Bug#: 202628
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Attachments:
  libxml2-CVE-2007-6284.patch (patch, 1.63 KB), created by Robert Buchholz, 2007-12-17 23:28 0000
  libxml2-2.6.30-r1.ebuild, "Patched ebuild" (text/plain, 3.10 KB), created by Daniel Gryniewicz, 2007-12-18 04:20 0000
Description:   Opened: 2007-12-17 23:25 0000
There exists a denial of service problem in libxml's UTF-8
decoding functions. The xmlCurrentChar() function does not check
UTF-8 correctness and certain multibyte combinations can cause
the library to enter an infinite loop and hang, consuming
system resources. It is strongly recommended to upgrade if
your application accepts arbitrary xml user input.

Credits:
The issue was originally discovered at Google by Brad Fitzpatrick
and further investigated by Peter Valchev and Will Drewry.
Patch and debugging by Daniel Veillard (libxml).
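
The description above attributes the hang to a decoder that does not check UTF-8 correctness. As an added illustration (not libxml2 code and not the attached patch), the sketch below shows the checks a strict decoder performs and why its scanning loop always terminates; the names utf8_decode and utf8_count are hypothetical and the input in main is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Decode one UTF-8 sequence from buf[0..len). Returns the bytes consumed (1..4)
 * and stores the code point in *cp, or returns 0 if the input is malformed. */
size_t utf8_decode(const unsigned char *buf, size_t len, uint32_t *cp)
{
    static const uint32_t min_cp[5] = {0, 0, 0x80, 0x800, 0x10000};
    size_t need, i;
    uint32_t c;
    if (len == 0) return 0;
    if (buf[0] < 0x80) { *cp = buf[0]; return 1; }
    if ((buf[0] & 0xE0) == 0xC0)      { need = 2; c = buf[0] & 0x1F; }
    else if ((buf[0] & 0xF0) == 0xE0) { need = 3; c = buf[0] & 0x0F; }
    else if ((buf[0] & 0xF8) == 0xF0) { need = 4; c = buf[0] & 0x07; }
    else return 0;                    /* stray continuation or invalid lead byte */
    if (need > len) return 0;         /* sequence truncated by end of buffer */
    for (i = 1; i < need; i++) {
        if ((buf[i] & 0xC0) != 0x80) return 0;   /* not a continuation byte */
        c = (c << 6) | (buf[i] & 0x3F);
    }
    if (c < min_cp[need]) return 0;   /* overlong encoding */
    if (c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF)) return 0;
    *cp = c;
    return need;
}

/* Count code points, or return -1 at the first malformed sequence. Each pass
 * either consumes at least one byte or returns, so the loop cannot spin. */
long utf8_count(const unsigned char *buf, size_t len)
{
    size_t pos = 0;
    long n = 0;
    uint32_t cp;
    while (pos < len) {
        size_t used = utf8_decode(buf + pos, len - pos, &cp);
        if (used == 0) return -1;
        pos += used;
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed input: 'a', then a 3-byte sequence cut off after 2 bytes. */
    printf("%ld\n", utf8_count((const unsigned char *)"a\xE2\x82", 3));
    return 0;
}
```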

------- Comment #1 From Robert Buchholz 2007-12-17 23:28:17 0000 -------
Created an attachment (id=138787)
libxml2-CVE-2007-6284.patch

------- Comment #2 From Robert Buchholz 2007-12-17 23:33:20 0000 -------
Leonardo and Daniel, please prepare an updated ebuild with the patch and attach
it to this bug if you want prestable testing. Please do not commit anything to
CVS yet!

I am not sure whether we have daemons in the tree that accept XML input via
libxml2. That would make this bug rather serious - for GNOME it seems to me,
this merely will crash a user's application.

------- Comment #3 From Daniel Gryniewicz 2007-12-18 04:20:24 0000 -------
Created an attachment (id=138790)
Patched ebuild

Trivial bump.  It works with my testing.  I did re-name the patch to
libxml2-2.6.30-CVE-2007-6284.patch, to make it fit better to Gentoo's naming
scheme, but that's it.

------- Comment #4 From Robert Buchholz 2007-12-18 09:13:47 0000 -------
Arch Security Liaisons, please test the attached ebuild and report it stable on
this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc
x86"

CC'ing current Liaisons:
  alpha : ferdy
  amd64 : welp
   hppa : jer
    ppc : dertobi123
  ppc64 : corsair
  sparc : fmccor
    x86 : opfer

------- Comment #5 From Christian Faulhammer 2007-12-18 10:41:46 0000 -------
all fine on x86, test suite succeeds and I built some rdeps without problems
(plus they still work)

------- Comment #6 From Ferris McCormick 2007-12-18 16:15:14 0000 -------
Sparc is good; all tests run as they should.

------- Comment #7 From Jeroen Roovers 2007-12-18 18:52:49 0000 -------
HPPA is OK too.

------- Comment #8 From Markus Rothe 2007-12-18 20:10:53 0000 -------
looks good on ppc64

------- Comment #9 From Fernando J. Pereda (RETIRED) 2007-12-19 19:48:37 0000 -------
Adding Raúl for alpha, sorry for the delay.

------- Comment #10 From Raúl Porcel 2007-12-19 20:19:29 0000 -------
Works fine on alpha/ia64

------- Comment #11 From Peter Weller 2007-12-22 10:59:55 0000 -------
Looks good to me, too

------- Comment #12 From Robert Buchholz 2007-12-22 13:19:41 0000 -------
Adding Brent for PPC.

------- Comment #13 From Brent Baude 2008-01-04 15:24:23 0000 -------
Looks good for ppc too

------- Comment #14 From Robert Buchholz 2008-01-04 17:31:01 0000 -------
All security supported arches ok'ed this.

Daniel, please commit to stable as soon as the disclosure date is up (currently
Jan. 11)

------- Comment #15 From Robert Buchholz 2008-01-11 11:00:24 0000 -------
This will be public in one hour, please commit after then. Thanks!

------- Comment #16 From Robert Buchholz 2008-01-11 12:54:08 0000 -------
Public now.

------- Comment #17 From Daniel Gryniewicz 2008-01-11 17:10:27 0000 -------
Okay, committed to stable.  For the record: how do I get repoman to let me
commit directly to stable?

------- Comment #18 From Peter Weller 2008-01-11 21:16:42 0000 -------
--force, if I recall correctly.

------- Comment #19 From Robert Buchholz 2008-01-12 01:15:07 0000 -------
Thanks, request filed.

------- Comment #20 From Craig (Security Padawan) 2008-01-16 15:43:00 0000 -------
Couldn't this affect apache2? I remember something that libxml2 was needed to
build it?! AFAIK some proxy modules need libxml2.so. As I'm at work right now,
I don't have time for an excessive search.

------- Comment #21 From Markus Rothe 2008-01-16 16:38:28 0000 -------
(In reply to comment #20)
> Couldn't this affect apache2?

Every package that _links_ to libxml is safe, as they now use the new version.
Please take a look at the technique of "dynamic linking" (i.e. libraries).

------- Comment #22 From Raúl Porcel 2008-01-16 16:51:45 0000 -------
Removing liaisons, nothing to do here

------- Comment #23 From Pierre-Yves Rofes 2008-01-30 23:07:50 0000 -------
GLSA 200801-20
