Buffer overflow in Google Chrome and Libxml2 - CVE-2013-2877
Published: July 10, 2013 / Updated: August 11, 2020
Vulnerability identifier: #VU42721
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2013-2877
CWE-ID: CWE-119
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Google
Gnome Development Team
Gnome Development Team
Affected software:
Google Chrome
Libxml2
Google Chrome
Libxml2
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.
How to mitigate CVE-2013-2877
Install update from vendor's website.
Sources
- ftp://xmlsoft.org/libxml2/libxml2-2.9.0.tar.gz
- http://git.chromium.org/gitweb/?p=chromium/chromium.git;a=commit;h=e5d7f7e5dc21d3ae7be3cbb949ac4d8701e06de1
- http://googlechromereleases.blogspot.com/2013/07/stable-channel-update.html
- http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00002.html
- http://lists.opensuse.org/opensuse-updates/2013-07/msg00063.html
- http://lists.opensuse.org/opensuse-updates/2013-07/msg00077.html
- http://seclists.org/fulldisclosure/2014/Dec/23
- http://secunia.com/advisories/54172
- http://secunia.com/advisories/55568
- http://www.debian.org/security/2013/dsa-2724
- http://www.debian.org/security/2013/dsa-2779
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
- http://www.securityfocus.com/archive/1/534161/100/0/threaded
- http://www.securityfocus.com/bid/61050
- http://www.ubuntu.com/usn/USN-1904-1
- http://www.ubuntu.com/usn/USN-1904-2
- http://www.vmware.com/security/advisories/VMSA-2014-0012.html
- https://code.google.com/p/chromium/issues/detail?id=229019