Security update for libxml2

SUSE Security Update: Security update for libxml2
Announcement ID: SUSE-SU-2013:1625-1
Rating: important
References: #739894 #748561 #764538 #769184 #793334 #805233 #829077
Affected Products:
  • SUSE Linux Enterprise Server 10 SP3 LTSS

  • An update that fixes 8 vulnerabilities is now available.

    Description:

    This is an LTSS rollup update for the libxml2 library that
    fixes various security issues.

    * CVE-2013-2877: parser.c in libxml2 allowed remote
      attackers to cause a denial of service (out-of-bounds read)
      via a document that ends abruptly, related to the lack of
      certain checks for the XML_PARSER_EOF state.

    * CVE-2013-0338: libxml2 allowed context-dependent
      attackers to cause a denial of service (CPU and memory
      consumption) via an XML file containing an entity
      declaration with long replacement text and many references
      to this entity, aka "internal entity expansion" with linear
      complexity.
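    The linear expansion described for CVE-2013-0338 can be costed out
    before a document is handed to the parser. What follows is an added
    example for this page, not code from the advisory or from libxml2: a
    Python pre-parse estimator that resolves internal general entities
    recursively (so it also flags nested, exponential definitions),
    rejects cyclic ones, and compares the expanded size against both an
    absolute byte cap and an amplification ratio. The sample documents,
    the entity name "big", the caps and the function names are all
    constructed for the example. The check works on the raw text rather
    than through an XML parser, so external entities, parameter entities
    and CDATA sections are deliberately out of scope.

```python
import re

# Internal general-entity declarations with a double-quoted value, and
# general-entity references. Parameter entities (<!ENTITY % ...>) and
# external entities (SYSTEM/PUBLIC) do not match and are not expanded.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&([A-Za-z_][\w.-]*);')
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to one character


def _expanded_size(name, decls, memo, stack):
    """Bytes produced by fully expanding one entity reference."""
    if name in PREDEFINED:
        return 1
    if name not in decls:
        # Undeclared (or external) entity: counted as the literal "&name;".
        return len(name) + 2
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError("recursive entity definition: " + name)
    stack.add(name)
    value = decls[name]
    size = len(ENTITY_REF.sub("", value))          # literal text of the value
    for ref in ENTITY_REF.findall(value):          # plus everything it pulls in
        size += _expanded_size(ref, decls, memo, stack)
    stack.discard(name)
    memo[name] = size
    return size


def entity_expansion_estimate(xml_text):
    """Return (expanded_bytes, amplification_ratio) without expanding anything."""
    decls = dict(ENTITY_DECL.findall(xml_text))
    end = xml_text.find("]>")                       # end of the internal DTD subset
    body = xml_text[end + 2:] if end != -1 else xml_text
    memo, stack = {}, set()
    total = len(ENTITY_REF.sub("", body))
    for ref in ENTITY_REF.findall(body):
        total += _expanded_size(ref, decls, memo, stack)
    return total, total / max(len(xml_text), 1)


def within_entity_budget(xml_text, max_bytes=10_000_000, max_ratio=100.0):
    """True if expansion stays under both an absolute and a relative cap.

    The caps are example values; pick them from the size of documents the
    application legitimately accepts.
    """
    total, ratio = entity_expansion_estimate(xml_text)
    return total <= max_bytes and ratio <= max_ratio


# Constructed sample inputs (not taken from the advisory).
BENIGN = ('<?xml version="1.0"?>'
          '<!DOCTYPE r [<!ENTITY co "Example Corp">]>'
          '<r>&co; &co;</r>')
LINEAR_BOMB = ('<?xml version="1.0"?>'
               '<!DOCTYPE r [<!ENTITY big "' + "A" * 50_000 + '">]>'
               '<r>' + "&big;" * 1_000 + '</r>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("linear bomb", LINEAR_BOMB)):
        total, ratio = entity_expansion_estimate(doc)
        print(f"{label}: {len(doc)} bytes in, {total} bytes out, "
              f"x{ratio:.0f}, accept={within_entity_budget(doc)}")
```

    The 55 KB "linear bomb" document expands to about 50 MB, a ratio of
    roughly 900, and is refused on both limits; the benign document
    expands to 32 bytes. Running the estimator first means the parser
    never sees a document whose expansion exceeds the budget, which is
    the property the fixed library enforces internally.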

    * CVE-2012-5134: Heap-based buffer underflow in the
      xmlParseAttValueComplex function in parser.c in libxml2
      allowed remote attackers to cause a denial of service or
      possibly execute arbitrary code via crafted entities in an
      XML document.

    * CVE-2012-2807: Multiple integer overflows in libxml2
      on 64-bit Linux platforms allowed remote attackers to cause
      a denial of service or possibly have unspecified other
      impact via unknown vectors.

    * CVE-2011-3102: Off-by-one error in libxml2 allowed
      remote attackers to cause a denial of service
      (out-of-bounds write) or possibly have unspecified other
      impact via unknown vectors.

    * CVE-2012-0841: libxml2 computed hash values without
      restricting the ability to trigger hash collisions
      predictably, which allows context-dependent attackers to
      cause a denial of service (CPU consumption) via crafted XML
      data.
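    Why a predictable hash is a denial-of-service vector, as an added
    example constructed for this page (it is not libxml2's dictionary
    code and does not claim to reproduce the fix): a toy unseeded hash
    of the form h = h*31 + byte, for which "Aa" and "BB" collide, so any
    concatenation of those two blocks collides as well and an attacker
    can mint thousands of element or attribute names that land in one
    bucket. The example also shows that merely randomizing the start
    value of such a hash does not remove the collisions, while a keyed
    hash (BLAKE2b with a per-process secret key) spreads the same names
    across buckets. All function names and parameters are assumptions of
    the example.

```python
import hashlib
import itertools
import os
from collections import Counter

MASK32 = 0xFFFFFFFF


def naive_hash(s, start=0):
    """Toy unseeded string hash, h = h*31 + byte (constructed; not libxml2's).

    The update is affine in the byte values, so "Aa" (65*31+97 = 2112) and
    "BB" (66*31+66 = 2112) collide, and h(xy) = h(x)*31**len(y) + h(y) means
    any concatenation of colliding equal-length blocks collides too.
    A random start value only adds the same start*31**len(s) to every input
    of a given length, so it does not break these collisions.
    """
    h = start
    for b in s.encode():
        h = (h * 31 + b) & MASK32
    return h


def colliding_names(blocks=10):
    """2**blocks distinct names that all share one naive_hash value."""
    return ["".join(p) for p in itertools.product(("Aa", "BB"), repeat=blocks)]


def keyed_hash(s, key):
    """Keyed hash: without the secret key, collisions cannot be precomputed."""
    digest = hashlib.blake2b(s.encode(), key=key, digest_size=4).digest()
    return int.from_bytes(digest, "big")


def max_bucket_load(names, hash_fn, nbuckets=1024):
    """Longest chain if names were inserted into a table with nbuckets slots."""
    return max(Counter(hash_fn(n) % nbuckets for n in names).values())


if __name__ == "__main__":
    names = colliding_names()            # 1024 attacker-chosen names
    key = os.urandom(16)                 # per-process secret drawn at startup
    print("distinct naive hashes    :", len({naive_hash(n) for n in names}))
    print("distinct seeded hashes   :", len({naive_hash(n, start=0xDEADBEEF) for n in names}))
    print("worst bucket, naive hash :", max_bucket_load(names, naive_hash))
    print("worst bucket, keyed hash :", max_bucket_load(names, lambda n: keyed_hash(n, key)))
```

    With the naive hash all 1024 names fall into a single bucket, so
    every lookup degrades to a linear scan of the chain; with the keyed
    hash the worst bucket holds only a handful. Note that the start
    value alone changes nothing: the mixing itself has to depend on the
    secret, not just the initial state.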

    * CVE-2011-3919: A heap-based buffer overflow during
      decoding of entity references with overly long names has
      been fixed.

    Security Issue references:

    * CVE-2013-0338
    * CVE-2013-0339
    * CVE-2012-5134
    * CVE-2012-2807
    * CVE-2011-3102
    * CVE-2012-0841
    * CVE-2011-3919
    * CVE-2013-2877

    Package List:

    • SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):
        • libxml2-2.6.23-15.39.1
        • libxml2-devel-2.6.23-15.39.1
        • libxml2-python-2.6.23-15.39.1
    • SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):
        • libxml2-32bit-2.6.23-15.39.1
        • libxml2-devel-32bit-2.6.23-15.39.1

    References:

    • http://support.novell.com/security/cve/CVE-2011-3102.html
    • http://support.novell.com/security/cve/CVE-2011-3919.html
    • http://support.novell.com/security/cve/CVE-2012-0841.html
    • http://support.novell.com/security/cve/CVE-2012-2807.html
    • http://support.novell.com/security/cve/CVE-2012-5134.html
    • http://support.novell.com/security/cve/CVE-2013-0338.html
    • http://support.novell.com/security/cve/CVE-2013-0339.html
    • http://support.novell.com/security/cve/CVE-2013-2877.html
    • https://bugzilla.novell.com/739894
    • https://bugzilla.novell.com/748561
    • https://bugzilla.novell.com/764538
    • https://bugzilla.novell.com/769184
    • https://bugzilla.novell.com/793334
    • https://bugzilla.novell.com/805233
    • https://bugzilla.novell.com/829077
    • http://download.suse.com/patch/finder/?keywords=a3fdb1e2e30b1877238605841d41d573