Re: [xml] Security flaw affecting all previous libxml2 releases

Trying to manually apply this patch to 2.4.25. I find that some parts of
it match up well and others don't.

There are three places in the file where similar code can be found. I'm
guessing that the one we're concerned with here is the one beginning
around line 1282, as that's the block where the "1-byte code" most
closely resembles the bottom part of this patch.

But I don't see a close match for the first change in the patch in any
of those areas. Specifically, there is no line reading "if (c == 0xC0)".
The place that most looks like the right place is:

        c = *cur;
        if (c & 0x80) {        <====================
            if (cur[1] == 0)
                xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
            if ((cur[1] & 0xc0) != 0x80)
                goto encoding_error;
            if ((c & 0xe0) == 0xe0) {

                if (cur[2] == 0)
                    xmlParserInputGrow(ctxt->input, INPUT_CHUNK);

See the line marked with the arrow; it looks as if the patch wants to
insert a couple of lines right below there?

I'd be grateful if Daniel (or anyone else who has patched an ancient
version) could advise me on the correct changes to make here.


Fred Smith
Senior Applications Programmer/Analyst
Computrition, Inc.
fred computrition com

-----Original Message-----
From: xml-bounces gnome org [mailto:xml-bounces gnome org] On Behalf
Daniel Veillard
Sent: Friday, January 11, 2008 7:05 AM
To: xml gnome org
Subject: [xml] Security flaw affecting all previous libxml2 releases

  Unfortunately, a security flaw was found (originally by Brad
from Google) and affecting all previous releases of libxml2 when
XML. Two specially crafted broken UTF-8 sequences when occurring at the
wrong place lead the parser to go into an infinite loop. Very
as this leads to a relatively easy Denial of Service attack, the good
being that this is very unlikely to happen just by error, and to
the community we won't release the way to reproduce this.

  But all users are strongly invited to upgrade their libxml2 versions
2.6.31 [1], or apply the patch [2] (or a derivative for 2.5 or 2.4
to their version. Most OS vendors shipping libxml2 should have updates
by now or very soon, if needed check your update stream, it is
as CVE-2007-6284.

    Sorry for the inconvenience,



Red Hat Virtualization group
Daniel Veillard      | virtualization library
veillard redhat com  | libxml GNOME XML XSLT toolkit | Rpmfind RPM search engine
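
Added example, not part of either message and not the libxml2 patch: a bounded UTF-8 decoder with the same lead-byte and continuation-byte tests as the excerpt Fred quotes, written so that every call either consumes at least one byte or fails, which is the property that keeps a parsing loop from spinning on malformed input. The names `utf8_decode_one` and `utf8_count` are hypothetical, and an explicit length replaces the NUL-sentinel checks and `xmlParserInputGrow` calls of the real parser.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not a libxml2 function): decode one UTF-8 sequence
 * from buf[0..len). Returns bytes consumed (1..4) with the code point in
 * *cp, or -1 on malformed/truncated input. It never returns 0. */
static int utf8_decode_one(const unsigned char *buf, size_t len, uint32_t *cp)
{
    if (len == 0) return -1;
    unsigned char c = buf[0];
    if ((c & 0x80) == 0) { *cp = c; return 1; }       /* 1-byte code */
    int need;                                          /* continuation bytes */
    uint32_t val, min;                                 /* min rejects overlongs */
    if ((c & 0xe0) == 0xc0)      { need = 1; val = c & 0x1f; min = 0x80; }
    else if ((c & 0xf0) == 0xe0) { need = 2; val = c & 0x0f; min = 0x800; }
    else if ((c & 0xf8) == 0xf0) { need = 3; val = c & 0x07; min = 0x10000; }
    else return -1;               /* stray continuation byte or 0xf8..0xff */
    if (len < (size_t)need + 1) return -1;             /* truncated sequence */
    for (int i = 1; i <= need; i++) {
        if ((buf[i] & 0xc0) != 0x80) return -1;        /* must be 10xxxxxx */
        val = (val << 6) | (buf[i] & 0x3f);
    }
    if (val < min) return -1;                          /* overlong encoding */
    if (val > 0x10ffff || (val >= 0xd800 && val <= 0xdfff)) return -1;
    *cp = val;
    return need + 1;
}

/* Count code points; -1 at the first bad sequence. Terminates because each
 * iteration either advances off by at least one byte or returns. */
static long utf8_count(const unsigned char *buf, size_t len)
{
    long n = 0;
    for (size_t off = 0; off < len; n++) {
        uint32_t cp;
        int used = utf8_decode_one(buf + off, len - off, &cp);
        if (used < 0) return -1;
        off += (size_t)used;
    }
    return n;
}

int main(void)
{
    const unsigned char ok[] = "h\xc3\xa9";            /* constructed sample */
    const unsigned char bad[] = "\xc3(";               /* constructed sample */
    printf("%ld %ld\n", utf8_count(ok, 3), utf8_count(bad, 2));
    return 0;
}
```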