Debian Bug report logs - #460292
libxml2: CVE-2007-6284 denial of service via crafted UTF-8 sequence
Reported by: Pascal Volk <user@localhost.localdomain.org>
Date: Fri, 11 Jan 2008 20:51:01 UTC
Severity: grave
Tags: patch, security
Found in version libxml2/2.6.30.dfsg-3
Fixed in version libxml2/2.6.30.dfsg-3.1
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>: Bug#460292; Package libxml2.
Acknowledgement sent to Pascal Volk <user@localhost.localdomain.org>: New Bug report received and forwarded. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: libxml2
Version: 2.6.30.dfsg-3
Severity: normal
A vulnerability has been reported in libxml2, prior to version 2.6.31, from
Daniel Veillard:
"Two specially crafted broken UTF-8 sequences when occurring at the wrong
place lead the parser to go into an infinite loop."
The report is available at:
http://mail.gnome.org/archives/xml/2008-January/msg00036.html
A patch can be found at:
http://veillard.com/libxml2.patch
The fixed source code can be downloaded from:
ftp://xmlsoft.org/libxml/libxml2-2.6.31.tar.gz
Regards
Pascal
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-3-k7 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libxml2 depends on:
ii libc6 2.7-5 GNU C Library: Shared libraries
ii zlib1g 1:1.2.3.3.dfsg-8 compression library - runtime
Versions of packages libxml2 recommends:
ii xml-core 0.11 XML infrastructure and XML catalog
-- no debconf information
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>.
Message #10 received at 460292@bugs.debian.org (full text, mbox, reply):
Hi,
* Pascal Volk <user@localhost.localdomain.org> [2008-01-12 04:04]:
> Package: libxml2
> Version: 2.6.30.dfsg-3
> Severity: normal
>
> A vulnerability has been reported in libxml2, prior to version 2.6.31, from
> Daniel Veillard:
> "Two specially crafted broken UTF-8 sequences when occurring at the wrong
> place lead the parser to go into an infinite loop."
> The report is available at:
> http://mail.gnome.org/archives/xml/2008-January/msg00036.html
>
> A patch can be found at:
> http://veillard.com/libxml2.patch
> The fixed source code can be downloaded from:
> ftp://xmlsoft.org/libxml/libxml2-2.6.31.tar.gz
Is there any service using libxml2? If not I would consider
this a normal bug rather than a security issue.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Acknowledgement sent to Pascal Volk <user@localhost.localdomain.org>: Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>.
Message #15 received at 460292@bugs.debian.org (full text, mbox, reply):
On 12.01.2008 04:31, Nico Golde wrote:
>
> Is there any service using libxml2? If not I would consider
> this a normal bug rather than a security issue.
There are services that use libxml2 indirectly. For example apache2 with
libapache2-mod-php5, php5-cgi (with php5-xsl and/or php5-xmlrpc),
libapache2-modxslt, libapache2-mod-proxy-html.
icecast2 depends directly on libxml2.
Regards
Pascal
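The triage question in this exchange (does any running service actually load libxml2?) can also be checked on a live host. The following is an added example, not part of the bug thread: it lists processes that have the library mapped and marks those still using a copy that was replaced on disk, which need a restart after the fixed package is installed. The function names and the optional proc-root argument are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: which processes have a shared library mapped, and which of
# them still run a copy that was replaced on disk (shown as "(deleted)").
# The optional second argument is an assumption of this example so it can be
# run against a constructed tree; on a live system it defaults to /proc.

# procs_mapping_lib LIBNAME [PROC_ROOT]
# Prints one line per matching process: "<pid> <comm> <current|stale>"
procs_mapping_lib() {
    lib=$1
    root=${2:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        # The last field of a maps line is the mapped file path.
        hits=$(grep -F "/$lib.so" "$dir/maps" 2>/dev/null) || continue
        state=current
        case $hits in
            *"(deleted)"*) state=stale ;;   # old library still in memory
        esac
        comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
        printf '%s %s %s\n' "${dir##*/}" "$comm" "$state"
    done
}

# make_sample_proc DIR: constructed /proc-like tree, for demonstration only.
make_sample_proc() {
    d=$1
    mkdir -p "$d/101" "$d/202" "$d/303"
    echo apache2 > "$d/101/comm"
    echo 'b7c00000-b7d20000 r-xp 00000000 08:01 1234 /usr/lib/libxml2.so.2.6.30 (deleted)' > "$d/101/maps"
    echo icecast2 > "$d/202/comm"
    echo 'b7a00000-b7b20000 r-xp 00000000 08:01 5678 /usr/lib/libxml2.so.2.6.30' > "$d/202/maps"
    echo sshd > "$d/303/comm"
    echo 'b7e00000-b7f00000 r-xp 00000000 08:01 9012 /lib/libc-2.7.so' > "$d/303/maps"
}

# When invoked with arguments, e.g. "sh script.sh libxml2", scan the live system.
if [ "$#" -gt 0 ]; then
    procs_mapping_lib "$@"
fi
```

Reading the maps files of other users' processes requires root, so run the live scan as root to see every service.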
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>.
Message #20 received at 460292@bugs.debian.org (full text, mbox, reply):
tags 460292 + security
severity 460292 grave
retitle 460292 libxml2: CVE-2007-6284 denial of service via crafted UTF-8 sequence
thanks
Hi Pascal,
* Pascal Volk <user@localhost.localdomain.org> [2008-01-13 14:33]:
> On 12.01.2008 04:31, Nico Golde wrote:
> >
> > Is there any service using libxml2? If not I would consider
> > this a normal bug rather than a security issue.
>
> There are services that use libxml2 indirectly. For example apache2 with
> libapache2-mod-php5, php5-cgi (with php5-xsl and/or php5-xmlrpc),
> libapache2-modxslt, libapache2-mod-proxy-html.
> icecast2 depends directly on libxml2.
Ok thank you. Adjusting bug status.
This is CVE-2007-6284, please mention this CVE id in the
changelog if you close this bug.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Tags added: security. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org (Sun, 13 Jan 2008 14:09:45 GMT).
Severity set to `grave' from `normal'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org (Sun, 13 Jan 2008 14:09:46 GMT).
Changed Bug title to `libxml2: CVE-2007-6284 denial of service via crafted UTF-8 sequence' from `libxml2: libxml2 UTF-8 parsing denial of service vulnerability'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org (Sun, 13 Jan 2008 14:09:47 GMT).
Tags added: patch. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org (Sun, 13 Jan 2008 14:15:01 GMT).
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>.
Message #33 received at 460292@bugs.debian.org (full text, mbox, reply):
Hi,
attached is a patch for an NMU.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/libxml2-2.6.30.dfsg-3_2.6.30.dfsg-3.1.patch
Please ping me in case you have no time to do an upload in
reasonable time.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[libxml2-2.6.30.dfsg-3_2.6.30.dfsg-3.1.patch (text/x-diff, attachment)]
Acknowledgement sent to Mike Hommey <mh@glandium.org>: Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>.
Message #38 received at 460292@bugs.debian.org (full text, mbox, reply):
On Sun, Jan 13, 2008 at 03:22:46PM +0100, Nico Golde wrote:
> Hi,
> attached is a patch for an NMU.
> It will be also archived on:
> http://people.debian.org/~nion/nmu-diff/libxml2-2.6.30.dfsg-3_2.6.30.dfsg-3.1.patch
>
> Please ping me in case you have no time to do an upload in
> reasonable time.
Please go ahead. If you have time to take a look at libxml1 too,
which seems to be affected too, that would be appreciated.
Mike
Bug 460292 cloned as bug 460666. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org (Mon, 14 Jan 2008 12:42:04 GMT).
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>.
Message #45 received at 460292@bugs.debian.org (full text, mbox, reply):
Hi Mike,
* Mike Hommey <mh@glandium.org> [2008-01-14 12:22]:
> On Sun, Jan 13, 2008 at 03:22:46PM +0100, Nico Golde wrote:
> > Hi,
> > attached is a patch for an NMU.
> > It will be also archived on:
> > http://people.debian.org/~nion/nmu-diff/libxml2-2.6.30.dfsg-3_2.6.30.dfsg-3.1.patch
> >
> > Please ping me in case you have no time to do an upload in
> > reasonable time.
>
> Please go ahead. If you have time to take a look at libxml1 too,
> which seems to be affected too, that would be appreciated.
Thanks for the hint. I cloned this bug and fixed this as
well in libxml1. I send you the diff to the other bug.
Going to upload libxml2 now.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Reply sent to Nico Golde <nion@debian.org>: You have taken responsibility.
Notification sent to Pascal Volk <user@localhost.localdomain.org>: Bug acknowledged by developer.
Message #50 received at 460292-close@bugs.debian.org (full text, mbox, reply):
Source: libxml2
Source-Version: 2.6.30.dfsg-3.1
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive:
libxml2-dbg_2.6.30.dfsg-3.1_i386.deb
to pool/main/libx/libxml2/libxml2-dbg_2.6.30.dfsg-3.1_i386.deb
libxml2-dev_2.6.30.dfsg-3.1_i386.deb
to pool/main/libx/libxml2/libxml2-dev_2.6.30.dfsg-3.1_i386.deb
libxml2-doc_2.6.30.dfsg-3.1_all.deb
to pool/main/libx/libxml2/libxml2-doc_2.6.30.dfsg-3.1_all.deb
libxml2-utils_2.6.30.dfsg-3.1_i386.deb
to pool/main/libx/libxml2/libxml2-utils_2.6.30.dfsg-3.1_i386.deb
libxml2_2.6.30.dfsg-3.1.diff.gz
to pool/main/libx/libxml2/libxml2_2.6.30.dfsg-3.1.diff.gz
libxml2_2.6.30.dfsg-3.1.dsc
to pool/main/libx/libxml2/libxml2_2.6.30.dfsg-3.1.dsc
libxml2_2.6.30.dfsg-3.1_i386.deb
to pool/main/libx/libxml2/libxml2_2.6.30.dfsg-3.1_i386.deb
python-libxml2_2.6.30.dfsg-3.1_i386.deb
to pool/main/libx/libxml2/python-libxml2_2.6.30.dfsg-3.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 460292@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sun, 13 Jan 2008 15:15:04 +0100
Source: libxml2
Binary: python-libxml2 libxml2-dbg libxml2-utils libxml2-doc libxml2-dev libxml2
Architecture: source all i386
Version: 2.6.30.dfsg-3.1
Distribution: unstable
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
libxml2 - GNOME XML library
libxml2-dbg - Debugging symbols for the GNOME XML library
libxml2-dev - Development files for the GNOME XML library
libxml2-doc - Documentation for the GNOME XML library
libxml2-utils - XML utilities
python-libxml2 - Python bindings for the GNOME XML library
Closes: 460292
Changes:
libxml2 (2.6.30.dfsg-3.1) unstable; urgency=high
.
* Non-maintainer upload by security team.
* This update addresses the following security issue:
- CVE-2007-6284: The xmlCurrentChar function allows context-dependent
attackers to cause a denial of service (infinite loop) via XML
containing invalid UTF-8 sequences (Closes: #460292).
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Sat, 16 Feb 2008 07:32:47 GMT).