Bug 280615 (CVE-2009-3720) - <dev-libs/expat-2.0.1-r2 Bug 1990430 UTF-8 parser crash?) (CVE-2009-3720)
Status: RESOLVED FIXED
Alias: CVE-2009-3720
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://mail.python.org/pipermail/expa...
Whiteboard: A3 [glsa]
Keywords:
Depends on: 248427 249625 250049 250929 250930 251103 251107 251108 251431 251433 251504 251505 251539 251546 251575 251875 253512 253515 253517 255514 255909
Blocks:
Reported: 2009-08-06 22:52 UTC by Robert Buchholz (RETIRED)
Modified: 2019-12-09 07:49 UTC (History)
CC List: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments
expat-2.0.1-fix_bug_1990430.patch (428 bytes, patch), 2009-08-21 10:43 UTC, Robert Buchholz (RETIRED)
pythontest1.xml (3 bytes, application/xml), 2009-08-21 10:44 UTC, Robert Buchholz (RETIRED)
pythontest2.xml (25 bytes, application/xml), 2009-08-21 10:44 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 22:52:10 UTC
CVE-2009-2625 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2625):
  Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in
  JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20,
  and in other products, allows remote attackers to cause a denial of
  service (infinite loop and application hang) via malformed XML input,
  as demonstrated by the Codenomicon XML fuzzing framework.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 22:55:10 UTC
Vendor Statements
Python: We are working on a fix.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-08-21 10:42:59 UTC
This is actually a vulnerability in expat and not in Python's expat module as the CERT-FI advisory implicated.

Arfrever fixed this in expat-2.0.1-r2 in Gentoo.

The expat upstream patch is here:
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.15&r2=1.13
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?view=log

Python ships a copy of expat; they also applied the fix and test cases:
http://svn.python.org/view?view=rev&revision=74429
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-08-21 10:43:40 UTC
Created attachment 201849 [details, diff]
expat-2.0.1-fix_bug_1990430.patch
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-08-21 10:44:15 UTC
Created attachment 201851 [details]
pythontest1.xml

Crash reproducer from Python's unit test
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-08-21 10:44:30 UTC
Created attachment 201852 [details]
pythontest2.xml

Crash reproducer from Python's unit test
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-08-21 10:46:10 UTC
Arches, please test and mark stable:
=dev-libs/expat-2.0.1-r2
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 7 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-08-21 10:54:58 UTC
What's security approach to the handling of bundled copies in software? I can provide an updated list on ~arch but it's going to take a bit.
Comment 8 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-08-21 11:11:59 UTC
bug #248427 → sys-apps/einit
bug #249625 → media-libs/wxsvg
bug #250929 → dev-lisp/cl-albert
bug #250930 → dev-python/4suite
bug #251103 → games-emulation/advancescan (fixed in 1.14)
bug #251107 → games-emulation/xmame (fixed in 0.106 without revbump)
bug #251108 → games-fps/alephone (fixed in 20081226)
bug #251431 → net-im/mcabber (forked copy)
bug #251433 → net-libs/libtlen (forked? copy)
bug #251539 → app-text/acroread (proprietary prebuilt)
bug #251546 → app-emulation/vmware-server-console (proprietary prebuilt)
bug #253512 → games-strategy/scorched3d
bug #253514 → dev-games/simgear
bug #253515 → dev-tcltk/tclxml-expat (fixed in 2.4-r1)
bug #253517 → games-sport/torcs
bug #255909 → net-im/centerim (forked copy)
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-08-21 11:17:46 UTC
gdb expat-elements-example     # from expat tarball

(gdb) run < pythontest1.xml
...
Program received signal SIGSEGV, Segmentation fault.
0x00007f9dcc0c8590 in big2_updatePosition (enc=0x7f9dcc2d69e0, ptr=0x1ed6000 <Address 0x1ed6000 out of bounds>, end=0x1eb5b53 "", pos=0x1eb5318) at lib/xmltok_impl.c:1748
(gdb) bt full
#0  0x00007f9dcc0c8590 in big2_updatePosition (enc=0x7f9dcc2d69e0, ptr=0x1ed6000 <Address 0x1ed6000 out of bounds>, end=0x1eb5b53 "", pos=0x1eb5318)
    at lib/xmltok_impl.c:1748
No locals.
#1  0x00007f9dcc0b2831 in XML_GetCurrentLineNumber (parser=0x1eb5010) at lib/xmlparse.c:1793
No locals.
#2  0x0000000000400bd1 in main (argc=1, argv=0x7fff2f873508) at elements.c:56
        len = 3
        buf = "\000\r\n", '\0' <repeats 5189 times>, "�(\207/�\177\000\000 ,\207/�\177\000\000�\002.�\235\177", '\0' <repeats 75 times>, "p\026\000\000\000\000\000ho\026\000\000\000\000\000ho\026", '\0' <repeats 13 times>, "\005\000\000\000\000\000\000\000\000p6\000\000\000\000\000\000�6\000\000\000\000\000\230�6\000\000\000\000\000\230\0027\000\000\000\000\000\000p\026\000\000\000\000\000\003", '\0' <repeats 63 times>, "�)\207/�\177\000\000P,\207/�\177\000\0006\003.�\235\177", '\0' <repeats 75 times>, "p\002\000\000\000\000\0004n\002\000\000\000\000\0004n\002", '\0' <repeats 13 times>, "\005\000\000\000\000\000\000\000"...
        parser = (XML_Parser) 0x1eb5010
        done = 1
        depth = 0

(gdb) run < pythontest2.xml
Program received signal SIGSEGV, Segmentation fault.
normal_updatePosition (enc=0x7f5d35c81500, ptr=0x1c86000 <Address 0x1c86000 out of bounds>, end=0x1c65b5e "\205='1.0'?>\r\n", pos=0x1c65318) at lib/xmltok_impl.c:1748
(gdb) bt full
#0  normal_updatePosition (enc=0x7f5d35c81500, ptr=0x1c86000 <Address 0x1c86000 out of bounds>, end=0x1c65b5e "\205='1.0'?>\r\n", pos=0x1c65318) at lib/xmltok_impl.c:1748
No locals.
#1  0x00007f5d35a5e831 in XML_GetCurrentLineNumber (parser=0x1c65010) at lib/xmlparse.c:1793
No locals.
#2  0x0000000000400bd1 in main (argc=1, argv=0x7fff647d5eb8) at elements.c:56
        len = 25
        buf = "<?xml version�\205='1.0'?>\r\n", '\0' <repeats 5167 times>, "\220R}d�\177\000\000�U}d�\177\000\000���5]\177", '\0' <repeats 75 times>, "p\026\000\000\000\000\000ho\026\000\000\000\000\000ho\026", '\0' <repeats 13 times>, "\005\000\000\000\000\000\000\000\000p6\000\000\000\000\000\000�6\000\000\000\000\000\230�6\000\000\000\000\000\230\0027\000\000\000\000\000\000p\026\000\000\000\000\000\003", '\0' <repeats 63 times>, "\200S}d�\177\000\000\000V}d�\177\000\0006��5]\177", '\0' <repeats 75 times>, "p\002\000\000\000\000\0004n\002\000\000\000\000"...
        parser = (XML_Parser) 0x1c65010
        done = 1
        depth = 0
Comment 10 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-08-21 11:25:05 UTC
bug #250049 → dev-tex/mpm
bug #255514 → dev-util/android-sdk (proprietary prebuilt)
bug #251504 → games-simulation/secondlife (proprietary prebuilt)
bug #251875 → dev-ada/gps-bin (proprietary prebuilt)
bug #251505 → games-puzzle/drod-bin (proprietary prebuilt)
bug #251575 → net-voip/wengophone-bin (proprietary prebuilt)

then more, like net-misc/nxnode, www-apps/swish-e and scratchbox.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2009-08-21 14:32:43 UTC
Stable for HPPA, with none of the packages in comment #8 and comment #10 keyworded.
Comment 12 nixnut (RETIRED) gentoo-dev 2009-08-23 09:05:03 UTC
ppc stable
Comment 13 Brent Baude (RETIRED) gentoo-dev 2009-08-24 14:49:41 UTC
ppc64 done
Comment 14 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-24 18:36:28 UTC
einit masked for removal
mpm just masked
Comment 15 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-25 11:56:54 UTC
x86 stable
Comment 16 Tony Vroon (RETIRED) gentoo-dev 2009-08-25 12:09:48 UTC
+  25 Aug 2009; <chainsaw@gentoo.org> expat-2.0.1-r2.ebuild:
+  Marked stable on AMD64 as requested by Robert Buchholz <rbu@gentoo.org> in
+  security bug #280615. Tested on a Core2 Duo: 100%: Checks: 50, Failed: 0
Comment 17 Tobias Klausmann (RETIRED) gentoo-dev 2009-08-25 15:22:59 UTC
Stable on alpha.
Comment 18 Raúl Porcel (RETIRED) gentoo-dev 2009-08-25 16:23:05 UTC
arm/ia64/m68k/s390/sh/sparc stable
Comment 19 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-13 23:36:27 UTC
CVE-2009-3720 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3720):
  The updatePosition function in lib/xmltok_impl.c in libexpat in Expat
  2.0.1, as used in Python, PyXML, w3c-libwww, and other software,
  allows context-dependent attackers to cause a denial of service
  (application crash) via an XML document with crafted UTF-8 sequences
  that trigger a buffer over-read, a different vulnerability than
  CVE-2009-2625.

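The over-read the CVE text above describes comes from a position-tracking loop that advances past a multi-byte UTF-8 lead byte without checking that the announced continuation bytes are actually inside the buffer, so a sequence truncated at the end of the input pushes the scan pointer beyond the buffer end. The following is an added illustration written for this page, not expat's code and not the attached patch (which the page does not show): a minimal line/column tracker with the unchecked loop beside a bounded one. The lead-byte table, function names and sample inputs are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not expat's code: a minimal line/column tracker in the
 * style of a tokenizer's position update, shown unchecked and bounded. */
typedef struct {
    unsigned long line;
    unsigned long column;
} position_t;

/* Byte count announced by a UTF-8 lead byte (simplified classification).
 * ASCII, stray continuation bytes and invalid lead bytes are stepped over
 * one byte at a time. */
static size_t lead_len(unsigned char c)
{
    if (c < 0x80)           return 1;
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return 4;
    return 1;
}

/* Shared line-terminator handling; returns the advanced pointer. */
static const char *step_newline(unsigned char c, const char *ptr,
                                const char *end, position_t *pos)
{
    pos->line++;
    ptr++;
    if (c == '\r' && end - ptr > 0 && *ptr == '\n')
        ptr++;                       /* CRLF counts as a single line break */
    pos->column = (unsigned long)-1; /* caller's increment brings this to 0 */
    return ptr;
}

/* Unchecked variant, mirroring the hazard described in the CVE text: the loop
 * runs until ptr is exactly equal to end, and a lead byte advances ptr by its
 * full announced length without confirming those bytes exist. A sequence
 * truncated at the end of the buffer pushes ptr past end, the equality test
 * never fires again, and the scan walks off the buffer. Only call this on
 * input whose final multi-byte sequence is complete. */
static void update_position_unchecked(const char *ptr, const char *end,
                                      position_t *pos)
{
    while (ptr != end) {
        unsigned char c = (unsigned char)*ptr;
        if (c == '\r' || c == '\n')
            ptr = step_newline(c, ptr, end, pos);
        else
            ptr += lead_len(c);
        pos->column++;
    }
}

/* Bounded variant: the loop condition is a remaining-length test rather than
 * an equality test, and a lead byte whose sequence does not fit in the buffer
 * stops the scan instead of overshooting. Returns the number of bytes
 * consumed, so a caller can compare it with end - ptr to detect a truncated
 * tail and report a malformed document instead of crashing. */
static size_t update_position_checked(const char *ptr, const char *end,
                                      position_t *pos)
{
    const char *start = ptr;
    while (end - ptr > 0) {
        unsigned char c = (unsigned char)*ptr;
        size_t n = lead_len(c);
        if ((size_t)(end - ptr) < n)
            break;                   /* truncated multi-byte sequence */
        if (c == '\r' || c == '\n')
            ptr = step_newline(c, ptr, end, pos);
        else
            ptr += n;
        pos->column++;
    }
    return (size_t)(ptr - start);
}

int main(void)
{
    /* Constructed inputs: a well-formed fragment, and one whose last byte is
     * a 3-byte UTF-8 lead byte with nothing after it. */
    static const char good[] = "ab\xC3\xA9\r\nc";
    static const char bad[]  = "ab\xE2";
    position_t pos = {1, 0};
    size_t n;

    update_position_unchecked(good, good + sizeof good - 1, &pos);
    printf("unchecked, well-formed: line %lu column %lu\n", pos.line, pos.column);

    pos.line = 1; pos.column = 0;
    n = update_position_checked(bad, bad + sizeof bad - 1, &pos);
    printf("checked, truncated: consumed %zu of %zu bytes, line %lu column %lu\n",
           n, sizeof bad - 1, pos.line, pos.column);
    return 0;
}
```

The bounded loop condition is what matters: an equality test against `end` is only safe if every step is guaranteed to land exactly on `end`, which an unverified multi-byte advance does not guarantee. A remaining-length test terminates even if the pointer has already passed the end, and the explicit `end - ptr < n` check keeps it from getting there in the first place.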
Comment 20 Gilles Dartiguelongue (RETIRED) gentoo-dev 2009-11-13 23:45:08 UTC
Shouldn't that go in another bug (with mostly the same list of depends)? This one is only waiting for a GLSA if I'm not mistaken.
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2009-11-16 14:49:48 UTC
Gilles, thanks for noticing. Stefan should have elaborated on this. The CVE identifier we used was originally only worded for the Apache libraries. The accompanying advisory of CERT-FI also mentioned expat as vulnerable. However, the vulnerabilities bundled in their advisory are not related, and a new CVE identifier has been assigned only for the expat issue.
Comment 22 Martini peres 2012-03-05 12:08:31 UTC
This comment has been removed because it contained spam. -- idl0r
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2012-09-24 11:04:27 UTC
This issue was resolved and addressed in
 GLSA 201209-06 at http://security.gentoo.org/glsa/glsa-201209-06.xml
by GLSA coordinator Sean Amoss (ackle).