Summary: | dev-libs/libxml2 <2.7.2-r1 Integer overflow/infinite loop (CVE-2008-4225, CVE-2008-4226)
---|---
Product: | Gentoo Security
Component: | Vulnerabilities
Reporter: | Robert Buchholz (RETIRED) <rbu>
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | normal
Priority: | High
CC: | gnome
Version: | unspecified
Hardware: | All
OS: | Linux
Whiteboard: | A2 [glsa]
Runtime testing required: | ---

Description
Robert Buchholz (RETIRED)
2008-11-07 13:26:19 UTC
Created attachment 170985
libxml2-CVE-2008-4225.patch
Patches are provided by Drew Yao and not approved by upstream yet

Created attachment 170987
libxml2-CVE-2008-4226.patch

Waiting a bit then for upstream response on the patches before providing a preebuild. Please let us know if there is any response on that, or feel free to remind us for a preebuild 4-7 days before confidential end date

And sample compressed XML files would be nice for testing. Attached or sent via e-mail, as appropriate

Mart, I'll mail it to you.

Created attachment 172041
Straight-forward preebuild
The first patch is a no-go for me, as even my standard amd64 system doesn't have SIZE_T_MAX available:
SAX2.c:2459: error: 'SIZE_T_MAX' undeclared (first use in this function)
Nevertheless here's the obvious ebuild that patches those two patches in, so it can be seen it fails... Note that I intend to rename the patches to include the version number (${P} instead of ${PN}) in the version that goes into portage tree once the bugs are disclosed and there are working patches, but don't think I should hassle the arch teams with renaming the patches as saved off of the attachments here for that. The end result will have a comment in the ebuild stating what they do as well, once a good description is available from publicly viewable CVE records.

Any updates, especially for the platform compatibility, from vendor-sec? Though it shouldn't be hard to fix it ourselves too to compile, but...

This is now public, Daniel Veillard provided more portable patches (which he probably applied upstream).

Created attachment 172099
libxml2-2.7.2-CVE-2008-4225.patch

Created attachment 172101
libxml2-2.7.2-CVE-2008-4226.patch

libxml2-2.7.2-r1 is in the tree with the patch that was committed upstream, which is both combined, plus some extra safeguards for possible future found problems in parser.c (if I read that right).

Target keywords for dev-libs/libxml2-2.7.2-r1 - everyone: alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86

Sparc stable, all tests run successfully.

Stable for HPPA.

ppc stable

amd64/x86 stable

alpha/arm/ia64 stable

ppc64 done

GLSA 200812-06