Bug#560946: CVE-2009-3560 and CVE-2009-3720 denial-of-services

Mike Hommey mh at glandium.org
Mon Dec 14 16:48:10 UTC 2009 

tag 560946 wontfix
thanks

On Mon, Dec 14, 2009 at 11:31:18AM -0500, Michael Gilbert wrote:
> retitle 560946 xulrunner: embeds expat
> severity 560946 important
> thanks
> 
> On Mon, 14 Dec 2009 09:15:12 +0100, Mike Hommey wrote:
> > On Sat, Dec 12, 2009 at 10:56:59PM -0500, Michael Gilbert wrote:
> > > package: xulrunner
> > > severity: serious
> > > tags: security
> > > 
> > > Hi,
> > > 
> > > The following CVE (Common Vulnerabilities & Exposures) ids were
> > > published for expat.  I have determined that this package embeds a
> > > vulnerable copy of xmlparse.c and xmltok_impl.c.  However, since this is
> > > a mass bug filing (due to so many packages embedding expat), I have
> > > not had time to determine whether the vulnerable code is actually
> > > present in any of the binary packages derived from this source package.
> > > Please determine whether this is the case. If the binary packages are
> > > not affected, please feel free to close the bug with a message
> > > containing the details of what you did to check.
> > > 
> > > CVE-2009-3560[0]:
> > > | The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
> > > | as used in the XML-Twig module for Perl, allows context-dependent
> > > | attackers to cause a denial of service (application crash) via an XML
> > > | document with malformed UTF-8 sequences that trigger a buffer
> > > | over-read, related to the doProlog function in lib/xmlparse.c, a
> > > | different vulnerability than CVE-2009-2625 and CVE-2009-3720.
> >  
> > From what I understand from the vulnerability, the an specially crafted
> > big5 encoded document can trigger a bad conversion to utf-8 which in
> > turn can trigger this bug, due to the malformed utf-8.
> > 
> > > CVE-2009-3720[1]:
> > > | The updatePosition function in lib/xmltok_impl.c in libexpat in Expat
> > > | 2.0.1, as used in Python, PyXML, w3c-libwww, and other software,
> > > | allows context-dependent attackers to cause a denial of service
> > > | (application crash) via an XML document with crafted UTF-8 sequences
> > > | that trigger a buffer over-read, a different vulnerability than
> > > | CVE-2009-2625.
> > 
> > This one is about a buffer overrun from malformed utf-8 at the end of
> > the buffer.
> > 
> > AFAIK, none of these bugs should be affecting the mozilla code base, as
> > it is doing its own utf-8 conversions and sanitizes it well before it
> > comes to expat. 
> 
> sounds reasonable to me.  so to harden for future issues, i would still
> recommend updating xulrunner to use the system expat.  thanks.

As I said in another message, this is simply impossible, as it is
heavily modified.

On the other hand, on the long run, it might disappear, as mozilla will
be switching to a new html5 parser (which AFAIK is not based on expat).

Cheers,

Mike

More information about the pkg-mozilla-maintainers mailing list