Date Published: 2023-01-02
QID 354638: Amazon Linux Security Advisory for libxml2 : AL2012-2022-370
Package updates are available for Amazon Linux that fix the following vulnerabilities:
A flaw was found in the libxml2 library in functions used to manipulate the xmlBuf and the xmlBuffer types. A substantial input causes values to calculate buffer sizes to overflow, resulting in an out-of-bounds write. 2082158: CVE-2022-29824 libxml2: integer overflows in xmlBuf and xmlBuffer lead to out-of-bounds write CVE-2022-23308:
valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. 2056913: CVE-2022-23308 libxml2: Use-after-free of ID and IDREF attributes CVE-2021-3541:
A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service. 1950515: CVE-2021-3541 libxml2: Exponential entity expansion attack bypasses all existing protection mechanisms CVE-2021-3537:
1956522: CVE-2021-3537 libxml2: NULL pointer dereference when post-validating mixed content parsed in recovery mode A NULL pointer dereference flaw was found in libxml2, where it did not propagate errors while parsing XML mixed content. This flaw causes the application to crash if an untrusted XML document is parsed in recovery mode and post validated. The highest threat from this vulnerability is to system availability. CVE-2021-3518:
There's a flaw in libxml2. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability. 1954242: CVE-2021-3518 libxml2: Use-after-free in xmlXIncludeDoProcess() in xinclude.c CVE-2021-3517:
There is a flaw in the xml entity encoding functionality of libxml2. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application. 1954232: CVE-2021-3517 libxml2: Heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c CVE-2021-3516:
1954225: CVE-2021-3516 libxml2: Use-after-free in xmlEncodeEntitiesInternal() in entities.c There's a flaw in libxml2's xmllint. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.
Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
CVEs related to QID 354638
|AL2012-2022-370||Amazon Linux Bare Metal||docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-updates.html|