Bug 345555 (CVE-2010-4008) - <dev-libs/libxml2-2.7.8: Double Free and Denial of Service Vulnerabilities (CVE-2010-{4008,4494})
Summary: <dev-libs/libxml2-2.7.8: Double Free and Denial of Service Vulnerabilities (C...
Status: RESOLVED FIXED
Alias: CVE-2010-4008
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://blog.bkis.com/en/libxml2-vulne...
Whiteboard: A2 [glsa]
Keywords:
Duplicates: 351954 353208
Depends on: 352961
Blocks:
Reported: 2010-11-15 04:06 UTC by Tim Sammut (RETIRED)
Modified: 2012-09-11 00:14 UTC
Description Tim Sammut (RETIRED) gentoo-dev 2010-11-15 04:06:27 UTC
From $URL:

XPATH is a language for querying content from XML documents. The vulnerability lies in the module processing this query language. Specifically, libxml2 does not process a malformed XPATH well, causing a crash.

To exploit this vulnerability, a hacker may send a user a link containing malicious XPATH. When the user opens this link, the malicious code will be executed, attacking the user’s system.

The Red Hat bug (https://bugzilla.redhat.com/show_bug.cgi?id=645341) lists two upstream commits as fixing the issue:

http://git.gnome.org/browse/libxml2/commit/?id=91d19754d46acd4a639a8b9e31f50f31c78f8c9c
http://git.gnome.org/browse/libxml2/commit/?id=ea90b894146030c214a7df6d8375310174f134b9

In any case, 2.7.8 has been released and is fixed.
Comment 1 Chris Mayo 2010-12-20 20:43:21 UTC
If you do use 2.7.8 do add the patch from:
http://git.gnome.org/browse/libxml2/commit/?id=00819877651b87842ed878898ba17dba489820f0

http://mail.gnome.org/archives/xml/2010-November/msg00016.html

else a lot of complaints like:
/usr/lib/libxml2.so.2: no version information available
Comment 2 Pacho Ramos gentoo-dev 2010-12-20 21:59:38 UTC
(In reply to comment #1)
> else a lot of complaints like:
> /usr/lib/libxml2.so.2: no version information available
> 

Yes, I tried to bump libxml2 some days ago but these messages prevented me from committing it :-S, hopefully any other gnome team member will know where the problem could be :-/
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-01-01 16:36:22 UTC
Another libxml2 vulnerability has been announced. CVE-2010-4494 is for a Double Free vulnerability in libxml2 through 2.7.8. Upstream fixes at:

http://git.gnome.org/browse/libxml2/commit/?id=df83c17e5a2646bd923f75e5e507bc80d73c9722

and 

http://git.gnome.org/browse/libxml2/commit/?id=fec31bcd452e77c10579467ca87a785b41115de6
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-01-17 23:57:08 UTC
*** Bug 351954 has been marked as a duplicate of this bug. ***
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-01-30 10:06:59 UTC
*** Bug 353208 has been marked as a duplicate of this bug. ***
Comment 6 Pacho Ramos gentoo-dev 2011-02-11 17:31:06 UTC
Bumped
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-02-12 18:59:38 UTC
(In reply to comment #6)
> Bumped
> 

Awesome, thank you.

Arches, please test and mark stable:
=dev-libs/libxml2-2.7.8
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2011-02-13 00:56:44 UTC
x86 stable
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2011-02-13 11:09:46 UTC
amd64 done
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2011-02-13 18:48:12 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2011-02-14 20:37:03 UTC
Stable for HPPA, despite:

  ebuild.minorsyn               1
   dev-libs/libxml2/libxml2-2.7.8.ebuild: Unquoted Variable on line: 100
Comment 12 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-02-16 09:52:39 UTC
ppc/ppc64 stable, last arch done
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-02-17 17:32:08 UTC
Thanks, everyone. GLSA request filed.
Comment 14 Sylvia 2011-06-08 20:19:48 UTC
this bug perhaps needs to be closed, fixed, in tree
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2011-10-26 20:50:52 UTC
This issue was resolved and addressed in
 GLSA 201110-26 at http://security.gentoo.org/glsa/glsa-201110-26.xml
by GLSA coordinator Tim Sammut (underling).
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2012-09-11 00:13:30 UTC
CVE-2010-4008 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4008):
  libxml2 before 2.7.8, as used in Google Chrome before 7.0.517.44, Apple
  Safari 5.0.2 and earlier, and other products, reads from invalid memory
  locations during processing of malformed XPath expressions, which allows
  context-dependent attackers to cause a denial of service (application crash)
  via a crafted XML document.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2012-09-11 00:14:53 UTC
CVE-2010-4494 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4494):
  Double free vulnerability in libxml2 2.7.8 and other versions, as used in
  Google Chrome before 8.0.552.215 and other products, allows remote attackers
  to cause a denial of service or possibly have unspecified other impact via
  vectors related to XPath handling.