===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3102
                          libxml2 security update
                             10 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libxml2
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-24977 CVE-2020-7595 CVE-2019-20388
                   CVE-2019-19956 CVE-2018-14567 CVE-2018-14404
                   CVE-2017-18258 CVE-2017-8872 

Reference:         ESB-2020.2475
                   ESB-2020.1826
                   ESB-2020.1479
                   ESB-2020.1145

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/09/msg00000.html

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2369-1               debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Markus Koschany
September 09, 2020                           https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libxml2
Version        : 2.9.4+dfsg1-2.2+deb9u3
CVE ID         : CVE-2017-8872 CVE-2017-18258 CVE-2018-14404
                 CVE-2018-14567 CVE-2019-19956 CVE-2019-20388
                 CVE-2020-7595 CVE-2020-24977
Debian Bug     : 895245 862450 949583 969529 949582

Several security vulnerabilities were corrected in libxml2, the GNOME
XML library.

CVE-2017-8872

    Global buffer-overflow in the htmlParseTryOrFinish function.

CVE-2017-18258

    The xz_head function in libxml2 allows remote attackers to cause a
    denial of service (memory consumption) via a crafted LZMA file,
    because the decoder functionality does not restrict memory usage to
    what is required for a legitimate file.

CVE-2018-14404

    A NULL pointer dereference vulnerability exists in the
    xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing an
    invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case.
    Applications processing untrusted XSL format inputs may be
    vulnerable to a denial of service attack.

CVE-2018-14567

    If libxml2 is built with the option --with-lzma, it allows remote
    attackers to cause a denial of service (infinite loop) via a crafted
    XML file.

CVE-2019-19956

    The xmlParseBalancedChunkMemoryRecover function has a memory leak
    related to newDoc->oldNs.

CVE-2019-20388

    A memory leak was found in the xmlSchemaValidateStream function of
    libxml2. Applications that use this library may be vulnerable to
    memory not being freed leading to a denial of service.

CVE-2020-7595

    Infinite loop in xmlStringLenDecodeEntities can cause a denial of
    service.

CVE-2020-24977

    Out-of-bounds read restricted to xmllint --htmlout.

For Debian 9 stretch, these problems have been fixed in version
2.9.4+dfsg1-2.2+deb9u3.

We recommend that you upgrade your libxml2 packages.
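An added check, not part of the Debian advisory or the AusCERT text: it compares an installed libxml2 package version against the fixed version named above using dpkg's version ordering reimplemented in Python (the algorithm mirrored here is an assumption about dpkg's verrevcmp; on a Debian host `dpkg --compare-versions` is authoritative), so that a later revision such as deb9u10 is not mistaken for older than deb9u3 by a naive string comparison.

```python
# Added example, not part of the advisory: decide whether an installed libxml2
# package is at or beyond the fixed stretch version 2.9.4+dfsg1-2.2+deb9u3.
# Assumption: this mirrors dpkg's verrevcmp(); prefer `dpkg --compare-versions`.

FIXED_VERSION = "2.9.4+dfsg1-2.2+deb9u3"  # fixed version stated in DLA-2369-1


def _order(c: str) -> int:
    # dpkg's order(): digit 0, letter by code, '~' before everything, rest after letters.
    return 0 if c.isdigit() else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    # Compare one component (upstream or revision) like dpkg: <0, 0 or >0.
    while a or b:
        # Non-digit stretch: character by character; end of string weighs 0.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = (_order(a[0]) if a else 0), (_order(b[0]) if b else 0)
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros; the longer run wins, else first difference.
        a, b = a.lstrip("0"), b.lstrip("0")
        first_diff = 0
        while a and b and a[0].isdigit() and b[0].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(v: str):
    # "epoch:upstream-revision"; epoch defaults to 0, revision to "".
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    # -1, 0 or 1 as Debian version a is older than, equal to or newer than b.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    return compare_versions(installed, fixed) >= 0
```

Feed it the output of `dpkg-query -W -f '${Version}' libxml2` on a stretch host; versions from other Debian releases carry different patch sets, so only compare against the fixed version for the release you run.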

For the detailed security status of libxml2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxml2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================