CERT/CC Vulnerability Note VU#493966

Overview

Libxml is the XML parser for Gnome, a desktop suite and development platform for Linux systems. Libxml2, the latest version of the library as of this writing, has a buffer overflow vulnerability which may allow execution of arbitrary code.

Description

Gnome, a desktop suite and development platform for Linux systems, uses Libxml as an XML parser to handle encoding and decoding or URI strings (this is part of the GNOME XML Toolkit). The Libxml2 release of Libxml prior to version 2.6.6 (published Feb 12 2004) contains a buffer overflow vulnerability when parsing URI strings in XML-structrued files. If the URI is over 4096 bytes, it may be possible to crash software using a vulnerable version of Libxml2.

Impact

The complete impact of this vulnerability is not yet known. It is reported to cause a SEGV in software using a vulnerable version of Libxml2.

Solution

Update to Libxml2 version 2.6.6 or later at http://www.xmlsoft.org/downloads.html

Vendor Information

493966

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Debian Affected

Fedora Project Affected

Updated: March 09, 2004

Status

Affected

Vendor Statement

Please see http://www.redhat.com/archives/fedora-announce-list/2004-February/msg00029.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SECURITY: Update of libxml2 2.6.6 available

From: Daniel Veillard <veillard redhat com>
To: fedora-announce-list redhat com
Subject: SECURITY: Update of libxml2 2.6.6 available
Date: Wed, 25 Feb 2004 16:43:43 -0500

---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-087
2004-02-25
---------------------------------------------------------------------

Name : libxml2
Version : 2.6.6
Release : 3
Summary : Library providing XML and HTML support
Description :
This library allows to manipulate XML files. It includes support
to read, modify and write XML and HTML files. There is DTDs support
this includes parsing and validation even with complex DtDs, either
at parse time or later once the document has been modified. The output
can be a simple SAX stream or and in-memory DOM like representations.
In this case one can use the built-in XPath and XPointer implementation
to select subnodes or ranges. A flexible Input/Output mechanism is
available, with existing HTTP and FTP modules and combined to an
URI library.

---------------------------------------------------------------------
Update Information:

Updated libxml2 packages are available to fix an overflow when parsing
the URI for remote resources.
---------------------------------------------------------------------
* Thu Feb 12 2004 Daniel Veillard <veillard redhat com>

- upstream release 2.6.6 see

http://xmlsoft.org/news.html

---------------------------------------------------------------------
This update can be downloaded from:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

c46c9ba42ba7d27bfcf48899119a1d40 SRPMS/libxml2-2.6.6-3.src.rpm
d7a9dec974250e425d6052e0f648b6c5 i386/libxml2-2.6.6-3.i386.rpm
0758aa446c1a43d18bc016df35288806 i386/libxml2-devel-2.6.6-3.i386.rpm
07843af17c126497f4baa8d279c7d920 i386/libxml2-python-2.6.6-3.i386.rpm
ae7105805216615e6460c60be9c679da i386/debug/libxml2-debuginfo-2.6.6-3.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------

Daniel

--
Daniel Veillard | Red Hat Network

https://rhn.redhat.com/

veillard redhat com | libxml GNOME XML XSLT toolkit

http://xmlsoft.org/

http://veillard.com/

| Rpmfind RPM search engine

[

][

] [

][

] [

] [

] [

]

If you have feedback, comments, or additional information about this vulnerability, please send us email.

GNOME Project Affected

Updated: March 09, 2004

Status

Affected

Vendor Statement

Please see http://lists.gnome.org/archives/gnome-announce-list/2004-February/msg00051.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

ANNOUNCE: The GNOME XML toolkit 2.6.6

From: Daniel Veillard <veillard redhat com>
To: gnome-announce-list gnome org
Subject: ANNOUNCE: The GNOME XML toolkit 2.6.6
Date: Thu, 12 Feb 2004 12:28:49 -0500 (EST)

Application
===========

The GNOME XML toolkit 2.6.6

Description
===========

Libxml2 is the XML C parser and toolkit developed for the Gnome project
(but usable outside of the Gnome platform).
It also provides the xmllint XML/HTML processing tool.
This release fix a potential security problem, people are advised to
upgrade.

Enhancements
============

- Parsers: added xmlByteConsumed(ctxt) API to get the byte offest in
input.
- XInclude: allow the 2001 namespace without warning.
- reader API: structured error reporting (Steve Ball)

Fixes
=====

- nanohttp and nanoftp: buffer overflow error on URI parsing (Igor and
William)
reported by Yuuichi Teranishi
- make test and path issues
- xmlWriter attribute serialization (William Brack)
- xmlWriter indentation (William)
- schemas validation (Eric Haszlakiewicz)
- XInclude dictionnaries issues (William and Oleg Paraschenko)
- XInclude empty fallback (William)
- HTML warnings (William)
- XPointer in XInclude (William)
- Python namespace serialization
- isolat1ToUTF8 bound error (Alfred Mickautsch)
- output of parameter entities in internal subset (William)
- internal subset bug in push mode
- <xs:all> fix (Alexey Sarytchev)
- Build: fix for automake-1.8 (Alexander Winston)
warnings removal (Philip Ludlam)
SOCKLEN_T detection fixes (Daniel Richard)
fix --with-minimum configuration.
- Documentation: missing example/index.html (John Fleck)
version dependancies (John Fleck)
- Windows compilation: mingw, msys (Mikhail Grushinskiy),
function prototype (Cameron Johnson),
MSVC6 compiler warnings,
_WINSOCKAPI_ patch

Download
========

ftp://xmlsoft.org/

Website
=======

http://xmlsoft.org/

GNOME Software Map entry
========================

http://www.gnome.org/softwaremap/projects/libxml

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux Affected

Updated: March 09, 2004

Status

Affected

Vendor Statement

Please see http://bugs.gentoo.org/show_bug.cgi?id=42735 or http://secunia.com/advisories/11051/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200403-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ~ http://security.gentoo.org- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ~ Severity: Normal ~ Title: Libxml2 URI Parsing Buffer Overflow Vulnerabilities ~ Date: March 06, 2004 ~ Bugs: #42735 ~ ID: 200403-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A buffer overflow has been discovered in libxml2 versions prior to 2.6.6 which may be exploited by an attacker allowing the execution of arbitrary code. Description =========== Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When the libxml2 library fetches a remote resource via FTP or HTTP, libxml2 uses parsing routines that can overflow a buffer caused by improper bounds checking if they are passed a URL longer than 4096 bytes. Impact ====== If an attacker is able to exploit an application using libxml2 that parses remote resources, then this flaw could be used to execute arbitrary code. Workaround ========== No workaround is available; users are urged to upgrade libxml2 to 2.6.6. Resolution ========== All users are recommended to upgrade their libxml2 installation: ~ # emerge sync ~ # emerge -pv ">=dev-libs/libxml2-2.6.6" ~ # emerge ">=dev-libs/libxml2-2.6.6" References ========== ~ [ 1 ]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug athttp://bugs.gentoo.org. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Mozilla -http://enigmail.mozdev.orgiD8DBQFASl4EMMXbAy2b2EIRAv+yAJ9NbGSqlVb4KzZ2IC4c2DBt3aaV1ACgxlhB 1c1NaJh9ByyfACBlmAU0Yz4= =scAU -----END PGP SIGNATURE-----

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Linux Netwosix Affected

Updated: March 09, 2004

Status

Affected

Vendor Statement

Please see http://www.netwosix.org/adv04.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

************************************************************************************
Netwosix Linux Security Advisory #2004-0004 <http://www.netwosix.org>
- -----------------------------------------------------------------------------------

Package name: libxml2
Summary: Buffer overflow in the nanohttp or nanoftp modules in
XMLSoft Libxml2 2.6.0
Date: 2004-03-04
Affected versions: Netwosix 1.0
************************************************************************************

- -> Package description:
- ------------------------
Libxml2 is the XML C parser and toolkit developed for the Gnome project.

- -> Problem description:
- ------------------------
A flaw in libxml2 versions prior to 2.6.6 was found by Yuuichi
Teranishi. When fetching a remote source via FTP or HTTP, libxml2
uses special parsing routines that can overflow a buffer if passed a
very long URL. In the event that the attacker can find a program that
uses libxml2 which parses remote resources and allows them to
influence the URL, this flaw could be used to execute arbitrary code.

- -> Action:
- ------------------------
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.

- -> Location:
- ---------------------

You can download the latest version of this package in NEPOTE format from:
<http://download.netwosix.org/0004/nepote>

- -> Nepote Update (Nepote has been updated with new ports on 25 February 2004.
Update your portage tree from http://nepote.netwosix.org, first):
- ---------------------

See this instructions to update the port of this package:

# cd /usr/ports/lib/libxml
# rm nepote
# wget http://download.netwosix.org/0004/nepote
# sh nepote (to install the new and updated package)

- -> References
- ---------------------

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110

- -> About Linux Netwosix:
- ---------------------------------
Linux Netwosix is a powerful and optimized Linux distribution for servers
and Network Security related jobs. It can also be used for special operations
such as penetration testing with its big collection of security oriented
software and sources. It's a light distribution created for the requirements
of every SysAdmin and it's very portable and highly configurable. Our
philosophy is to give greater liberty for configuration to the SysAdmin.
Only in this way can he/she configure a powerful and stable server machine.
Linux Netwosix also has a powerful ports system (Nepote) similar to the xBSD
systems but more flexible and usable.

- -> Questions?
- ---------------------
Check out our mailing lists:
<http://www.netwosix.org/mailing.html>

The advisory itself is available at
<http://www.netwosix.org/adv04.html>
- --------------------------------------------------

MD5sums of the packages:
- - --------------------------------------------------------------------------
60cb43bdcc312a611178df10c52a19c6 0004/nepote
- - --------------------------------------------------------------------------

Vincenzo Ciaglia - Linux Netwosix Security Advisories
<ciaglia@netwosix.org> - <http://www.netwosix.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAR6JP6jz9pGuz4koRAvzeAJ98LXBB30rNXDdkoTjW20FLCVuDmwCeOqsh
0JB1uL92Ux7adp2bz+uf/0c=
=ySSs
-----END PGP SIGNATURE-----

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft Affected

Updated: March 09, 2004

Status

Affected

Vendor Statement

Please see http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:018

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandrakelinux Security Update Advisory _______________________________________________________________________ Package name: libxml2 Advisory ID: MDKSA-2004:018 Date: March 3rd, 2004 Affected versions: 9.1, 9.2, Corporate Server 2.1 ______________________________________________________________________ Problem Description: A flaw in libxml2 versions prior to 2.6.6 was found by Yuuichi Teranishi. When fetching a remote source via FTP or HTTP, libxml2 uses special parsing routines that can overflow a buffer if passed a very long URL. In the event that the attacker can find a program that uses libxml2 which parses remote resources and allows them to influence the URL, this flaw could be used to execute arbitrary code. The updated packages provide a backported fix to correct the problem. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110______________________________________________________________________ Updated Packages: Corporate Server 2.1: 51af35991ac6ceef5cd6ddc4330e1995 corporate/2.1/RPMS/libxml2-2.4.23-4.2.C21mdk.i586.rpm 34e6aa4c010e14199767c97d5fe0b706 corporate/2.1/RPMS/libxml2-devel-2.4.23-4.2.C21mdk.i586.rpm 9b551a5dfa4129f88fa90062ed684725 corporate/2.1/RPMS/libxml2-python-2.4.23-4.2.C21mdk.i586.rpm 7c2efde8dde2fabc15d0c59fd867d156 corporate/2.1/RPMS/libxml2-utils-2.4.23-4.2.C21mdk.i586.rpm 153ca0fed634a7485046181baf06ea94 corporate/2.1/SRPMS/libxml2-2.4.23-4.2.C21mdk.src.rpm Corporate Server 2.1/x86_64: 2bfb3a34f15d5484119f94ea0d8c9d69 x86_64/corporate/2.1/RPMS/libxml2-2.4.23-4.2.C21mdk.x86_64.rpm 251108957d5ba90a9082d1f1976e5fb7 x86_64/corporate/2.1/RPMS/libxml2-devel-2.4.23-4.2.C21mdk.x86_64.rpm 7f4d9e5052d9ca41cd0ed8dba78d2416 x86_64/corporate/2.1/RPMS/libxml2-python-2.4.23-4.2.C21mdk.x86_64.rpm 63e3b6910f6e42b775cb936ce581b16e x86_64/corporate/2.1/RPMS/libxml2-utils-2.4.23-4.2.C21mdk.x86_64.rpm 153ca0fed634a7485046181baf06ea94 x86_64/corporate/2.1/SRPMS/libxml2-2.4.23-4.2.C21mdk.src.rpm Mandrakelinux 9.1: 9b91d9a62e88829d180335e93005d706 9.1/RPMS/libxml2-2.5.4-1.2.91mdk.i586.rpm 42ea5fe9ee7733bab3e726cb0005a9e8 9.1/RPMS/libxml2-devel-2.5.4-1.2.91mdk.i586.rpm 98642ae61a8884d25878bc91f1d06622 9.1/RPMS/libxml2-python-2.5.4-1.2.91mdk.i586.rpm 3a7b2acf410ed9d6dc7d34d7e7fc319a 9.1/RPMS/libxml2-utils-2.5.4-1.2.91mdk.i586.rpm bbb88662f90ff49f28a2e3e6905106f3 9.1/SRPMS/libxml2-2.5.4-1.2.91mdk.src.rpm Mandrakelinux 9.1/PPC: bcf80b555579701ed2ba8925bc1a9634 ppc/9.1/RPMS/libxml2-2.5.4-1.2.91mdk.ppc.rpm 3f6a1d38b9aaefd39a2ad116ec65643d ppc/9.1/RPMS/libxml2-devel-2.5.4-1.2.91mdk.ppc.rpm cdb9ee131ca5bd58564259d6917a9c56 ppc/9.1/RPMS/libxml2-python-2.5.4-1.2.91mdk.ppc.rpm 3c96adac2eb332f1e535b80e626a2c80 ppc/9.1/RPMS/libxml2-utils-2.5.4-1.2.91mdk.ppc.rpm bbb88662f90ff49f28a2e3e6905106f3 ppc/9.1/SRPMS/libxml2-2.5.4-1.2.91mdk.src.rpm Mandrakelinux 9.2: 6566203ab3c4fb904ae0126196aaf400 9.2/RPMS/libxml2-2.5.11-1.2.92mdk.i586.rpm 5552925b636b9926059c5c27ca37a588 9.2/RPMS/libxml2-devel-2.5.11-1.2.92mdk.i586.rpm 377f7250ee689d7ee7453b852e651d02 9.2/RPMS/libxml2-python-2.5.11-1.2.92mdk.i586.rpm 7e04e506249fbb224690ce3cc6434776 9.2/RPMS/libxml2-utils-2.5.11-1.2.92mdk.i586.rpm 34048480a99f5f04d02902ab918cf5c8 9.2/SRPMS/libxml2-2.5.11-1.2.92mdk.src.rpm Mandrakelinux 9.2/AMD64: 12bfba14856691201fb44eeecd2e0760 amd64/9.2/RPMS/lib64xml2-2.5.11-1.2.92mdk.amd64.rpm 0267276afa32b153be2ab27821f2a45c amd64/9.2/RPMS/lib64xml2-devel-2.5.11-1.2.92mdk.amd64.rpm 545cdb232a403bb77dbd7ae5881dfe01 amd64/9.2/RPMS/lib64xml2-python-2.5.11-1.2.92mdk.amd64.rpm 32012969ba7f58a67f8569d86ca90246 amd64/9.2/RPMS/libxml2-utils-2.5.11-1.2.92mdk.amd64.rpm 34048480a99f5f04d02902ab918cf5c8 amd64/9.2/SRPMS/libxml2-2.5.11-1.2.92mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. A list of FTP mirrors can be obtained from: http://www.mandrakesecure.net/en/ftp.phpAll packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing: gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98 Please be aware that sometimes it takes the mirrors a few hours to update. You can view other update advisories for Mandrakelinux at: http://www.mandrakesecure.net/en/advisories/Mandrakesoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting: http://www.mandrakesecure.net/en/mlist.phpIf you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security linux-mandrake.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFARrVQmqjQ0CJFipgRApmfAKDAmU1wWFUMOt0zdBXMK5B3TnbFiQCgtUPf ZHaFx48BQTxaJG6ZbwDG/0E= =Tz/7 -----END PGP SIGNATURE-----

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenPKG Affected

Updated: March 09, 2004

Status

Affected

Vendor Statement

Please see http://www.openpkg.org/security/OpenPKG-SA-2004.003-libxml.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________ OpenPKG Security Advisory The OpenPKG Projecthttp://www.openpkg.org/security.html http://www.openpkg.orgopenpkg-security@openpkg.org openpkg@openpkg.org OpenPKG-SA-2004.003 05-Mar-2004 ________________________________________________________________________ Package: libxml Vulnerability: arbitrary code execution OpenPKG Specific: no Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT <= libxml-2.6.5-20040126 >= libxml-2.6.6-20040212 OpenPKG 2.0 none N.A. OpenPKG 1.3 <= libxml-2.5.8-1.3.0 >= libxml-2.5.8-1.3.1 Affected Releases: Dependent Packages: OpenPKG CURRENT apache::with_mod_php_dom perl-xml::with_libxml php::with_dom php5::with_xml php5::with_dom cadaver dia kde-libs libgdome libglade libwmf libxslt neon pan ripe-dbase roadrunner scli scrollkeeper sitecopy subversion wv xmlsec xmlstarlet xmlto xmms OpenPKG 1.3 apache::with_mod_php_dom perl-xml::with_libxml php::with_dom libgdome libwmf libxslt neon sitecopy xmlsec Description: A flaw in the HTTP and FTP client sub-library of libxml2 [0] found by Yuuichi Teranishi can be exploited to cause a buffer overflow if passed a very long URL [1]. This could be used by an attacker to execute arbitrary code on the host computer. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2004-0110 [2] to the problem. Please check whether you are affected by running "<prefix>/bin/rpm -q libxml". If you have the "libxml" package installed and its version is affected (see above), we recommend that you immediately upgrade it (see solution) and any dependent packages (see above). [3][4] Solution: Select the updated source RPM appropriate for your OpenPKG release [5], fetch it from the OpenPKG FTP service [6] or a mirror location, verify its integrity [7], build a corresponding binary RPM from it [3] and update your OpenPKG installation by applying the binary RPM [4]. For the affected release OpenPKG 1.3, perform the following operations to permanently fix the security problem (for other releases adjust accordingly). $f t p f t p . o p e n p k g . o r g f t p > b i n f t p > c d r e l e a s e / 1.3 / U P D f t p > g e t l i b x m l - 2.5 .8 - 1.3 .1 . s r c . r p m f t p > b y e$ <prefix>/bin/rpm -v --checksig libxml-2.5.8-1.3.1.src.rpm $< p r e f i x > / b i n / r p m - - r e b u i l d l i b x m l - 2.5 .8 - 1.3 .1 . s r c . r p m$ su - # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/libxml-2.5.8-1.3.1.*.rpm Additionally, we recommend that you rebuild and reinstall all dependent packages (see above), if any, too. [3][4] ________________________________________________________________________ References: [0]http://xmlsoft.org/ [1]http://xmlsoft.org/news.html [2]http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0110 [3]http://www.openpkg.org/tutorial.html#regular-source [4]http://www.openpkg.org/tutorial.html#regular-binary [5]ftp://ftp.openpkg.org/release/1.3/UPD/libxml-2.5.8-1.3.1.src.rpm [6]ftp://ftp.openpkg.org/release/1.3/UPD/ [7]http://www.openpkg.org/security.html#signature________________________________________________________________________ For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the OpenPKG project which you can retrieve fromhttp://pgp.openpkg.org and hkp://pgp.openpkg.org. Follow the instructions onhttp://pgp.openpkg.org/for details on how to verify the integrity of this advisory. ________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG <openpkg@openpkg.org> iD8DBQFASLo3gHWT4GPEy58RAr+bAKDII0jb/BQ94576qHt2KDt7akiqEwCg2aUT IuYPKcQCRD4xwJbjDNj9QHs= =zN3S -----END PGP SIGNATURE-----

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc. Affected

Updated: March 09, 2004

Status

Affected

Vendor Statement

Please see https://rhn.redhat.com/errata/RHSA-2004-090.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

- ---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Updated libxml2 packages fix security vulnerability
Advisory ID: RHSA-2004:091-02
Issue date: 2004-03-03
Updated on: 2004-03-03
Product: Red Hat Linux
Keywords:
Cross references:
Obsoletes:
CVE Names: CAN-2004-0110
- ---------------------------------------------------------------------

1. Topic:

Updated libxml2 packages that fix an overflow when parsing remote resources
are now available.

[Updated 3 March 2004]
Revised libxml2 packages are now available as the original packages did not
contain a complete patch.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386

3. Problem description:

libxml2 is a library for manipulating XML files.

Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0110
to this issue.

All users are advised to upgrade to these updated packages, which contain a
backported fix and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the
up2date client with an updated certificate. The latest version of
up2date is available from the Red Hat FTP site and may also be
downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

5. RPMs required:

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/libxml2-2.5.4-3.rh9.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/libxml2-2.5.4-3.rh9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/libxml2-devel-2.5.4-3.rh9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/libxml2-python-2.5.4-3.rh9.i386.rpm

6. Verification:

MD5 sum Package Name
- --------------------------------------------------------------------------

cb550a537cbc60b95dcc4396ab419466 9/en/os/SRPMS/libxml2-2.5.4-3.rh9.src.rpm
b063360d9efb8f4de082f1324fdcd421 9/en/os/i386/libxml2-2.5.4-3.rh9.i386.rpm
8590c8fcd8268d3b682531a4428f14f8 9/en/os/i386/libxml2-devel-2.5.4-3.rh9.i386.rpm
d34886934ad6c00607e0117815bc1e0a 9/en/os/i386/libxml2-python-2.5.4-3.rh9.i386.rpm

These packages are GPG signed by Red Hat for security. Our key is
available from https://www.redhat.com/security/keys.html

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

md5sum <filename>

7. References:

http://mail.gnome.org/archives/xml/2004-February/msg00070.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFARdnpXlSAg2UNWIIRAtbLAJwKtHXbxKmYMXH+ijc1U1tdDyh4OQCglW2U
cVDJ2zxOZzZgjfNOV0z3fIU=
=zsb2
-----END PGP SIGNATURE-----

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI Affected

Updated: March 09, 2004

Status

Affected

Vendor Statement

Please see ftp://patches.sgi.com/support/free/security/advisories/20040301-01-U.asc

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE----- ____________________________________________________________________________ SGI Security Advisory Title : SGI Advanced Linux Environment security update #13 Number : 20040301-01-U Date : March 3, 2004 Reference : Redhat Advisory RHSA-2004:090-06, CAN-2004-0110 Reference : Redhat Advisory RHSA-2004:058-08, CAN-2003-0973 Fixed in : Patch 10056 for SGI ProPack v2.4 and SGI ProPack v2.3 ______________________________________________________________________________ SGI provides this information freely to the SGI user community for its consideration, interpretation, implementation and use. SGI recommends that this information be acted upon as soon as possible. SGI provides the information in this Security Advisory on an "AS-IS" basis only, and disclaims all warranties with respect thereto, express, implied or otherwise, including, without limitation, any warranty of merchantability or fitness for a particular purpose. In no event shall SGI be liable for any loss of profits, loss of business, loss of data or for any indirect, special, exemplary, incidental or consequential damages of any kind arising from your use of, failure to use or improper use of any of the instructions or information in this Security Advisory. ______________________________________________________________________________ - -------------- - --- Update --- - -------------- SGI has released Patch 10056: SGI Advanced Linux Environment security update #13, which includes updated RPMs for SGI ProPack v2.4 and SGI ProPack v2.3 for the SGI Altix family of systems, in response to the following security issues: Updated mod_python packages fix denial of service vulnerabilityhttp://rhn.redhat.com/errata/RHSA-2004-058.htmlUpdated libxml2 packages fix security vulnerabilityhttp://rhn.redhat.com/errata/RHSA-2004-090.htmlPatch 10056 is available fromhttp://support.sgi.com/ andftp://patches.sgi.com/support/free/security/patches/ProPack/2.3/ftp://patches.sgi.com/support/free/security/patches/ProPack/2.4/The individual RPMs from Patch 10056 are available from:ftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/RPMSftp://oss.sgi.com/projects/sgi_propack/download/2.3/updates/SRPMSftp://oss.sgi.com/projects/sgi_propack/download/2.4/updates/RPMSftp://oss.sgi.com/projects/sgi_propack/download/2.4/updates/SRPMSNote: Four weeks after the release of SGI ProPack v2.4, weekly security updates for SGI ProPack v2.3 will discontinue. Please upgrade to SGI ProPack v2.4 as soon as possible. See the SGI ProPack Support Policy onhttp://support.sgi.com/for additional information. - ------------- - --- Links --- - ------------- SGI Security Advisories can be found at:http://www.sgi.com/support/security/ andftp://patches.sgi.com/support/free/security/advisories/Red Hat Errata: Security Alerts, Bugfixes, and Enhancementshttp://www.redhat.com/apps/support/errata/SGI Advanced Linux Environment security updates can found on:ftp://oss.sgi.com/projects/sgi_propack/download/SGI patches can be found at the following patch servers:http://support.sgi.com/The primary SGI anonymous FTP site for security advisories and security patches isftp://patches.sgi.com/support/free/security/- ----------------------------------------- - --- SGI Security Information/Contacts --- - ----------------------------------------- If there are questions about this document, email can be sent to security-info@sgi.com. ------oOo------ SGI provides security information and patches for use by the entire SGI community. This information is freely available to any person needing the information and is available via anonymous FTP and the Web. The primary SGI anonymous FTP site for security advisories and patches is patches.sgi.com. Security advisories and patches are located under the URLftp://patches.sgi.com/support/free/security/The SGI Security Headquarters Web page is accessible at the URL:http://www.sgi.com/support/security/For issues with the patches on the FTP sites, email can be sent to security-info@sgi.com. For assistance obtaining or working with security patches, please contact your SGI support provider. ------oOo------ SGI provides a free security mailing list service called wiretap and encourages interested parties to self-subscribe to receive (via email) all SGI Security Advisories when they are released. Subscribing to the mailing list can be done via the Web (http://www.sgi.com/support/security/wiretap.html) or by sending email to SGI as outlined below. % mail wiretap-request@sgi.com subscribe wiretap < YourEmailAddress such as midwatch@sgi.com > end ^d In the example above, <YourEmailAddress> is the email address that you wish the mailing list information sent to. The word end must be on a separate line to indicate the end of the body of the message. The control-d (^d) is used to indicate to the mail program that you are finished composing the mail message. ------oOo------ SGI provides a comprehensive customer World Wide Web site. This site is located athttp://www.sgi.com/support/security/ . ------oOo------ If there are general security questions on SGI systems, email can be sent to security-info@sgi.com. For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com or contact your SGI support provider. A support contract is not required for submitting a security report. ______________________________________________________________________________ This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, SGI is appropriately credited and the document retains and includes its valid PGP signature. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBQEZc7rQ4cFApAP75AQGbfgP9EVFvHOutQopidet9Q3H1lw4tbpIzqgt1 1MeA6n3rfDYDe1pQLw1jLb1Exlp8iEFzBerbe0Lxen+zEAlRdUi1wL9NCnyo89Ro D6B8+KNvgibtERzcf9y7NgHU8fTDxPjcmegQMl3Nst3/6zYwy3NNUFPIXTfnAySe X1ERZhNMqSk= =4964 -----END PGP SIGNATURE-----

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix Secure Linux Affected

Updated: March 09, 2004

Status

Affected

Vendor Statement

Please see http://www.trustix.org/errata/misc/2004/TSL-2004-0010-libxml2.asc.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2004-0010

Package name: libxml2
Summary: buffer overrun in nanohttp
Date: 2004-03-05
Affected versions: Trustix 2.0

- --------------------------------------------------------------------------
Package description:
This library allows to manipulate XML files. It includes support
to read, modify and write XML and HTML files.

Problem description:
URLs longer than 4096 bytes would cause an overflow while using nanohttp
in libxml2.

Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.

Location:
All Trustix updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>

About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.

Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.

Public testing:
Most updates for Trustix are made available for public testing some time
before release.
If you want to contribute by testing the various packages in the
testing tree, please feel free to share your findings on the
tsl-discuss mailinglist.
The testing tree is located at
<URI:http://tsldev.trustix.org/cloud/>

You may also use swup for public testing of updates:

site {
class = 0
location = "http://tsldev.trustix.org/cloud/rdfs/latest.rdf"
regexp = ".*"
}

Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>

Verification:
This advisory along with all Trustix packages are signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>

The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.0/>
or directly at
<URI:http://www.trustix.org/errata/misc/2004/TSL-2004-0010-libxml2.asc.txt>

MD5sums of the packages:
- --------------------------------------------------------------------------
13066c223f0c3148eb69cfd399ea3f14 2.0/rpms/libxml2-2.5.10-1tr.i586.rpm
b0a80332a30d823552dc99a13ffbf689 2.0/rpms/libxml2-devel-2.5.10-1tr.i586.rpm
f58ec53e75a663aee96b7e472d01874f 2.0/rpms/libxml2-python-2.5.10-1tr.i586.rpm
2a048d808097e162648d7f31f6c0ada5 2.0/srpms/libxml2-2.5.10-1tr.src.rpm
- --------------------------------------------------------------------------

Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFASK8Ei8CEzsK9IksRAlmZAKC6aFKwT15n2LKkY7H1JGSFRWD8ywCdHGGE
GJx7SovoxEdiZWCV6Jy1bKc=
=fzDy
-----END PGP SIGNATURE-----

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Yuuichi Teranishi for finding this vulnerability.

This document was written by Jeffrey S. Havrilla.

Other Information

CVE IDs:	CVE-2004-0110
Date Public:	2004-02-12
Date First Published:	2004-03-09
Date Last Updated:	2004-03-09 20:04 UTC
Document Revision:	9

Software Engineering Institute

CERT Coordination Center

Libxml2 URI parsing errors in nanohttp and nanoftp

Vulnerability Note VU#493966

Overview

Description

Impact

Solution

Vendor Information

Debian Affected

Fedora Project Affected

GNOME Project Affected

Gentoo Linux Affected

Linux Netwosix Affected

MandrakeSoft Affected

OpenPKG Affected

Red Hat Inc. Affected

SGI Affected

Trustix Secure Linux Affected

CVSS Metrics

References

Acknowledgements

Other Information

Contact CERT/CC