
   * Add 0064-CVE-2015-8035-Fix-XZ-compression-support-loop.patch patch.
     CVE-2015-8035: DoS when parsing specially crafted XML document if XZ
     support is enabled. (Closes: #803942)
   * Add 0065-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch patch.
     CVE-2015-8241: Buffer overread with XML parser in xmlNextChar.
     (Closes: #806384)
   * Add 0066-Avoid-processing-entities-after-encoding-conversion-.patch patch.
     CVE-2015-7498: Heap-based buffer overflow in xmlParseXmlDecl.
   * Add 0067-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch patch.
     CVE-2015-7497: Heap-based buffer overflow in xmlDictComputeFastQKey.
   * Add 0068-CVE-2015-5312-Another-entity-expansion-issue.patch patch.
     CVE-2015-5312: CPU exhaustion when processing specially crafted XML
     input.
   * Add patches to address CVE-2015-7499.
     CVE-2015-7499: Heap-based buffer overflow in xmlGROW.
   * Add 0071-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch patch.
     CVE-2015-7500: Heap buffer overflow in xmlParseMisc.
Checksums-Sha1: 
 4d69762c6f1d5f748daf80b712a18e5a94a8d947 2591 libxml2_2.9.1+dfsg1-5+deb8u1.dsc
 357366e7afc9dd03ba883c605d5c369decb2b2e1 3793894 libxml2_2.9.1+dfsg1.orig.tar.gz
 004a1df14622f17e21971e6830a04625e51bbebb 48620 libxml2_2.9.1+dfsg1-5+deb8u1.debian.tar.xz
 98aa0e0043be46271211df7f063675b70f15f092 814120 libxml2-doc_2.9.1+dfsg1-5+deb8u1_all.deb
Checksums-Sha256: 
 edf831eba01aedd2643c3f867d9e2cab00242983f801b268019307901517ef9f 2591 libxml2_2.9.1+dfsg1-5+deb8u1.dsc
 f3ec5256412192f74833286c4490672500b232ed1c9195214db2c641df064a28 3793894 libxml2_2.9.1+dfsg1.orig.tar.gz
 03e6e7ece4183fb8028688c0cec39b55dce60d7f67c8351c5655801d9e79c7ac 48620 libxml2_2.9.1+dfsg1-5+deb8u1.debian.tar.xz
 e2a1e9b873a324286ec89828b8bf0f629f3ccf482a77eeff7a7c2314e5863c53 814120 libxml2-doc_2.9.1+dfsg1-5+deb8u1_all.deb
Files: 
 0f86c710bec848296ce3180fe830a6a9 2591 libs optional libxml2_2.9.1+dfsg1-5+deb8u1.dsc
 5f111980c06f927a62492b7b9781b7bf 3793894 libs optional libxml2_2.9.1+dfsg1.orig.tar.gz
 89ca676465cdde570e22ff4588abc937 48620 libs optional libxml2_2.9.1+dfsg1-5+deb8u1.debian.tar.xz
 f281fb339413bae63912385a43997eb1 814120 doc optional libxml2-doc_2.9.1+dfsg1-5+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWdcofAAoJEAVMuPMTQ89EALIP/RcI05QIxyi8O0ImrlDUGkBB
sLLUMjidLMTTvsYXovxRB+4KSx8UWD9gqmoakNvy6j6J6tpNKdTkEBDke9DkHIQz
TOaMLoOVouXo0bhc8+gUEI1D5z6OiNpHzmkzoof9CSRwoFVYJHnRFPi6z22i14NZ
wgFkCS/gd2ltPVwFP+4wPEOdWs7VuZfCfxJrzQwlr5Mna5z8tlyMRq3I8FIf3Nps
QMcuBMlSXq3SC0I2Ln9paZWXo8u1JMHU0Dp60tD6C8O/DLw0hD+XAiiJ+CKATRyn
WJIJ7m9DEivBjoMq3eiv3KnMQkIZYDapq2SrDGSoX6Jnxyga1wgPDnvhCGCsY+r7
Wu5YxAR824RewiyZKhtDfXctzhx/pRWPvADAMG3IhqxiswPnXcfKIDe7eVexLDxl
qvv6XhyApRTmMpepSA1Vve9Ey2r72ICkdLn9cL8UckY+ng6XVIODmEC+PflaBKAR
PqVgixpjMhaFjmujINo7ri/iKPvQg587Zv9SwZPXtmSUkww1Wvk4uvV2V70Ukt5u
hEtPRP49d+I/hvZrXgCPugwB0NnCCJHnS1vfvxx2uMEjpImYMfCVPpZ8VJ1YgvIF
QGpUoDR7AVyK9//oeywUB4HyhVG+DhuCSGa4NEW7DdWH/zKEh00hi9RlqhOSwc1J
7kjdF6ts94FQ+g4AaCqF
=aIbj
-----END PGP SIGNATURE-----

Message #25 received at 803942-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 803942-close@bugs.debian.org

Subject: Bug#803942: fixed in libxml2 2.8.0+dfsg1-7+wheezy5

Date: Sun, 27 Dec 2015 21:47:46 +0000

Source: libxml2
Source-Version: 2.8.0+dfsg1-7+wheezy5

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 803942@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 19 Dec 2015 15:25:28 +0100
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-utils-dbg libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.8.0+dfsg1-7+wheezy5
Distribution: wheezy-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 libxml2-utils-dbg - XML utilities (debug extension)
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 782782 782985 783010 802827 803942 806384
Changes: 
 libxml2 (2.8.0+dfsg1-7+wheezy5) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add patches to address CVE-2015-7941.
     CVE-2015-7941: Denial of service via out-of-bounds read. (Closes: #783010)
   * Add CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch.
     CVE-2015-1819: Enforce the reader to run in constant memory.
     Thanks to Mike Gabriel for the patch backport. (Closes: #782782)
   * Add patches to address CVE-2015-8317.
     CVE-2015-8317: Out-of-bounds heap read when parsing file with unfinished
     xml declaration.
   * Add patches to address CVE-2015-7942.
     CVE-2015-7942: heap-based buffer overflow in
     xmlParseConditionalSections(). (Closes: #802827)
   * Add Fix-parsing-short-unclosed-comment-uninitialized-acc.patch patch.
     Parsing an unclosed comment can result in `Conditional jump or move
     depends on uninitialised value(s)` and unsafe memory access.
     (Closes: #782985)
   * Add CVE-2015-8035-Fix-XZ-compression-support-loop.patch patch.
     CVE-2015-8035: DoS when parsing specially crafted XML document if XZ
     support is enabled. (Closes: #803942)
   * Add Avoid-extra-processing-of-MarkupDecl-when-EOF.patch patch.
     CVE-2015-8241: Buffer overread with XML parser in xmlNextChar.
     (Closes: #806384)
   * Add Avoid-processing-entities-after-encoding-conversion-.patch patch.
     CVE-2015-7498: Heap-based buffer overflow in xmlParseXmlDecl.
   * Add CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch patch.
     CVE-2015-7497: Heap-based buffer overflow in xmlDictComputeFastQKey.
   * Add CVE-2015-5312-Another-entity-expansion-issue.patch patch.
     CVE-2015-5312: CPU exhaustion when processing specially crafted XML
     input.
   * Add patches to address CVE-2015-7499.
     CVE-2015-7499: Heap-based buffer overflow in xmlGROW.
     Add a specific parser error (XML_ERR_USER_STOP), backported from
     e50ba8164eee06461c73cd8abb9b46aa0be81869 upstream (commit to address
     CVE-2013-2877, the "Try to stop parsing as quickly as possible" was not
     backported).
   * Add CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch patch.
     CVE-2015-7500: Heap buffer overflow in xmlParseMisc.
Checksums-Sha1: 
 288964c2971b07359e0d1da50497c032157c4fc6 2500 libxml2_2.8.0+dfsg1-7+wheezy5.dsc
 a0fcbc474df4bfaa2a1c6711615ba5a7d79a1208 52569 libxml2_2.8.0+dfsg1-7+wheezy5.debian.tar.gz
 f0b48ad89ecf03785bd5e0a4426e240c866debe8 906394 libxml2_2.8.0+dfsg1-7+wheezy5_amd64.deb
 586bb37db8a93138431c3f82e70edb6a9ca34be0 97750 libxml2-utils_2.8.0+dfsg1-7+wheezy5_amd64.deb
 9fe4a33411ce00a2f154b8c738f3c66a991f4726 128438 libxml2-utils-dbg_2.8.0+dfsg1-7+wheezy5_amd64.deb
 be65e2f8d70d3617162bec08930bfeb7ddd0661a 904114 libxml2-dev_2.8.0+dfsg1-7+wheezy5_amd64.deb
 9eff034a330f6ea6c4b406533e66bc6590baf4af 1403666 libxml2-dbg_2.8.0+dfsg1-7+wheezy5_amd64.deb
 1b4cf22fda8d5155bad1f18fa0531dc19654b780 1398210 libxml2-doc_2.8.0+dfsg1-7+wheezy5_all.deb
 af3bb078f593e1957c5e48642a5fa88f09a714e0 347140 python-libxml2_2.8.0+dfsg1-7+wheezy5_amd64.deb
 36341f7a5caddf119711ff4c13b06e476959794a 729548 python-libxml2-dbg_2.8.0+dfsg1-7+wheezy5_amd64.deb
Checksums-Sha256: 
 454b8a84b9c34a9ebd61c003756211fa6dcf6080f2cb415217bb339bad6fbb4f 2500 libxml2_2.8.0+dfsg1-7+wheezy5.dsc
 599affacd35df3b12f2860990469d59235c4c8446051b578de0f9666126eca5b 52569 libxml2_2.8.0+dfsg1-7+wheezy5.debian.tar.gz
 d407b28f5397676ef7122b6196e087bf806d613ca43a68494c80e743235f30f7 906394 libxml2_2.8.0+dfsg1-7+wheezy5_amd64.deb
 ce33a35a137f09d1f9d77fb1fd6dce3ac4a19c3f16bee087eb3e768bf880ab3b 97750 libxml2-utils_2.8.0+dfsg1-7+wheezy5_amd64.deb
 c3623fa4a037571ec2b8b726bfcb06aeccfe6dee953a64ea6b8b2b93d1cd1d92 128438 libxml2-utils-dbg_2.8.0+dfsg1-7+wheezy5_amd64.deb
 3cf0d5b5ea97818a470abb2ca7b9b258c445a469d937518cd2a82421a4244de3 904114 libxml2-dev_2.8.0+dfsg1-7+wheezy5_amd64.deb
 3e24c0b57c5b327c6e192d94f5a5972c4f42f1552ff7730b5b1583b9ad216326 1403666 libxml2-dbg_2.8.0+dfsg1-7+wheezy5_amd64.deb
 ec9a9a8123261fbb49a46e3e824690f67145a5521a8bd7a2767fcc1ed3e7256c 1398210 libxml2-doc_2.8.0+dfsg1-7+wheezy5_all.deb
 2a9a75641a2573b238a7ff821e88eb829552d5dd5d499e7c21b6a7be264031f4 347140 python-libxml2_2.8.0+dfsg1-7+wheezy5_amd64.deb
 5a08fe8a0e138c3bf7a0e14c1ddef5f7597b256060fef505e8b81b35ccfe609a 729548 python-libxml2-dbg_2.8.0+dfsg1-7+wheezy5_amd64.deb
Files: 
 5ca9fbed5febc8572bc0b8deb83a53aa 2500 libs optional libxml2_2.8.0+dfsg1-7+wheezy5.dsc
 21a4180463465e1222033008edc782ed 52569 libs optional libxml2_2.8.0+dfsg1-7+wheezy5.debian.tar.gz
 2092576dba6892701056668969758669 906394 libs standard libxml2_2.8.0+dfsg1-7+wheezy5_amd64.deb
 3c7fa309df5585c539ba4c83c8e096d6 97750 text optional libxml2-utils_2.8.0+dfsg1-7+wheezy5_amd64.deb
 0aadd85a7532b2ffd00b2bb80161f94e 128438 debug extra libxml2-utils-dbg_2.8.0+dfsg1-7+wheezy5_amd64.deb
 a86b1a8606b96128e275986140571034 904114 libdevel optional libxml2-dev_2.8.0+dfsg1-7+wheezy5_amd64.deb
 30520c11a1f24c3cc36dd974dfd4b317 1403666 debug extra libxml2-dbg_2.8.0+dfsg1-7+wheezy5_amd64.deb
 70c4278129396532ca6a3fe0636b952c 1398210 doc optional libxml2-doc_2.8.0+dfsg1-7+wheezy5_all.deb
 54fc8284a5987313e5825bf0dc102002 347140 python optional python-libxml2_2.8.0+dfsg1-7+wheezy5_amd64.deb
 0063c9820135120a8870133e3f55d44c 729548 debug extra python-libxml2-dbg_2.8.0+dfsg1-7+wheezy5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWdcXjAAoJEAVMuPMTQ89En4AP/3RogvRIvGLby1mnADH5qn8B
imI71JA1BYnwFdjo1CSIRt5P5K1VAUY9hBmYObBn01Kh7+BjP5Lq+TBzNd1jaDxP
XCa1UwkHjHBlMS+MMU0cipSVPr7ogAzfRrzRzEMF/wvQeikU3QVt/2o+zCnsBIW+
ibqEh48ElpBL4Z7C1oaqjVK/oETnF2KhdgOnyhu/RCTQ3RaxjvLZbLnCKP4bS0uL
js1DSiK8jyvX3dRxAMyNo7qR0XgSlTWhqm5yPL3NPazLouEl14FtoMT0Wpls4O7Q
qhKvqJZ5PW9tFljk+J5MdW+dfCOjWtRfqAN9UeUdez+UeLoGhl3bMOBrvlaJ/Fkq
QXOkenqYYhfhJXniTYUyHlTcJhPDnTKLVi6vcAm0VR3OMtFUQ1PdbyfHH4/YbrzD
eSagPMPJHhN3+WOWcgfqIlbsdQv6Qxq1X415dx8CFxNTVGQ0iBt+VqRgSTFQZ2iF
ewbpKSPcWu/eOfwvQpH762UX13dxRuDI2NHDfqyRqQK3Z7Ty+d3ySSjbAK2y+rzD
WPDob6ivOWc5xzkahPR/hdcNOQegQlR+CTdDZNYnh4am0EX7x3ufzlpPspGtqSm9
s5tTLka9EAjZT/zYNM+gP+GSZxc3d72+yz5N3r9MkBELjfWoXL0Oc5YnYTsorB0I
WdU1WCL6XUnuvspnwmsb
=3ALJ
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.