安全公告详情

NS-SA-2024-0055

2024-09-03 09:34:43

简介

important: libxml2/compat-libtiff3 security update

严重级别

important

主题

An update for libxml2/compat-libtiff3 is now available for NewStart CGSL MAIN 6.02.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

libxml2:
compat-libtiff3:


Security Fix(es):
libxml2: A flaw was found in libxml2. Parsing a XML document with the XML_PARSE_HUGE option enabled can result in an integer overflow because safety checks were missing in some functions. Also, the xmlParseEntityValue function didn't have any length limitation.(CVE-2022-40303)
libxml2: A flaw was found in libxml2. When a reference cycle is detected in the XML entity cleanup function the XML entity data can be stored in a dictionary. In this case, the dictionary becomes corrupted resulting in logic errors, including memory errors like double free.(CVE-2022-40304)
libxml2: A Cross-site scripting (XSS) vulnerability was found in libxml2. A specially crafted input, when serialized and re-parsed by the libxml2 library, will result in a document with element attributes that did not exist in the original document.(CVE-2016-3709)
libxml2: A flaw was found in libxml2. This issue occurs when hashing empty strings which aren't null-terminated, xmlDictComputeFastKey could produce inconsistent results, which may lead to various logic or memory errors, including double free errors.(CVE-2023-29469)
libxml2: A NULL pointer dereference vulnerability was found in libxml2. This issue occurs when parsing (invalid) XML schemas.(CVE-2023-28484)
libxml2: bugfix
compat-libtiff3: A heap use-after-free vulnerability was found in LibTIFF's tiffcrop utility in the loadImage() function. This flaw allows an attacker to pass a crafted TIFF image file to the tiffcrop utility, which causes an out-of-bounds write access, resulting in an application crash, eventually leading to a denial of service.(CVE-2023-26965)
compat-libtiff3: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 6.02.F2B12.

影响组件

  • libxml2
  • compat-libtiff3

影响产品

  • CGSL MAIN 6.02

更新包

{"fix":[{"product":"CGSL MAIN 6.02","pkgs":[{"binary":["libxml2-devel-2.9.7-16.el8_8.1.x86_64.rpm","python3-libxml2-2.9.7-16.el8_8.1.x86_64.rpm","libxml2-2.9.7-16.el8_8.1.x86_64.rpm"],"source":"libxml2-2.9.7-16.el8_8.1.src.rpm"},{"binary":["compat-libtiff3-3.9.4-13.el8.cgslv6_2.1.g475fbdd.x86_64.rpm"],"source":"compat-libtiff3-3.9.4-13.el8.cgslv6_2.1.g475fbdd.src.rpm"}]}]}
CGSL MAIN 6.02
  • libxml2-2.9.7-16.el8_8.1.src.rpm
    • libxml2-devel-2.9.7-16.el8_8.1.x86_64.rpm
    • python3-libxml2-2.9.7-16.el8_8.1.x86_64.rpm
    • libxml2-2.9.7-16.el8_8.1.x86_64.rpm
  • compat-libtiff3-3.9.4-13.el8.cgslv6_2.1.g475fbdd.src.rpm
    • compat-libtiff3-3.9.4-13.el8.cgslv6_2.1.g475fbdd.x86_64.rpm

CVE

参考

© 2004-2023 广东中兴新支点技术有限公司 版权所有 (www.gd-linux.com) 粤ICP备15061780号-2

全国服务热线:400-033-0108