[xml/sgml] [CAN-2004-0989] libxml and libxml2 buffer overflow (+ RFS)

Ardo van Rangelrooij ardo@debian.org
Thu, 28 Oct 2004 10:45:17 -0500


Mike,

I'll take care of the uploads to unstable and experimental later today.

Thanks,
Ardo

Mike Hommey (mh@glandium.org) wrote:
> Hi,
> 
> As stated to team@s.d.o a few hours ago, I have made packages fixing
> CAN-2004-0989, buffer overflows in nanohttp.c and nanoftp.c.
> 
> As for libxml, only nanoftp.c needed update (and actually seemed to be
> missing one fix for CAN-2004-0110, which I added). nanohttp.c did not
> present the vulnerable code.
> 
> As for libxml2, the version in woody is pretty old and doesn't have the
> __xmlIOErr() calls, so the fixed functions will just return -1 without a
> more specific error message, which is no problem since we won't hit
> this portion of code on normal behaviour, only on exploit attempts...
> 
> All packages are built and available as follows:
> Woody security updates:
> http://glandium.org/debian/stable-security/libxml_1.8.17-2woody2_i386.changes
> http://glandium.org/debian/stable-security/libxml2_2.4.19-4woody2_i386.changes
> 
> Unstable (security update only; urgency high):
> http://glandium.org/debian/unstable/libxml_1.8.17-9_i386.changes
> http://glandium.org/debian/unstable/libxml2_2.6.11-5_i386.changes
> 
> Experimental (new upstream version, which fixes the buffer overflow):
> http://glandium.org/debian/experimental/libxml2_2.6.15-1_i386.changes
> 
> Attached, you will find a diff between last woody versions and the new
> ones, for libxml and libxml2.
> 
> Security team, please sponsor the woody security updates ASAP.
> Debian XML/SGML group's DD folks, please sponsor the other updates ASAP ;)
> 
> Thanks
> 
> Mike
> 
> PS: Unstable and experimental versions are also available in svn
> repository:
> libxml2 for unstable:
> svn+ssh://login@svn.debian.org/svn/debian-xml-sgml/packages/libxml2/branches/unstable/
> libxml2 for experimental:
> svn+ssh://login@svn.debian.org/svn/debian-xml-sgml/packages/libxml2/trunk
> libxml for unstable:
> svn+ssh://login@svn.debian.org/svn/debian-xml-sgml/packages/libxml/trunk

-- 
Ardo van Rangelrooij                                     Debian XML/SGML Group
<ardo@debian.org>              <debian-xml-sgml-devel@lists.alioth.debian.org>
http://people.debian.org/~ardo/      http://debian-xml-sgml.alioth.debian.org/
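The fix Mike describes for the woody libxml2 package (bound the copy, return -1 without a specific error message when the buffer would be exceeded) is the standard pattern for this class of bug. The following is an added illustration of that pattern written for this page; it is not code from libxml, libxml2, or the Debian packages. The function names (scan_host_unchecked, scan_host_checked), the HOST_BUF size and the URLs are all assumptions constructed for the demo; the real fixed-buffer sizes in nanoftp.c/nanohttp.c are not taken from the thread.

```c
/* Added illustration, not libxml/libxml2 code: a URL host scanner that copies
 * the host part of a URL into a fixed-size stack buffer, first in the
 * unchecked form (the overflow class this thread fixes) and then in the
 * bounded form that refuses oversized input with -1. */
#include <stdio.h>
#include <string.h>

/* Buffer size chosen small for the demo (assumption, not libxml's size;
 * the class of bug is the same for any fixed size). */
#define HOST_BUF 64

/* Locate the start of the host part, just past "://".
 * Returns NULL if the URL has no scheme separator. */
static const char *host_start(const char *url)
{
    const char *p = strstr(url, "://");
    return p ? p + 3 : NULL;
}

/* Vulnerable pattern: copy the host into host[] with no bound check.
 * Any URL whose host part is >= HOST_BUF bytes writes past the end of host[].
 * Returns 0 on success, -1 only if no "://" was found. */
int scan_host_unchecked(const char *url, char host[HOST_BUF])
{
    const char *p = host_start(url);
    int indx = 0;
    if (p == NULL)
        return -1;
    while (*p != '\0' && *p != ':' && *p != '/')
        host[indx++] = *p++;          /* no check against HOST_BUF */
    host[indx] = '\0';
    return 0;
}

/* Hardened pattern: bound every write and bail out with -1 as soon as the
 * host would not fit (keeping room for the terminating NUL). Well-formed URLs
 * with ordinary hostnames never reach the error path; only oversized input
 * does, which matches what the thread says about the woody fix. */
int scan_host_checked(const char *url, char host[HOST_BUF])
{
    const char *p = host_start(url);
    int indx = 0;
    if (p == NULL)
        return -1;
    while (*p != '\0' && *p != ':' && *p != '/') {
        if (indx >= HOST_BUF - 1)
            return -1;                /* would overflow: refuse the URL */
        host[indx++] = *p++;
    }
    host[indx] = '\0';
    return 0;
}

int main(void)
{
    char host[HOST_BUF];
    char long_url[HOST_BUF + 64];
    /* Constructed inputs for the demo. */
    const char *ok = "ftp://ftp.example.org:21/pub/file.txt";

    /* "http://AAAA...": a host part of 120 'A's, well over HOST_BUF. */
    memset(long_url, 'A', sizeof long_url - 1);
    long_url[sizeof long_url - 1] = '\0';
    memcpy(long_url, "http://", 7);

    printf("checked(ok)   = %d host=%s\n", scan_host_checked(ok, host), host);
    printf("checked(long) = %d (refused)\n", scan_host_checked(long_url, host));
    /* scan_host_unchecked(long_url, host) would write past host[]; it is
     * deliberately not called here. */
    return 0;
}
```

The check sits on every iteration of the copy loop rather than on a single strlen() up front, so a host terminated by ':' or '/' rather than NUL is still bounded correctly; the -1 is returned before any byte beyond the buffer is written.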