EGI SVG Advisories

** WHITE information - Unlimited distribution allowed      **
** see https://go.egi.eu/tlp for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20120206]

Title:       MODERATE RISK - Multiple Vulnerabilities in the libxml (CVE-2012-3919 etc.) [EGI-ADV-20120206]
Date:        Feb. 06, 2012
Last update: Feb. 06, 2012
URL:         https://advisories.egi.eu/CSIRT_Alerts/libxml2-2012-02-06


Introduction
============

The libxml2 library is a development toolbox providing the implementation of
various XML standards and is widely used by many applications. Multiple
vulnerabilities were found in libxml2 package. A remote attacker could provide
a specially-crafted XML file that, when opened in an application linked against
libxml2, would cause the application to crash or, potentially, execute
arbitrary code with the privileges of the user running the application
(CVE-2011-3919, CVE-2011-0216, CVE-2011-1944).

Libxml2 shipped with RH4, 5 and 6 are affected. Patches from the Linux vendors
are available (see reference).


Details
=======

At the moment we are not aware of any public exploit. The detail of some
vulnerabilities such as CVE-2011-3919 might be made public in the future
[http://googlechromereleases.blogspot.com/2012/01/stable-channel-update.html]


Mitigation
==========

There is no known mitigation solution. Please update system with patches from
Linux vendors.

Recommendations
===============

These vulnerabilities exist. While no serious exploit is available yet, there
is the potential for a remote command execution and privilege escalation. There
is the possibility that this may escalate to become a 'High' or 'Critical' risk
issue if such an exploit were to be developed, particularly if it lead to
'root' escalation.

Hence it is *recommended* that sites update their systems as soon as is practical.


References
==========

RHEL4 update:
https://rhn.redhat.com/errata/RHSA-2012-0016.html
RHEL5 update:
https://rhn.redhat.com/errata/RHSA-2012-0017.html
RHEL6 update:
https://rhn.redhat.com/errata/RHSA-2012-0018.html