CVE-2017-9047

Priority
Medium
Description
A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801.
The function xmlSnprintfElementContent in valid.c is supposed to
recursively dump the element content definition into a char buffer 'buf' of
size 'size'. The variable len is assigned strlen(buf). If the content->type
is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to
buf (if it actually fits) whereupon (ii) content->name is written to the
buffer. However, the check for whether the content->name actually fits also
uses 'len' rather than the updated buffer length strlen(buf). This allows
us to write about "size" many bytes beyond the allocated memory. This
vulnerability causes programs that use libxml2, such as PHP, to crash.
References
Bugs
Package
Upstream:released (2.9.4+dfsg1-3.1)
Ubuntu 17.10 (Artful Aardvark):not-affected (2.9.4+dfsg1-3.1)
Ubuntu 12.04 ESM (Precise Pangolin):released (2.7.8.dfsg-5.1ubuntu4.18)
Ubuntu 14.04 LTS (Trusty Tahr):released (2.9.1+dfsg1-3ubuntu4.10)
Ubuntu Core 15.04:DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (2.9.3+dfsg1-1ubuntu0.3)
Ubuntu 17.04 (Zesty Zapus):released (2.9.4+dfsg1-2.2ubuntu0.1)
Patches:
Upstream:https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74
More Information

Updated: 2017-10-10 21:14:16 UTC (commit 13488)