Summary: | <dev-libs/libxml2-2.7.3-r2 Multiple DoS vulnerabilities (CVE-2009-{2414,2416}) | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> | ||||||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||||
Status: | RESOLVED FIXED | ||||||||||
Severity: | normal | CC: | gnome | ||||||||
Priority: | High | ||||||||||
Version: | unspecified | ||||||||||
Hardware: | All | ||||||||||
OS: | Linux | ||||||||||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2414 | ||||||||||
Whiteboard: | A3 [glsa] | ||||||||||
Package list: | Runtime testing required: | --- | |||||||||
Attachments: |
|
Description
Robert Buchholz (RETIRED)
2009-08-06 23:03:58 UTC
Deadline is rather short and impact is limited to DoS. Let's just track this issue until it is public and bump in the tree. Agreed? Created attachment 200443 [details, diff]
libxml2-2.6.26-CVE-2009-2414,CVE-2009-2416.patch
Patch needs rebasing to apply on 2.7: Hunk #1 FAILED at 4779. Hunk #2 FAILED at 4796. Hunk #3 FAILED at 4838. Hunk #4 succeeded at 5801 (offset 562 lines). Hunk #5 succeeded at 5815 (offset 562 lines). Hunk #6 succeeded at 5949 (offset 564 lines). I'll see what I can do tomorrow. Created attachment 200447 [details, diff]
libxml2-2.7.3-CVE-2009-2414,CVE-2009-2416.patch
rebased patch
Created attachment 200448 [details]
libxml2-2.7.3-r2.ebuild
new ebuild applying the patch, compiles & runs tests fine on my amd64.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" CC'ing current Liaisons: alpha : armin76, klausman amd64 : keytoaster, tester hppa : jer ppc : josejx, ranger ppc64 : josejx, ranger sparc : fmccor x86 : fauli, maekke compiles and tests fine on x86, testing reverse dependencies, will report if there are any failures. HPPA is OK. this is now public via: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2414 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2416 please commit with KEYWORDS="x86 hppa" +*libxml2-2.7.3-r2 (11 Aug 2009) + + 11 Aug 2009; Gilles Dartiguelongue <eva@gentoo.org> + +libxml2-2.7.3-r2.ebuild, + +files/libxml2-2.7.3-CVE-2009-2414-CVE-2009-2416.patch: + Version bump. Fix CVE 2009-2414 and CVE 2009-2416, bug #280617. Took the upstream patch. It's mostly the same but probably a bit safer so we need amd64 and hppa to retest if possible. damn sorry about the marking fixed. Arches, please test and mark stable: =dev-libs/libxml2-2.7.3-r2 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" Stable for HPPA. CVE-2009-2416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2416): Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework. Hum sounds like we also need to take care of dev-libs/libxml (In reply to comment #16) > Hum sounds like we also need to take care of dev-libs/libxml It is maintainer-needed, a stabilisation of the current one is found in bug 280470. x86 stable Ok, I have submitted libxml-1.8.17-r4 which fixes CAN-2004-0110 , CAN-2004-0989 , CVE-2009-2414 and CVE-2009-2416 . Can this package be managed in this bug or a new one is needed? let's handle libxml-1 on bug 281446. alpha/arm/ia64/m68k/s390/sh/sparc stable amd64 stable ppc stable ppc64 done GLSA request filed. CVE-2009-2414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2414): Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD, related to a function recursion, as demonstrated by the Codenomicon XML fuzzing framework. GLSA 201009-07, thanks everyone. |