Re: [xml] fixes for libxml2 -- security vulnerabilities
- From: Csaba Raduly <rcsaba gmail com>
- To: "Gelle, Sreenivasulu" <sreenivasulu gelle sap com>
- Cc: "xml gnome org" <xml gnome org>
- Subject: Re: [xml] fixes for libxml2 -- security vulnerabilities
- Date: Thu, 22 Sep 2011 09:31:43 +0200
On Thu, Sep 22, 2011 at 2:20 AM, Gelle, Sreenivasulu wrote:
> Hi
> I want to know fixes (source code) in for the problems reported in . Please
> send me the fixes and if not where I can find them.
> CVE-2009-2416
> An XML document with specially-crafted Notation or Enumeration attribute
> types in a DTD definition leads to the use of pointers to memory areas
> which have already been freed.
> CVE-2009-2414
> Missing checks for the depth of ELEMENT DTD definitions when parsing child
> content can lead to extensive stack-growth due to a function recursion which
> can be triggered via a crafted XML document.
> Thanks
> -Srini
Dear Sreenivasulu,
It is now 2011-09-22. These bugs were fixed on 2009-08-10, that
is, more than two years ago:
http://git.gnome.org/browse/libxml2/commit/?id=489f9671e71cc44a97b23111b3126ac8a1e21a59
The latest libxml2 sources already contain the fixes for both vulnerabilities.
Hope this helps,
Csaba
--
GCS a+ e++ d- C++ ULS$ L+$ !E- W++ P+++$ w++$ tv+ b++ DI D++ 5++
The Tao of math: The numbers you can count are not the real numbers.
Life is complex, with real and imaginary parts.
"Ok, it boots. Which means it must be bug-free and perfect. " -- Linus Torvalds
"People disagree with me. I just ignore them." -- Linus Torvalds
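
The CVE-2009-2414 description quoted in this message concerns recursion with no depth check while parsing nested ELEMENT content models. As an added illustration (not libxml2's code and not the fix in the linked commit), this C sketch validates a simplified, whitespace-free content model and refuses nesting beyond an assumed MAX_DEPTH of 128; all function names and return codes are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>

#define MAX_DEPTH 128  /* assumed limit for this sketch, not libxml2's value */

static int parse_cp(const char **p, int depth);

/* Parse the body of a group after its '('. Returns 0 on success,
 * -1 on a syntax error, -2 when nesting exceeds MAX_DEPTH. */
static int parse_group(const char **p, int depth)
{
    if (depth > MAX_DEPTH)
        return -2;                         /* refuse before recursing deeper */
    char sep = 0;
    for (;;) {
        int rc = parse_cp(p, depth);
        if (rc != 0) return rc;
        if (**p == ')') { (*p)++; return 0; }
        if (**p != ',' && **p != '|') return -1;
        if (sep && **p != sep) return -1;  /* ',' and '|' may not mix in a group */
        sep = **p;
        (*p)++;
    }
}

/* Parse one content particle: a name or a nested group, then ?, * or +. */
static int parse_cp(const char **p, int depth)
{
    if (**p == '(') {
        (*p)++;
        int rc = parse_group(p, depth + 1); /* the depth travels with the call */
        if (rc != 0) return rc;
    } else {
        const char *start = *p;
        while (isalpha((unsigned char)**p)) (*p)++;
        if (*p == start) return -1;         /* empty name */
    }
    if (**p == '?' || **p == '*' || **p == '+') (*p)++;
    return 0;
}

/* Validate a whole content model such as "(a,(b|c)*,d?)". */
int check_content_model(const char *s)
{
    const char *p = s;
    if (*p != '(') return -1;
    int rc = parse_cp(&p, 0);
    return rc != 0 ? rc : (*p == '\0' ? 0 : -1);
}

int main(void)
{
    printf("%d\n", check_content_model("(a,(b|c)*,d?)")); /* constructed input */
    return 0;
}
```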