oss-sec mailing list archives
Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430]
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 23 Oct 2009 15:08:57 +0200
Hi Steve, Josh, vendors,

Michael Gilbert wrote:
> On Thu, 22 Oct 2009 16:04:37 +0200 Marc Schoenefeld wrote:
>> Jan Lieskovsky wrote:
>>> Hello Steve, vendors,
>>> [...]
>>> a, Does Apache Xerces2 Java contain an embedded copy of the expat library (i.e. it's completely the same issue as in expat, w3c-libwww, PyXML and others) - Marc, could you help to reply to this question?
>> Hi, the upstream patch for CVE-2009-2625 for xerces-j2 is java-only [1] and unrelated to fixes in other native C parsing libraries.

Based on the above -^ I would vote for a separate CVE identifier for the expat flaw (and its embedded copies in a dozen packages):
https://bugs.gentoo.org/show_bug.cgi?id=280615#c8
https://bugs.gentoo.org/show_bug.cgi?id=280615#c10

To remember the wording of CVE-2009-2625:
---------------------------------------
Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Argumentation for new CVE id:
-----------------------------
a, CVE-2009-2625 doesn't mention expat (just "other products", this could be fixed though)
b, The impact differs on Apache Xerces2 Java (infinite loop and application hang, 100% cpu use -- have checked unpatched java-1.6.0-openjdk) and in expat (clean crash) - gdb output attached for both testcases.

Steve, Josh, which way would be easier to follow?
i, mention expat in CVE-2009-2625, change impact to DoS (crash) via malformed XML file, which triggers UTF-8 parser crash?
or
ii. assign new CVE id for expat (and its embedded copies) with clean impact description and note that crash happens in UTF-8 parser?

Opinions, ACKs, NACKs appreciated.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> hi,
>
> Mandriva and Gentoo used CVE-2009-2625 as their reference CVE for the expat fixes. Debian is also currently tracking the issue with this CVE for the time being. however, we have not yet released fixed packages.
>
> mike
pythontest1.xml:
---------------
Core was generated by `xmlwf pythontest1.xml'.
Program terminated with signal 11, Segmentation fault.
[New process 30314]
#0  big2_updatePosition (enc=0x2a4940, ptr=0x9ff5000 <Address 0x9ff5000 out of bounds>, end=0x9fd4be3 "", pos=0x9fd41a0) at lib/xmltok_impl.c:1748
1748          switch (BYTE_TYPE(enc, ptr)) {
(gdb) bt
#0  big2_updatePosition (enc=0x2a4940, ptr=0x9ff5000 <Address 0x9ff5000 out of bounds>, end=0x9fd4be3 "", pos=0x9fd41a0) at lib/xmltok_impl.c:1748
#1  0x002808f1 in XML_GetCurrentColumnNumber (parser=0x9fd4008) at lib/xmlparse.c:1803
#2  0x0804b340 in reportError (parser=0x9fd4008, filename=0xbf8f2662 "pythontest1.xml") at xmlwf/xmlfile.c:66
#3  0x0804b6e2 in processFile (data=0xb78fa000, size=3, filename=0xbf8f2662 "pythontest1.xml", args=0xbf8f16f0) at xmlwf/xmlfile.c:83
#4  0x0804b9cf in filemap (name=0xbf8f2662 "pythontest1.xml", processor=0x804b680 <processFile>, arg=0xbf8f16f0) at xmlwf/unixfilemap.c:61
#5  0x0804b5ef in XML_ProcessFile (parser=0x9fd4008, filename=0xbf8f2662 "pythontest1.xml", flags=1) at xmlwf/xmlfile.c:238
#6  0x08049692 in main (argc=2, argv=Cannot access memory at address 0x9ff5004
) at xmlwf/xmlwf.c:847

pythontest2.xml:
---------------
Core was generated by `xmlwf pythontest2.xml'.
Program terminated with signal 11, Segmentation fault.
[New process 30322]
#0  normal_updatePosition (enc=0x2a38a0, ptr=0x8a87000 <Address 0x8a87000 out of bounds>, end=0x8a66bee "\205='1.0'?>\r\n", pos=0x8a661a0) at lib/xmltok_impl.c:1748
1748          switch (BYTE_TYPE(enc, ptr)) {
(gdb) bt
#0  normal_updatePosition (enc=0x2a38a0, ptr=0x8a87000 <Address 0x8a87000 out of bounds>, end=0x8a66bee "\205='1.0'?>\r\n", pos=0x8a661a0) at lib/xmltok_impl.c:1748
#1  0x002808f1 in XML_GetCurrentColumnNumber (parser=0x8a66008) at lib/xmlparse.c:1803
#2  0x0804b340 in reportError (parser=0x8a66008, filename=0xbfcc3662 "pythontest2.xml") at xmlwf/xmlfile.c:66
#3  0x0804b6e2 in processFile (data=0xb772c000, size=25, filename=0xbfcc3662 "pythontest2.xml", args=0xbfcc3070) at xmlwf/xmlfile.c:83
#4  0x0804b9cf in filemap (name=0xbfcc3662 "pythontest2.xml", processor=0x804b680 <processFile>, arg=0xbfcc3070) at xmlwf/unixfilemap.c:61
#5  0x0804b5ef in XML_ProcessFile (parser=0x8a66008, filename=0xbfcc3662 "pythontest2.xml", flags=1) at xmlwf/xmlfile.c:238
#6  0x08049692 in main (argc=2, argv=0x20407) at xmlwf/xmlwf.c:847
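Both traces above die in a `*_updatePosition` routine with `ptr` far beyond `end` while `XML_GetCurrentColumnNumber` is recomputing the error position over the input. The example below is an added illustration of that failure class and is not expat's code nor code from the thread: it assumes (an inference from the traces, not a fact the page states) a line/column counter that advances by the byte length of each UTF-8 sequence and stops only on `ptr != end`, so a document truncated inside a multi-byte sequence carries `ptr` past `end` and the loop never terminates. `naive_overshoot` reproduces that arithmetic on offsets alone, without dereferencing anything past the buffer, and `update_position` is the hardened form: it loops on `ptr < end`, checks that the whole sequence fits before stepping over it, and reports truncated input instead of reading beyond the buffer. All sample documents are constructed.

```c
/* Added illustration (not expat's code) of the failure class visible in the
 * gdb traces above: a line/column counter that advances by the length of each
 * UTF-8 sequence must check that the whole sequence fits inside [ptr, end)
 * before stepping over it, or a truncated trailing sequence carries ptr past
 * end. The loop shapes below are constructed for this illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    size_t line;    /* 1-based line number */
    size_t column;  /* code points seen since the last line break */
} position_t;

/* Length in bytes of the UTF-8 sequence introduced by this lead byte.
 * Stray continuation bytes and the invalid range 0xF8..0xFF count as 1 so
 * that the counter resynchronises on the next byte instead of skipping. */
static size_t utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80)           return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 1;
}

/* Simulates, on offsets only (nothing past the buffer is ever read), how a
 * loop that steps "ptr += seq_len" and stops only on "ptr != end" would
 * behave. Returns the number of bytes by which ptr would land past end;
 * 0 means the loop would have terminated cleanly. A non-zero result is the
 * overrun class in the traces: once past end, "ptr != end" stays true. */
size_t naive_overshoot(const unsigned char *buf, size_t len)
{
    size_t off = 0;
    while (off < len)                 /* bounded here only so the demo is safe */
        off += utf8_seq_len(buf[off]);
    return off - len;
}

/* Hardened counter. Returns 0 on success and -1 if the buffer ends inside a
 * multi-byte sequence, so the caller can report malformed input instead of
 * reading beyond end. */
int update_position(const unsigned char *buf, size_t len, position_t *pos)
{
    const unsigned char *ptr = buf;
    const unsigned char *end = buf + len;

    pos->line = 1;
    pos->column = 0;
    while (ptr < end) {               /* '<' rather than '!=' tolerates overshoot */
        size_t n = utf8_seq_len(*ptr);
        if ((size_t)(end - ptr) < n)
            return -1;                /* truncated sequence: refuse to step past end */
        if (*ptr == '\n') {
            pos->line++;
            pos->column = 0;
        } else if (*ptr == '\r') {
            pos->line++;
            pos->column = 0;
            if (end - ptr > 1 && ptr[1] == '\n')
                n = 2;                /* CRLF is a single line break */
        } else {
            pos->column++;            /* one column per code point, not per byte */
        }
        ptr += n;
    }
    return 0;
}

/* Demo helper: does the hardened counter accept s and report line/column? */
int position_is(const char *s, size_t line, size_t column)
{
    position_t p;
    if (update_position((const unsigned char *)s, strlen(s), &p) != 0)
        return 0;
    return p.line == line && p.column == column;
}

/* Demo helper: does the hardened counter reject s as truncated? */
int position_rejects(const char *s)
{
    position_t p;
    return update_position((const unsigned char *)s, strlen(s), &p) == -1;
}

int main(void)
{
    /* Constructed samples: a well-formed prolog, a valid 2-byte sequence, and
     * documents cut off inside a 2-byte and a 4-byte sequence. */
    const char *ok   = "<?xml version='1.0'?>\r\n<a/>";
    const char *utf8 = "<a>\xC3\xA9</a>";
    const char *cut2 = "<a>\xC3";
    const char *cut4 = "<a>\xF0\x9F";

    printf("ok:   accepted=%d\n", position_is(ok, 2, 4));
    printf("utf8: accepted=%d overshoot=%zu\n", position_is(utf8, 1, 8),
           naive_overshoot((const unsigned char *)utf8, strlen(utf8)));
    printf("cut2: rejected=%d overshoot=%zu\n", position_rejects(cut2),
           naive_overshoot((const unsigned char *)cut2, strlen(cut2)));
    printf("cut4: rejected=%d overshoot=%zu\n", position_rejects(cut4),
           naive_overshoot((const unsigned char *)cut4, strlen(cut4)));
    return 0;
}
```

The defensive point is the pair of checks in `update_position`: the loop condition must be an inequality that still holds once `ptr` has jumped ahead, and the remaining length must be compared against the sequence length before the step, because the error-reporting path (frames #1 and #2 in the traces) runs exactly when the input is already known to be malformed and a trailing lead byte is therefore to be expected.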
Current thread:
- Regarding expat bug 1990430 Jan Lieskovsky (Oct 22)
- Re: Regarding expat bug 1990430 Marc Schoenefeld (Oct 22)
- Re: Re: Regarding expat bug 1990430 Michael Gilbert (Oct 22)
- Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430] Jan Lieskovsky (Oct 23)
- Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430] CERT-FI Vulnerability Co-ordination (Oct 26)
- Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430] Mark J Cox (Oct 28)
- Re: Re: Regarding expat bug 1990430 Michael Gilbert (Oct 22)
- Re: Regarding expat bug 1990430 Marc Schoenefeld (Oct 22)