Bug 245960 (CVE-2008-4225) - dev-libs/libxml2 <2.7.2-r1 Integer overflow/infinite loop (CVE-2008-4225, CVE-2008-4226)
Summary: dev-libs/libxml2 <2.7.2-r1 Integer overflow/infinite loop (CVE-2008-4225, CVE...
Status: RESOLVED FIXED
Alias: CVE-2008-4225
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-11-07 13:26 UTC by Robert Buchholz (RETIRED)
Modified: 2008-12-02 17:46 UTC
CC List: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments
libxml2-CVE-2008-4225.patch (libxml2-CVE-2008-4225.patch,821 bytes, patch)
2008-11-07 13:33 UTC, Robert Buchholz (RETIRED)
libxml2-CVE-2008-4226.patch (libxml2-CVE-2008-4226.patch,706 bytes, patch)
2008-11-07 13:34 UTC, Robert Buchholz (RETIRED)
Straight-forward preebuild (libxml2-2.7.2-r1.ebuild,3.57 KB, text/plain)
2008-11-17 04:12 UTC, Mart Raudsepp
libxml2-2.7.2-CVE-2008-4225.patch (libxml2-2.7.2-CVE-2008-4225.patch,799 bytes, patch)
2008-11-17 18:19 UTC, Robert Buchholz (RETIRED)
libxml2-2.7.2-CVE-2008-4226.patch (libxml2-2.7.2-CVE-2008-4226.patch,1.17 KB, patch)
2008-11-17 18:19 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2008-11-07 13:26:19 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Drew Yao of Apple Product Security reported two issues in libxml

CVE-2008-4225:
A maliciously crafted xml file could cause the application to go into an infinite loop, leading to a denial of service. It requires a very large xml file to trigger the bug, but it's very common to parse compressed xml files, and the file compresses well.

CVE-2008-4226:
A maliciously crafted xml file could cause an integer overflow leading to memory corruption and potential arbitrary code execution. It requires a very large xml file to trigger the bug, but it's very common to parse compressed xml files, and the file compresses well.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-11-07 13:33:53 UTC
Created attachment 170985 [details, diff]
libxml2-CVE-2008-4225.patch

Patches are provided by Drew Yao and not approved by upstream yet
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-11-07 13:34:06 UTC
Created attachment 170987 [details, diff]
libxml2-CVE-2008-4226.patch
Comment 3 Mart Raudsepp gentoo-dev 2008-11-08 18:14:11 UTC
Waiting a bit then for upstream response on the patches before providing a preebuild. Please let us know if there is any response on that, or feel free to remind us for a preebuild 4-7 days before the confidential end date.
Comment 4 Mart Raudsepp gentoo-dev 2008-11-08 18:15:41 UTC
And sample compressed XML files would be nice for testing. Attached or sent via e-mail, as appropriate.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-11-08 20:53:19 UTC
Mart, I'll mail it to you.
Comment 6 Mart Raudsepp gentoo-dev 2008-11-17 04:12:55 UTC
Created attachment 172041 [details]
Straight-forward preebuild

The first patch is a no-go for me, as even my standard amd64 system doesn't have SIZE_T_MAX available:

SAX2.c:2459: error: 'SIZE_T_MAX' undeclared (first use in this function)

Nevertheless here's the obvious ebuild that patches those two patches in, so it can be seen it fails... Note that I intend to rename the patches to include the version number (${P} instead of ${PN}) in the version that goes into the portage tree once the bugs are disclosed and there are working patches, but I don't think I should hassle the arch teams with renaming the patches as saved off of the attachments here for that. The end result will have a comment in the ebuild stating what they do as well, once a good description is available from publicly viewable CVE records.

Any updates, especially for the platform compatibility, from vendor-sec? Though it shouldn't be hard to fix it ourselves too to compile, but...
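The compile failure in comment 6 is about how the overflow check is spelled, not what it checks. As an added example (not libxml2's code and not the attached patches), here is a minimal growable buffer whose append refuses any request that would wrap `len + n`, and guards its own capacity doubling the same way, using the standard `SIZE_MAX` from `<stdint.h>` in place of the non-standard `SIZE_T_MAX`; the `textbuf` type and the function names are constructed for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal growable buffer, constructed for this example (not libxml2's
 * own buffer type and not the code touched by the attached patches). */
typedef struct { char *data; size_t len, cap; } textbuf;

/* Overflow-checked append: 0 on success, -1 if len + n would wrap or realloc
 * fails. SIZE_MAX (<stdint.h>) is portable; the SIZE_T_MAX of comment 6 is not. */
int textbuf_append(textbuf *b, const char *s, size_t n)
{
    /* Check headroom before forming b->len + n: a wrapped sum would grow
     * the buffer too little and memcpy would then write past its end. */
    if (n > SIZE_MAX - b->len) return -1;
    size_t need = b->len + n;
    if (need > b->cap) {
        /* Double the capacity, unless doubling would itself overflow. */
        size_t ncap = (b->cap > SIZE_MAX / 2) ? need : b->cap * 2;
        if (ncap < need) ncap = need;
        char *p = realloc(b->data, ncap);
        if (p == NULL) return -1;
        b->data = p;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, s, n);
    b->len = need;
    return 0;
}

/* Two appends to an empty buffer: returns 11 if the stored bytes are right, else 0. */
size_t demo_normal_append(void)
{
    textbuf b = { NULL, 0, 0 };
    size_t len = 0;
    if (textbuf_append(&b, "hello ", 6) == 0 &&
        textbuf_append(&b, "world", 5) == 0 &&
        memcmp(b.data, "hello world", 11) == 0)
        len = b.len;
    free(b.data);
    return len;
}

/* Notional buffer near SIZE_MAX (no memory backs it): the append would wrap and is refused. */
int demo_wrapping_append_rejected(void)
{
    textbuf b = { NULL, SIZE_MAX - 8, SIZE_MAX - 8 };
    return textbuf_append(&b, "0123456789abcdef", 16);   /* -1 */
}
```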
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-11-17 18:18:42 UTC
This is now public, Daniel Veillard provided more portable patches (which he probably applied upstream).
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-11-17 18:19:18 UTC
Created attachment 172099 [details, diff]
libxml2-2.7.2-CVE-2008-4225.patch
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-11-17 18:19:37 UTC
Created attachment 172101 [details, diff]
libxml2-2.7.2-CVE-2008-4226.patch
Comment 10 Mart Raudsepp gentoo-dev 2008-11-18 01:27:05 UTC
libxml2-2.7.2-r1 is in the tree with the patch that was committed upstream, which is both combined, plus some extra safeguards for possible future found problems in parser.c (if I read that right).

Target keywords for dev-libs/libxml2-2.7.2-r1 - everyone:
alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Comment 11 Ferris McCormick (RETIRED) gentoo-dev 2008-11-18 13:38:15 UTC
Sparc stable, all tests run successfully.
Comment 12 Jeroen Roovers gentoo-dev 2008-11-18 15:04:16 UTC
Stable for HPPA.
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-18 17:47:03 UTC
ppc stable
Comment 14 Markus Meier gentoo-dev 2008-11-19 22:23:43 UTC
amd64/x86 stable
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2008-11-20 10:12:29 UTC
alpha/arm/ia64 stable
Comment 16 Brent Baude (RETIRED) gentoo-dev 2008-11-24 17:01:35 UTC
ppc64 done
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-12-02 17:46:50 UTC
GLSA 200812-06