Synopsis: Important: mingw32-libxml2 security update
Issue Date: 2013-01-31
CVE Numbers: CVE-2010-4008
CVE-2010-4494
CVE-2011-1944
CVE-2011-0216
CVE-2011-2821
CVE-2011-2834
CVE-2011-3905
CVE-2011-3919
CVE-2012-0841
CVE-2011-3102
CVE-2012-5134
—
IMPORTANT NOTE: The mingw32 packages in Scientific Linux 6 will no longer be
updated proactively and will be deprecated with the release of Scientific Linux
6.4. These packages were provided to support other capabilities in Scientific
Linux and were not intended for direct use. You are advised to not use these
packages with immediate effect.
A heap-based buffer overflow flaw was found in the way libxml2 decoded entity
references with long names. A remote attacker could provide a specially-crafted
XML file that, when opened in an application linked against libxml2, would
cause the application to crash or, potentially, execute arbitrary code with the
privileges of the user running the application. (CVE-2011-3919)
A heap-based buffer underflow flaw was found in the way libxml2 decoded certain
entities. A remote attacker could provide a specially-crafted XML file that,
when opened in an application linked against libxml2, would cause the
application to crash or, potentially, execute arbitrary code with the
privileges of the user running the application. (CVE-2012-5134)
It was found that the hashing routine used by libxml2 arrays was susceptible to
predictable hash collisions. Sending a specially-crafted message to an XML
service could result in longer processing time, which could lead to a denial of
service. To mitigate this issue, randomization has been added to the hashing
function to reduce the chance of an attacker successfully causing intentional
collisions. (CVE-2012-0841)
Multiple flaws were found in the way libxml2 parsed certain XPath (XML Path
Language) expressions. If an attacker were able to supply a specially-crafted
XML file to an application using libxml2, as well as an XPath expression for
that application to run against the crafted file, it could cause the
application to crash. (CVE-2010-4008, CVE-2010-4494, CVE-2011-2821,
CVE-2011-2834)
Two heap-based buffer overflow flaws were found in the way libxml2 decoded
certain XML files. A remote attacker could provide a specially-crafted XML file
that, when opened in an application linked against libxml2, would cause the
application to crash or, potentially, execute arbitrary code with the
privileges of the user running the application. (CVE-2011-0216, CVE-2011-3102)
An integer overflow flaw, leading to a heap-based buffer overflow, was found in
the way libxml2 parsed certain XPath expressions. If an attacker were able to
supply a specially-crafted XML file to an application using libxml2, as well as
an XPath expression for that application to run against the crafted file, it
could cause the application to crash or, possibly, execute arbitrary code.
(CVE-2011-1944)
An out-of-bounds memory read flaw was found in libxml2. A remote attacker could
provide a specially-crafted XML file that, when opened in an application linked
against libxml2, would cause the application to crash. (CVE-2011-3905)
—
SL6
x86_64
mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm
mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm
mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm
– Scientific Linux Development Team
