[xml/sgml] [CAN-2004-0989] libxml and libxml2 buffer overflow (+ RFS)

Mike Hommey mh@glandium.org
Thu, 28 Oct 2004 19:30:35 +0900



Hi,

As stated to team@s.d.o a few hours ago, I made packages fixing
CAN-2004-0989, being buffer overflows in nanohttp.c and nanoftp.c.

As for libxml, only nanoftp.c needed update (and actually seemed to be
missing one fix for CAN-2004-0110, which I added). nanohttp.c did not
present the vulnerable code.

As for libxml2, the version in woody is pretty old and doesn't have the
__xmlIOErr() calls, so the fixed functions will just return -1 without a
more specific error message, which is not a problem since we won't hit
this portion of code on normal behaviour, only on exploit attempts...

All packages are built and available as follows:
Woody security updates:
http://glandium.org/debian/stable-security/libxml_1.8.17-2woody2_i386.changes
http://glandium.org/debian/stable-security/libxml2_2.4.19-4woody2_i386.changes

Unstable (security update only; urgency high):
http://glandium.org/debian/unstable/libxml_1.8.17-9_i386.changes
http://glandium.org/debian/unstable/libxml2_2.6.11-5_i386.changes

Experimental (new upstream version, which fixes the buffer overflow):
http://glandium.org/debian/experimental/libxml2_2.6.15-1_i386.changes

Attached, you will find a diff between the last woody versions and the new
ones, for libxml and libxml2.

Security team, please sponsor the woody security updates ASAP.
Debian XML/SGML group's DD folks, please sponsor the other updates ASAP ;)

Thanks

Mike

PS: Unstable and experimental versions are also available in the svn
repository:
libxml2 for unstable:
svn+ssh://login@svn.debian.org/svn/debian-xml-sgml/packages/libxml2/branches/unstable/
libxml2 for experimental:
svn+ssh://login@svn.debian.org/svn/debian-xml-sgml/packages/libxml2/trunk
libxml for unstable:
svn+ssh://login@svn.debian.org/svn/debian-xml-sgml/packages/libxml/trunk

Attachment: libxml_1.8.17-2woody2.patch

diff -ruN libxml-1.8.17-2woody1/debian/changelog libxml-1.8.17/debian/changelog
--- libxml-1.8.17-2woody1/debian/changelog	2004-10-28 17:20:07.000000000 +0900
+++ libxml-1.8.17/debian/changelog	2004-10-28 17:20:21.000000000 +0900
@@ -1,3 +1,10 @@
+libxml (1:1.8.17-2woody2) stable-security; urgency=high
+
+  * Backport patch from libxml2-2.6.15 to fix buffer overflows [nanohttp.c,
+    nanoftp.c, CAN-2004-0989]
+
+ -- Mike Hommey <mh@glandium.org>  Thu, 28 Oct 2004 17:18:04 +0900
+
 libxml (1:1.8.17-2woody1) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team
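Review bot: the changelog entry lists nanohttp.c alongside nanoftp.c, but this patch only touches nanoftp.c (the cover mail itself says nanohttp.c in libxml 1.8.17 did not contain the vulnerable code), and the extra CAN-2004-0110 fix the mail says was added is not recorded here at all. Make the entry match what the diff actually changes, e.g. `* Backport patch from libxml2-2.6.15 to fix buffer overflow in nanoftp.c [CAN-2004-0989]`, and add a separate bullet for the CAN-2004-0110 change so the security tracker can see both ids.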
diff -ruN libxml-1.8.17-2woody1/nanoftp.c libxml-1.8.17/nanoftp.c
--- libxml-1.8.17-2woody1/nanoftp.c	2004-10-28 17:20:07.000000000 +0900
+++ libxml-1.8.17/nanoftp.c	2004-10-28 17:25:40.000000000 +0900
@@ -236,7 +236,7 @@
     if (*cur == 0) return;
 
     buf[index] = 0;
-    while (1) {
+    while (index < XML_NANO_MAX_URLBUF - 1) {
         if (cur[0] == ':') {
 	    buf[index] = 0;
 	    ctxt->hostname = xmlMemStrdup(buf);
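Review bot: the new bound `while (index < XML_NANO_MAX_URLBUF - 1)` stops the copy before `buf` overflows, but the hunk does not show what happens when the loop ends because the limit was hit rather than because a ':' or other delimiter was seen; if the code after the loop then treats the truncated `buf` as a complete hostname, an over-long URL is silently accepted with a truncated host. Consider flagging an error (or returning) when `index` reaches the limit so the caller sees a failure instead of a truncated value, and confirm that `buf` is declared with `XML_NANO_MAX_URLBUF` bytes so that `- 1` leaves room for the terminating NUL written by `buf[index] = 0`.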
@@ -830,6 +830,11 @@
     if (hp == NULL)
         return(-1);
 
+    if ((unsigned int) hp->h_length >
+	sizeof(((struct sockaddr_in *)&ctxt->ftpAddr)->sin_addr)) {
+	return (-1);
+    }
+
     /*
      * Prepare the socket
      */
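Review bot: the `(unsigned int) hp->h_length > sizeof(...sin_addr)` comparison rejects both oversized and negative `h_length` values (a negative int becomes a large unsigned), which is the right defensive check before the copy into `sin_addr` that follows; it only checks the length, though, not the family, so an `hp->h_addrtype != AF_INET` test next to it would make the intent explicit and document why 4 bytes is the expected size. Minor: the continuation line `+	sizeof(((struct sockaddr_in *)&ctxt->ftpAddr)->sin_addr)) {` is indented with a tab while the `if` uses four spaces; match the file's existing style.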

Attachment: libxml2_2.4.19-4woody2.patch

diff -ruN libxml2-2.4.19-4woody1/debian/changelog libxml2-2.4.19/debian/changelog
--- libxml2-2.4.19-4woody1/debian/changelog	2004-10-28 17:07:28.000000000 +0900
+++ libxml2-2.4.19/debian/changelog	2004-10-28 17:07:48.000000000 +0900
@@ -1,3 +1,10 @@
+libxml2 (2.4.19-4woody2) stable-security; urgency=high
+
+  * Backport patch from libxml2-2.6.15 to fix buffer overflows [nanohttp.c,
+    nanoftp.c, CAN-2004-0989]
+
+ -- Mike Hommey <mh@glandium.org>  Thu, 28 Oct 2004 17:02:45 +0900
+
 libxml2 (2.4.19-4woody1) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team
diff -ruN libxml2-2.4.19-4woody1/nanoftp.c libxml2-2.4.19/nanoftp.c
--- libxml2-2.4.19-4woody1/nanoftp.c	2004-10-28 17:07:28.000000000 +0900
+++ libxml2-2.4.19/nanoftp.c	2004-10-28 17:07:48.000000000 +0900
@@ -289,7 +289,7 @@
 	}
     }
 
-    while (1) {
+    while (indx < XML_NANO_MAX_URLBUF - 1) {
         if (cur[0] == ':') {
 	    buf[indx] = 0;
 	    ctxt->hostname = xmlMemStrdup(buf);
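Review bot: this is the same bound as in the libxml patch, with the counter named `indx` here; since the backport compiles against whatever the local tree defines, verify that `XML_NANO_MAX_URLBUF` exists in 2.4.19 with the same value as in 2.6.15 and that `buf` is declared as `char buf[XML_NANO_MAX_URLBUF]`, otherwise the `- 1` bound protects the wrong size. The loop also now exits quietly when the limit is reached, so the code after it should treat that as a parse failure rather than continue with a truncated hostname.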
@@ -877,6 +877,11 @@
     if (hp == NULL)
         return(-1);
 
+    if ((unsigned int) hp->h_length >
+        sizeof(((struct sockaddr_in *)&ctxt->ftpAddr)->sin_addr)) {
+	return (-1);
+    }
+
     /*
      * Prepare the socket
      */
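Review bot: the new check indents its continuation line with eight spaces but the `return (-1);` with a tab; pick one, since the surrounding hunk uses tabs for 8-column indents. Substantively the same comment as for the libxml patch applies: the length check bounds the copy into `sin_addr`, but an explicit `hp->h_addrtype == AF_INET` test beside it would state the assumption that 4 bytes is the expected address length instead of leaving it implied by `sizeof`.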
diff -ruN libxml2-2.4.19-4woody1/nanohttp.c libxml2-2.4.19/nanohttp.c
--- libxml2-2.4.19-4woody1/nanohttp.c	2004-10-28 17:07:28.000000000 +0900
+++ libxml2-2.4.19/nanohttp.c	2004-10-28 17:07:48.000000000 +0900
@@ -914,6 +914,9 @@
     for (i = 0; h->h_addr_list[i]; i++) {
         if (h->h_addrtype == AF_INET) {
             /* A records (IPv4) */
+	    if ((unsigned int) h->h_length > sizeof(ia)) {
+	       return (-1);
+	    }
             memcpy(&ia, h->h_addr_list[i], h->h_length);
             sockin.sin_family = h->h_addrtype;
             sockin.sin_addr = ia;
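Review bot: the check is placed correctly, inside the `AF_INET` branch and before `memcpy(&ia, h->h_addr_list[i], h->h_length);`, so `h_length` is compared against the IPv4 buffer only. Style: the three added lines use a tab where the surrounding block is indented with spaces, and `return (-1);` sits at an odd seven-space column. Note also that returning -1 abandons the whole address list rather than skipping the bad entry with `continue`; for resolver data that is the conservative choice, but it is worth a one-line comment so a later reader does not "fix" it into a `continue`.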
@@ -922,6 +925,9 @@
 #ifdef SUPPORT_IP6
         } else if (h->h_addrtype == AF_INET6) {
             /* AAAA records (IPv6) */
+	    if ((unsigned int) h->h_length > sizeof(ia6)) {
+	       return (-1);
+	    }
             memcpy(&ia6, h->h_addr_list[i], h->h_length);
             sockin6.sin_family = h->h_addrtype;
             sockin6.sin_addr = ia6;
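Review bot: this mirrors the IPv4 check for `ia6`, and since the two checks differ only in the target buffer, a single per-family length test (or a small helper) would avoid the duplication, though as a minimal security backport the copy is acceptable. This branch sits under `#ifdef SUPPORT_IP6`, so confirm that the woody build actually enables that define; otherwise the IPv6 check is dead code there and only the IPv4 path is exercised.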
