Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 66309

Summary: dev-libs/libxml2, an overflow when parsing remote resources (<2.6.6)
Product: Gentoo Security Reporter: Marc V <simesno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: normal CC: marc.vila
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.fedora.us/show_bug.cgi?id=1324
Whiteboard:
Package list:
Runtime testing required: ---

Description Marc V 2004-10-04 06:58:02 UTC 
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines.  These routines can overflow a buffer if passed a very
long URL.  If an attacker is able to find an application using libxml2
that parses remote resources and allows them to influence the URL, then
this flaw could be used to execute arbitrary code.  The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0110 to this issue.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.




patch available: https://bugzilla.fedora.us/attachment.cgi?id=566&action=view
Comment 1 Marc Vila 2004-10-04 07:03:45 UTC 
sorry, i reported with my old account

bug shouldnt affect ~x86 users, since the bug only affects versions prior to 2.6.6, and ~x86 version is 2.6.12
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-10-04 07:20:10 UTC 
Was GLSA 200403-01

*** This bug has been marked as a duplicate of 42735 ***