Security update for libxml2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1746-1 Final 1 1 2017-07-01T08:06:28Z current 2017-07-01T08:06:28Z 2017-07-01T08:06:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libxml2 This update for libxml2 fixes the following issues: Security issues fixed: * CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337) * CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989) This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-07/msg00000.html E-Mail link for openSUSE-SU-2017:1746-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 libxml2-2.9.4-5.9.1 libxml2-2-2.9.4-5.9.1 libxml2-2-32bit-2.9.4-5.9.1 libxml2-devel-2.9.4-5.9.1 libxml2-devel-32bit-2.9.4-5.9.1 libxml2-doc-2.9.4-5.9.1 libxml2-tools-2.9.4-5.9.1 python-libxml2-2.9.4-5.9.1 libxml2-2.9.4-5.9.1 as a component of openSUSE Leap 42.2 libxml2-2-2.9.4-5.9.1 as a component of openSUSE Leap 42.2 libxml2-2-32bit-2.9.4-5.9.1 as a component of openSUSE Leap 42.2 libxml2-devel-2.9.4-5.9.1 as a component of openSUSE Leap 42.2 libxml2-devel-32bit-2.9.4-5.9.1 as a component of openSUSE Leap 42.2 libxml2-doc-2.9.4-5.9.1 as a component of openSUSE Leap 42.2 libxml2-tools-2.9.4-5.9.1 as a component of openSUSE Leap 42.2 python-libxml2-2.9.4-5.9.1 as a component of openSUSE Leap 42.2 A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37104170. CVE-2017-0663 openSUSE Leap 42.2:libxml2-2-2.9.4-5.9.1 openSUSE Leap 42.2:libxml2-2-32bit-2.9.4-5.9.1 openSUSE Leap 42.2:libxml2-2.9.4-5.9.1 openSUSE Leap 42.2:libxml2-devel-2.9.4-5.9.1 openSUSE Leap 42.2:libxml2-devel-32bit-2.9.4-5.9.1 openSUSE Leap 42.2:libxml2-doc-2.9.4-5.9.1 openSUSE Leap 42.2:libxml2-tools-2.9.4-5.9.1 openSUSE Leap 42.2:python-libxml2-2.9.4-5.9.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-07/msg00000.html https://www.suse.com/security/cve/CVE-2017-0663.html CVE-2017-0663 https://bugzilla.suse.com/1044337 SUSE Bug 1044337 https://bugzilla.suse.com/1049467 SUSE Bug 1049467 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 ** DISPUTED ** libxml2 2.9.4, when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document. NOTE: The maintainer states "I would disagree of a CVE with the Recover parsing option which should only be used for manual recovery at least for XML parser." CVE-2017-5969 openSUSE Leap 42.2:libxml2-2-2.9.4-5.9.1 openSUSE Leap 42.2:libxml2-2-32bit-2.9.4-5.9.1 openSUSE Leap 42.2:libxml2-2.9.4-5.9.1 openSUSE Leap 42.2:libxml2-devel-2.9.4-5.9.1 openSUSE Leap 42.2:libxml2-devel-32bit-2.9.4-5.9.1 openSUSE Leap 42.2:libxml2-doc-2.9.4-5.9.1 openSUSE Leap 42.2:libxml2-tools-2.9.4-5.9.1 openSUSE Leap 42.2:python-libxml2-2.9.4-5.9.1 low 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-07/msg00000.html https://www.suse.com/security/cve/CVE-2017-5969.html CVE-2017-5969 https://bugzilla.suse.com/1024989 SUSE Bug 1024989 https://bugzilla.suse.com/1049467 SUSE Bug 1049467 https://bugzilla.suse.com/1123919 SUSE Bug 1123919