SB2018102435 - Null pointer dereference in libxml2 (Alpine package)
Published: October 24, 2018
Security Bulletin ID
SB2018102435
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Null pointer dereference (CVE-ID: CVE-2018-14404)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists in the xmlXPathCompOpEval() function, as defined in the path.c source code file due to improper parsing of invalid XPath expressions in the XPATH_OP_AND and XPATH_OP_OR cases. A remote attacker can send a specially crafted request that submits malicious input to an application that is using the affected library, trigger a NULL pointer dereference and cause the application to crash.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=1647bdc21ffc22aacee5ea142d372445d1fd5b03
- https://git.alpinelinux.org/aports/commit/?id=5e57be93778177ca048236091d2814a4ad205903
- https://git.alpinelinux.org/aports/commit/?id=76958c600547909509a0352cfbfd9d329ff49da9
- https://git.alpinelinux.org/aports/commit/?id=f70c7aa335da7bafa60d0834ba1b57b9fd5c732c
- https://git.alpinelinux.org/aports/commit/?id=4bc223137c3c80eb753c3caaa60b3a368b80af0f
- https://git.alpinelinux.org/aports/commit/?id=81df780b6d24c97fe63fde06d2cf77d76dc47bb1
- https://git.alpinelinux.org/aports/commit/?id=0434d7dc126aeb836678e3b545a2fe8748a4b269
- https://git.alpinelinux.org/aports/commit/?id=1f4fa90580a1d7f0000a1bf14f337b446f28d317
- https://git.alpinelinux.org/aports/commit/?id=878af9b6555b9b812151e55fd3294c89cf0f53ba
- https://git.alpinelinux.org/aports/commit/?id=9ba0323ae03ecb1319c9174e281260c37544fa1d
- https://git.alpinelinux.org/aports/commit/?id=a6c278e2f3d21e7ffc9b25ad0cd3845c3caafcf9