ALAS-2020-1415

Amazon Linux 1 Security Advisory: ALAS-2020-1415
Advisory Release Date: 2020-08-10 22:59 Pacific
Advisory Updated Date: 2020-08-12 17:52 Pacific

Severity: Important

References: CVE-2015-8035 CVE-2016-5131 CVE-2017-15412 CVE-2017-18258 CVE-2018-14404 CVE-2018-14567
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application. A null pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing invalid XPath expression. Applications processing untrusted XSL format inputs with the use of libxml2 library may be vulnerable to denial of service attack due to crash of the application. (CVE-2018-14404)

Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. A use-after-free flaw was found in the libxml2 library. An attacker could use this flaw to cause an application linked against libxml2 to crash when parsing a specially crafted XML file. (CVE-2017-15412)

The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data. A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to crash. (CVE-2015-8035)

libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251. (CVE-2018-14567)

The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file. (CVE-2017-18258)

Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (CVE-2016-5131)

Affected Packages:

libxml2

Issue Correction:
Run yum update libxml2 to update your system.

New Packages:

i686:
    libxml2-2.9.1-6.4.40.amzn1.i686
    libxml2-python26-2.9.1-6.4.40.amzn1.i686
    libxml2-devel-2.9.1-6.4.40.amzn1.i686
    libxml2-static-2.9.1-6.4.40.amzn1.i686
    libxml2-python27-2.9.1-6.4.40.amzn1.i686
    libxml2-debuginfo-2.9.1-6.4.40.amzn1.i686

src:
    libxml2-2.9.1-6.4.40.amzn1.src

x86_64:
    libxml2-python26-2.9.1-6.4.40.amzn1.x86_64
    libxml2-static-2.9.1-6.4.40.amzn1.x86_64
    libxml2-debuginfo-2.9.1-6.4.40.amzn1.x86_64
    libxml2-2.9.1-6.4.40.amzn1.x86_64
    libxml2-devel-2.9.1-6.4.40.amzn1.x86_64
    libxml2-python27-2.9.1-6.4.40.amzn1.x86_64

Additional References

Red Hat: CVE-2015-8035, CVE-2016-5131, CVE-2017-15412, CVE-2017-18258, CVE-2018-14404, CVE-2018-14567

Mitre: CVE-2015-8035, CVE-2016-5131, CVE-2017-15412, CVE-2017-18258, CVE-2018-14404, CVE-2018-14567