mxml: CVE-2016-4570 CVE-2016-4571: Stack exhaustion

Related Vulnerabilities: CVE-2016-4570   CVE-2016-4571  

Debian Bug report logs - #825855

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 30 May 2016 19:45:02 UTC

Severity: important

Tags: security, upstream

Found in version mxml/2.6-2

Fixed in version mxml/2.9-2

Done: Alastair McKinstry <mckinstry@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://www.msweet.org/bugs.php?U549


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Luis Uribe <acme@eviled.org>:
Bug#825855; Package src:mxml. (Mon, 30 May 2016 19:45:06 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Luis Uribe <acme@eviled.org>. (Mon, 30 May 2016 19:45:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mxml: CVE-2016-4570 CVE-2016-4571: Stack exhaustion
Date: Mon, 30 May 2016 21:41:10 +0200
Source: mxml
Version: 2.6-2
Severity: important
Tags: security upstream
Forwarded: http://www.msweet.org/bugs.php?U549

Hi,

the following vulnerabilities were published for mxml.

CVE-2016-4570[0]:
Recursion using mxmlDelete at mxml-node.c:217 (stack-exhaustion-1.xml)

CVE-2016-4571[1]:
Recursion using mxml_write_node at mxml-file.c:2739 (stack-exhaustion-2.xml)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-4570
[1] https://security-tracker.debian.org/tracker/CVE-2016-4571
[2] http://www.msweet.org/bugs.php?U549
[3] http://seclists.org/oss-sec/2016/q2/276
[4] http://seclists.org/oss-sec/2016/q2/325

Regards,
Salvatore
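
As an added illustration (not part of the bug report, and not the mxml patch, whose contents this log does not show): the bug class behind CVE-2016-4570, a recursive tree delete whose stack use grows with document nesting, beside an iterative delete that follows parent pointers and uses constant stack. The `node_t` layout and all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical node layout (not mxml's real struct): first child, next sibling. */
typedef struct node { struct node *parent, *child, *next; } node_t;

/* Allocate a node and push it onto the front of parent's child list. */
static node_t *node_new(node_t *parent) {
    node_t *n = calloc(1, sizeof *n);
    if (n && parent) { n->parent = parent; n->next = parent->child; parent->child = n; }
    return n;
}

/* Constructed input: `depth` nested levels, one extra leaf per level. */
static node_t *build_nested(size_t depth) {
    node_t *root = node_new(NULL), *cur = root;
    for (size_t i = 1; cur && i < depth; i++) { node_new(cur); cur = node_new(cur); }
    return root;
}

/* Recursive delete: one stack frame per nesting level of the (untrusted) input. */
static size_t delete_recursive(node_t *n) {
    size_t freed = 1;
    for (node_t *c = n->child, *nx; c; c = nx) {
        nx = c->next;
        freed += delete_recursive(c);
    }
    free(n);
    return freed;
}

/* Iterative post-order delete of a detached tree: constant stack at any depth. */
static size_t delete_iterative(node_t *root) {
    size_t freed = 0;
    for (node_t *n = root, *up; n; n = up) {
        if (n->child) { up = n->child; continue; }   /* descend to a leaf first */
        up = (n == root) ? NULL : (n->next ? n->next : n->parent);
        if (n != root && !n->next) n->parent->child = NULL;  /* all children freed */
        free(n);
        freed++;
    }
    return freed;
}

int main(void) {
    printf("recursive, depth 3: %zu freed\n", delete_recursive(build_nested(3)));
    printf("iterative, depth 200000: %zu freed\n", delete_iterative(build_nested(200000)));
    return 0;
}
```

The recursive variant is only run on a shallow tree here; a parent-pointer walk of the same shape also removes the per-level stack frame from a tree writer, the path named in CVE-2016-4571.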



Reply sent to Alastair McKinstry <mckinstry@debian.org>:
You have taken responsibility. (Fri, 10 Jun 2016 12:09:09 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 10 Jun 2016 12:09:09 GMT).


Message #10 received at 825855-close@bugs.debian.org:

From: Alastair McKinstry <mckinstry@debian.org>
To: 825855-close@bugs.debian.org
Subject: Bug#825855: fixed in mxml 2.9-1
Date: Fri, 10 Jun 2016 12:04:14 +0000
Source: mxml
Source-Version: 2.9-1

We believe that the bug you reported is fixed in the latest version of
mxml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 825855@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alastair McKinstry <mckinstry@debian.org> (supplier of updated mxml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 10 Jun 2016 10:51:01 +0100
Source: mxml
Binary: libmxml-dev libmxml1
Architecture: source amd64
Version: 2.9-1
Distribution: sid
Urgency: medium
Maintainer: Alastair McKinstry <mckinstry@debian.org>
Changed-By: Alastair McKinstry <mckinstry@debian.org>
Description:
 libmxml-dev - small XML parsing library (development)
 libmxml1   - small XML parsing library (runtime)
Closes: 784865 825855
Changes:
 mxml (2.9-1) unstable; urgency=medium
 .
   * New maintainer. Mark Luis Uribe as Uploader. Closes: #784865
   * New upstream release
    - refreshed patches.
    - 04_minor_version.diff: correct minor version 8->9
   * Patch to fix security issues due to recursion in mxmlDelete. Closes: #825855.
     CVE-2016-4570
     CVE-2016-4571
   * Include updated debian/watch file
   * New Standards-Version: 3.9.8. No changes required




Information forwarded to debian-bugs-dist@lists.debian.org, Luis Uribe <acme@eviled.org>:
Bug#825855; Package src:mxml. (Fri, 10 Jun 2016 16:00:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Luis Uribe <acme@eviled.org>. (Fri, 10 Jun 2016 16:00:03 GMT).


Message #15 received at 825855@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 825855@bugs.debian.org
Subject: Re: Bug#825855 closed by Alastair McKinstry <mckinstry@debian.org> (Bug#825855: fixed in mxml 2.9-1)
Date: Fri, 10 Jun 2016 17:58:07 +0200
Control: reopen -1

Hi,

I just checked again, CVE-2016-4571 part at least is not yet fixed.
Building mxml with ASan leads to the following with the
stack-exhaustion-2.xml reproducer:

==10554==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe8f42ce88 (pc 0x7f67a5de43e4 bp 0x7ffe8f42d6f0 sp 0x7ffe8f42ce90 T0)
    #0 0x7f67a5de43e3 in strlen (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x6d3e3)
    #1 0x40c499 in mxml_write_node /root/mxml-2.9/mxml-file.c:2749
    #2 0x40c931 in mxml_write_node /root/mxml-2.9/mxml-file.c:2811
    #3 0x40c931 in mxml_write_node /root/mxml-2.9/mxml-file.c:2811
    #4 0x40c931 in mxml_write_node /root/mxml-2.9/mxml-file.c:2811
[...]
    #246 0x40c931 in mxml_write_node /root/mxml-2.9/mxml-file.c:2811
    #247 0x40c931 in mxml_write_node /root/mxml-2.9/mxml-file.c:2811
    #248 0x40c931 in mxml_write_node /root/mxml-2.9/mxml-file.c:2811
    #249 0x40c931 in mxml_write_node /root/mxml-2.9/mxml-file.c:2811
    #250 0x40c931 in mxml_write_node /root/mxml-2.9/mxml-file.c:2811
    #251 0x40c931 in mxml_write_node /root/mxml-2.9/mxml-file.c:2811

SUMMARY: AddressSanitizer: stack-overflow ??:0 strlen
==10554==ABORTING

Regards,
Salvatore



Bug reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to 825855-submit@bugs.debian.org. (Fri, 10 Jun 2016 16:00:03 GMT).


No longer marked as fixed in versions mxml/2.9-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 825855-submit@bugs.debian.org. (Fri, 10 Jun 2016 16:00:04 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Luis Uribe <acme@eviled.org>:
Bug#825855; Package src:mxml. (Fri, 10 Jun 2016 16:06:07 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Luis Uribe <acme@eviled.org>. (Fri, 10 Jun 2016 16:06:07 GMT).


Message #24 received at 825855@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 825855@bugs.debian.org
Subject: Re: Bug#825855: closed by Alastair McKinstry <mckinstry@debian.org> (Bug#825855: fixed in mxml 2.9-1)
Date: Fri, 10 Jun 2016 18:03:23 +0200

Hi,

But CVE-2016-4570 seems addressed with the applied patch. I have
updated the security-tracker accordingly.

Regards,
Salvatore



Reply sent to Alastair McKinstry <mckinstry@debian.org>:
You have taken responsibility. (Sat, 11 Jun 2016 07:21:08 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 11 Jun 2016 07:21:09 GMT).


Message #29 received at 825855-close@bugs.debian.org:

From: Alastair McKinstry <mckinstry@debian.org>
To: 825855-close@bugs.debian.org
Subject: Bug#825855: fixed in mxml 2.9-2
Date: Sat, 11 Jun 2016 07:19:15 +0000
Source: mxml
Source-Version: 2.9-2

We believe that the bug you reported is fixed in the latest version of
mxml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 825855@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alastair McKinstry <mckinstry@debian.org> (supplier of updated mxml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 11 Jun 2016 07:31:20 +0100
Source: mxml
Binary: libmxml-dev libmxml1
Architecture: source amd64
Version: 2.9-2
Distribution: sid
Urgency: medium
Maintainer: Alastair McKinstry <mckinstry@debian.org>
Changed-By: Alastair McKinstry <mckinstry@debian.org>
Description:
 libmxml-dev - small XML parsing library (development)
 libmxml1   - small XML parsing library (runtime)
Closes: 825855
Changes:
 mxml (2.9-2) unstable; urgency=medium
 .
   * Missing second patch for recursion fix. Closes: #825855.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 14 Jul 2016 07:31:57 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:07:18 2019; Machine Name: buxtehude