SB2016032304 - Input validation error in expat (Alpine package)
Published: March 23, 2016
Security Bulletin ID
SB2016032304
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Input validation error (CVE-ID: CVE-2015-1283)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=61684c5b8c0524c2a4a18513bf15e976df5d0e87
- https://git.alpinelinux.org/aports/commit/?id=ce27c1073e8cbc046ffcdd7fe6d64b2ccb1a0c4b
- https://git.alpinelinux.org/aports/commit/?id=20d133e03f75eba249c9b491f214d3b7bb6fa2b5
- https://git.alpinelinux.org/aports/commit/?id=e9c02563843de1f486cae7cc96da90eb9113169b