Re: [xml] Security flaw affecting all previous libxml2 releases



Trying to manually apply this patch to 2.4.25. I find that some parts of
it match up well and others don't.

There are three places in the file where similar code can be found. I'm
guessing that the one we're concerned with here is the one beginning
around line 1282, as that's the block where the "1-byte code" most
closely resembles the bottom part of this patch.

But I don't see a close match for the first change in the patch in any
of those areas. Specifically, there is no line reading "if (c == 0xC0)".
The place that most looks like the right place is:

        c = *cur;
        if (c & 0x80) {        <====================
            if (cur[1] == 0)
                xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
            if ((cur[1] & 0xc0) != 0x80)
                goto encoding_error;
            if ((c & 0xe0) == 0xe0) {

                if (cur[2] == 0)
                    xmlParserInputGrow(ctxt->input, INPUT_CHUNK);

See the line marked with the arrow; it looks as if the patch wants to insert
a couple of lines right below there??

I'd be grateful if Daniel (or anyone else who has patched an ancient
version) could advise me on the correct changes to make here.

Thanks!

Fred Smith
Senior Applications Programmer/Analyst
Computrition, Inc.
fred computrition com
781-275-4488x148
 

-----Original Message-----
From: xml-bounces gnome org [mailto:xml-bounces gnome org] On Behalf Of Daniel Veillard
Sent: Friday, January 11, 2008 7:05 AM
To: xml gnome org
Subject: [xml] Security flaw affecting all previous libxml2 releases

  Unfortunately, a security flaw was found (originally by Brad Fitzpatrick
from Google) and affecting all previous releases of libxml2 when parsing
XML. Two specially crafted broken UTF-8 sequences when occurring at the
wrong place lead the parser to go into an infinite loop. Very annoying,
as this leads to a relatively easy Denial of Service attack, the good part
being that this is very unlikely to happen just by error, and to protect
the community we won't release the way to reproduce this.

  But all users are strongly invited to upgrade their libxml2 versions to
2.6.31 [1], or apply the patch [2] (or a derivative for 2.5 or 2.4 branches)
to their version. Most OS vendors shipping libxml2 should have updates
by now or very soon, if needed check your update stream, it is referenced
as CVE-2007-6284.

    Sorry for the inconvenience,

Daniel

[1] ftp://xmlsoft.org/libxml/libxml2-2.6.31.tar.gz
[2] http://veillard.com/libxml2.patch

--
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard      | virtualization library  http://libvirt.org/
veillard redhat com  | libxml GNOME XML XSLT toolkit
http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine  http://rpmfind.net/
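The bug class in Daniel's announcement, a decoder that stops advancing when it meets a malformed UTF-8 sequence, as an added example that is not libxml2 code and not the patch under discussion: a decoder using the same lead-byte and continuation-byte masks as the 2.4.25 snippet quoted above (the names utf8_next, utf8_scan, count_errors and count_chars and the sample strings are constructed), written so that every encoding error still consumes at least one byte and the scan loop terminates on any input.

```c
#include <stdint.h>
#include <string.h>

/* Decode one UTF-8 sequence at cur[0] with len (>= 1) bytes available.
 * Stores the code point in *out, or -1 on an encoding error, and returns
 * the bytes consumed. The result is always >= 1, so a caller that adds it
 * to its cursor can never stall on malformed input. */
static size_t utf8_next(const unsigned char *cur, size_t len, int32_t *out)
{
    unsigned char c = cur[0];
    size_t need, i; int32_t cp;

    if ((c & 0x80) == 0) { *out = c; return 1; }          /* 1-byte code */
    if (c == 0xC0 || c == 0xC1) { *out = -1; return 1; }  /* overlong lead */
    if ((c & 0xe0) == 0xc0)                   { need = 2; cp = c & 0x1f; }
    else if ((c & 0xf0) == 0xe0)              { need = 3; cp = c & 0x0f; }
    else if ((c & 0xf8) == 0xf0 && c <= 0xF4) { need = 4; cp = c & 0x07; }
    else { *out = -1; return 1; }   /* stray continuation or invalid lead */
    /* Check continuation bytes one by one. On the first bad or missing byte
     * report an error but keep the bytes already examined as consumed, so
     * the next call resynchronises at the offending byte. */
    for (i = 1; i < need; i++) {
        if (i >= len || (cur[i] & 0xc0) != 0x80) { *out = -1; return i; }
        cp = (cp << 6) | (cur[i] & 0x3f);
    }
    *out = cp;
    return need;
}

/* Scan a buffer, counting decoded characters and returning the number of
 * encoding errors. The loop terminates for every input because utf8_next
 * consumes at least one byte per call. */
static size_t utf8_scan(const unsigned char *buf, size_t len, size_t *chars)
{
    size_t pos = 0, errors = 0;
    *chars = 0;
    while (pos < len) {
        int32_t cp;
        size_t n = utf8_next(buf + pos, len - pos, &cp);
        if (cp < 0) errors++; else (*chars)++;
        pos += n;   /* n >= 1: forward progress even on a broken sequence */
    }
    return errors;
}

/* Wrappers for NUL-terminated sample input (constructed test strings). */
static size_t count_errors(const char *s)
{ size_t ch; return utf8_scan((const unsigned char *)s, strlen(s), &ch); }
static size_t count_chars(const char *s)
{ size_t ch; utf8_scan((const unsigned char *)s, strlen(s), &ch); return ch; }
```

The constructed inputs cover an overlong lead byte, a truncated sequence at end of buffer, a sequence interrupted by an ASCII byte and a run of stray continuation bytes; each is reported and skipped rather than re-examined forever.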


