USN-4784-1: Xerces-C++ vulnerabilities

Releases

• Ubuntu 18.04 ESM
• Ubuntu 16.04 ESM

Packages

• xerces-c - Validating XML parser written in a portable subset of C++

Details

It was discovered that Xerces-C++ XML Parser mishandles certain kinds of
external DTD references, resulting in a user-after-free. An attacker could
use this vulnerability to cause a denial of service (crash) or possibly
execute arbitrary code. This issue affected only Ubuntu 16.04 ESM.
(CVE-2016-2099)

It was discovered that Xerces-C++ XML Parser fails to successfully parse a
DTD that is too deeply nested. An unauthenticated attacker could use this
vulnerability to cause a denial of service. This issue affected only Ubuntu
16.04 ESM. (CVE-2016-4463)

It was discovered that Xerces-C++ mishandles certain kinds of external DTD
references, resulting in dereference of a NULL pointer. An attacker could
use this vulnerability to cause a denial of service. (CVE-2017-12627)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04

• libxerces-c3.2 - 3.2.0+debian-2ubuntu0.1~esm1
  Available with Ubuntu Pro

Ubuntu 16.04

• libxerces-c-dev - 3.1.3+debian-1ubuntu0.1~esm1
  Available with Ubuntu Pro
• libxerces-c3.1 - 3.1.3+debian-1ubuntu0.1~esm1
  Available with Ubuntu Pro
• libxerces-c-samples - 3.1.3+debian-1ubuntu0.1~esm1
  Available with Ubuntu Pro
• libxerces-c-doc - 3.1.3+debian-1ubuntu0.1~esm1
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References

• CVE-2016-2099
• CVE-2016-4463
• CVE-2017-12627