CVE-2015-8317

Publication date 23 November 2015

Last updated 24 July 2024


Ubuntu priority

The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read.

Read the notes from the security team

Status

Package Ubuntu Release Status
libxml2 15.10 wily
Not affected
15.04 vivid
Fixed 2.9.2+dfsg1-3ubuntu0.2
14.04 LTS trusty
Fixed 2.9.1+dfsg1-3ubuntu4.6
12.04 LTS precise
Fixed 2.7.8.dfsg-5.1ubuntu4.13

Notes


mdeslaur

already fixed by the following patches in wily+: 0011-Do-not-process-encoding-values-if-the-declaration-if.patch 0012-Fail-parsing-early-on-if-encoding-conversion-failed.patch

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
libxml2

References

Related Ubuntu Security Notices (USN)

    • USN-2834-1
    • libxml2 vulnerabilities
    • 14 December 2015

Other references