Re: [xml] Security flaw affecting all previous libxml2 releases

From: "Fred Smith" <fred computrition com>
To: <xml gnome org>
Subject: Re: [xml] Security flaw affecting all previous libxml2 releases
Date: Thu, 17 Jan 2008 10:34:19 -0800

Trying to manually apply this patch to 2.4.25. I find that some parts of
it match up well and others don't.

There are three places in the file where similar code can be found. I'm
guessing that the one we're concerned with here is the one beginning
around line 1282, as that's the block where the "1-byte code" most
closely resembles the bottom part of this patch.

But I don't see a close match for the first change in the patch in any
of those areas. Specifically, there is no line reading "if (c == 0xC0)".
The place that most looks like the right place is:

        c = *cur;
        if (c & 0x80) {        <====================
            if (cur[1] == 0)
                xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
            if ((cur[1] & 0xc0) != 0x80)
                goto encoding_error;
            if ((c & 0xe0) == 0xe0) {

                if (cur[2] == 0)
                    xmlParserInputGrow(ctxt->input, INPUT_CHUNK);

see the line marked with arrow, it looks as if the patch wants to insert
a couple of lines right below there??

I'd be grateful if Daniel (or anyone else who has patched an ancient
version) could advise me on the correct changes to make here.

Thanks!

Fred Smith
Senior Applications Programmer/Analyst
Computrition, Inc.
fred computrition com
781-275-4488x148

-----Original Message-----
From: xml-bounces gnome org [mailto:xml-bounces gnome org] On Behalf

Of

Daniel Veillard
Sent: Friday, January 11, 2008 7:05 AM
To: xml gnome org
Subject: [xml] Security flaw affecting all previous libxml2 releases

  Unfortunately, a security flaw was found (originally by Brad

Fitzpatrick

from Google) and affecting all previous releases of libxml2 when

parsing

XML. Two specially crafted broken UTF-8 sequences when occuring at the
wrong place lead the parser to go into an infinite loop. Very

annoying,

as this lead to a relatively easy Denial of Service attack, the good

part

being that this is very unlikely to happen just by error, and to

protect

the community we won't release the way to reproduce this.

  But all users are strongly invited to upgrade their libxml2 versions

to

2.6.31 [1], or apply the patch [2] (or a derivative for 2.5 or 2.4
branches)
to their version. Most OS vendors shipping libxml2 should have updates
by now or very soon, if needed check your update stream, it is

referenced

as CVE-2007-6284 .

    Sorry for the inconvenience,

Daniel

[1] ftp://xmlsoft.org/libxml/libxml2-2.6.31.tar.gz
[2] http://veillard.com/libxml2.patch

--
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard      | virtualization library  http://libvirt.org/
veillard redhat com  | libxml GNOME XML XSLT toolkit

http://xmlsoft.org/

http://veillard.com/ | Rpmfind RPM search engine  http://rpmfind.net/
_______________________________________________
xml mailing list, project page  http://xmlsoft.org/
xml gnome org
http://mail.gnome.org/mailman/listinfo/xml

Follow-Ups:
- Re: [xml] Security flaw affecting all previous libxml2 releases
  - From: Daniel Veillard

References:
- [xml] Security flaw affecting all previous libxml2 releases
  - From: Daniel Veillard

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]