Amazon Linux Security Advisory for libxml2: AL2012-2016-153

Package updates are available for Amazon Linux that fix the following vulnerabilities: CVE-2016-4449: 1338701: CVE-2016-4449 libxml2: Inappropriate fetch of entities content XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors. CVE-2016-4448: Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors. 1338700: CVE-2016-4448 libxml2: Format string vulnerability CVE-2016-4447: The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allows context-dependent attackers to cause a denial of service (heap-based buffer underread and application crash) via a crafted file, involving xmlParseName. 1338686: CVE-2016-4447 libxml2: Heap-based buffer underreads due to xmlParseName CVE-2016-3705: Missing incrementation of recursion depth counter were found in the xmlParserEntityCheck() and xmlParseAttValueComplex() functions used for parsing XML data. An attacker could launch a Denial of Service attack by passing specially crafted XML data to an application, forcing it to crash due to stack exhaustion. 1332443: CVE-2016-3705 libxml2: stack overflow before detecting invalid XML file CVE-2016-3627: Missing recursive loop detection checks were found in the xmlParserEntityCheck() and xmlStringGetNodeList() functions of libxml2, causing application using the library to crash by stack exhaustion while building the associated data. An attacker able to send XML data to be parsed in recovery mode could launch a Denial of Service on the application. 1319829: CVE-2016-3627 libxml2: stack exhaustion while parsing xml files in recovery mode CVE-2016-1840: libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, and CVE-2016-1839. 1338706: CVE-2016-1840 libxml2: Heap-buffer-overflow in xmlFAParserPosCharGroup CVE-2016-1839: 1338703: CVE-2016-1839 libxml2: Heap-based buffer overread in xmlDictAddString libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, and CVE-2016-1840. CVE-2016-1838: 1338705: CVE-2016-1838 libxml2: Heap-based buffer overread in xmlPArserPrintFileContextInternal libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1839, and CVE-2016-1840. CVE-2016-1837: libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840. 1338696: CVE-2016-1837 libxml2: Heap use-after-free in htmlPArsePubidLiteral

Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.

Administrators are advised to apply the appropriate software updates.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

AL2012-2016-153