Debian Bug report logs -
#660846
libxml2: CVE-2012-0841 computational DoS attack via hash collisions
Reported by: Nico Golde <nion@debian.org>
Date: Wed, 22 Feb 2012 10:01:26 UTC
Severity: grave
Tags: patch, security
Found in version libxml2/2.7.8.dfsg-7
Fixed in versions libxml2/2.7.8.dfsg-2+squeeze3, libxml2/2.7.8.dfsg-8
Done: Aron Xu <aron@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#660846; Package src:libxml2.
(Wed, 22 Feb 2012 10:01:29 GMT) (full text, mbox, link).
Acknowledgement sent
to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>.
(Wed, 22 Feb 2012 10:01:48 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Source: libxml2
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libxml2.
CVE-2012-0841[0]:
| Juraj Somorovsky reported that certain XML parsers/servers are affected by the
| same, or similar, flaw as the hash table collisions CPU usage denial of
| service. Sending a specially crafted message to an XML service can result in
| longer processing time, which could lead to a denial of service. It is
| reported that this attack on XML can be applied on different XML nodes (such as
| entities, element attributes, namespaces, various elements in the XML security,
| etc.).
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Patch: http://git.gnome.org/browse/libxml2/commit/?id=8973d58b7498fa5100a876815476b81fd1a2412a
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0841
http://security-tracker.debian.org/tracker/CVE-2012-0841
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Reply sent
to Nico Golde <nion@debian.org>:
You have taken responsibility.
(Thu, 23 Feb 2012 22:51:09 GMT) (full text, mbox, link).
Notification sent
to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.
(Thu, 23 Feb 2012 22:51:09 GMT) (full text, mbox, link).
Message #10 received at 660846-close@bugs.debian.org (full text, mbox, reply):
Source: libxml2
Source-Version: 2.7.8.dfsg-2+squeeze3
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive:
libxml2-dbg_2.7.8.dfsg-2+squeeze3_amd64.deb
to main/libx/libxml2/libxml2-dbg_2.7.8.dfsg-2+squeeze3_amd64.deb
libxml2-dev_2.7.8.dfsg-2+squeeze3_amd64.deb
to main/libx/libxml2/libxml2-dev_2.7.8.dfsg-2+squeeze3_amd64.deb
libxml2-doc_2.7.8.dfsg-2+squeeze3_all.deb
to main/libx/libxml2/libxml2-doc_2.7.8.dfsg-2+squeeze3_all.deb
libxml2-utils_2.7.8.dfsg-2+squeeze3_amd64.deb
to main/libx/libxml2/libxml2-utils_2.7.8.dfsg-2+squeeze3_amd64.deb
libxml2_2.7.8.dfsg-2+squeeze3.diff.gz
to main/libx/libxml2/libxml2_2.7.8.dfsg-2+squeeze3.diff.gz
libxml2_2.7.8.dfsg-2+squeeze3.dsc
to main/libx/libxml2/libxml2_2.7.8.dfsg-2+squeeze3.dsc
libxml2_2.7.8.dfsg-2+squeeze3_amd64.deb
to main/libx/libxml2/libxml2_2.7.8.dfsg-2+squeeze3_amd64.deb
python-libxml2-dbg_2.7.8.dfsg-2+squeeze3_amd64.deb
to main/libx/libxml2/python-libxml2-dbg_2.7.8.dfsg-2+squeeze3_amd64.deb
python-libxml2_2.7.8.dfsg-2+squeeze3_amd64.deb
to main/libx/libxml2/python-libxml2_2.7.8.dfsg-2+squeeze3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 660846@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 22 Feb 2012 11:17:27 +0000
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.7.8.dfsg-2+squeeze3
Distribution: stable-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
libxml2 - GNOME XML library
libxml2-dbg - Debugging symbols for the GNOME XML library
libxml2-dev - Development files for the GNOME XML library
libxml2-doc - Documentation for the GNOME XML library
libxml2-utils - XML utilities
python-libxml2 - Python bindings for the GNOME XML library
python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 660846
Changes:
libxml2 (2.7.8.dfsg-2+squeeze3) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Apply upstream patch to add randomization to hashing with large
dictionaries to mitigate hash DoS (CVE-2012-0841; Closes: #660846).
Checksums-Sha1:
73b619ec0bfc82bb6133e5124d609c7ba017d152 1554 libxml2_2.7.8.dfsg-2+squeeze3.dsc
025c3809163020b3f474c1e2d056bc0252ae31ad 115560 libxml2_2.7.8.dfsg-2+squeeze3.diff.gz
4db63f7da57bfeb346d0717dba2df70a8bc25d68 873848 libxml2_2.7.8.dfsg-2+squeeze3_amd64.deb
839125aabe55da6222ac9667332e600968b09d34 93986 libxml2-utils_2.7.8.dfsg-2+squeeze3_amd64.deb
b82e22c67091acb3961c6be01289839b638601ab 831542 libxml2-dev_2.7.8.dfsg-2+squeeze3_amd64.deb
50c0f576dac8f0372a8643e7a33b3b8eb8d1051c 989320 libxml2-dbg_2.7.8.dfsg-2+squeeze3_amd64.deb
50a3ea8b29185967aaf33783ff923eee0acbf194 1377788 libxml2-doc_2.7.8.dfsg-2+squeeze3_all.deb
c308d7551f4daf415270e0c348ab1554c462f6f2 340116 python-libxml2_2.7.8.dfsg-2+squeeze3_amd64.deb
4b9d291a0f5bc6c7fd11f5d53217a5b60bb8b940 870856 python-libxml2-dbg_2.7.8.dfsg-2+squeeze3_amd64.deb
Checksums-Sha256:
ba6982be741fd3b9e27ca212a08eb9cf7cf256b2a35f6ee820b175b1f7021af6 1554 libxml2_2.7.8.dfsg-2+squeeze3.dsc
ff12f6d7fa621ddb9aa582e252fccad73a048b71de718ecd709c36a53682f94a 115560 libxml2_2.7.8.dfsg-2+squeeze3.diff.gz
332f1881d1f1c8d17fa121071ddd9c47f12f86939d0910b1ff72027826d88db5 873848 libxml2_2.7.8.dfsg-2+squeeze3_amd64.deb
c518a02e56a48cd4352b33c2fd1c57173e1b6be905d68ca7f0aeedb78c4e0058 93986 libxml2-utils_2.7.8.dfsg-2+squeeze3_amd64.deb
ab60c2c46cea9ca1a1d16cd2f90f3fc217660f72de5384e9281caf25322fbb56 831542 libxml2-dev_2.7.8.dfsg-2+squeeze3_amd64.deb
88ae025012802e27b2d308d71d7923bd6c0e31c19b6b0d37fad50c23805af188 989320 libxml2-dbg_2.7.8.dfsg-2+squeeze3_amd64.deb
3bcd84132bf634c89a9d1efbe554b9f96b9a1832229811c18e98adda49759057 1377788 libxml2-doc_2.7.8.dfsg-2+squeeze3_all.deb
b1e7036ba8be4307d5d523f80551cfc4bc781d684aee9b3853e48af6a59a3eda 340116 python-libxml2_2.7.8.dfsg-2+squeeze3_amd64.deb
6d3175e89d0e71586711e8788e30c1d6c9551b803cd3dcfd431b35f149cdb05f 870856 python-libxml2-dbg_2.7.8.dfsg-2+squeeze3_amd64.deb
Files:
648d6a433e3cae1b840b3e652f9b00f3 1554 libs optional libxml2_2.7.8.dfsg-2+squeeze3.dsc
89e0ba2ed58ad5571d1a5bfd1fc2a107 115560 libs optional libxml2_2.7.8.dfsg-2+squeeze3.diff.gz
ce56939b3c0ed6e9dfd72e492ce0a634 873848 libs standard libxml2_2.7.8.dfsg-2+squeeze3_amd64.deb
62b8a6b7d2de80cf898e5e1a5c53c9d7 93986 text optional libxml2-utils_2.7.8.dfsg-2+squeeze3_amd64.deb
666de2862e437adff10052e3a922bf62 831542 libdevel optional libxml2-dev_2.7.8.dfsg-2+squeeze3_amd64.deb
086d317880f3bc8feac2e3937bf458dc 989320 debug extra libxml2-dbg_2.7.8.dfsg-2+squeeze3_amd64.deb
68238890d91902a49205e2fe9d64554e 1377788 doc optional libxml2-doc_2.7.8.dfsg-2+squeeze3_all.deb
ff47be0c80a754904cd03ae4252e227c 340116 python optional python-libxml2_2.7.8.dfsg-2+squeeze3_amd64.deb
b6e775c41c15465e8a6b59c052a30d25 870856 debug extra python-libxml2-dbg_2.7.8.dfsg-2+squeeze3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk9E1bUACgkQHYflSXNkfP+gnwCghECefXoZky+S+cZjdd8OG4u5
tc0An2kQ48rXwEy5sBvzY8c9tfDvmqKM
=Zqt0
-----END PGP SIGNATURE-----
Marked as found in versions libxml2/2.7.8.dfsg-7 and reopened.
Request was from Adrian Bunk <bunk@stusta.de>
to control@bugs.debian.org.
(Sat, 17 Mar 2012 08:42:03 GMT) (full text, mbox, link).
Reply sent
to Aron Xu <aron@debian.org>:
You have taken responsibility.
(Thu, 12 Apr 2012 06:33:10 GMT) (full text, mbox, link).
Notification sent
to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.
(Thu, 12 Apr 2012 06:33:10 GMT) (full text, mbox, link).
Message #17 received at 660846-close@bugs.debian.org (full text, mbox, reply):
Source: libxml2
Source-Version: 2.7.8.dfsg-8
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive:
libxml2-dbg_2.7.8.dfsg-8_amd64.deb
to main/libx/libxml2/libxml2-dbg_2.7.8.dfsg-8_amd64.deb
libxml2-dev_2.7.8.dfsg-8_amd64.deb
to main/libx/libxml2/libxml2-dev_2.7.8.dfsg-8_amd64.deb
libxml2-doc_2.7.8.dfsg-8_all.deb
to main/libx/libxml2/libxml2-doc_2.7.8.dfsg-8_all.deb
libxml2-utils_2.7.8.dfsg-8_amd64.deb
to main/libx/libxml2/libxml2-utils_2.7.8.dfsg-8_amd64.deb
libxml2_2.7.8.dfsg-8.diff.gz
to main/libx/libxml2/libxml2_2.7.8.dfsg-8.diff.gz
libxml2_2.7.8.dfsg-8.dsc
to main/libx/libxml2/libxml2_2.7.8.dfsg-8.dsc
libxml2_2.7.8.dfsg-8_amd64.deb
to main/libx/libxml2/libxml2_2.7.8.dfsg-8_amd64.deb
python-libxml2-dbg_2.7.8.dfsg-8_amd64.deb
to main/libx/libxml2/python-libxml2-dbg_2.7.8.dfsg-8_amd64.deb
python-libxml2_2.7.8.dfsg-8_amd64.deb
to main/libx/libxml2/python-libxml2_2.7.8.dfsg-8_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 660846@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aron Xu <aron@debian.org> (supplier of updated libxml2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 12 Apr 2012 09:19:04 +0800
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2 python-libxml2-dbg
Architecture: source amd64 all
Version: 2.7.8.dfsg-8
Distribution: unstable
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Aron Xu <aron@debian.org>
Description:
libxml2 - GNOME XML library
libxml2-dbg - Debugging symbols for the GNOME XML library
libxml2-dev - Development files for the GNOME XML library
libxml2-doc - Documentation for the GNOME XML library
libxml2-utils - XML utilities
python-libxml2 - Python bindings for the GNOME XML library
python-libxml2-dbg - Python bindings for the GNOME XML library (debug extension)
Closes: 654176 660846
Changes:
libxml2 (2.7.8.dfsg-8) unstable; urgency=high
.
* New maintainer (Closes: #654176).
* Apply upstream patch to add randomization to hashing with large
dictionaries to mitigate hash DoS (CVE-2012-0841; Closes: #660846)
* Bump std-ver to 3.9.3, no change needed.
Checksums-Sha1:
d81d24ece272aa7f516e99f75192a1bb9e949a79 2053 libxml2_2.7.8.dfsg-8.dsc
e2f4f587a66c3bf9af6da6a765d7076c6866d201 124501 libxml2_2.7.8.dfsg-8.diff.gz
e0fd80bdc46ffce51018d412cd6a0f0d3ba7900d 894152 libxml2_2.7.8.dfsg-8_amd64.deb
cd09bc614b2752bd11c648c21d806f7d1ced4c3a 93708 libxml2-utils_2.7.8.dfsg-8_amd64.deb
11f8c494d80aae3c1f20a6442d14819a014281a3 855480 libxml2-dev_2.7.8.dfsg-8_amd64.deb
1af147eb0f6b1da75c5c73d737637a81669f9d3e 1151736 libxml2-dbg_2.7.8.dfsg-8_amd64.deb
a132de8e42a0a53ae2a711e453cdf858055cfff6 1345142 libxml2-doc_2.7.8.dfsg-8_all.deb
0a53667b1b8e3df1b3f0f90167e9ea5df5085345 340184 python-libxml2_2.7.8.dfsg-8_amd64.deb
c9bac5ae6e6d4e8eecf6a418027314e2e9d5fd68 860232 python-libxml2-dbg_2.7.8.dfsg-8_amd64.deb
Checksums-Sha256:
7d0103172f2897b9d92c6f37eedaa0f41726b501d13c25dcccebf27195cc8170 2053 libxml2_2.7.8.dfsg-8.dsc
30e8d2e56d204c0f9a762f04c8908e4a39420c252324742311e40db2a6034258 124501 libxml2_2.7.8.dfsg-8.diff.gz
4749b1e573ccc1dffae7ab1cef943e268ff465587c4f0e8c93c3015ae7e6c690 894152 libxml2_2.7.8.dfsg-8_amd64.deb
30923a7230e129f5a9447c14bdc8ff4dc3c54eeb5a0c367df441d4701e7f9615 93708 libxml2-utils_2.7.8.dfsg-8_amd64.deb
5493dcacbbb2f03791b8d8c40a3e03a83f0d02b1127799a0e3574b0a183c3b2b 855480 libxml2-dev_2.7.8.dfsg-8_amd64.deb
a5698822375aade7f1552f5b9ab1770e7ead07661cbbf3e3868042bdae13e1bf 1151736 libxml2-dbg_2.7.8.dfsg-8_amd64.deb
2eaa3326b120e9baf441845063e80dc33181da0abba0109c9de6aae35a6f36ac 1345142 libxml2-doc_2.7.8.dfsg-8_all.deb
0ac66f81270cbcd0c34c440e5aeb8d0503a122bb1398d0cf4ff60e3f791ab3c0 340184 python-libxml2_2.7.8.dfsg-8_amd64.deb
6ccda8d42d4867058bde5fb2f51ac825b03b55e20c44ca8b72e1862b1dc5384e 860232 python-libxml2-dbg_2.7.8.dfsg-8_amd64.deb
Files:
f516059832f36646237402a4787a36ab 2053 libs optional libxml2_2.7.8.dfsg-8.dsc
3f030c9d6d817a0541d6072cf2f15305 124501 libs optional libxml2_2.7.8.dfsg-8.diff.gz
1f6fc4061ddf6a6fdaf7f26c3ed83e2d 894152 libs standard libxml2_2.7.8.dfsg-8_amd64.deb
15786bebbb808f873f57a4bc7c6204ae 93708 text optional libxml2-utils_2.7.8.dfsg-8_amd64.deb
1443bc3504d0d724872de92ec99150af 855480 libdevel optional libxml2-dev_2.7.8.dfsg-8_amd64.deb
2216f4459d3039e323aa366cf1056e0e 1151736 debug extra libxml2-dbg_2.7.8.dfsg-8_amd64.deb
89886813a53887c05e7cbc63716cf9ba 1345142 doc optional libxml2-doc_2.7.8.dfsg-8_all.deb
796a4f39b4a52979eb70c63177611ecd 340184 python optional python-libxml2_2.7.8.dfsg-8_amd64.deb
12079f779d5a7d518e3827b681af8b55 860232 debug extra python-libxml2-dbg_2.7.8.dfsg-8_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQEcBAEBAgAGBQJPhnRwAAoJEIAhAkTu07wN1ykH/jF8qk6erFI3c2NgZlwWWBt+
tXVgaG9nkWFu/Auz35FAntbMyfnoCl2g71yNpzj4WcKeD2WeF0xtB35jU//zn8jN
Nnzmj/0DKnkPu9BELer565dYhuz7kwizCCMwbZzQKfg5hQFOgfceYt6nE6vvJ59V
jhnSqM8mGqQHgF4XeV67nMXCbS/mfPako/oeK6IlceLucUVYP4VVfG6NWqaOsqDS
FFP+ADXc82hSo3aJRRk54S5gaAKgF3PuCS0u/jYC7Cbt5rg6XzrE53cFThgbvNY/
s1XQ8XAPvm/VXwxOsibCPprLFaM5M50d05l+rkXpd1BvCtFS2lv82VcB+avlgz8=
=rgPB
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 10 May 2012 07:41:08 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:28:33 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon