Bug 234099 (CVE-2008-3281) - dev-libs/libxml2 <2.7.0 xmlStringLenDecodeEntities() Denial of Service (CVE-2008-3281)
Status: RESOLVED FIXED
Alias: CVE-2008-3281
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://bugzilla.gnome.org/show_bug.cg...
Whiteboard: A3 [glsa]
Keywords:
Depends on: 235529 239346
Blocks:
Reported: 2008-08-06 15:51 UTC by Robert Buchholz (RETIRED)
Modified: 2008-12-02 17:46 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
libxml2-2.6.32-CVE-2008-3281.patch (1.63 KB, patch)
2008-08-06 15:53 UTC, Robert Buchholz (RETIRED)
libxml2-2.6.32-r1.ebuild (3.57 KB, text/plain)
2008-08-06 22:55 UTC, Gilles Dartiguelongue
libxml2-2.6.32-CVE-2008-3281.patch (8.22 KB, patch)
2008-08-14 12:54 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 15:51:46 UTC
** Please note that this issue is CONFIDENTIAL and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Josh Bressers writes:
Andreas Solberg discovered a denial of service flaw in libxml2.  This flaw
leads to recursive evaluation of entities, the result being an exhaustion
of memory and CPU usage.
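
An added example, not part of the bug report and not the libxml2 patch: a pre-parse check that sizes the fully expanded document from its internal entity declarations without performing the expansion, so nested or self-referencing entities can be rejected before they cost memory or CPU. The function names, the regex-based DTD handling and both thresholds are assumptions made for illustration; it covers nested and cyclic references in general rather than only the case in this report.

```python
import re

# Internal general entities only; parameter and external entities are ignored.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.:-]+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r'&([\w.:-]+);')
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}


def expanded_length(text, decls, cache, stack):
    """Length of text after entity expansion, computed without expanding it.

    Returns None when a reference chain loops back on itself."""
    total = len(ENTITY_REF.sub("", text))      # literal characters
    for name in ENTITY_REF.findall(text):
        if name in PREDEFINED:
            total += 1
        elif name in decls:
            if name in stack:                  # entity reaches itself again
                return None
            if name not in cache:              # memoised: each entity sized once
                cache[name] = expanded_length(
                    decls[name], decls, cache, stack | {name})
            if cache[name] is None:
                return None
            total += cache[name]
    return total


def check_document(xml_text, max_expanded=1_000_000, max_ratio=10):
    """Classify a document before it is handed to a real XML parser."""
    decls = {}
    for m in ENTITY_DECL.finditer(xml_text):
        decls.setdefault(m.group(1), m.group(3))   # first declaration wins
    body = xml_text.split("]>", 1)[-1]             # text after internal subset
    size = expanded_length(body, decls, {}, frozenset())
    if size is None:
        return ("reject: recursive entity", None)
    if size > max_expanded or size > max_ratio * len(xml_text):
        return ("reject: expansion budget exceeded", size)
    return ("ok", size)


# Constructed sample inputs (not taken from the bug report).
NESTED = ('<!DOCTYPE doc [\n<!ENTITY e0 "0123456789">\n'
          + ''.join('<!ENTITY e%d "%s">\n' % (i, ('&e%d;' % (i - 1)) * 10)
                    for i in (1, 2, 3))
          + ']><doc>&e3;</doc>')
CYCLE = '<!DOCTYPE doc [<!ENTITY a "&b;"><!ENTITY b "&a;">]><doc>&a;</doc>'
BENIGN = '<!DOCTYPE doc [<!ENTITY co "Example Corp">]><doc>&co; &amp; &co;</doc>'

if __name__ == "__main__":
    for label, doc in (("nested", NESTED), ("cycle", CYCLE), ("benign", BENIGN)):
        print(label, check_document(doc))
```

Because each entity is sized once and cached, the check runs in time proportional to the size of the declarations even when the expansion itself would be exponential.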
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 15:53:02 UTC
Created attachment 162368
libxml2-2.6.32-CVE-2008-3281.patch
Comment 2 Gilles Dartiguelongue gentoo-dev 2008-08-06 22:55:19 UTC
Created attachment 162398
libxml2-2.6.32-r1.ebuild

don't know what the +/- 3 trick vs +/- 1 is, but builds fine and doesn't seem to cause problems to apps linked to it.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 23:20:56 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76
Comment 4 Jeroen Roovers gentoo-dev 2008-08-07 04:33:16 UTC
HPPA is OK.
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2008-08-07 05:27:13 UTC
looks good on ppc64
Comment 6 Ferris McCormick (RETIRED) gentoo-dev 2008-08-07 11:38:46 UTC
Looks good on sparc for stable, does fine with
USE=test FEATURES=test

(One test expected 11 failures but got 10; I'm not going to worry about that.)
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-08-07 17:54:23 UTC
alpha/ia64 looks okay
Comment 8 Markus Meier gentoo-dev 2008-08-07 20:53:19 UTC
looks good on amd64/x86.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-08-14 12:54:34 UTC
Created attachment 162889
libxml2-2.6.32-CVE-2008-3281.patch

The prior patch is incomplete, upstream proposes this new version.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-08-14 13:19:42 UTC
Furthermore, the embargo deadline has been extended to Aug. 20.

Arch liaisons, please test once more with the new patch, and same ebuild.
Comment 11 Ferris McCormick (RETIRED) gentoo-dev 2008-08-14 14:47:46 UTC
Tests are all good on sparc.
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2008-08-15 18:53:36 UTC
(In reply to comment #10)
> Furthermore, the embargo deadline has been extended to Aug. 20.
> 
> Arch liaisons, please test once more with the new patch, and same ebuild.
> 

still looks good for ppc
Comment 13 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2008-08-16 03:04:35 UTC
Still looks ok for alpha
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2008-08-16 06:10:05 UTC
looks good on ppc64, too.
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2008-08-16 11:05:48 UTC
Still looks good on ia64/x86
Comment 16 Jeroen Roovers gentoo-dev 2008-08-16 16:02:10 UTC
HPPA is still OK.
Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2008-08-18 19:25:59 UTC
Fine on amd64.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-08-21 00:23:42 UTC
now public, please commit.
Comment 19 Mart Raudsepp gentoo-dev 2008-08-22 16:08:42 UTC
Ebuild is in tree now. CCing remaining architectures
Comment 20 Mart Raudsepp gentoo-dev 2008-08-23 12:54:14 UTC
This actually breaks gnome-base/gdm greeter (these should be themes in XML files) loading and renders gdm completely broken... Works with 2.6.32-r0, breaks with 2.6.32-r1 that I committed
Comment 21 Mart Raudsepp gentoo-dev 2008-08-23 13:52:16 UTC
Adding the bug for the gdm issue as a dependency
Comment 22 Mart Raudsepp gentoo-dev 2008-08-23 15:04:54 UTC
I have package.masked libxml-2.6.32-r1, that includes the security patch, until the gdm issue is sorted out.
gdm not working is a worse DoS than a chance of the other possible DoS that the patch is supposed to fix.
Comment 23 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-23 15:15:21 UTC
Back to [upstream] waiting for a better working fix then...
Comment 24 Ian Abbott 2008-08-23 19:01:00 UTC
Shouldn't the fix have included a SONAME change due to the addition of members to structures passed between the library and its callers?
Comment 25 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-25 10:47:57 UTC
(In reply to comment #24)
> Shouldn't the fix have included a SONAME change due to the addition of members
> to structures passed between the library and its callers?
Probably yes, but apparently no one thought of this / has seen this.

Some updates (from oss-sec), Nico Golde pointed to [1] which says that rebuilding the affected packages (only librsvg known until now) should solve this. Not that nice for a security update though...

He also pointed to [2] which has a different patch which avoids breaking compatibility of the public headers.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496125#79
[2] https://bugzilla.redhat.com/show_bug.cgi?id=459830 (currently down)
Comment 26 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-25 23:21:24 UTC
(In reply to comment #25)
> (In reply to comment #24)
> Some updates (from oss-sec), Nico Golde pointed to [1] which says that
> rebuilding the affected packages (only librsvg known until now) should solve
> this. Not that nice for a security update though...
Ok, according to oss-sec, some more packages are affected:
  gnome-base/librsvg (as already noted)
  app-misc/strigi
  net-news/liferea (1.4.16b has been tested)
  dev-lang/php USE=xml (5.2.6 has been tested)
  x11-libs/qt-webkit (4.4.0 has been tested)

So, requiring zero-change version bumps of these packages and putting DEPENDs as necessary does not sound like a too good idea, maybe we should really wait for the new patch to be tested appropriately.
  
Comment 27 Mart Raudsepp gentoo-dev 2008-08-26 05:35:20 UTC
(In reply to comment #26)
> So, requiring zero-change version bumps of these packages and putting DEPENDs as
> necessary does not sound like a too good idea, maybe we should really wait for
> the new patch to be tested appropriately.

Yes, I will not allow an ABI break without soname bump in anyhow - security or not, ABI stability is important in GNOME world. Was a mistake I didn't notice that the patch breaks ABI before putting it in.
Comment 28 Robert Buchholz (RETIRED) gentoo-dev 2008-08-30 14:41:09 UTC
Mart, what's your plan to resolve this issue?
Comment 29 Mart Raudsepp gentoo-dev 2008-09-25 01:28:43 UTC
It turns out upstream restored the ABI before release of 2.7.0 and there was some blindness on my part by not noticing this in SVN or release changes, and the fact not being mentioned in any of the upstream bugs I monitored or looked at.
libxml2-2.7.1 is now in the tree and includes an ABI compatible fix for this security bug and also security bug 237806.
Arches, please give it a good spin and stable. A list of packages that shouldn't break when compiled against libxml2-2.6.32 and run against libxml2-2.7.1 is in comment #26, plus check you can still log in via gdm-2.20.x after making sure it restarted.
Comment 30 Jeroen Roovers gentoo-dev 2008-09-25 13:49:28 UTC
Stable for HPPA.
Comment 31 Ferris McCormick (RETIRED) gentoo-dev 2008-09-25 14:20:59 UTC
Sparc stable, tests look good.
Comment 32 Markus Rothe (RETIRED) gentoo-dev 2008-09-27 15:35:49 UTC
ppc64 stable
Comment 33 Raúl Porcel (RETIRED) gentoo-dev 2008-09-27 16:37:51 UTC
alpha/ia64/x86 stable
Comment 34 Markus Meier gentoo-dev 2008-09-28 12:31:53 UTC
amd64 stable
Comment 35 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-01 17:15:19 UTC
ppc stable
Comment 36 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-01 21:26:16 UTC
GLSA request filed.
Comment 37 Christian Weiske 2008-10-02 12:43:28 UTC
Do I see this right that the issue should be fixed in libxml-2.7.1? I still have it, just try download http://tmp.cweiske.de/manual.xml and run "xmllint manual.xml"
Comment 38 Ian Abbott 2008-10-02 13:59:09 UTC
(In reply to comment #37)
> Do I see this right that the issue should be fixed in libxml-2.7.1? I still
> have it, just try download http://tmp.cweiske.de/manual.xml and run "xmllint
> manual.xml"

Same here.  I see you've already reported it upstream: http://bugzilla.gnome.org/show_bug.cgi?id=554660

Comment 39 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-02 14:44:39 UTC
Back to [upstream] for the second time then (I can reproduce the issue as well, btw).
Comment 40 Robert Buchholz (RETIRED) gentoo-dev 2008-10-02 16:52:19 UTC
(In reply to comment #37)
> Do I see this right that the issue should be fixed in libxml-2.7.1? I still
> have it, just try download http://tmp.cweiske.de/manual.xml and run "xmllint
> manual.xml"

Let's handle this new issue in bug 239346, back to [glsa] for this issue.
Comment 41 Robert Buchholz (RETIRED) gentoo-dev 2008-12-02 17:46:23 UTC
GLSA 200812-06