Vulnerability CVE-2016-3705: Information

Description

The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 2.9.3 do not properly keep track of the recursion depth, which allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a crafted XML document containing a large number of nested entity references.

Severity: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2016-3705
Published: May 17, 2016
Modified: Feb. 13, 2023
Error type identifier: CWE-20

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
libxml2sisyphus2.9.3.0.5.6511-alt12.12.5-alt1ALT-PU-2016-1221-1160389Fixed
libxml2p102.9.3.0.5.6511-alt12.9.12-alt1.p10.1ALT-PU-2016-1221-1160389Fixed
libxml2p92.9.3.0.5.6511-alt12.9.10-alt6.p9.1ALT-PU-2016-1221-1160389Fixed
libxml2p82.9.4.0.12.e905-alt12.9.4.0.12.e905-alt1ALT-PU-2017-1252-1179256Fixed
libxml2c10f12.9.3.0.5.6511-alt12.9.12-alt1.p10.1ALT-PU-2016-1221-1160389Fixed
libxml2c9f22.9.3.0.5.6511-alt12.9.12-alt1.c9f2.1ALT-PU-2016-1221-1160389Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
openSUSE-SU-2016:1298
    20160503 CVE-2016-3627 CVE-2016-3705: libxml2: stack overflow in xml validator (parser)
      https://bugzilla.gnome.org/show_bug.cgi?id=765207
        DSA-3593
          USN-2994-1
            https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157239
              RHSA-2016:1292
                http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
                  http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
                    http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
                      89854
                        openSUSE-SU-2016:1446
                          https://kc.mcafee.com/corporate/index?page=content&id=SB10170
                            https://www.tenable.com/security/tns-2016-18
                              GLSA-201701-37
                                RHSA-2016:2957

                                    1. Configuration 1

                                      cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
                                      cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
                                      cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
                                      cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

                                      Configuration 2

                                      cpe:2.3:a:xmlsoft:libxml2:2.9.3:*:*:*:*:*:*:*

                                      Configuration 3

                                      cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

                                      Configuration 4

                                      cpe:2.3:a:hp:icewall_file_manager:3.0:*:*:*:*:*:*:*
                                      cpe:2.3:a:hp:icewall_federation_agent:3.0:*:*:*:*:*:*:*

                                      Configuration 5

                                      cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
                                  VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
                                  Version: v24.4.2
                                  Back to top