On Mon, 14 Dec 2009 17:48:10 +0100, Mike Hommey wrote: > tag 560946 wontfix > thanks > > On Mon, Dec 14, 2009 at 11:31:18AM -0500, Michael Gilbert wrote: > > retitle 560946 xulrunner: embeds expat > > severity 560946 important > > thanks > > > > On Mon, 14 Dec 2009 09:15:12 +0100, Mike Hommey wrote: > > > On Sat, Dec 12, 2009 at 10:56:59PM -0500, Michael Gilbert wrote: > > > > package: xulrunner > > > > severity: serious > > > > tags: security > > > > > > > > Hi, > > > > > > > > The following CVE (Common Vulnerabilities & Exposures) ids were > > > > published for expat. I have determined that this package embeds a > > > > vulnerable copy of xmlparse.c and xmltok_impl.c. However, since this is > > > > a mass bug filing (due to so many packages embedding expat), I have > > > > not had time to determine whether the vulnerable code is actually > > > > present in any of the binary packages derived from this source package. > > > > Please determine whether this is the case. If the binary packages are > > > > not affected, please feel free to close the bug with a message > > > > containing the details of what you did to check. > > > > > > > > CVE-2009-3560[0]: > > > > | The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, > > > > | as used in the XML-Twig module for Perl, allows context-dependent > > > > | attackers to cause a denial of service (application crash) via an XML > > > > | document with malformed UTF-8 sequences that trigger a buffer > > > > | over-read, related to the doProlog function in lib/xmlparse.c, a > > > > | different vulnerability than CVE-2009-2625 and CVE-2009-3720. > > > > > > From what I understand from the vulnerability, the an specially crafted > > > big5 encoded document can trigger a bad conversion to utf-8 which in > > > turn can trigger this bug, due to the malformed utf-8. > > > > > > > CVE-2009-3720[1]: > > > > | The updatePosition function in lib/xmltok_impl.c in libexpat in Expat > > > > | 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, > > > > | allows context-dependent attackers to cause a denial of service > > > > | (application crash) via an XML document with crafted UTF-8 sequences > > > > | that trigger a buffer over-read, a different vulnerability than > > > > | CVE-2009-2625. > > > > > > This one is about a buffer overrun from malformed utf-8 at the end of > > > the buffer. > > > > > > AFAIK, none of these bugs should be affecting the mozilla code base, as > > > it is doing its own utf-8 conversions and sanitizes it well before it > > > comes to expat. > > > > sounds reasonable to me. so to harden for future issues, i would still > > recommend updating xulrunner to use the system expat. thanks. > > As I said in another message, this is simply impossible, as it is > heavily modified. > > On the other hand, on the long run, it might disappear, as mozilla will > be switching to a new html5 parser (which AFAIK is not based on expat).
ok, good enough. i've got too many bugs i'm dealing with right now to remember all of these things... mike -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
