Bug#560946: CVE-2009-3560 and CVE-2009-3720 denial-of-services

Michael Gilbert michael.s.gilbert at gmail.com
Mon Dec 14 16:57:50 UTC 2009


On Mon, 14 Dec 2009 17:48:10 +0100, Mike Hommey wrote:
> tag 560946 wontfix
> thanks
> 
> On Mon, Dec 14, 2009 at 11:31:18AM -0500, Michael Gilbert wrote:
> > retitle 560946 xulrunner: embeds expat
> > severity 560946 important
> > thanks
> > 
> > On Mon, 14 Dec 2009 09:15:12 +0100, Mike Hommey wrote:
> > > On Sat, Dec 12, 2009 at 10:56:59PM -0500, Michael Gilbert wrote:
> > > > package: xulrunner
> > > > severity: serious
> > > > tags: security
> > > > 
> > > > Hi,
> > > > 
> > > > The following CVE (Common Vulnerabilities & Exposures) ids were
> > > > published for expat.  I have determined that this package embeds a
> > > > vulnerable copy of xmlparse.c and xmltok_impl.c.  However, since this is
> > > > a mass bug filing (due to so many packages embedding expat), I have
> > > > not had time to determine whether the vulnerable code is actually
> > > > present in any of the binary packages derived from this source package.
> > > > Please determine whether this is the case. If the binary packages are
> > > > not affected, please feel free to close the bug with a message
> > > > containing the details of what you did to check.
> > > > 
> > > > CVE-2009-3560[0]:
> > > > | The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
> > > > | as used in the XML-Twig module for Perl, allows context-dependent
> > > > | attackers to cause a denial of service (application crash) via an XML
> > > > | document with malformed UTF-8 sequences that trigger a buffer
> > > > | over-read, related to the doProlog function in lib/xmlparse.c, a
> > > > | different vulnerability than CVE-2009-2625 and CVE-2009-3720.
> > >  
> > > From what I understand from the vulnerability, a specially crafted
> > > big5 encoded document can trigger a bad conversion to utf-8 which in
> > > turn can trigger this bug, due to the malformed utf-8.
> > > 
> > > > CVE-2009-3720[1]:
> > > > | The updatePosition function in lib/xmltok_impl.c in libexpat in Expat
> > > > | 2.0.1, as used in Python, PyXML, w3c-libwww, and other software,
> > > > | allows context-dependent attackers to cause a denial of service
> > > > | (application crash) via an XML document with crafted UTF-8 sequences
> > > > | that trigger a buffer over-read, a different vulnerability than
> > > > | CVE-2009-2625.
> > > 
> > > This one is about a buffer overrun from malformed utf-8 at the end of
> > > the buffer.
> > > 
> > > AFAIK, none of these bugs should be affecting the mozilla code base, as
> > > it is doing its own utf-8 conversions and sanitizes it well before it
> > > comes to expat. 
> > 
> > sounds reasonable to me.  so to harden for future issues, i would still
> > recommend updating xulrunner to use the system expat.  thanks.
> 
> As I said in another message, this is simply impossible, as it is
> heavily modified.
> 
> On the other hand, on the long run, it might disappear, as mozilla will
> be switching to a new html5 parser (which AFAIK is not based on expat).

ok, good enough.  i've got too many bugs i'm dealing with right now to
remember all of these things...

mike