logo

Database

Improper resource allocation - Buffer overflow In libxml2

Description

Heap-based buffer overflow in nokogiri Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to use an excessive amount of CPU, leak potentially sensitive information, or crash the application.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2015-74992. NVD-2015-74993. OSV-DEBIAN-2015-74994. OSV-2015-74995. GHSA-jxjr-5h69-qw3w6. GCVE-2015-74997. SECURITY-TRACKER-CVE-2015-74998. security.gentoo.org

References

1. https://bugzilla.redhat.com/show_bug.cgi?id=12819252. https://git.gnome.org/browse/libxml2/commit/?id=28cd9cb747a94483f4aea7f0968d202c20bb4cfc3. https://git.gnome.org/browse/libxml2/commit/?id=35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da4. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-7499.yml5. https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM6. https://web.archive.org/web/20210724022841/http://www.securityfocus.com/bid/795097. https://web.archive.org/web/20211205133229/https://securitytracker.com/id/10342438. http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html9. http://lists.opensuse.org/opensuse-updates/2016-01/msg00031.html10. http://rhn.redhat.com/errata/RHSA-2015-2549.html11. http://rhn.redhat.com/errata/RHSA-2015-2550.html12. http://www.debian.org/security/2015/dsa-343013. http://www.ubuntu.com/usn/USN-2834-114. http://xmlsoft.org/news.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.