oss-sec mailing list archives
Regarding expat bug 1990430
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 22 Oct 2009 15:35:58 +0200
Hello Steve, vendors,

this is due: [1] http://thread.gmane.org/gmane.comp.security.oss.general/2025/focus=2032

1, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2473
   Patch: https://bugzilla.redhat.com/attachment.cgi?id=357950

2, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955
   Patch: http://marc.info/?l=apr-dev&m=124396021826125&w=2

   When looking at the patches, while the source code bases (patches) are
   different, the XML reproducer is the same - so is different source code
   sufficient to distinguish the CVE ids, or should they be merged?

3, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1885
   Patch: http://svn.apache.org/viewvc/xerces/c/trunk/src/xercesc/validators/DTD/DTDScanner.cpp?r1=709149&r2=781488&pathrev=781488

   The testcases here were provided by CERT-FI and are the same as for:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2414
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2416

   But different CVE identifiers needed to be used, due to the fact that the
   CVE-2009-1885 issue was disclosed earlier than other vendors were prepared
   to release libxml2 updates. They also affect different code bases:
   CVE-2009-1885 Apache Xerces C++, while CVE-2009-2414, CVE-2009-2416
   libxml / libxml2.

4, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
   CVE originally assigned to Apache Xerces2 Java (does it embed its own copy
   of expat?), but also reported as an expat issue here:
   http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?view=log

   Expat patch:
   http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch

   The expat library is embedded also in:
   a, w3c-libwww http://www.w3.org/Library
   b, PyXML http://pyxml.sourceforge.net/

   And probably also in other packages (still need to get the complete list).

   In this case, the reproducer, code base and patch are the same, just the
   expat library is embedded in multiple other products.

   Two questions remain to be answered here:
   a, Does Apache Xerces2 Java contain an embedded copy of the expat library
      (i.e. it's completely the same issue as in expat, w3c-libwww, PyXML and
      others) - Marc, could you help to reply to this question?
   b, Can we use CVE-2009-2625 to reference the expat, w3c-libwww (expat),
      PyXML (expat) issues too, or does another one need to be assigned for
      these? (But the decision depends on the answer to the previous question.)

Hoping this will bring at least a little bit more light into the above [1]
doubts.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team