** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
EGI CSIRT ADVISORY [EGI-ADV-20120206]
Title: MODERATE RISK - Multiple Vulnerabilities in libxml2 (CVE-2011-3919 etc.) [EGI-ADV-20120206]
Date: Feb. 06, 2012
Last update: Feb. 06, 2012
The libxml2 library is a development toolbox providing the implementation of various XML standards and is
widely used by many applications. Multiple vulnerabilities were found in the libxml2 package. A remote attacker
could provide a specially crafted XML file that, when opened in an application linked against libxml2,
would cause the application to crash or, potentially, execute arbitrary code with the privileges of the
user running the application (CVE-2011-3919, CVE-2011-0216, CVE-2011-1944).
The libxml2 packages shipped with RH4, 5 and 6 are affected. Patches from the Linux vendors are available (see reference).
At the moment we are not aware of any public exploit. Details of some of the vulnerabilities, such as CVE-2011-3919,
may be made public in the future [http://googlechromereleases.blogspot.com/2012/01/stable-channel-update.html].
There is no known mitigation other than patching. Please update systems with the patches from the Linux vendors.
While no serious exploit is available yet, these vulnerabilities carry the potential for remote command
execution and privilege escalation. This issue may escalate to a 'High' or 'Critical' risk if such an exploit
were to be developed, particularly if it led to 'root' escalation.
Hence it is *recommended* that sites update their systems as soon as is practical.
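Because libxml2 is a shared library, installing the vendor package does not protect applications that are already running with the old copy mapped into memory; they keep executing the vulnerable code until restarted. The following script is an added example for site administrators, not part of the EGI advisory or of any vendor tooling. It assumes an RPM-based Linux host with /proc mounted: it prints the installed libxml2 package version for comparison against the vendor errata, then lists the PIDs of processes whose memory maps still reference a libxml2 shared object that has been replaced on disk (the kernel marks such mappings "(deleted)"). The sample maps lines used for the --demo mode are constructed.

```shell
#!/bin/sh
# Added example (not from the EGI advisory): find processes that still use a
# replaced libxml2 after the vendor update, so they can be restarted.

# Read "<pid> <maps-line>" pairs on stdin and print, one per line and
# deduplicated, the PIDs whose maps reference a libxml2 shared object that
# has been deleted from disk (i.e. replaced by the package update).
stale_libxml2_pids() {
    awk '/libxml2\.so/ && /\(deleted\)$/ { print $1 }' | sort -un
}

# Walk every process in /proc and feed its maps, prefixed with the PID, to
# stale_libxml2_pids. Processes may exit between the glob and the read, and
# other users' maps are unreadable without privileges, so errors are ignored.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        sed "s/^/$pid /" "$maps" 2>/dev/null
    done | stale_libxml2_pids
}

# Constructed sample input: three processes; 1234 and 3456 still map the
# replaced library, 2345 has already been restarted and maps the new file.
SAMPLE_MAPS='1234 7f1e2a000000-7f1e2a150000 r-xp 00000000 08:01 393241 /usr/lib64/libxml2.so.2.7.6 (deleted)
1234 7f1e2a150000-7f1e2a350000 ---p 00150000 08:01 393241 /usr/lib64/libxml2.so.2.7.6 (deleted)
2345 7f9c10000000-7f9c10150000 r-xp 00000000 08:01 401207 /usr/lib64/libxml2.so.2.7.6
3456 7fab30000000-7fab30150000 r-xp 00000000 08:01 393241 /usr/lib64/libxml2.so.2.7.6 (deleted)
3456 7fab31000000-7fab31020000 r-xp 00000000 08:01 131072 /lib64/libc-2.12.so'

if [ "${1:-}" = "--demo" ]; then
    # Offline demonstration on the constructed sample; prints 1234 and 3456.
    printf '%s\n' "$SAMPLE_MAPS" | stale_libxml2_pids
else
    # Live check: installed package version (compare with the vendor errata),
    # then the PIDs that need a restart. Run as root to see all processes.
    rpm -q libxml2 2>/dev/null
    scan_running_processes
fi
```

Run it as root after applying the update; an empty PID list means no running process is still using the old library. Services listed should be restarted (or the host rebooted, since a replaced libxml2 may be mapped by long-lived daemons such as web or grid middleware services).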