Package: xmlrpc-c
Version: 1.06.27-1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu karmic ubuntu-patch

In Ubuntu, we've applied the attached patch to achieve the following:

  * SECURITY UPDATE: fix DoS via malformed XML
    - debian/patches/CVE-2009-3720.patch: update expat/xmltok/xmltok_impl.c
      to not access beyond end of input string
    - CVE-2009-3720
  * SECURITY UPDATE: fix DoS via malformed UTF-8 sequences
    - debian/patches/CVE-2009-3560.patch: update expat/xmlparse/xmlparse.c to
      properly recognize the end of a token
    - CVE-2009-3560

We thought you might be interested in doing the same. Please note that the
patches do include the regression fixes.

Jamie


-- System Information:
Debian Release: squeeze/sid
  APT prefers karmic-updates
  APT policy: (500, 'karmic-updates'), (500, 'karmic-security'), (500, 'karmic')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-17-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u xmlrpc-c-1.06.27/debian/changelog xmlrpc-c-1.06.27/debian/changelog
diff -u xmlrpc-c-1.06.27/debian/patches/series xmlrpc-c-1.06.27/debian/patches/series
--- xmlrpc-c-1.06.27/debian/patches/series
+++ xmlrpc-c-1.06.27/debian/patches/series
@@ -3,0 +4,2 @@
+CVE-2009-3720.patch
+CVE-2009-3560.patch
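Review bot: the `diff -u` header for debian/changelog just above this hunk has no hunk under it, so the changelog entry quoted in the message is not part of the patch as posted; include it or drop the empty header so the attachment applies cleanly and is self-describing. In the series hunk itself, the two entries are added as a pair at line 4; a short comment in the series file marking them as the embedded-expat security fixes would make them easier to drop together when lib/expat is next resynced.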
only in patch2:
unchanged:
--- xmlrpc-c-1.06.27.orig/debian/patches/CVE-2009-3560.patch
+++ xmlrpc-c-1.06.27/debian/patches/CVE-2009-3560.patch
@@ -0,0 +1,19 @@
+Description: DoS via XML document with malformed UTF-8 sequences
+ (CVE_2009_3560)
+Origin: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.166
+  http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#rev1.166
+  http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#rev1.165
+
+diff -Nur xmlrpc-c-1.06.27/lib/expat/xmlparse/xmlparse.c xmlrpc-c-1.06.27.new/lib/expat/xmlparse/xmlparse.c
+--- xmlrpc-c-1.06.27/lib/expat/xmlparse/xmlparse.c	2007-01-10 19:08:53.000000000 -0600
++++ xmlrpc-c-1.06.27.new/lib/expat/xmlparse/xmlparse.c	2010-01-26 12:56:33.885170530 -0600
+@@ -2330,6 +2330,9 @@
+         return XML_ERROR_UNCLOSED_TOKEN;
+       case XML_TOK_PARTIAL_CHAR:
+         return XML_ERROR_PARTIAL_CHAR;
++      case -XML_TOK_PROLOG_S:
++        tok = -tok;
++        break;
+       case XML_TOK_NONE:
+ #ifdef XML_DTD
+         if (enc != encoding)
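Review bot: in the Description header at the top of this new file the identifier is written `CVE_2009_3560` with underscores, while the file name, the series entry and the changelog use `CVE-2009-3560`; use the hyphenated form so a search for the CVE id finds the patch. The added `case -XML_TOK_PROLOG_S:` branch has no comment saying why a negated token value can reach this switch or why flipping the sign and breaking out is the right handling; a one-line comment would help anyone rebasing this onto a newer embedded expat. The Origin field lists three URLs (a diff from r1.164 to r1.166 plus the log entries for rev1.165 and rev1.166) without saying which revision each one contributes to the three added lines.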
only in patch2:
unchanged:
--- xmlrpc-c-1.06.27.orig/debian/patches/CVE-2009-3720.patch
+++ xmlrpc-c-1.06.27/debian/patches/CVE-2009-3720.patch
@@ -0,0 +1,15 @@
+Description: DoS via malformed XML (CVE-2009-3720)
+Origin: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.15&r2=1.13
+
+diff -Nur xmlrpc-c-1.06.27/lib/expat/xmltok/xmltok_impl.c xmlrpc-c-1.06.27.new/lib/expat/xmltok/xmltok_impl.c
+--- xmlrpc-c-1.06.27/lib/expat/xmltok/xmltok_impl.c	2006-07-11 21:00:38.000000000 -0500
++++ xmlrpc-c-1.06.27.new/lib/expat/xmltok/xmltok_impl.c	2010-01-26 12:55:26.395172892 -0600
+@@ -1737,7 +1737,7 @@
+ 			    const char *end,
+ 			    POSITION *pos)
+ {
+-  while (ptr != end) {
++  while (ptr < end) {
+     switch (BYTE_TYPE(enc, ptr)) {
+ #define LEAD_CASE(n) \
+     case BT_LEAD ## n: \
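Review bot: the change from `ptr != end` to `ptr < end` in the loop condition only matters if `ptr` can step past `end` inside the loop body, and the `LEAD_CASE(n)` macro where that would happen is cut off in the trailing context, so the reason for the fix is not visible from the hunk; add a comment on the `while` line stating that a multi-byte advance may overshoot `end` on truncated input. The ordered comparison also assumes `ptr` and `end` always point into the same buffer, which is worth confirming for every caller of this function. In the Origin header the URL is given as `r1=1.15&r2=1.13`, which renders the upstream diff in the reverse direction of the change applied here; swap the two revisions.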
