CVE-2009-2625 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2625): Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Vendor Statements Python: We are working on a fix.
This is actually a vulnerability in expat and not in Python's expat module as the CERT-FI advisory implicated. Arfrever fixed this in expat-2.0.1-r2 in Gentoo. The expat upstream patch is here:
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.15&r2=1.13
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?view=log
Python ships a copy of expat; they also applied the fix and test cases: http://svn.python.org/view?view=rev&revision=74429
Created attachment 201849: expat-2.0.1-fix_bug_1990430.patch
Created attachment 201851: pythontest1.xml (crash reproducer from Python's unit test)
Created attachment 201852: pythontest2.xml (crash reproducer from Python's unit test)
Arches, please test and mark stable: =dev-libs/expat-2.0.1-r2 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
What's security approach to the handling of bundled copies in software? I can provide an updated list on ~arch but it's going to take a bit.
bug #248427 → sys-apps/einit
bug #249625 → media-libs/wxsvg
bug #250929 → dev-lisp/cl-albert
bug #250930 → dev-python/4suite
bug #251103 → games-emulation/advancescan (fixed in 1.14)
bug #251107 → games-emulation/xmame (fixed in 0.106 without revbump)
bug #251108 → games-fps/alephone (fixed in 20081226)
bug #251431 → net-im/mcabber (forked copy)
bug #251433 → net-libs/libtlen (forked? copy)
bug #251539 → app-text/acroread (proprietary prebuilt)
bug #251546 → app-emulation/vmware-server-console (proprietary prebuilt)
bug #253512 → games-strategy/scorched3d
bug #253514 → dev-games/simgear
bug #253515 → dev-tcltk/tclxml-expat (fixed in 2.4-r1)
bug #253517 → games-sport/torcs
bug #255909 → net-im/centerim (forked copy)
gdb expat-elements-example # from expat tarball
(gdb) run < pythontest1.xml
...
Program received signal SIGSEGV, Segmentation fault.
0x00007f9dcc0c8590 in big2_updatePosition (enc=0x7f9dcc2d69e0, ptr=0x1ed6000 <Address 0x1ed6000 out of bounds>, end=0x1eb5b53 "", pos=0x1eb5318) at lib/xmltok_impl.c:1748
(gdb) bt full
#0  0x00007f9dcc0c8590 in big2_updatePosition (enc=0x7f9dcc2d69e0, ptr=0x1ed6000 <Address 0x1ed6000 out of bounds>, end=0x1eb5b53 "", pos=0x1eb5318) at lib/xmltok_impl.c:1748
No locals.
#1  0x00007f9dcc0b2831 in XML_GetCurrentLineNumber (parser=0x1eb5010) at lib/xmlparse.c:1793
No locals.
#2  0x0000000000400bd1 in main (argc=1, argv=0x7fff2f873508) at elements.c:56
        len = 3
        buf = "\000\r\n", '\0' <repeats 5189 times>, "�(\207/�\177\000\000 ,\207/�\177\000\000�\002.�\235\177", '\0' <repeats 75 times>, "p\026\000\000\000\000\000ho\026\000\000\000\000\000ho\026", '\0' <repeats 13 times>, "\005\000\000\000\000\000\000\000\000p6\000\000\000\000\000\000�6\000\000\000\000\000\230�6\000\000\000\000\000\230\0027\000\000\000\000\000\000p\026\000\000\000\000\000\003", '\0' <repeats 63 times>, "�)\207/�\177\000\000P,\207/�\177\000\0006\003.�\235\177", '\0' <repeats 75 times>, "p\002\000\000\000\000\0004n\002\000\000\000\000\0004n\002", '\0' <repeats 13 times>, "\005\000\000\000\000\000\000\000"...
        parser = (XML_Parser) 0x1eb5010
        done = 1
        depth = 0
(gdb) run < pythontest2.xml
Program received signal SIGSEGV, Segmentation fault.
normal_updatePosition (enc=0x7f5d35c81500, ptr=0x1c86000 <Address 0x1c86000 out of bounds>, end=0x1c65b5e "\205='1.0'?>\r\n", pos=0x1c65318) at lib/xmltok_impl.c:1748
(gdb) bt full
#0  normal_updatePosition (enc=0x7f5d35c81500, ptr=0x1c86000 <Address 0x1c86000 out of bounds>, end=0x1c65b5e "\205='1.0'?>\r\n", pos=0x1c65318) at lib/xmltok_impl.c:1748
No locals.
#1  0x00007f5d35a5e831 in XML_GetCurrentLineNumber (parser=0x1c65010) at lib/xmlparse.c:1793
No locals.
#2  0x0000000000400bd1 in main (argc=1, argv=0x7fff647d5eb8) at elements.c:56
        len = 25
        buf = "<?xml version�\205='1.0'?>\r\n", '\0' <repeats 5167 times>, "\220R}d�\177\000\000�U}d�\177\000\000���5]\177", '\0' <repeats 75 times>, "p\026\000\000\000\000\000ho\026\000\000\000\000\000ho\026", '\0' <repeats 13 times>, "\005\000\000\000\000\000\000\000\000p6\000\000\000\000\000\000�6\000\000\000\000\000\230�6\000\000\000\000\000\230\0027\000\000\000\000\000\000p\026\000\000\000\000\000\003", '\0' <repeats 63 times>, "\200S}d�\177\000\000\000V}d�\177\000\0006��5]\177", '\0' <repeats 75 times>, "p\002\000\000\000\000\0004n\002\000\000\000\000"...
        parser = (XML_Parser) 0x1c65010
        done = 1
        depth = 0
bug #250049 → dev-tex/mpm
bug #255514 → dev-util/android-sdk (proprietary prebuilt)
bug #251504 → games-simulation/secondlife (proprietary prebuilt)
bug #251875 → dev-ada/gps-bin (proprietary prebuilt)
bug #251505 → games-puzzle/drod-bin (proprietary prebuilt)
bug #251575 → net-voip/wengophone-bin (proprietary prebuilt)
then more, like net-misc/nxnode, www-apps/swish-e and scratchbox.
Stable for HPPA, with none of the packages in comment #8 and comment #10 keyworded.
ppc stable
ppc64 done
einit masked for removal mpm just masked
x86 stable
+ 25 Aug 2009; <chainsaw@gentoo.org> expat-2.0.1-r2.ebuild:
+ Marked stable on AMD64 as requested by Robert Buchholz <rbu@gentoo.org> in
+ security bug #280615.
Tested on a Core2 Duo: 100%: Checks: 50, Failed: 0
Stable on alpha.
arm/ia64/m68k/s390/sh/sparc stable
CVE-2009-3720 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3720): The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.
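The defect behind both backtraces above, modelled as an added example (this is not expat's or Python's code): expat's updatePosition() walks the buffer up to the error position the parser reported, but a UTF-8 lead byte advances the pointer by the character width, and if the error position lies inside that character the original `ptr != end` test never becomes true, so the walk runs off the end of the buffer. The model assumes the fix amounts to comparing with `ptr < end` instead; the sample document mirrors pythontest2.xml.

```c
#include <stddef.h>

/* Reduced model of expat 2.0.1's updatePosition() (lib/xmltok_impl.c), added
 * as an illustration; it is not expat's own code.  Byte classes are cut down
 * to CR, LF, UTF-8 lead bytes (width 2/3/4) and "anything else". */
typedef struct { unsigned long line, column; } position_t;

static size_t utf8_width(unsigned char b)
{
    return b >= 0xF0 ? 4 : b >= 0xE0 ? 3 : b >= 0xC0 ? 2 : 1;
}
/* Walk [ptr, end) to compute the line/column of `end`, an error position the
 * parser reported, which may lie inside a multi-byte character.  vulnerable=1
 * keeps the original termination test (ptr != end); 0 uses (ptr < end), which
 * is what the fix is assumed to amount to.  Returns 0 on termination, -1 once
 * the vulnerable walk has stepped past end (real expat keeps reading there). */
static int update_position(const unsigned char *ptr, const unsigned char *end,
                           int vulnerable, position_t *pos)
{
    pos->line = 1, pos->column = 0;
    while (vulnerable ? ptr != end : ptr < end) {
        if (ptr > end) return -1;        /* stop instead of over-reading */
        if (utf8_width(*ptr) > 1) {
            ptr += utf8_width(*ptr);     /* BT_LEADn: can jump past end */
        } else if (*ptr == '\n') {
            pos->column = (unsigned long)-1, pos->line++, ptr++;
        } else if (*ptr == '\r') {
            pos->line++, ptr++;
            if (ptr < end && *ptr == '\n') ptr++;
            pos->column = (unsigned long)-1;
        } else {
            ptr++;
        }
        pos->column++;                   /* wraps from -1 back to 0 after a newline */
    }
    return 0;
}

/* Constructed input mirroring pythontest2.xml above: expat rejects the XML
 * declaration at byte offset 14, i.e. inside the two-byte sequence C2 85. */
static const unsigned char DOC[] = "<?xml version\xC2\x85='1.0'?>\r\n";

/* Column that either walk reports for that error position, or -1 when the
 * vulnerable walk stepped past end (where real expat would crash). */
static long column_at_error(int vulnerable)
{
    position_t p;
    if (update_position(DOC, DOC + 14, vulnerable, &p) != 0) return -1;
    return (long)p.column;
}
```

With the corrected test the walk stops at column 14, which is the position Python's test case expects in its error message; the original test instead runs past the buffer.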
Shouldn't that go in another bug (with mostly the same list of depends)? This one is only waiting for a GLSA if I'm not mistaken.
Gilles, thanks for noticing. Stefan should have elaborated on this. The CVE identifier we used was originally only worded for the Apache libraries. The accompanying advisory of CERT-FI also mentioned expat as vulnerable. However, the vulnerabilities bundled in their advisory are not related, and a new CVE identifier has been assigned only for the expat issue.
This issue was resolved and addressed in GLSA 201209-06 at http://security.gentoo.org/glsa/glsa-201209-06.xml by GLSA coordinator Sean Amoss (ackle).