========================================================================== Ubuntu Security Notice USN-1334-1 January 19, 2012 libxml2 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS - Ubuntu 8.04 LTS Summary: Applications using libxml2 could be made to crash or run programs as your login if they opened a specially crafted file. Software Description: - libxml2: GNOME XML library Details: It was discovered that libxml2 contained an off by one error. If a user or application linked against libxml2 were tricked into opening a specially crafted XML file, an attacker could cause the application to crash or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2011-0216) It was discovered that libxml2 is vulnerable to double-free conditions when parsing certain XML documents. This could allow a remote attacker to cause a denial of service. (CVE-2011-2821, CVE-2011-2834) It was discovered that libxml2 did not properly detect end of file when parsing certain XML documents. An attacker could exploit this to crash applications linked against libxml2. (CVE-2011-3905) It was discovered that libxml2 did not properly decode entity references with long names. If a user or application linked against libxml2 were tricked into opening a specially crafted XML file, an attacker could cause the application to crash or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2011-3919) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: libxml2 2.7.8.dfsg-4ubuntu0.1 Ubuntu 11.04: libxml2 2.7.8.dfsg-2ubuntu0.2 Ubuntu 10.10: libxml2 2.7.7.dfsg-4ubuntu0.3 Ubuntu 10.04 LTS: libxml2 2.7.6.dfsg-1ubuntu1.3 Ubuntu 8.04 LTS: libxml2 2.6.31.dfsg-2ubuntu1.7 After a standard system update you need to reboot your computer to make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1334-1 CVE-2011-0216, CVE-2011-2821, CVE-2011-2834, CVE-2011-3905, CVE-2011-3919 Package Information: https://launchpad.net/ubuntu/+source/libxml2/2.7.8.dfsg-4ubuntu0.1 https://launchpad.net/ubuntu/+source/libxml2/2.7.8.dfsg-2ubuntu0.2 https://launchpad.net/ubuntu/+source/libxml2/2.7.7.dfsg-4ubuntu0.3 https://launchpad.net/ubuntu/+source/libxml2/2.7.6.dfsg-1ubuntu1.3 https://launchpad.net/ubuntu/+source/libxml2/2.6.31.dfsg-2ubuntu1.7