openSUSE Security Update : libxml2 (openSUSE-2016-583)

2016-05-16T00:00:00
ID OPENSUSE-2016-583.NASL
Type nessus
Reporter Tenable
Modified 2016-10-13T00:00:00

Description

This update for libxml2 fixes two security issues :

  • libxml2 limits the number of recursions an XML document can contain so to protect against the 'Billion Laughs' denial-of-service attack. Unfortunately, the underlying counter was not incremented properly in all necessary locations. Therefore, specially crafted XML documents could exhaust all available stack space and crash the XML parser without running into the recursion limit. This vulnerability has been fixed. (bsc#975947)

  • When running in recovery mode, certain invalid XML documents would trigger an infinite recursion in libxml2 that ran until all stack space was exhausted. This vulnerability could have been used to facilitate a denial-of-sevice attack. (CVE-2016-3627, bsc#972335)

This update was imported from the SUSE:SLE-12:Update update project.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2016-583.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(91147);
  script_version("$Revision: 2.3 $");
  script_cvs_date("$Date: 2016/10/13 14:37:11 $");

  script_cve_id("CVE-2016-3627");

  script_name(english:"openSUSE Security Update : libxml2 (openSUSE-2016-583)");
  script_summary(english:"Check for the openSUSE-2016-583 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update for libxml2 fixes two security issues :

  - libxml2 limits the number of recursions an XML document
    can contain so to protect against the 'Billion Laughs'
    denial-of-service attack. Unfortunately, the underlying
    counter was not incremented properly in all necessary
    locations. Therefore, specially crafted XML documents
    could exhaust all available stack space and crash the
    XML parser without running into the recursion limit.
    This vulnerability has been fixed. (bsc#975947)

  - When running in recovery mode, certain invalid XML
    documents would trigger an infinite recursion in libxml2
    that ran until all stack space was exhausted. This
    vulnerability could have been used to facilitate a
    denial-of-sevice attack. (CVE-2016-3627, bsc#972335)

This update was imported from the SUSE:SLE-12:Update update project."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=972335"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=975947"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected libxml2 packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libxml2-2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libxml2-2-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libxml2-2-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libxml2-2-debuginfo-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libxml2-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libxml2-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libxml2-devel-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libxml2-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libxml2-tools-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-libxml2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-libxml2-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-libxml2-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/05/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/16");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE42.1", reference:"libxml2-2-2.9.1-16.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"libxml2-2-debuginfo-2.9.1-16.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"libxml2-debugsource-2.9.1-16.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"libxml2-devel-2.9.1-16.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"libxml2-tools-2.9.1-16.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"libxml2-tools-debuginfo-2.9.1-16.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"python-libxml2-2.9.1-16.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"python-libxml2-debuginfo-2.9.1-16.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"python-libxml2-debugsource-2.9.1-16.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libxml2-2-32bit-2.9.1-16.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libxml2-2-debuginfo-32bit-2.9.1-16.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libxml2-devel-32bit-2.9.1-16.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libxml2-2 / libxml2-2-32bit / libxml2-2-debuginfo / etc");
}