** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

Jukka Taimisto and Rauli Kaksonen from the CROSS project at Codenomicon reported the following vulnerabilities:
* Multiple pointer use-after-free flaws, CVE-2009-2416
* Stack overflow when parsing recursive XML structures, CVE-2009-2414
Deadline is rather short and impact is limited to DoS. Let's just track this issue until it is public and bump in the tree. Agreed?
Created attachment 200443 [details, diff] libxml2-2.6.26-CVE-2009-2414,CVE-2009-2416.patch
Patch needs rebasing to apply on 2.7: Hunk #1 FAILED at 4779. Hunk #2 FAILED at 4796. Hunk #3 FAILED at 4838. Hunk #4 succeeded at 5801 (offset 562 lines). Hunk #5 succeeded at 5815 (offset 562 lines). Hunk #6 succeeded at 5949 (offset 564 lines). I'll see what I can do tomorrow.
Created attachment 200447 [details, diff] libxml2-2.7.3-CVE-2009-2414,CVE-2009-2416.patch rebased patch
Created attachment 200448 [details] libxml2-2.7.3-r2.ebuild new ebuild applying the patch, compiles & runs tests fine on my amd64.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
CC'ing current Liaisons:
alpha : armin76, klausman
amd64 : keytoaster, tester
hppa : jer
ppc : josejx, ranger
ppc64 : josejx, ranger
sparc : fmccor
x86 : fauli, maekke
compiles and tests fine on x86, testing reverse dependencies, will report if there are any failures.
HPPA is OK.
this is now public via: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2414 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2416 please commit with KEYWORDS="x86 hppa"
upstream: http://git.gnome.org/cgit/libxml2/commit/?id=489f9671e71cc44a97b23111b3126ac8a1e21a59
+*libxml2-2.7.3-r2 (11 Aug 2009) + + 11 Aug 2009; Gilles Dartiguelongue <eva@gentoo.org> + +libxml2-2.7.3-r2.ebuild, + +files/libxml2-2.7.3-CVE-2009-2414-CVE-2009-2416.patch: + Version bump. Fix CVE 2009-2414 and CVE 2009-2416, bug #280617. Took the upstream patch. It's mostly the same but probably a bit safer so we need amd64 and hppa to retest if possible.
damn sorry about the marking fixed.
Arches, please test and mark stable: =dev-libs/libxml2-2.7.3-r2 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
CVE-2009-2416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2416): Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.
Hum sounds like we also need to take care of dev-libs/libxml
(In reply to comment #16) > Hum sounds like we also need to take care of dev-libs/libxml It is maintainer-needed, a stabilisation of the current one is found in bug 280470.
x86 stable
Ok, I have submitted libxml-1.8.17-r4 which fixes CAN-2004-0110, CAN-2004-0989, CVE-2009-2414 and CVE-2009-2416. Can this package be managed in this bug or is a new one needed?
let's handle libxml-1 on bug 281446.
alpha/arm/ia64/m68k/s390/sh/sparc stable
amd64 stable
ppc stable
ppc64 done
GLSA request filed.
CVE-2009-2414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2414): Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD, related to a function recursion, as demonstrated by the Codenomicon XML fuzzing framework.
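As an added defensive example (not from this bug, the attached patch or libxml2 itself): a pre-parse guard that refuses a document whose DTD element declarations nest content-model parentheses deeper than a configured limit, the kind of "large depth of element declarations" input the CVE text describes. Reading the CVE as parenthesis nesting in `<!ELEMENT>` content models is my interpretation of the upstream fix and is stated here as an assumption, as are the limit value and the function names.

```python
import re

# Assumed limit for this example: deepest parenthesis nesting we accept inside
# any <!ELEMENT ...> content model before handing the text to the XML parser.
# Choose a value well below what the parser's recursion budget tolerates.
MAX_CONTENT_MODEL_DEPTH = 32

# Matches one element declaration and captures its content model. Content
# models never contain '>', so a lazy match up to the first '>' is sufficient.
_ELEMENT_DECL = re.compile(r"<!ELEMENT\s+[^\s>]+\s+(?P<model>.*?)\s*>", re.DOTALL)


def max_content_model_depth(xml_text: str) -> int:
    """Return the deepest parenthesis nesting found in any <!ELEMENT> declaration."""
    deepest = 0
    for decl in _ELEMENT_DECL.finditer(xml_text):
        depth = 0
        for ch in decl.group("model"):
            if ch == "(":
                depth += 1
                deepest = max(deepest, depth)
            elif ch == ")":
                depth = max(0, depth - 1)  # tolerate unbalanced input
    return deepest


def dtd_is_acceptable(xml_text: str, limit: int = MAX_CONTENT_MODEL_DEPTH) -> bool:
    """True when no element declaration nests deeper than `limit`."""
    return max_content_model_depth(xml_text) <= limit


# Constructed sample: an ordinary internal DTD subset with shallow nesting.
BENIGN_DOC = """<?xml version="1.0"?>
<!DOCTYPE note [
  <!ELEMENT note (to, from, (heading | body)+)>
  <!ELEMENT to (#PCDATA)>
]>
<note><to>x</to><from>y</from><body>z</body></note>"""


def nested_model_sample(depth: int) -> str:
    """Constructed fixture: one declaration whose model is nested `depth` levels."""
    model = "(" * depth + "b" + ")" * depth
    return f"<!DOCTYPE a [ <!ELEMENT a {model}> ]><a/>"
```

Run the guard before the document reaches the parser; documents it rejects are logged and dropped rather than parsed.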
GLSA 201009-07, thanks everyone.