Security update for libxml2
Document type: SUSE Patch
Publisher: SUSE Security Team (security@suse.de)
Tracking ID: SUSE-SU-2017:1454-1
Status: Final
Version: 1
Revision 1 (2017-05-30T20:28:34Z): current
Initial release date: 2017-05-30T20:28:34Z
Current release date: 2017-05-30T20:28:34Z
Generator: cve-database/bin/generate-cvrf.pl (2017-02-24T01:00:00Z)
Security update for libxml2
This update for libxml2 fixes the following issues:
- CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack-based buffer overflow (bsc#1039063, bsc#1039064).
- CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read (bsc#1039066).
- CVE-2017-9050: The function xmlDictAddString in dict.c was vulnerable to a heap-based buffer over-read (bsc#1039661).
- CVE-2016-1839: The function xmlDictAddString was vulnerable to a heap-based buffer overflow (bnc#1039069).
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-891,SUSE-SLE-DESKTOP-12-SP2-2017-891,SUSE-SLE-RPI-12-SP2-2017-891,SUSE-SLE-SDK-12-SP2-2017-891,SUSE-SLE-SERVER-12-SP2-2017-891
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://www.suse.com/support/update/announcement/2017/suse-su-20171454-1/
Link for SUSE-SU-2017:1454-1
https://lists.suse.com/pipermail/sle-security-updates/2017-May/002931.html
E-Mail link for SUSE-SU-2017:1454-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1039063
SUSE Bug 1039063
https://bugzilla.suse.com/1039064
SUSE Bug 1039064
https://bugzilla.suse.com/1039066
SUSE Bug 1039066
https://bugzilla.suse.com/1039069
SUSE Bug 1039069
https://bugzilla.suse.com/1039661
SUSE Bug 1039661
https://bugzilla.suse.com/981114
SUSE Bug 981114
https://www.suse.com/security/cve/CVE-2016-1839/
SUSE CVE CVE-2016-1839 page
https://www.suse.com/security/cve/CVE-2017-9047/
SUSE CVE CVE-2017-9047 page
https://www.suse.com/security/cve/CVE-2017-9048/
SUSE CVE CVE-2017-9048 page
https://www.suse.com/security/cve/CVE-2017-9049/
SUSE CVE CVE-2017-9049 page
https://www.suse.com/security/cve/CVE-2017-9050/
SUSE CVE CVE-2017-9050 page
SUSE Linux Enterprise Desktop 12 SP2
SUSE Linux Enterprise Server 12 SP2
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
SUSE Linux Enterprise Server for SAP Applications 12 SP2
SUSE Linux Enterprise Software Development Kit 12 SP2
libxml2-2-2.9.4-36.1
libxml2-2-32bit-2.9.4-36.1
libxml2-tools-2.9.4-36.1
python-libxml2-2.9.4-36.1
libxml2-doc-2.9.4-36.1
libxml2-devel-2.9.4-36.1
libxml2-2-2.9.4-36.1 as a component of SUSE Linux Enterprise Desktop 12 SP2
libxml2-2-32bit-2.9.4-36.1 as a component of SUSE Linux Enterprise Desktop 12 SP2
libxml2-tools-2.9.4-36.1 as a component of SUSE Linux Enterprise Desktop 12 SP2
python-libxml2-2.9.4-36.1 as a component of SUSE Linux Enterprise Desktop 12 SP2
libxml2-2-2.9.4-36.1 as a component of SUSE Linux Enterprise Server 12 SP2
libxml2-2-32bit-2.9.4-36.1 as a component of SUSE Linux Enterprise Server 12 SP2
libxml2-doc-2.9.4-36.1 as a component of SUSE Linux Enterprise Server 12 SP2
libxml2-tools-2.9.4-36.1 as a component of SUSE Linux Enterprise Server 12 SP2
python-libxml2-2.9.4-36.1 as a component of SUSE Linux Enterprise Server 12 SP2
libxml2-2-2.9.4-36.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
libxml2-doc-2.9.4-36.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
libxml2-tools-2.9.4-36.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
python-libxml2-2.9.4-36.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
libxml2-2-2.9.4-36.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2
libxml2-2-32bit-2.9.4-36.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2
libxml2-doc-2.9.4-36.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2
libxml2-tools-2.9.4-36.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2
python-libxml2-2.9.4-36.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2
libxml2-devel-2.9.4-36.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2
The xmlDictAddString function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
CVE-2016-1839
SUSE Linux Enterprise Desktop 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Desktop 12 SP2:libxml2-2-32bit-2.9.4-36.1
SUSE Linux Enterprise Desktop 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Desktop 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-2-32bit-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-doc-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libxml2-doc-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-2-32bit-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-doc-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Software Development Kit 12 SP2:libxml2-devel-2.9.4-36.1
Severity rating: moderate
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2017/suse-su-20171454-1/
https://www.suse.com/security/cve/CVE-2016-1839.html
CVE-2016-1839
https://bugzilla.suse.com/1039069
SUSE Bug 1039069
https://bugzilla.suse.com/1039661
SUSE Bug 1039661
https://bugzilla.suse.com/1069433
SUSE Bug 1069433
https://bugzilla.suse.com/1069690
SUSE Bug 1069690
https://bugzilla.suse.com/1123919
SUSE Bug 1123919
https://bugzilla.suse.com/963963
SUSE Bug 963963
https://bugzilla.suse.com/981114
SUSE Bug 981114
A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable 'len' is assigned strlen(buf). If content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) content->prefix is appended to buf (if it actually fits), whereupon (ii) content->name is written to the buffer. However, the check for whether content->name actually fits also uses the stale 'len' rather than the updated buffer length strlen(buf). This allows writing about 'size' bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.
CVE-2017-9047
SUSE Linux Enterprise Desktop 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Desktop 12 SP2:libxml2-2-32bit-2.9.4-36.1
SUSE Linux Enterprise Desktop 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Desktop 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-2-32bit-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-doc-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libxml2-doc-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-2-32bit-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-doc-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Software Development Kit 12 SP2:libxml2-devel-2.9.4-36.1
Severity rating: moderate
CVSS v2 base score: 5
CVSS v2 vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2017/suse-su-20171454-1/
https://www.suse.com/security/cve/CVE-2017-9047.html
CVE-2017-9047
https://bugzilla.suse.com/1039063
SUSE Bug 1039063
https://bugzilla.suse.com/1039066
SUSE Bug 1039066
https://bugzilla.suse.com/1039657
SUSE Bug 1039657
https://bugzilla.suse.com/1123919
SUSE Bug 1123919
libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may append two more characters with strcat without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.
CVE-2017-9048
SUSE Linux Enterprise Desktop 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Desktop 12 SP2:libxml2-2-32bit-2.9.4-36.1
SUSE Linux Enterprise Desktop 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Desktop 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-2-32bit-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-doc-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libxml2-doc-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-2-32bit-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-doc-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Software Development Kit 12 SP2:libxml2-devel-2.9.4-36.1
Severity rating: moderate
CVSS v2 base score: 5
CVSS v2 vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2017/suse-su-20171454-1/
https://www.suse.com/security/cve/CVE-2017-9048.html
CVE-2017-9048
https://bugzilla.suse.com/1039064
SUSE Bug 1039064
https://bugzilla.suse.com/1039066
SUSE Bug 1039066
https://bugzilla.suse.com/1039658
SUSE Bug 1039658
libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.
CVE-2017-9049
SUSE Linux Enterprise Desktop 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Desktop 12 SP2:libxml2-2-32bit-2.9.4-36.1
SUSE Linux Enterprise Desktop 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Desktop 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-2-32bit-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-doc-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libxml2-doc-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-2-32bit-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-doc-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Software Development Kit 12 SP2:libxml2-devel-2.9.4-36.1
Severity rating: moderate
CVSS v2 base score: 5
CVSS v2 vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2017/suse-su-20171454-1/
https://www.suse.com/security/cve/CVE-2017-9049.html
CVE-2017-9049
https://bugzilla.suse.com/1039063
SUSE Bug 1039063
https://bugzilla.suse.com/1039064
SUSE Bug 1039064
https://bugzilla.suse.com/1039066
SUSE Bug 1039066
https://bugzilla.suse.com/1039659
SUSE Bug 1039659
https://bugzilla.suse.com/1039661
SUSE Bug 1039661
https://bugzilla.suse.com/1069690
SUSE Bug 1069690
https://bugzilla.suse.com/1123919
SUSE Bug 1123919
libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.
CVE-2017-9050
SUSE Linux Enterprise Desktop 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Desktop 12 SP2:libxml2-2-32bit-2.9.4-36.1
SUSE Linux Enterprise Desktop 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Desktop 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-2-32bit-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-doc-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Server 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libxml2-doc-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-2-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-2-32bit-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-doc-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libxml2-tools-2.9.4-36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:python-libxml2-2.9.4-36.1
SUSE Linux Enterprise Software Development Kit 12 SP2:libxml2-devel-2.9.4-36.1
Severity rating: moderate
CVSS v2 base score: 5
CVSS v2 vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2017/suse-su-20171454-1/
https://www.suse.com/security/cve/CVE-2017-9050.html
CVE-2017-9050
https://bugzilla.suse.com/1039066
SUSE Bug 1039066
https://bugzilla.suse.com/1039069
SUSE Bug 1039069
https://bugzilla.suse.com/1039661
SUSE Bug 1039661
https://bugzilla.suse.com/1069433
SUSE Bug 1069433
https://bugzilla.suse.com/1069690
SUSE Bug 1069690
https://bugzilla.suse.com/1123919
SUSE Bug 1123919