CVE-2014-0191


Debian Bug report logs - #747309
CVE-2014-0191


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 7 May 2014 11:45:01 UTC

Severity: grave

Tags: security

Found in version libxml2/2.9.1+dfsg1-3

Fixed in versions libxml2/2.7.8.dfsg-2+squeeze9, libxml2/2.9.1+dfsg1-4, libxml2/2.8.0+dfsg1-7+wheezy1

Done: Aron Xu <aron@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#747309; Package libxml2. (Wed, 07 May 2014 11:45:06 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Wed, 07 May 2014 11:45:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2014-0191
Date: Wed, 07 May 2014 13:40:26 +0200
Package: libxml2
Version: 2.9.1+dfsg1-3
Severity: grave
Tags: security

Hi,
from oss-security. This was assigned CVE-2014-0191

| It was discovered that libxml2, a library providing support to read,
| modify and write XML files, incorrectly performs entity substitution in
| the doctype prolog, even if the application using libxml2 disabled any
| entity substitution. A remote attacker could provide a
| specially-crafted XML file that, when processed, would lead to the
| exhaustion of CPU and memory resources or file descriptors.
| 
| This issue was discovered by Daniel Berrange of Red Hat.

Fix:
https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df

Cheers,
        Moritz
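The advisory text quoted above says libxml2 substituted entities in the DOCTYPE prolog even when the application had disabled entity substitution. As an added illustration of a defence that does not depend on the parser honouring that setting (example code written for this page, not part of libxml2, of the upstream fix, or of the Debian package), the Python below scans a document's prolog and refuses it when the DOCTYPE declares entities or references an external DTD, before the bytes ever reach an XML parser. The function names, the accept/reject policy and the sample documents are all assumptions of the example.

```python
"""Pre-parse guard that refuses XML whose DOCTYPE declares entities.

Added example for this bug report; not part of libxml2 or of the Debian
package. The scanner walks only the prolog (everything before the root
element), skipping comments, processing instructions and quoted literals so
that an "<!ENTITY" inside a comment or a literal cannot fool it.
"""


def _find_or_fail(data: bytes, marker: bytes, start: int) -> int:
    """Index just past `marker`, raising if the construct is unterminated."""
    j = data.find(marker, start)
    if j < 0:
        raise ValueError(f"unterminated construct, expected {marker!r}")
    return j + len(marker)


def scan_prolog(xml: bytes) -> dict:
    """Walk the prolog and report what the DOCTYPE, if any, contains."""
    info = {"doctype": False, "external_id": False, "entity_decls": 0}
    in_doctype = in_subset = False
    i, n = 0, len(xml)
    while i < n:
        if xml.startswith(b"<!--", i):
            i = _find_or_fail(xml, b"-->", i + 4)            # comment
        elif xml.startswith(b"<?", i):
            i = _find_or_fail(xml, b"?>", i + 2)             # XML decl / PI
        elif xml.startswith(b"<!DOCTYPE", i):
            info["doctype"] = in_doctype = True
            i += len(b"<!DOCTYPE")
        elif in_doctype and xml[i] in b"\"'":
            i = _find_or_fail(xml, xml[i:i + 1], i + 1)      # quoted literal
        elif in_doctype and xml.startswith(b"[", i):
            in_subset = True                                 # internal subset opens
            i += 1
        elif in_subset and xml.startswith(b"<!ENTITY", i):
            info["entity_decls"] += 1                        # entity declaration
            i += len(b"<!ENTITY")
        elif in_subset and xml.startswith(b"]", i):
            in_subset = False                                # internal subset closes
            i += 1
        elif in_doctype and not in_subset and xml.startswith(b">", i):
            in_doctype = False                               # end of DOCTYPE
            i += 1
        elif (in_doctype and not in_subset and xml[i - 1:i].isspace()
              and (xml.startswith(b"SYSTEM", i) or xml.startswith(b"PUBLIC", i))):
            info["external_id"] = True                       # external DTD reference
            i += 6
        elif not in_doctype and xml.startswith(b"<", i):
            break                                            # root element: prolog ends
        else:
            i += 1
    if in_doctype:
        raise ValueError("unterminated DOCTYPE declaration")
    return info


def guard(xml: bytes, allow_doctype: bool = False) -> tuple:
    """Return (accepted, reason).

    Policy (an assumption of this example): no DOCTYPE unless the caller opts
    in, and never one that declares entities or pulls in an external DTD.
    """
    info = scan_prolog(xml)
    if not info["doctype"]:
        return True, "no DOCTYPE"
    if not allow_doctype:
        return False, "DOCTYPE present but not permitted"
    if info["entity_decls"]:
        return False, f"{info['entity_decls']} entity declaration(s) in internal subset"
    if info["external_id"]:
        return False, "DOCTYPE references an external DTD"
    return True, "DOCTYPE without entity declarations or external DTD"


# Constructed sample documents for the example (not taken from the report).
SAMPLES = {
    "plain": b'<?xml version="1.0"?>\n<note>hi</note>',
    "doctype_only": (b'<?xml version="1.0"?>\n'
                     b'<!DOCTYPE note [ <!ELEMENT note (#PCDATA)> ]>\n<note>hi</note>'),
    "internal_entity": (b'<?xml version="1.0"?>\n'
                        b'<!-- <!ENTITY decoy "x"> -->\n'   # inside a comment: must be ignored
                        b'<!DOCTYPE note [ <!ENTITY greet "<b>hello</b>"> ]>\n'
                        b'<note>&greet;</note>'),
    "external_dtd": b'<!DOCTYPE note SYSTEM "note.dtd">\n<note>hi</note>',
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(f"{name:16} -> {guard(doc, allow_doctype=True)}")
```

Run the guard on the raw bytes before handing them to libxml2 (or any other parser); with the default policy it rejects every document that carries a DOCTYPE, which is the simplest posture for applications that never need DTDs, and `allow_doctype=True` still rejects entity declarations and external DTD references.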



Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#747309; Package libxml2. (Mon, 09 Jun 2014 15:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Mon, 09 Jun 2014 15:27:04 GMT) (full text, mbox, link).


Message #10 received at 747309@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 747309@bugs.debian.org
Subject: Re: Bug#747309: CVE-2014-0191
Date: Mon, 9 Jun 2014 17:22:40 +0200
Hi,

Not looked in detail, but if applying this patch, it would also need a
followup patch to fix a regression.

See: https://bugs.launchpad.net/ubuntu/+source/libxml2/+bug/1321869
and http://www.ubuntu.com/usn/usn-2214-2/

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#747309; Package libxml2. (Mon, 09 Jun 2014 21:12:04 GMT) (full text, mbox, link).


Acknowledgement sent to Aron Xu <aron@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Mon, 09 Jun 2014 21:12:04 GMT) (full text, mbox, link).


Message #15 received at 747309@bugs.debian.org (full text, mbox, reply):

From: Aron Xu <aron@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 747309@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: [xml/sgml-pkgs] Bug#747309: CVE-2014-0191
Date: Tue, 10 Jun 2014 05:08:18 +0800
Hi,

On Mon, Jun 9, 2014 at 11:22 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Hi,
>
> Not looked in detail, but if applying this patch, it would also need a
> followup patch to fix a regression.
>
> See: https://bugs.launchpad.net/ubuntu/+source/libxml2/+bug/1321869
> and http://www.ubuntu.com/usn/usn-2214-2/
>

I tried to update the package when the first USN came out and noticed
there's action from the Ubuntu Security team for a regression, so the update
was held back. Now I'll try to deal with the update as soon as
possible.


Regards,
Aron Xu



Reply sent to Aron Xu <aron@debian.org>:
You have taken responsibility. (Tue, 08 Jul 2014 23:09:14 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Tue, 08 Jul 2014 23:09:14 GMT) (full text, mbox, link).


Message #20 received at 747309-close@bugs.debian.org (full text, mbox, reply):

From: Aron Xu <aron@debian.org>
To: 747309-close@bugs.debian.org
Subject: Bug#747309: fixed in libxml2 2.9.1+dfsg1-4
Date: Tue, 08 Jul 2014 23:04:21 +0000
Source: libxml2
Source-Version: 2.9.1+dfsg1-4

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 747309@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <aron@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 09 Jul 2014 05:40:15 +0800
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-utils-dbg libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.9.1+dfsg1-4
Distribution: unstable
Urgency: low
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Aron Xu <aron@debian.org>
Description:
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 libxml2-utils-dbg - XML utilities (debug extension)
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 738080 742350 747309 753005
Changes:
 libxml2 (2.9.1+dfsg1-4) unstable; urgency=low
 .
   [ Christian Svensson ]
   * Do not build-depend on readline (Closes: #742350)
 .
   [ Daniel Schepler ]
   * Patch to bootstrap without python (Closes: #738080)
 .
   [ Helmut Grohne ]
   * Drop unneeded B-D on perl and binutils (Closes: #753005)
 .
   [ Adam Conrad ]
   * Actually run dh_autoreconf, which the old/new mixed rules file misses.
 .
   [ Matthias Klose ]
   * Add patch to fix python multiarch issue
   * Allow the package to cross-build by tweaking B-Ds on python
   * Set PYTHON_LIBS for cross builds
 .
   [ Aron Xu ]
   * Use correct $CC
   * Configure udeb without python
   * New round of cherry-picking upstream fixes
     - Includes fixes for CVE-2014-0191 (Closes: #747309).
   * Call prename with -vf
   * Require python-all-dev (>= 2.7.5-5~)
   * Bump std-ver: 3.9.4 -> 3.9.5, no change
Checksums-Sha1:
 a7101936e0888d1bb4a7087a5edf5db67ef22092 2220 libxml2_2.9.1+dfsg1-4.dsc
 6ceda384b5ad36bc187cb55fd684f97825208c5d 32980 libxml2_2.9.1+dfsg1-4.debian.tar.xz
 5cf24aa29f6ac7b1b2b47dad9f5fdcf6cf41a79e 797136 libxml2_2.9.1+dfsg1-4_amd64.deb
 a416d9caa4a578e01d59338e6e7c4922d73c4936 90582 libxml2-utils_2.9.1+dfsg1-4_amd64.deb
 d787620b73ac7c1ba9793a55376fe98684f8a6e8 120646 libxml2-utils-dbg_2.9.1+dfsg1-4_amd64.deb
 46e4276f39c0db656b24044ca1f8ec1def7228c6 689202 libxml2-dev_2.9.1+dfsg1-4_amd64.deb
 ae50b5fb8d9b2770372d21d18dc4e243c86c5635 1221708 libxml2-dbg_2.9.1+dfsg1-4_amd64.deb
 e698d9b5413e08901c2ba62dbe24a3071cf8275b 810830 libxml2-doc_2.9.1+dfsg1-4_all.deb
 2679a421b2f54c1022d847870b7b41fb046e2256 189772 python-libxml2_2.9.1+dfsg1-4_amd64.deb
 90f13f94c208bd453a2abbec2bf733a986811057 310280 python-libxml2-dbg_2.9.1+dfsg1-4_amd64.deb
Checksums-Sha256:
 f2058399dd598168a9edd07efef21d3f216dd7a9e7a85a4cbbef8068c9fc2b8c 2220 libxml2_2.9.1+dfsg1-4.dsc
 4625874af6154b945e7d020baa061649f3c2047d73d247a8a5140ef31c5ba812 32980 libxml2_2.9.1+dfsg1-4.debian.tar.xz
 05224fca7e70de7f4d1f9fc6f2828839756762e98071ef5666eb8dfd33205c43 797136 libxml2_2.9.1+dfsg1-4_amd64.deb
 facc676c4285efcd92fa2943a967691fcd0ac5a9119d67747de5c699e7ce6488 90582 libxml2-utils_2.9.1+dfsg1-4_amd64.deb
 23b8d52108f95246c131510f36e3cfe6122612a68cf099fa00c74f1a5ec56d9f 120646 libxml2-utils-dbg_2.9.1+dfsg1-4_amd64.deb
 7c177e8418debb0e628b05588d2114e5289eb211a0c40ff3fe7ebfecf5192591 689202 libxml2-dev_2.9.1+dfsg1-4_amd64.deb
 9a2bbb1f86dc1812db90bbe922e4c161305afc46658e3edd9df2bc99f6ca239f 1221708 libxml2-dbg_2.9.1+dfsg1-4_amd64.deb
 90549a7a613538ccd7a9df4c3214a20a5de883e38be869a62cfe995a295d81a7 810830 libxml2-doc_2.9.1+dfsg1-4_all.deb
 fea2593dc270ed726adc03abbf3393b052413765a60da4089ce675a32e33876b 189772 python-libxml2_2.9.1+dfsg1-4_amd64.deb
 9ff8dd5fb01af1184b57862415a9e485db61a15d2abe1cecad2d0ce0d1b5cfad 310280 python-libxml2-dbg_2.9.1+dfsg1-4_amd64.deb
Files:
 b4bb504e52cb75770d719f5520dac8f9 797136 libs standard libxml2_2.9.1+dfsg1-4_amd64.deb
 1fa93abaef5d89da1beb15d7da691795 90582 text optional libxml2-utils_2.9.1+dfsg1-4_amd64.deb
 2492c8b2897a132399bbcee92585bc36 120646 debug extra libxml2-utils-dbg_2.9.1+dfsg1-4_amd64.deb
 e856af40164a44a4e4b6d3cff14237c8 689202 libdevel optional libxml2-dev_2.9.1+dfsg1-4_amd64.deb
 deafdf7e30402d0c4afd855e3051a7c7 1221708 debug extra libxml2-dbg_2.9.1+dfsg1-4_amd64.deb
 a018b810a5d19f16f50437df080a14c3 810830 doc optional libxml2-doc_2.9.1+dfsg1-4_all.deb
 f4068e6236f122df7422f9854aa8f210 189772 python optional python-libxml2_2.9.1+dfsg1-4_amd64.deb
 4310cf067e36c7b8162be4d0e65baa19 310280 debug extra python-libxml2-dbg_2.9.1+dfsg1-4_amd64.deb
 abe59d5632bb4e40a3fd558581d97a05 2220 libs optional libxml2_2.9.1+dfsg1-4.dsc
 2879a66ea84620f7e5c567aed972fd21 32980 libs optional libxml2_2.9.1+dfsg1-4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTvHeaAAoJEGa1A/2e4BN5+vsH/jH0CsIDhljB6yLkksQ1rCuN
lNFUfXBHTMEActOLHkqffEeZ4NbRlPUgC/ybglKGgXrkOAJT9xlTcsBGkIvPpwh4
/2/NvDlZ1xAdW4mPv0rRgQ2C0a0rB3KEY3vMYOGsCxaKNF7bdsy+AJMmDZUTskpd
ZdO+SEFpCcbXsvDs0+Ndnr3eIQVQSg0rmQVoCz4IaM3NH1g+up1AQ7UzxOR4+/eS
SGB++qRG8vCf9Ele2zo3Po2yKy8jwxS4VufLuIuZ4TkKAchSNuXNImp32ORXTBG9
eyc4JihxgFGomjBiiSFlIa34CrJ2iVSnx62gYkLZMetVMm5+/Nc+fXsqC09Vt2k=
=F90d
-----END PGP SIGNATURE-----




Reply sent to Aron Xu <aron@debian.org>:
You have taken responsibility. (Sat, 12 Jul 2014 18:36:12 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 12 Jul 2014 18:36:12 GMT) (full text, mbox, link).


Message #25 received at 747309-close@bugs.debian.org (full text, mbox, reply):

From: Aron Xu <aron@debian.org>
To: 747309-close@bugs.debian.org
Subject: Bug#747309: fixed in libxml2 2.8.0+dfsg1-7+wheezy1
Date: Sat, 12 Jul 2014 18:33:18 +0000
Source: libxml2
Source-Version: 2.8.0+dfsg1-7+wheezy1

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 747309@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <aron@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 09 Jul 2014 04:18:01 +0800
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-utils-dbg libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.8.0+dfsg1-7+wheezy1
Distribution: stable-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Aron Xu <aron@debian.org>
Description: 
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 libxml2-utils-dbg - XML utilities (debug extension)
 python-libxml2 - Python bindings for the GNOME XML library
 python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 747309
Changes: 
 libxml2 (2.8.0+dfsg1-7+wheezy1) stable-security; urgency=high
 .
   * debian/patches/cve-2014-0191.patch: libxml2 could be made to consume
     resources if it processed a specially crafted file.
     (Closes: #747309, CVE-2014-0191)
Checksums-Sha1: 
 c685e8e295d7ba1e127fd0500912ff98ce2c4753 2169 libxml2_2.8.0+dfsg1-7+wheezy1.dsc
 1562b67bb4d51268344ef3e5e25981385918bff4 38887 libxml2_2.8.0+dfsg1-7+wheezy1.debian.tar.gz
 9c642ed87ef26254ca9b84a6cb3591bcffb528d1 903856 libxml2_2.8.0+dfsg1-7+wheezy1_amd64.deb
 e023f8f6ed09ad281db8f50af7a586def07b6b00 96584 libxml2-utils_2.8.0+dfsg1-7+wheezy1_amd64.deb
 63876e5c357ddb8407519aad690f7dc957fb9451 127128 libxml2-utils-dbg_2.8.0+dfsg1-7+wheezy1_amd64.deb
 a7cbff09c8caa8f29249a0251cd3b5861df306c9 900226 libxml2-dev_2.8.0+dfsg1-7+wheezy1_amd64.deb
 e292d483e30488588b3560f13f302acbe656895a 1402114 libxml2-dbg_2.8.0+dfsg1-7+wheezy1_amd64.deb
 c99530fc7cf0dffdb05a985d56c5d20105ce0691 1356592 libxml2-doc_2.8.0+dfsg1-7+wheezy1_all.deb
 03aa4e19836d36ed3fe39b34196fd50f035f75e9 345742 python-libxml2_2.8.0+dfsg1-7+wheezy1_amd64.deb
 f43866a2839356df6bf2fe461acc74f1b15e56f4 727802 python-libxml2-dbg_2.8.0+dfsg1-7+wheezy1_amd64.deb
Checksums-Sha256: 
 2e47ce36091c9197cdd22d061131fbf3fd66734233e6749fef2c34fbaf290b99 2169 libxml2_2.8.0+dfsg1-7+wheezy1.dsc
 f223988c7616dcbf16124240023767af6098e2935af2691744d22e2f9e44e655 38887 libxml2_2.8.0+dfsg1-7+wheezy1.debian.tar.gz
 5e4bc0bae6363691872aa89ac4d846cf6b8f924b31bb382d7bd18ee5fa01612d 903856 libxml2_2.8.0+dfsg1-7+wheezy1_amd64.deb
 434c29d3ee9a074abf02aad91763afdc467c433a50b3090e2c8d1c1416166d89 96584 libxml2-utils_2.8.0+dfsg1-7+wheezy1_amd64.deb
 9d029249ee9b062c677981480fa067c3926701fe131fc2d22f24e4a4555580ac 127128 libxml2-utils-dbg_2.8.0+dfsg1-7+wheezy1_amd64.deb
 34ec11c42eb24f9e50953aa417ae7cf0b8fa293d173ee398435213dd086f9884 900226 libxml2-dev_2.8.0+dfsg1-7+wheezy1_amd64.deb
 1fd51e3f672f047c09515749364ac271ac5c88e5fd5f0d015c0364bc8e4d0cba 1402114 libxml2-dbg_2.8.0+dfsg1-7+wheezy1_amd64.deb
 dc00f67504786705338e9ad3e64c86589047626780bb2312f5738716d89e3e14 1356592 libxml2-doc_2.8.0+dfsg1-7+wheezy1_all.deb
 9fce988c272f3a512a82ada18ac03253823d63dc0a8a24e4e9092152b67ba56d 345742 python-libxml2_2.8.0+dfsg1-7+wheezy1_amd64.deb
 20d6f2eaec819f8ed93771b4e5b20e10b35e8bd48564c5acf7774ba6dd2c4fbe 727802 python-libxml2-dbg_2.8.0+dfsg1-7+wheezy1_amd64.deb
Files: 
 a98b103c7e4125746272d897fd79639b 2169 libs optional libxml2_2.8.0+dfsg1-7+wheezy1.dsc
 6d834b47be63790855a9f6c12c961094 38887 libs optional libxml2_2.8.0+dfsg1-7+wheezy1.debian.tar.gz
 21d15f4a719fcfb71cd6f4d0b964aa27 903856 libs standard libxml2_2.8.0+dfsg1-7+wheezy1_amd64.deb
 d71428ecb490bbef88cb59172a03ca4e 96584 text optional libxml2-utils_2.8.0+dfsg1-7+wheezy1_amd64.deb
 3b9d164b51d502aadfa4cd3de1df374a 127128 debug extra libxml2-utils-dbg_2.8.0+dfsg1-7+wheezy1_amd64.deb
 0a3c957cbdb15dc25a91e01431fa1ee2 900226 libdevel optional libxml2-dev_2.8.0+dfsg1-7+wheezy1_amd64.deb
 60fd6db707c62ef94767ab3db15e08d0 1402114 debug extra libxml2-dbg_2.8.0+dfsg1-7+wheezy1_amd64.deb
 58a92e8e04ec7bc83793e1a0055a659d 1356592 doc optional libxml2-doc_2.8.0+dfsg1-7+wheezy1_all.deb
 34cd1281c1aa8277939a58ab801efb8c 345742 python optional python-libxml2_2.8.0+dfsg1-7+wheezy1_amd64.deb
 13b11f9df550d0e171106d1b4131c5dc 727802 debug extra python-libxml2-dbg_2.8.0+dfsg1-7+wheezy1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTvGkJAAoJEGa1A/2e4BN5rtcH/jxTCcJ5Lk6I2gxV4e9MupbH
FqYJRsaEvFDYt/UTEd/T7wr2yOh+B0VDd5WByIcw1DTgO2kAoxG+4kW4D7sP07Ri
RkIs70dVWYZDvgM+YsYBjxdhe7of1knjk2sYcBv2Epmhr/BG54MJ5zXKG1RQJ8IL
dahRP6Aa7Kxzgjbv22Dbx/lvXWvaRZbOgz1cMUVakAwUYmFP7KTiXixBV0/EI94h
dw+gU6bo0ZkeEnyEf68UUq5Cit0GJP+ZENkjvnegePL6DGu3T28PT3qM0rB6UL+A
jgBZu4FRRiRghd1eGensmTNcKsQwEKlNoHGlF0b1qp/VTRLnseeEWPKE6TCQL40=
=nWc7
-----END PGP SIGNATURE-----




Marked as fixed in versions libxml2/2.7.8.dfsg-2+squeeze9. Request was from Aron Xu <aron@debian.org> to control@bugs.debian.org. (Sat, 19 Jul 2014 16:39:19 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Aug 2014 07:26:29 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:32:27 2019; Machine Name: beach
