Your message dated Sun, 16 Aug 2009 16:47:50 +0000
with message-id <e1mcita-00036l...@ries.debian.org>
and subject line Bug#540865: fixed in libxml2 2.7.3.dfsg-2.1
has caused the Debian Bug report #540865,
regarding libxml2: CVE-2009-2414, CVE-2009-2416 pointer-user-after-free and
stack overflow because of function recursion
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
540865: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=540865
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxml2
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for libxml2.
CVE-2009-2416[0]:
| Pointer use-after-free flaws were found in libxml by parsing Notation
| and Enumeration attribute types. A remote attacker could provide
| a specially-crafted XML file, which once opened by a local, unsuspecting
| user would lead to denial of service (application crash).
CVE-2009-2414[1]:
| A stack overflow flaw was found in libxml by parsing root XML document
| element DTD definition. Providing a specially-crafted XML file would
| lead to excessive stack growth and denial of service (application crash),
| when opened by a victim.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2416
http://security-tracker.debian.net/tracker/CVE-2009-2416
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2414
http://security-tracker.debian.net/tracker/CVE-2009-2414
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
--- parser.c.orig 2009-08-03 15:33:12.000000000 +0200
+++ parser.c 2009-08-03 15:36:26.000000000 +0200
@@ -4778,10 +4779,14 @@ xmlParseNotationType(xmlParserCtxtPtr ct
if (name == NULL) {
xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED,
"Name expected in NOTATION declaration\n");
- return(ret);
+ xmlFreeEnumeration(ret);
+ return(NULL);
}
cur = xmlCreateEnumeration(name);
- if (cur == NULL) return(ret);
+ if (cur == NULL) {
+ xmlFreeEnumeration(ret);
+ return(NULL);
+ }
if (last == NULL) ret = last = cur;
else {
last->next = cur;
@@ -4791,9 +4796,8 @@ xmlParseNotationType(xmlParserCtxtPtr ct
} while (RAW == '|');
if (RAW != ')') {
xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL);
- if ((last != NULL) && (last != ret))
- xmlFreeEnumeration(last);
- return(ret);
+ xmlFreeEnumeration(ret);
+ return(NULL);
}
NEXT;
return(ret);
@@ -4834,7 +4838,10 @@ xmlParseEnumerationType(xmlParserCtxtPtr
}
cur = xmlCreateEnumeration(name);
xmlFree(name);
- if (cur == NULL) return(ret);
+ if (cur == NULL) {
+ xmlFreeEnumeration(ret);
+ return(NULL);
+ }
if (last == NULL) ret = last = cur;
else {
last->next = cur;
@@ -5232,6 +5239,12 @@ xmlParseElementChildrenContentDecl (xmlP
const xmlChar *elem;
xmlChar type = 0;
+ if (ctxt->depth > 128) {
+ xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED,
+ "xmlParseElementChildrenContentDecl : depth %d too deep\n",
+ ctxt->depth);
+ return(NULL);
+ }
SKIP_BLANKS;
GROW;
if (RAW == '(') {
@@ -5240,7 +5253,9 @@ xmlParseElementChildrenContentDecl (xmlP
/* Recurse on first child */
NEXT;
SKIP_BLANKS;
+ ctxt->depth++;
cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid);
+ ctxt->depth--;
SKIP_BLANKS;
GROW;
} else {
@@ -5370,7 +5385,9 @@ xmlParseElementChildrenContentDecl (xmlP
/* Recurse on second child */
NEXT;
SKIP_BLANKS;
+ ctxt->depth++;
last = xmlParseElementChildrenContentDecl(ctxt, inputid);
+ ctxt->depth--;
SKIP_BLANKS;
} else {
elem = xmlParseName(ctxt);
pgpKox1kevXAE.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: libxml2
Source-Version: 2.7.3.dfsg-2.1
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive:
libxml2-dbg_2.7.3.dfsg-2.1_amd64.deb
to pool/main/libx/libxml2/libxml2-dbg_2.7.3.dfsg-2.1_amd64.deb
libxml2-dev_2.7.3.dfsg-2.1_amd64.deb
to pool/main/libx/libxml2/libxml2-dev_2.7.3.dfsg-2.1_amd64.deb
libxml2-doc_2.7.3.dfsg-2.1_all.deb
to pool/main/libx/libxml2/libxml2-doc_2.7.3.dfsg-2.1_all.deb
libxml2-utils_2.7.3.dfsg-2.1_amd64.deb
to pool/main/libx/libxml2/libxml2-utils_2.7.3.dfsg-2.1_amd64.deb
libxml2_2.7.3.dfsg-2.1.diff.gz
to pool/main/libx/libxml2/libxml2_2.7.3.dfsg-2.1.diff.gz
libxml2_2.7.3.dfsg-2.1.dsc
to pool/main/libx/libxml2/libxml2_2.7.3.dfsg-2.1.dsc
libxml2_2.7.3.dfsg-2.1_amd64.deb
to pool/main/libx/libxml2/libxml2_2.7.3.dfsg-2.1_amd64.deb
python-libxml2_2.7.3.dfsg-2.1_amd64.deb
to pool/main/libx/libxml2/python-libxml2_2.7.3.dfsg-2.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 540...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 16 Aug 2009 17:45:17 +0200
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2
Architecture: source all amd64
Version: 2.7.3.dfsg-2.1
Distribution: unstable
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description:
libxml2 - GNOME XML library
libxml2-dbg - Debugging symbols for the GNOME XML library
libxml2-dev - Development files for the GNOME XML library
libxml2-doc - Documentation for the GNOME XML library
libxml2-utils - XML utilities
python-libxml2 - Python bindings for the GNOME XML library
Closes: 540865
Changes:
libxml2 (2.7.3.dfsg-2.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team (Closes: #540865).
* Fix multiple use-after-free flaws when parsing notation and
enumeration attribute types (CVE-2009-2416).
* Fix stack overflow when parsing root XML document element DTD
definition (CVE-2009-2414).
Checksums-Sha1:
5920251adb136635ee9860f2935b5e0a2ed39802 1479 libxml2_2.7.3.dfsg-2.1.dsc
9f3c3f24da35db0b5a7173ad96b3d696b1c7b6ed 78832 libxml2_2.7.3.dfsg-2.1.diff.gz
93807770bf46fb7527396ace8c7fe7e066eb53e1 1358762
libxml2-doc_2.7.3.dfsg-2.1_all.deb
0676c6e9cce6891f2251d1f17fddf6f3bfc8292f 864564
libxml2_2.7.3.dfsg-2.1_amd64.deb
2ad88d150e5dbbf2779f38ed2c35dbc9ec5ca452 86684
libxml2-utils_2.7.3.dfsg-2.1_amd64.deb
ed8974201cb64b93aa27be4c302bcb5032862784 824240
libxml2-dev_2.7.3.dfsg-2.1_amd64.deb
0e9896b831cbad8eec0b23f4f66405f49d75d7d4 1048096
libxml2-dbg_2.7.3.dfsg-2.1_amd64.deb
fe41e89bb84e287da1b72eefb71fcc3938852f32 338268
python-libxml2_2.7.3.dfsg-2.1_amd64.deb
Checksums-Sha256:
90039351897a55019cd78da2d60d8789e8442b380a26fee51330a8872eb2603f 1479
libxml2_2.7.3.dfsg-2.1.dsc
d4f57991d8cf13b6d9459d8eece07dfbd66f486eedce3046fb0934c76c66d0c4 78832
libxml2_2.7.3.dfsg-2.1.diff.gz
b41e5f0afd66b29fddb840becaebb1aefe44d3a6048b062c250435fab3f33472 1358762
libxml2-doc_2.7.3.dfsg-2.1_all.deb
1c22f6f755e16f9c3291d4895efcd05f9da26804c01c4e283e3625a9887b9109 864564
libxml2_2.7.3.dfsg-2.1_amd64.deb
e8d4a732cd0bb2b68e1cf47ee00141ebe8af1c71dad5bac658cdb36cd8c62295 86684
libxml2-utils_2.7.3.dfsg-2.1_amd64.deb
f948940f72c4b76f689add1edf7eafcd907ec85fc1e6c23d24144c9626cb4c94 824240
libxml2-dev_2.7.3.dfsg-2.1_amd64.deb
15058452156f88d78e0a8fd15dd19204496f079c6d6e608c420665062c17fbaa 1048096
libxml2-dbg_2.7.3.dfsg-2.1_amd64.deb
005d23fa6d9c9826dc057f435ec4d84517afd01b2eb486b9d4a3b88aa7428511 338268
python-libxml2_2.7.3.dfsg-2.1_amd64.deb
Files:
3864059f2c6a5c49b3eb50a989d2183f 1479 libs optional libxml2_2.7.3.dfsg-2.1.dsc
1656f56a382abafcd9213aba6e75b9fc 78832 libs optional
libxml2_2.7.3.dfsg-2.1.diff.gz
d453563a929c53def6670de2d4c79a6d 1358762 doc optional
libxml2-doc_2.7.3.dfsg-2.1_all.deb
6948b82a71ace65f36edf6f22ccd128f 864564 libs optional
libxml2_2.7.3.dfsg-2.1_amd64.deb
0c22ff240636e41928380f5ca932db81 86684 text optional
libxml2-utils_2.7.3.dfsg-2.1_amd64.deb
ae91c1ceb56392e0c8faa6bad7bf58de 824240 libdevel optional
libxml2-dev_2.7.3.dfsg-2.1_amd64.deb
cf2f04cedc3153807e0a484e7513ca65 1048096 debug extra
libxml2-dbg_2.7.3.dfsg-2.1_amd64.deb
e883f0dbb195e174fa132e8f7cbba07e 338268 python optional
python-libxml2_2.7.3.dfsg-2.1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqIMg8ACgkQHYflSXNkfP8kEQCgr091mbDT3y7VIgHYxK3WolRi
FH4AoLn5+2huX8f8GiEYsynklfNXuVRu
=+9vH
-----END PGP SIGNATURE-----
--- End Message ---
