libxml2: CVE-2007-6284 denial of service via crafted UTF-8 sequence

Debian Bug report logs - #460292
libxml2: CVE-2007-6284 denial of service via crafted UTF-8 sequence

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Pascal Volk <user@localhost.localdomain.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libxml2: libxml2 UTF-8 parsing denial of service vulnerability

Date: Fri, 11 Jan 2008 21:48:52 +0100

Package: libxml2
Version: 2.6.30.dfsg-3
Severity: normal

A vulnerability has been reported in libxml2, prior to version 2.6.31, from
Daniel Veillard:
"Two specially crafted broken UTF-8 sequences when occuring at the wrong
place lead the parser to go into an infinite loop."
The report is available at:
    http://mail.gnome.org/archives/xml/2008-January/msg00036.html

A patch can be found at:
    http://veillard.com/libxml2.patch
The fixed source code can be downloaded from:
    ftp://xmlsoft.org/libxml/libxml2-2.6.31.tar.gz


Regards
Pascal

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-k7 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libxml2 depends on:
ii  libc6                   2.7-5            GNU C Library: Shared libraries
ii  zlib1g                  1:1.2.3.3.dfsg-8 compression library - runtime

Versions of packages libxml2 recommends:
ii  xml-core                      0.11       XML infrastructure and XML catalog

-- no debconf information

Message #10 received at 460292@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: Pascal Volk <user@localhost.localdomain.org>, 460292@bugs.debian.org

Subject: Re: Bug#460292: libxml2: libxml2 UTF-8 parsing denial of service vulnerability

Date: Sat, 12 Jan 2008 04:31:07 +0100

[Message part 1 (text/plain, inline)]

Hi,
* Pascal Volk <user@localhost.localdomain.org> [2008-01-12 04:04]:
> Package: libxml2
> Version: 2.6.30.dfsg-3
> Severity: normal
> 
> A vulnerability has been reported in libxml2, prior to version 2.6.31, from
> Daniel Veillard:
> "Two specially crafted broken UTF-8 sequences when occuring at the wrong
> place lead the parser to go into an infinite loop."
> The report is available at:
>     http://mail.gnome.org/archives/xml/2008-January/msg00036.html
> 
> A patch can be found at:
>     http://veillard.com/libxml2.patch
> The fixed source code can be downloaded from:
>     ftp://xmlsoft.org/libxml/libxml2-2.6.31.tar.gz

Is there any service using libxml2? If not I would consider 
this a normal bug rather than a security issue.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #15 received at 460292@bugs.debian.org (full text, mbox, reply):

From: Pascal Volk <user@localhost.localdomain.org>

To: Nico Golde <nion@debian.org>

Cc: 460292@bugs.debian.org

Subject: Re: Bug#460292: libxml2: libxml2 UTF-8 parsing denial of service vulnerability

Date: Sun, 13 Jan 2008 13:10:31 +0100

Am 12.01.2008 04:31 schrieb Nico Golde:
> 
> Is there any service using libxml2? If not I would consider 
> this a normal bug rather than a security issue.

There are services that use libxml2 indirectly. For example apache2 with
 libapache2-mod-php5, php5-cgi (with php5-xsl and/or php5-xmlrpc),
libapache2-modxslt, libapache2-mod-proxy-html.
icecast2 depends directly on libxml2.


Regards
Pascal

Message #20 received at 460292@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 460292@bugs.debian.org, control@bugs.debian.org

Subject: Re: Bug#460292: libxml2: libxml2 UTF-8 parsing denial of service vulnerability

Date: Sun, 13 Jan 2008 15:08:57 +0100

[Message part 1 (text/plain, inline)]

tags 460292 + security
severity 460292 grave
retitle 460292 libxml2: CVE-2007-6284 denial of service via crafted UTF-8 sequence
thanks

Hi Pascal,
* Pascal Volk <user@localhost.localdomain.org> [2008-01-13 14:33]:
> Am 12.01.2008 04:31 schrieb Nico Golde:
> > 
> > Is there any service using libxml2? If not I would consider 
> > this a normal bug rather than a security issue.
> 
> There are services that use libxml2 indirectly. For example apache2 with
>  libapache2-mod-php5, php5-cgi (with php5-xsl and/or php5-xmlrpc),
> libapache2-modxslt, libapache2-mod-proxy-html.
> icecast2 depends directly on libxml2.

Ok thank you. Adjusting bug status.

This is CVE-2007-6284, please mention this CVE id in the 
changelog if you close this bug.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #33 received at 460292@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 460292@bugs.debian.org

Subject: libxml2: CVE-2007-6284 denial of service via crafted UTF-8 sequence

Date: Sun, 13 Jan 2008 15:22:46 +0100

[Message part 1 (text/plain, inline)]

Hi,
attached is a patch for an NMU.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/libxml2-2.6.30.dfsg-3_2.6.30.dfsg-3.1.patch

Please ping me in case you have no time to do an upload in 
reasonable time.
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[libxml2-2.6.30.dfsg-3_2.6.30.dfsg-3.1.patch (text/x-diff, attachment)]

[Message part 3 (application/pgp-signature, inline)]

Message #38 received at 460292@bugs.debian.org (full text, mbox, reply):

From: Mike Hommey <mh@glandium.org>

To: Nico Golde <nion@debian.org>, 460292@bugs.debian.org

Subject: Re: [xml/sgml-pkgs] Bug#460292: libxml2: CVE-2007-6284 denial of service via crafted UTF-8 sequence

Date: Mon, 14 Jan 2008 19:55:52 +0900

On Sun, Jan 13, 2008 at 03:22:46PM +0100, Nico Golde wrote:
> Hi,
> attached is a patch for an NMU.
> It will be also archived on:
> http://people.debian.org/~nion/nmu-diff/libxml2-2.6.30.dfsg-3_2.6.30.dfsg-3.1.patch
> 
> Please ping me in case you have no time to do an upload in 
> reasonable time.

Please go ahead. If you have time to take a look at libxml1 too,
which seems to be affected too, that would be appreciated.

Mike

Message #45 received at 460292@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 460292@bugs.debian.org

Subject: Re: Bug#460292: [xml/sgml-pkgs] Bug#460292: libxml2: CVE-2007-6284 denial of service via crafted UTF-8 sequence

Date: Mon, 14 Jan 2008 13:43:12 +0100

[Message part 1 (text/plain, inline)]

Hi Mike,
* Mike Hommey <mh@glandium.org> [2008-01-14 12:22]:
> On Sun, Jan 13, 2008 at 03:22:46PM +0100, Nico Golde wrote:
> > Hi,
> > attached is a patch for an NMU.
> > It will be also archived on:
> > http://people.debian.org/~nion/nmu-diff/libxml2-2.6.30.dfsg-3_2.6.30.dfsg-3.1.patch
> > 
> > Please ping me in case you have no time to do an upload in 
> > reasonable time.
> 
> Please go ahead. If you have time to take a look at libxml1 too,
> which seems to be affected too, that would be appreciated.

Thanks for the hint. I cloned this bug and fixed this as 
well in libxml1. I send you the diff to the other bug.
Going to upload libxml2 now.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #50 received at 460292-close@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 460292-close@bugs.debian.org

Subject: Bug#460292: fixed in libxml2 2.6.30.dfsg-3.1

Date: Mon, 14 Jan 2008 13:02:05 +0000

Source: libxml2
Source-Version: 2.6.30.dfsg-3.1

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive:

libxml2-dbg_2.6.30.dfsg-3.1_i386.deb
  to pool/main/libx/libxml2/libxml2-dbg_2.6.30.dfsg-3.1_i386.deb
libxml2-dev_2.6.30.dfsg-3.1_i386.deb
  to pool/main/libx/libxml2/libxml2-dev_2.6.30.dfsg-3.1_i386.deb
libxml2-doc_2.6.30.dfsg-3.1_all.deb
  to pool/main/libx/libxml2/libxml2-doc_2.6.30.dfsg-3.1_all.deb
libxml2-utils_2.6.30.dfsg-3.1_i386.deb
  to pool/main/libx/libxml2/libxml2-utils_2.6.30.dfsg-3.1_i386.deb
libxml2_2.6.30.dfsg-3.1.diff.gz
  to pool/main/libx/libxml2/libxml2_2.6.30.dfsg-3.1.diff.gz
libxml2_2.6.30.dfsg-3.1.dsc
  to pool/main/libx/libxml2/libxml2_2.6.30.dfsg-3.1.dsc
libxml2_2.6.30.dfsg-3.1_i386.deb
  to pool/main/libx/libxml2/libxml2_2.6.30.dfsg-3.1_i386.deb
python-libxml2_2.6.30.dfsg-3.1_i386.deb
  to pool/main/libx/libxml2/python-libxml2_2.6.30.dfsg-3.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 460292@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 13 Jan 2008 15:15:04 +0100
Source: libxml2
Binary: python-libxml2 libxml2-dbg libxml2-utils libxml2-doc libxml2-dev libxml2
Architecture: source all i386
Version: 2.6.30.dfsg-3.1
Distribution: unstable
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 python-libxml2 - Python bindings for the GNOME XML library
Closes: 460292
Changes: 
 libxml2 (2.6.30.dfsg-3.1) unstable; urgency=high
 .
   * Non-maintainer upload by security team.
   * This update addresses the following security issue:
     - CVE-2007-6284: The xmlCurrentChar function allows context-dependent
       attackers to cause a denial of service (infinite loop) via XML
       containing invalid UTF-8 sequences (Closes: #460292).
Files: 
 d3be67719a452f09705f63200ddff4d6 917 libs optional libxml2_2.6.30.dfsg-3.1.dsc
 b734d1aabf66051020c56d65e4b5a6d9 185412 libs optional libxml2_2.6.30.dfsg-3.1.diff.gz
 8435850f49ff346858e6331d1b7ec5d4 1332676 doc optional libxml2-doc_2.6.30.dfsg-3.1_all.deb
 18a25eeac434bde4a5d968cf7a622bd1 779884 libs optional libxml2_2.6.30.dfsg-3.1_i386.deb
 33da42e097def81565233cd8993b08ee 33700 text optional libxml2-utils_2.6.30.dfsg-3.1_i386.deb
 39db63bdae76c1d00b6e34b7c5d53cb4 673072 libdevel optional libxml2-dev_2.6.30.dfsg-3.1_i386.deb
 0d4aa64b013dcc7cabcc4508ef3d7e34 901904 libdevel extra libxml2-dbg_2.6.30.dfsg-3.1_i386.deb
 62a303c1827f43c6399e74785812c353 263412 python optional python-libxml2_2.6.30.dfsg-3.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHi1qAHYflSXNkfP8RAv4CAJ4uDWhy8vcbLumWZ1y/8508aactYQCgl2Ae
iKEQ20tFS0YKCU0FHcttzUY=
=TzqD
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.