vulnerability bulletin CVE-2012-2807

libxml2: integer overflows

Synthesis of the vulnerability

An attacker can send malformed XML data to an application linked to libxml2, in order to stop it, and possibly to execute code.
Impacted products: Debian, Fedora, libxml2, MBS, MES, Mandriva Linux, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX, ESXi, VMware vSphere Hypervisor.
Severity: 2/4.
Creation date: 31/07/2012.
Identifiers: 129930, 835863, BID-54718, CERTA-2013-AVI-208, CVE-2012-2807, DSA 2521-1, ESX410-201301001, ESX410-201301401-SG, ESX410-201301402-SG, ESX410-201301403-SG, ESX410-201301405-SG, ESXi410-201301001, ESXi410-201301401-SG, ESXi500-201303101-SG, FEDORA-2012-13820, FEDORA-2012-13824, MDVSA-2012:126, MDVSA-2013:056, openSUSE-SU-2012:0975-1, RHSA-2012:1288-01, SUSE-SU-2012:1095-1, SUSE-SU-2012:1095-2, VIGILANCE-VUL-11808, VMSA-2012-0018.2, VMSA-2013-0001, VMSA-2013-0001.3, VMSA-2013-0003, VMSA-2013-0004, VMSA-2013-0004.1.

Description of the vulnerability

The libxml2 library implements an XML parser.

However, on a 64 bit processor, an attacker can generate several integer overflows (in files globals.c, entities.c and parser.c), leading to memory corruptions.

An attacker can therefore send malformed XML data to an application linked to libxml2, in order to stop it, and possibly to execute code.
Complete Vigil@nce bulletin.... (free access)

Share this bulletin

          

Computer vulnerabilities tracking service

Vigil@nce provides an application vulnerability watch. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.