Bug 280617 (CVE-2009-2414) - <dev-libs/libxml2-2.7.3-r2 Multiple DoS vulnerabilities (CVE-2009-{2414,2416})
Summary: <dev-libs/libxml2-2.7.3-r2 Multiple DoS vulnerabilities (CVE-2009-{2414,2416})
Status: RESOLVED FIXED
Alias: CVE-2009-2414
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa]
Reported: 2009-08-06 23:03 UTC by Robert Buchholz (RETIRED)
Modified: 2010-09-22 20:37 UTC (History)



Attachments
libxml2-2.6.26-CVE-2009-2414,CVE-2009-2416.patch (2.22 KB, patch), 2009-08-06 23:07 UTC, Robert Buchholz (RETIRED)
libxml2-2.7.3-CVE-2009-2414,CVE-2009-2416.patch (2.89 KB, patch), 2009-08-07 00:03 UTC, Gilles Dartiguelongue
libxml2-2.7.3-r2.ebuild (4.36 KB, text/plain), 2009-08-07 00:04 UTC, Gilles Dartiguelongue

Description Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 23:03:58 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Jukka Taimisto and Rauli Kaksonen from the CROSS project at Codenomicon reported the following vulnerabilities:
* Multiple pointer use-after-free flaws CVE-2009-2416
* Stack overflow when parsing recursive XML structures CVE-2009-2414
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 23:05:25 UTC
Deadline is rather short and impact is limited to DoS. Let's just track this issue until it is public and bump in the tree. Agreed?
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 23:07:19 UTC
Created attachment 200443
libxml2-2.6.26-CVE-2009-2414,CVE-2009-2416.patch
Comment 3 Gilles Dartiguelongue gentoo-dev 2009-08-06 23:43:34 UTC
Patch needs rebasing to apply on 2.7:

Hunk #1 FAILED at 4779.
Hunk #2 FAILED at 4796.
Hunk #3 FAILED at 4838.
Hunk #4 succeeded at 5801 (offset 562 lines).
Hunk #5 succeeded at 5815 (offset 562 lines).
Hunk #6 succeeded at 5949 (offset 564 lines).

I'll see what I can do tomorrow.
Comment 4 Gilles Dartiguelongue gentoo-dev 2009-08-07 00:03:44 UTC
Created attachment 200447
libxml2-2.7.3-CVE-2009-2414,CVE-2009-2416.patch

rebased patch
Comment 5 Gilles Dartiguelongue gentoo-dev 2009-08-07 00:04:42 UTC
Created attachment 200448
libxml2-2.7.3-r2.ebuild

new ebuild applying the patch, compiles & runs tests fine on my amd64.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-08-07 01:03:52 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : armin76, klausman
   amd64 : keytoaster, tester
    hppa : jer
     ppc : josejx, ranger
   ppc64 : josejx, ranger
   sparc : fmccor
     x86 : fauli, maekke
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-07 17:11:58 UTC
compiles and tests fine on x86, testing reverse dependencies, will report if there are any failures.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2009-08-08 04:18:32 UTC
HPPA is OK.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-08-10 17:04:28 UTC
this is now public via:
 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2414
 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2416

please commit with KEYWORDS="x86 hppa"
Comment 11 Gilles Dartiguelongue gentoo-dev 2009-08-11 21:44:49 UTC
+*libxml2-2.7.3-r2 (11 Aug 2009)
+
+  11 Aug 2009; Gilles Dartiguelongue <eva@gentoo.org>
+  +libxml2-2.7.3-r2.ebuild,
+  +files/libxml2-2.7.3-CVE-2009-2414-CVE-2009-2416.patch:
+  Version bump. Fix CVE 2009-2414 and CVE 2009-2416, bug #280617.
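Review bot: the entry text writes the identifiers as "CVE 2009-2414" and "CVE 2009-2416" while the patch filename in the same entry uses the canonical hyphenated form; write "Fix CVE-2009-2414 and CVE-2009-2416" so that searches for the identifier also match the ChangeLog.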

Took the upstream patch. It's mostly the same but probably a bit safer so we
need amd64 and hppa to retest if possible.
Comment 12 Gilles Dartiguelongue gentoo-dev 2009-08-11 21:48:31 UTC
damn sorry about the marking fixed.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-08-11 22:23:12 UTC
Arches, please test and mark stable:
=dev-libs/libxml2-2.7.3-r2
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2009-08-12 02:03:45 UTC
Stable for HPPA.
Comment 15 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-12 16:09:06 UTC
CVE-2009-2416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2416):
  Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16,
  2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow
  context-dependent attackers to cause a denial of service (application
  crash) via crafted (1) Notation or (2) Enumeration attribute types in
  an XML file, as demonstrated by the Codenomicon XML fuzzing framework.

Comment 16 Gilles Dartiguelongue gentoo-dev 2009-08-12 16:11:57 UTC
Hum sounds like we also need to take care of dev-libs/libxml
Comment 17 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-13 16:03:28 UTC
(In reply to comment #16)
> Hum sounds like we also need to take care of dev-libs/libxml

It is maintainer-needed, a stabilisation of the current one is found in bug 280470.
Comment 18 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-13 17:01:24 UTC
x86 stable
Comment 19 Víctor Ostorga (RETIRED) gentoo-dev 2009-08-13 20:32:14 UTC
Ok, I have submitted libxml-1.8.17-r4 which fixes CAN-2004-0110, CAN-2004-0989, CVE-2009-2414 and CVE-2009-2416. Can this package be managed in this bug, or is a new one needed?
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2009-08-14 09:28:30 UTC
let's handle libxml-1 on bug 281446.
Comment 21 Raúl Porcel (RETIRED) gentoo-dev 2009-08-14 13:56:28 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 22 Markus Meier gentoo-dev 2009-08-14 17:53:42 UTC
amd64 stable
Comment 23 nixnut (RETIRED) gentoo-dev 2009-08-23 09:33:45 UTC
ppc stable
Comment 24 Brent Baude (RETIRED) gentoo-dev 2009-08-30 23:18:39 UTC
ppc64 done
Comment 25 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-31 07:24:44 UTC
GLSA request filed.
Comment 26 Stefan Behte (RETIRED) gentoo-dev Security 2009-09-14 22:48:42 UTC
CVE-2009-2414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2414):
  Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26,
  2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent
  attackers to cause a denial of service (application crash) via a
  large depth of element declarations in a DTD, related to a function
  recursion, as demonstrated by the Codenomicon XML fuzzing framework.
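As an added defensive check (example code, not from libxml2 or the Gentoo patch): the NVD text above ties CVE-2009-2414 to stack consumption from recursion over nested element declarations in a DTD, so a front-end can measure the deepest parenthesis nesting of each ELEMENT content model and reject the document before it reaches a parser that has not been patched. The cap of 64 and the two sample DTDs are assumptions constructed for this example.

```python
import re

# Policy cap on content-model nesting. Assumed value for this example; it is
# not the limit libxml2 itself applies.
MAX_CONTENT_MODEL_DEPTH = 64

_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
_ELEMENT_DECL = re.compile(r"<!ELEMENT\s+([^\s>]+)\s+(.*?)>", re.DOTALL)


def content_model_depth(model: str) -> int:
    """Deepest '(' nesting in one ELEMENT content model: each level is one
    more recursive call a recursive-descent DTD parser has to make."""
    depth = max_depth = 0
    for ch in model:
        if ch == "(":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced content model: %r" % model)
    if depth != 0:
        raise ValueError("unbalanced content model: %r" % model)
    return max_depth


def check_dtd(dtd_text: str, limit: int = MAX_CONTENT_MODEL_DEPTH):
    """Return (accepted, deepest_element, deepest_depth) for a DTD or internal subset."""
    worst_name, worst_depth = "", 0
    # Strip comments first so parentheses inside them are not counted.
    for m in _ELEMENT_DECL.finditer(_COMMENT.sub("", dtd_text)):
        depth = content_model_depth(m.group(2))
        if depth > worst_depth:
            worst_name, worst_depth = m.group(1), depth
    return worst_depth <= limit, worst_name, worst_depth


# Constructed samples: an ordinary DTD, and one whose single content model
# nests 80 levels deep, past the assumed policy cap.
SAFE_DTD = """<!DOCTYPE note [
<!-- constructed sample; (parentheses) in comments must not count -->
<!ELEMENT note (to, from, (heading | subject)?, body)>
<!ELEMENT to (#PCDATA)>
<!ELEMENT body (#PCDATA)>
]>"""
DEEP_DTD = "<!DOCTYPE x [<!ELEMENT x " + "(" * 80 + "a" + ")" * 80 + ">]>"

if __name__ == "__main__":
    for label, dtd in (("safe", SAFE_DTD), ("deep", DEEP_DTD)):
        print(label, check_dtd(dtd))
```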

Comment 27 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-22 20:37:02 UTC
GLSA 201009-07, thanks everyone.