Vulnerability Description
The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian | Debian Linux | 7.0 |
| Canonical | Ubuntu Linux | 12.04 |
| Xmlsoft | Libxml2 | <= 2.9.2 |
| Redhat | Enterprise Linux Desktop | 6.0 |
| Redhat | Enterprise Linux Hpc Node | 6.0 |
| Redhat | Enterprise Linux Server | 6.0 |
| Redhat | Enterprise Linux Workstation | 6.0 |
| Hp | Icewall Federation Agent | 3.0 |
| Hp | Icewall File Manager | 3.0 |
Related Weaknesses (CWE)
References
- http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html
- http://lists.apple.com/archives/security-announce/2016/Jul/msg00001.html
- http://lists.apple.com/archives/security-announce/2016/Jul/msg00002.html
- http://lists.apple.com/archives/security-announce/2016/Jul/msg00003.html
- http://lists.apple.com/archives/security-announce/2016/Jul/msg00005.html
- http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
- http://lists.opensuse.org/opensuse-updates/2016-01/msg00031.html
- http://marc.info/?l=bugtraq&m=145382616617563&w=2Third Party Advisory
- http://rhn.redhat.com/errata/RHSA-2015-2549.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2016-1089.html
- http://www.debian.org/security/2015/dsa-3430Third Party Advisory
- http://www.openwall.com/lists/oss-security/2015/11/21/1
- http://www.openwall.com/lists/oss-security/2015/11/22/3
- http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.h
FAQ
What is CVE-2015-8317?
CVE-2015-8317 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declara...
How severe is CVE-2015-8317?
CVE-2015-8317 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-8317?
Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Canonical Ubuntu Linux, Xmlsoft Libxml2, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Hpc Node.