Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 202628 (CVE-2007-6284) - dev-libs/libxml2 < 2.6.30-r1 xmlCurrentChar() UTF-8 DoS (CVE-2007-6284)
Summary: dev-libs/libxml2 < 2.6.30-r1 xmlCurrentChar() UTF-8 DoS (CVE-2007-6284)
Status: RESOLVED FIXED
Alias: CVE-2007-6284
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://mail.gnome.org/archives/xml/20...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-12-17 23:25 UTC by Robert Buchholz (RETIRED)
Modified: 2008-01-30 23:07 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
libxml2-CVE-2007-6284.patch (libxml2-CVE-2007-6284.patch,1.63 KB, patch)
2007-12-17 23:28 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
Patched ebuild (libxml2-2.6.30-r1.ebuild,3.10 KB, text/plain)
2007-12-18 04:20 UTC, Daniel Gryniewicz (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2007-12-17 23:25:47 UTC
There exists a denial of service problem in libxml's UTF-8
decoding functions. The xmlCurrentChar() function does not check
UTF-8 correctness and certain multibyte combinations can cause
the library to enter an infinite loop and hang, consuming
system resources. It is strongly recommended to upgrade if
your application accepts arbitrary xml user input.

Credits:
The issue was originally discovered at Google by Brad Fitzpatrick
and further investigated by Peter Valchev and Will Drewry.
Patch and debugging by Daniel Veillard (libxml).
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-12-17 23:28:17 UTC
Created attachment 138787 [details, diff]
libxml2-CVE-2007-6284.patch
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-12-17 23:33:20 UTC
Leonardo and Daniel, please prepare an updated ebuild with the patch and attach it to this bug if you want prestable testing. Please do not commit anything to CVS yet!

I am not sure whether we have daemons in the tree that accept XML input via libxml2. That would make this bug rather serious - for GNOME it seems to me, this merely will crash a user's application.
Comment 3 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-12-18 04:20:24 UTC
Created attachment 138790 [details]
Patched ebuild

Trivial bump.  It works with my testing.  I did re-name the patch to libxml2-2.6.30-CVE-2007-6284.patch, to make it fit better to gentoo's naming scheme, but that's it.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-12-18 09:13:47 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
  alpha : ferdy
  amd64 : welp
   hppa : jer
    ppc : dertobi123
  ppc64 : corsair
  sparc : fmccor
    x86 : opfer
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2007-12-18 10:41:46 UTC
all fine on x86, test suite succeeds and I built some rdeps without problems (plus they still work)e
Comment 6 Ferris McCormick (RETIRED) gentoo-dev 2007-12-18 16:15:14 UTC
Sparc is good; all tests run as they should.
Comment 7 Jeroen Roovers gentoo-dev 2007-12-18 18:52:49 UTC
HPPA is OK too.
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2007-12-18 20:10:53 UTC
looks good on ppc64
Comment 9 Fernando J. Pereda (RETIRED) gentoo-dev 2007-12-19 19:48:37 UTC
Adding Raúl for alpha, sorry for the delay.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2007-12-19 20:19:29 UTC
Works fine on alpha/ia64
Comment 11 Peter Weller (RETIRED) gentoo-dev 2007-12-22 10:59:55 UTC
Looks good to me, too
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 13:19:41 UTC
Adding Brent for PPC.
Comment 13 Brent Baude (RETIRED) gentoo-dev 2008-01-04 15:24:23 UTC
Looks good for ppc too
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-01-04 17:31:01 UTC
All security supported arches ok'ed this.

Daniel, please commit to stable as soon as the disclosure date is up (currently Jan. 11)
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-01-11 11:00:24 UTC
This will be public in one hour, please commit after then. Thanks!
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-01-11 12:54:08 UTC
Public now.
Comment 17 Daniel Gryniewicz (RETIRED) gentoo-dev 2008-01-11 17:10:27 UTC
Okay, committed to stable.  For the record: how do I get repoman to let me commit directly to stable?
Comment 18 Peter Weller (RETIRED) gentoo-dev 2008-01-11 21:16:42 UTC
--force, if I recall correctly.
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-01-12 01:15:07 UTC
Thanks, request filed.
Comment 20 Stefan Behte (RETIRED) gentoo-dev Security 2008-01-16 15:43:00 UTC
Couldn't this affect apache2? I remember something that libxml2 was needed to build it?! AFAIK some proxy modules need libxml2.so. As I'm at work right now, I don't have time for an excessive search.
Comment 21 Markus Rothe (RETIRED) gentoo-dev 2008-01-16 16:38:28 UTC
(In reply to comment #20)
> Couldn't this affect apache2?

Every package that _links_ to libxml is save, as they now use the new version. Please take a look at the technique of "dynamic linking" (i.e. libraries).
Comment 22 Raúl Porcel (RETIRED) gentoo-dev 2008-01-16 16:51:45 UTC
Removing liaisons, nothing to do here
Comment 23 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-30 23:07:50 UTC
GLSA 200801-20