Your message dated Fri, 19 Sep 2008 21:17:56 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#498768: fixed in libxml2 2.6.32.dfsg-4
has caused the Debian Bug report #498768,
regarding libxml2: does not correctly handle long entity names (CVE-2008-3529)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
498768: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498768
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libxml2
Version: 2.6.32.dfsg-3
Severity: grave
Tags: security
Justification: user security hole
ubuntu just released a fix for a problem in libxml2 [1]. the issue appears
to currently be reserved [2], but since ubuntu has released a fix, other
distributions need to follow suit soon to limit the window of opportunity
for attacks. the description of the problem is

    It was discovered that libxml2 did not correctly handle long entity
    names. If a user were tricked into processing a specially crafted XML
    document, a remote attacker could execute arbitrary code with user
    privileges or cause the application linked against libxml2 to crash,
    leading to a denial of service.

this likely affects all releases (stable, testing, and unstable).

thanks for the hard work.

[1] http://lwn.net/Articles/298282/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-etchnhalf.1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libxml2 depends on:
ii libc6 2.7-13 GNU C Library: Shared libraries
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages libxml2 recommends:
ii xml-core 0.11 XML infrastructure and XML catalog
libxml2 suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: libxml2
Source-Version: 2.6.32.dfsg-4
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive:
libxml2-dbg_2.6.32.dfsg-4_amd64.deb
to pool/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-4_amd64.deb
libxml2-dev_2.6.32.dfsg-4_amd64.deb
to pool/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-4_amd64.deb
libxml2-doc_2.6.32.dfsg-4_all.deb
to pool/main/libx/libxml2/libxml2-doc_2.6.32.dfsg-4_all.deb
libxml2-utils_2.6.32.dfsg-4_amd64.deb
to pool/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-4_amd64.deb
libxml2_2.6.32.dfsg-4.diff.gz
to pool/main/libx/libxml2/libxml2_2.6.32.dfsg-4.diff.gz
libxml2_2.6.32.dfsg-4.dsc
to pool/main/libx/libxml2/libxml2_2.6.32.dfsg-4.dsc
libxml2_2.6.32.dfsg-4_amd64.deb
to pool/main/libx/libxml2/libxml2_2.6.32.dfsg-4_amd64.deb
python-libxml2_2.6.32.dfsg-4_amd64.deb
to pool/main/libx/libxml2/python-libxml2_2.6.32.dfsg-4_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Hommey <[EMAIL PROTECTED]> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 19 Sep 2008 21:26:19 +0200
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2
Architecture: source all amd64
Version: 2.6.32.dfsg-4
Distribution: unstable
Urgency: high
Maintainer: Debian XML/SGML Group <[EMAIL PROTECTED]>
Changed-By: Mike Hommey <[EMAIL PROTECTED]>
Description:
libxml2 - GNOME XML library
libxml2-dbg - Debugging symbols for the GNOME XML library
libxml2-dev - Development files for the GNOME XML library
libxml2-doc - Documentation for the GNOME XML library
libxml2-utils - XML utilities
python-libxml2 - Python bindings for the GNOME XML library
Closes: 498768
Changes:
libxml2 (2.6.32.dfsg-4) unstable; urgency=high
.
* Fix regressions due to previous security fixes. Fixes: CVE-2008-3529.
Closes: #498768.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFI1Adu3kvaLFT9KlgRAgdSAKCQcpUmLTtwp7/t8QXwJgeey7dnmgCfYJ8B
vCgkXmfFlBYObl4REEGT/JM=
=FLXP
-----END PGP SIGNATURE-----
--- End Message ---