Bug 237806 - dev-libs/libxml2 <2.7.0 xmlParseAttValueComplex() heap-based buffer overflow (CVE-2008-3529)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-09-16 02:18 UTC by Robert Buchholz (RETIRED)
Modified: 2008-12-02 17:46 UTC

See Also:
Package list:
Runtime testing required: ---
Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-16 02:18:57 UTC
CVE-2008-3529 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3529):
  Heap-based buffer overflow in the xmlParseAttValueComplex function in
  parser.c in libxml2 before 2.7.0 allows context-dependent attackers
  to cause a denial of service (crash) or possibly execute arbitrary
  code via a long XML entity name.
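The mechanism behind the description above, as an added model written for this page: it is not libxml2's parser.c and not the patch referenced in the bug. It shows the failure mode the CVE text names, an attribute-value buffer that is grown once by doubling before an entity name of attacker-chosen length is copied into it, so any name longer than the doubled capacity runs off the end of the heap block. The start size, the int-typed lengths, the exact capacity checks and the "grow by double plus n" repair are assumptions chosen to make the mechanism visible; out-of-bounds bytes are counted rather than written so the program runs safely, and the short-name cases show why an ordinary test suite never trips the bug.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model added for this page; it is NOT libxml2's parser.c.
 * It reproduces the failure mode the CVE text names: an attribute-value
 * buffer grown once by doubling before an entity name of arbitrary length
 * is copied into it.  The start size, the int-typed lengths and the exact
 * checks are assumptions chosen to make the mechanism visible. */

#define START_SIZE 100   /* assumed initial capacity of the value buffer */

typedef struct {
    char *buf;
    int   len;       /* bytes logically appended so far */
    int   size;      /* allocated capacity */
    int   overflow;  /* bytes the buggy path would have written past 'size' */
} attbuf;

static void attbuf_init(attbuf *a) {
    a->buf = calloc(START_SIZE, 1);
    if (a->buf == NULL) abort();
    a->len = 0; a->size = START_SIZE; a->overflow = 0;
}

static void attbuf_resize(attbuf *a, int new_size) {
    char *p = realloc(a->buf, (size_t)new_size);
    if (p == NULL) abort();
    a->buf = p; a->size = new_size;
}

/* Vulnerable policy: double the buffer, whatever amount is about to be copied. */
static void grow_double(attbuf *a)             { attbuf_resize(a, a->size * 2); }
/* Fixed policy: double and also reserve the n bytes the caller is about to write. */
static void grow_double_plus(attbuf *a, int n) { attbuf_resize(a, a->size * 2 + n); }

/* Instrumented store: out-of-bounds bytes are counted, not written, so the
 * model demonstrates the overflow without corrupting its own heap. */
static void put(attbuf *a, char c) {
    if (a->len < a->size) a->buf[a->len] = c;
    else a->overflow++;
    a->len++;
}

/* Unknown entity reference: echo "&name;" back into the attribute value.
 * The check notices the shortfall, but one doubling need not cover i bytes. */
static void copy_ref_vulnerable(attbuf *a, const char *name) {
    int i = (int)strlen(name);
    put(a, '&');
    if (a->len > a->size - i - 10)
        grow_double(a);
    for (; i > 0; i--) put(a, *name++);
    put(a, ';');
}

/* Same operation with the growth sized by the data being copied. */
static void copy_ref_fixed(attbuf *a, const char *name) {
    int i = (int)strlen(name);
    if (a->len + i + 10 > a->size)
        grow_double_plus(a, i + 10);
    put(a, '&');
    for (; i > 0; i--) put(a, *name++);
    put(a, ';');
}

/* Constructed input: an entity name of name_len 'a' bytes. */
static char *make_name(int name_len) {
    char *name = malloc((size_t)name_len + 1);
    if (name == NULL) abort();
    memset(name, 'a', (size_t)name_len);
    name[name_len] = '\0';
    return name;
}

/* Run one copy routine on an empty buffer; return the out-of-bounds byte count. */
int simulate_entity_ref(int name_len, int use_fix) {
    char *name = make_name(name_len);
    attbuf a;
    attbuf_init(&a);
    if (use_fix) copy_ref_fixed(&a, name);
    else         copy_ref_vulnerable(&a, name);
    int overflow = a.overflow;
    free(a.buf);
    free(name);
    return overflow;
}

/* 1 if the fixed path stored exactly "&" name ";" with no out-of-bounds bytes. */
int fixed_roundtrip_ok(int name_len) {
    char *name = make_name(name_len);
    attbuf a;
    attbuf_init(&a);
    copy_ref_fixed(&a, name);
    int ok = a.overflow == 0 && a.len == name_len + 2 &&
             a.buf[0] == '&' && a.buf[a.len - 1] == ';' &&
             memcmp(a.buf + 1, name, (size_t)name_len) == 0;
    free(a.buf);
    free(name);
    return ok;
}

int main(void) {
    int lengths[] = { 3, 80, 300, 5000 };
    for (size_t k = 0; k < sizeof lengths / sizeof lengths[0]; k++)
        printf("entity name of %5d bytes: vulnerable path overflows by %5d, fixed path by %d\n",
               lengths[k], simulate_entity_ref(lengths[k], 0), simulate_entity_ref(lengths[k], 1));
    return 0;
}
```

Compile with any C99 compiler and run: names of 3 or 80 bytes never leave the buffer under either policy, a 300-byte name overruns the vulnerable path by 102 bytes (one doubling yields 200 bytes, the echoed reference needs 302), and a 5000-byte name by 4802. The repaired policy reserves the copy length up front, so its overflow count is zero for every length.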
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-09-16 02:20:17 UTC
We need to patch this, and a fix for #234099 would be appreciated too. A reproducer is available on request.
Comment 2 Rémi Cardona (RETIRED) gentoo-dev 2008-09-16 07:52:56 UTC
Thing is, no-one has fixed librsvg. Or at least, I didn't find any patches for it during my quick search yesterday.

So I really don't know what exactly we can do, except to start hacking on librsvg...

Thoughts?
Comment 3 Mart Raudsepp gentoo-dev 2008-09-16 12:22:39 UTC
librsvg is not the only thing that breaks. Anything can break on an ABI break of a struct that wasn't made private properly, we just only know about librsvg, strigi and a few more (some of which might be due to using librsvg).
I was not successful with convincing upstream that ABI breaks are bad, and should be treated like in glib and gtk+ - not done. So I need to patch this in an ABI compatible way and include this one here. I hope I can work on that later today after I'm done with some work work.
Comment 4 Mart Raudsepp gentoo-dev 2008-09-25 01:33:58 UTC
libxml2-2.7.0 restored ABI before release and it's fine after all, as noted in bug 234099. libxml2-2.7.1 is in the tree now, and also addresses the security bug covered here, although note that with a different patch than in the referenced URL.
I won't add arches myself, because bug 234099 already does so. security@, please add them yourself if you deem that necessary.
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-01 21:26:00 UTC
GLSA request filed.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-12-02 17:46:30 UTC
GLSA 200812-06