Bug 152680

Summary: libxml2: an overflow when parsing remote resources.
Product: [Retired] Fedora Legacy
Reporter: David Lawrence <dkl>
Component: Package request
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: botsch, michal
Hardware: All
OS: Linux
URL: http://xmlsoft.org/
Whiteboard: LEGACY, QA, rh73
Doc Type: Bug Fix

Description David Lawrence 2005-03-30 23:23:45 UTC
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. 
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines.  These routines can overflow a buffer if passed a very
long URL.  If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.  The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0110
to this issue.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110
https://www.redhat.com/archives/redhat-watch-list/2004-February/msg00007.html
http://mail.gnome.org/archives/xml/2004-February/msg00070.html
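The description above says libxml2's FTP/HTTP fetching routines overflow a fixed buffer when handed a very long URL, and the thread later refers to a "bounds checking patch" without reproducing it. The C program below is an added illustration of that bug class, not libxml2's own code and not the patch attached to this bug: it puts an unbounded host-scanning loop of the kind described next to a bounded one. The buffer size HOST_BUF, the function names, and the attacker-style URL are the example's own assumptions; the real library's buffer constant only changes how long the URL has to be before the copy runs past it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Nominal size of the fixed host buffer. Deliberately tiny for the demo
 * (an assumption, not the library's constant). */
#define HOST_BUF 16

/* Return a pointer to the host part of "scheme://host[:port]/path". */
static const char *skip_scheme(const char *url)
{
    const char *p = strstr(url, "://");
    return p ? p + 3 : url;
}

/* Vulnerable pattern: copy the host until ':', '/' or end of string.
 * `out` is *assumed* to hold HOST_BUF bytes, but nothing checks indx
 * against that size, so the write length is whatever the URL dictates.
 * Returns the number of bytes written, excluding the terminator. */
int vuln_scan_host(const char *url, char *out)
{
    const char *cur = skip_scheme(url);
    int indx = 0;
    while (*cur != '\0' && *cur != ':' && *cur != '/')
        out[indx++] = *cur++;
    out[indx] = '\0';
    return indx;
}

/* Hardened pattern: same scan, bounded by the real capacity of `out`.
 * Returns bytes written, or -1 if the host would not fit. The caller must
 * treat -1 as a parse error, never as a truncated-but-usable host. */
int safe_scan_host(const char *url, char *out, size_t outlen)
{
    const char *cur = skip_scheme(url);
    size_t indx = 0;
    if (outlen == 0)
        return -1;
    while (*cur != '\0' && *cur != ':' && *cur != '/') {
        if (indx + 1 >= outlen)      /* keep one byte for the NUL */
            return -1;
        out[indx++] = *cur++;
    }
    out[indx] = '\0';
    return (int)indx;
}

/* Build an attacker-style FTP URL whose host is `hostlen` bytes of 'A'
 * (constructed input for the demo). Caller frees the result. */
char *make_long_url(size_t hostlen)
{
    const char *prefix = "ftp://";
    const char *suffix = "/pub/file.xml";
    size_t plen = strlen(prefix);
    char *url = malloc(plen + hostlen + strlen(suffix) + 1);
    if (url == NULL)
        return NULL;
    strcpy(url, prefix);
    memset(url + plen, 'A', hostlen);
    url[plen + hostlen] = '\0';
    strcat(url, suffix);
    return url;
}

int main(void)
{
    char scratch[4096];          /* oversized on purpose, see below */
    char host[HOST_BUF];
    char *url = make_long_url(200);
    if (url == NULL)
        return 1;

    /* Against a real HOST_BUF-byte stack buffer this call would write 200
     * bytes into 16 and smash the frame. A large scratch area is passed here
     * only so the demo can report the overrun length instead of crashing. */
    int n = vuln_scan_host(url, scratch);
    printf("vulnerable scanner wrote %d bytes into a %d-byte buffer\n", n, HOST_BUF);

    if (safe_scan_host(url, host, sizeof host) < 0)
        printf("hardened scanner rejected the over-long host\n");

    if (safe_scan_host("http://xmlsoft.org/xml.html", host, sizeof host) >= 0)
        printf("hardened scanner accepted host '%s'\n", host);

    free(url);
    return 0;
}
```

The point of the bounded version is that the check is made before every store, against the capacity the caller actually passed, and that an over-long host is rejected rather than silently cut short: a truncated hostname would still be a bug, since the request would go to whatever host the first bytes happen to name. Reviewing a fix like the one discussed in this thread means looking for every loop of the first shape in the URL and proxy scanners, which is what the "forgotten buffer overflow" follow-up patch in comment 4 suggests was missed the first time.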



------- Additional Comments From michal 2004-02-26 16:49:22 ----

Created an attachment (id=560)
A proposed patch for bug #1324 adapted to sources from RH 7.3 distribution

Files in question do not differ very much across lib versions and that patch
will likely apply everywhere with slight offsets.



------- Additional Comments From dom 2004-02-27 07:44:22 ----

Patch applies cleanly to 7.3 and 8.0 - SRPMS at:

redhat 7.3:
http://www-astro.physics.ox.ac.uk/~dom/legacy/SRPMS/libxml2-2.4.19-5.legacy.src.rpm

redhat 8.0:
http://www-astro.physics.ox.ac.uk/~dom/legacy/SRPMS/libxml2-2.4.23-2.legacy.src.rpm

(version numbers should be correct this time!)

The patch doesn't apply cleanly to the 7.2 package
(libxml2-2.4.10-0.7x.2.src.rpm) so no 7.2 fix for now.



------- Additional Comments From arvand 2004-03-03 05:09:36 ----

This is from RedHat:

"[Updated 3 March 2004]
Revised libxml2 packages are now available as the original packages did not 
contain a complete patch."

References:

http://mail.gnome.org/archives/xml/2004-February/msg00070.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110

So I guess we are back to square one? I guess we weren't too far from it anyway.



------- Additional Comments From michal 2004-03-03 13:09:19 ----

Created an attachment (id=566)
"forgotten buffer overflow" patch to libxml2

> So I guess we are back to square one?
Not really.  One more small patch is required.  Applies on top of the
previous one.  It seems to be all for the moment; but if somebody else
eyes that one that would be even better.

I am running right now with re-patched libxml2.



------- Additional Comments From michal 2004-03-03 13:37:10 ----

Created an attachment (id=567)
A fix of known issues for libxml2-2.4.10-0.7x.2, i.e. 7.2 package

This "carries over" to RH 7.2 all current fixes applied to sources used
in RH 7.3 and above.  I do not have RH 7.2 system running so somebody with
such would have to test it.

OTOH you can use these 7.3 rpms of this library on a 7.2 system and this should
not cause any problems.



------- Additional Comments From bugs.michael 2004-03-23 04:36:49 ----

What's the status here?

Package from comment 2 is good except it's missing the patch from comment 4 and
"Buildrequires: libxslt-devel zlib-devel" should be added.



------- Additional Comments From skvidal.edu 2004-04-30 20:46:04 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
libxml2 packages - updated with all comments/patches from this bug
e9603148f15b064d839b2feabc2e7e8b  libxml2-2.4.19-5.legacy.i386.rpm
c28a5f127bbd811c5c57e25ea3a65809  libxml2-2.4.19-5.legacy.src.rpm
31ed8e2030680461382e26b6d5348e30  libxml2-devel-2.4.19-5.legacy.i386.rpm
ba441fdad05d94f094b78ced37c26226  libxml2-python-2.4.19-5.legacy.i386.rpm
 
http://linux.duke.edu/~skvidal/RPMS/legacy/libxml2/
 
please QA
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFAk0ed1Aj3x2mIbMcRAjgJAJ9za1zAL/X+kYzkZgSxIEppcAPQ0wCfcCSS
EtmMEaGUoV7eZjn/vaUYRq8=
=HVdw
-----END PGP SIGNATURE-----




------- Additional Comments From bugs.michael 2004-05-01 05:20:03 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHA1
9d5bfcd9ac771ebcb92bbd9d6cba44c9ef2fa2f7  libxml2-2.4.19-5.legacy.src.rpm

MD5
c28a5f127bbd811c5c57e25ea3a65809  libxml2-2.4.19-5.legacy.src.rpm

* src.rpm is not signed
* sources have not changed
* bounds checking patch makes sense and doesn't need any testing
* builds and upgrades fine on rh73

++PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAk7/+0iMVcrivHFQRAiXDAJ9rD/o/qPUVIt9FLhia3hVGchwowQCfS6LK
0ZZMRbFqQy+MIwWLqBdmT38=
=EOlY
-----END PGP SIGNATURE-----




------- Additional Comments From jkeating 2004-05-19 17:02:09 ----

Packages for 7.2 and 8.0.  Need quick QA on these before pushing to updates-testing.

http://geek.j2solutions.net/rpms/legacy/libxml2/

e8f50a68edd61cc2e6085390a1afcd6578f9edb6  7.2/libxml2-2.4.10-0.7x.3.legacy.i386.rpm
a98bc1ffc46a1ebd9bf67211af79212f5af9a816  7.2/libxml2-2.4.10-0.7x.3.legacy.src.rpm
d7c85626da4d2f9496eabf491e45f62256425ec6  7.2/libxml2-devel-2.4.10-0.7x.3.legacy.i386.rpm
47e4f3733caca1a34e55e1e4ae79cc3a7f187485  7.2/sha1sums


b5ff99b1ce68cb22c767359296b51d513650a2e9  8.0/libxml2-2.4.23-2.legacy.i386.rpm
110f8321c8cc492a22cde952f56511f6db9bda34  8.0/libxml2-2.4.23-2.legacy.src.rpm
de270d96f7bad00debb59211447f89084bc5bf83  8.0/libxml2-devel-2.4.23-2.legacy.i386.rpm
606fa877723e1a0dc6cb759389bd65554b17d9d2  8.0/libxml2-python-2.4.23-2.legacy.i386.rpm
cdda589eb44bce8c2e885418fc6641116d540472  8.0/sha1sums



------- Additional Comments From jkeating 2004-05-31 12:06:57 ----

Pushed to updates-testing.

  http://download.fedoralegacy.org/redhat/
 
7ea6c8e40a04c2eafb82d53e8e6931b27348f4ad  7.3/updates-testing/SRPMS/libxml2-2.4.19-5.legacy.src.rpm
c325b2b9d03335b41db6b0b462a35d1ed847e56f  7.3/updates-testing/i386/libxml2-2.4.19-5.legacy.i386.rpm
c53f70cad435630b3e5b5f5d363c7d425f980a35  7.3/updates-testing/i386/libxml2-devel-2.4.19-5.legacy.i386.rpm
8819fa789731693645839f32f55aac2f2dc27906  7.3/updates-testing/i386/libxml2-python-2.4.19-5.legacy.i386.rpm



------- Additional Comments From jpdalbec 2004-06-25 07:31:30 ----

How does one verify libxml2 in production?  I see that nautilus has a dependency
on it.  Is it enough to open the "start here" link and try a few of the control
panels?



------- Additional Comments From michal 2004-06-25 07:39:46 ----

I can only say that I have a patched libxml2 in use on seven machines with
various installations starting from March 3rd and I would still have to
see problems.  I am not sure how likely is a remote attack against, say, httpd
using this flaw but it definitely opens possibilities.



------- Additional Comments From jpdalbec 2004-06-30 03:26:22 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFY RH 7.3

cc4f1a9f0163fe10fd36524758aacf34f2bb75ee  libpng-1.0.14-0.7x.4.i386.rpm
bca918186e519dbb73362f08453410a981770645  libpng-devel-1.0.14-0.7x.4.i386.rpm
5f39b22b6dbcd66c777289fde7777631c1b8146e  libxml2-2.4.2-1.i386.rpm
53cbe1a4c519cfb222b4a7527d948d52ac60e1d4  libxml2-devel-2.4.2-1.i386.rpm

I installed these packages on a production web server and restarted apache.
I haven't seen any problems.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFA4rrCJL4A+ldA7asRApZiAKCmXkwMXY2SztTjKbdoLcgvOdLA4wCfdOjr
DBm/gi1Dqs3HJkaqWu6rOQA=
=DL/l
-----END PGP SIGNATURE-----




------- Additional Comments From kev.uk 2004-07-22 06:36:24 ----

The rebuild of this package appears to have removed support for python2.2.
Looking at the files list for the previous package version
(libxml2-python-2.4.19-4) and the new version (libxml2-python-2.4.19-5), the
files for python2.2 have been removed. Given how the specfile operates, the
problem presumably arose as the rpm was rebuilt on a system with only python1.5
installed. The specfile automatically detects and builds for the versions of
python on the system.

[kev@coll kev]$ rpm -ql libxml2-python-2.4.19-5.legacy
/usr/lib/python1.5/site-packages/libxml2.py
/usr/lib/python1.5/site-packages/libxml2mod.so

But nothing for python2.2

This is currently breaking yum with the following error:

[kev@coll classes]$ yum
Traceback (most recent call last):
  File "/usr/bin/yum", line 22, in ?
    import yummain
  File "yummain.py", line 30, in ?
  File "yumcomps.py", line 4, in ?
  File "comps.py", line 5, in ?
  File "/usr/lib/python2.2/site-packages/libxml2.py", line 1, in ?
ImportError: No module named libxml2mod



------- Additional Comments From jpdalbec 2004-07-28 04:46:12 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

New RHL 7.3 libxml2 packages are available.

sha1sums:
d5a4b8060f08ffbbd259bc5e31ea5bbf9047ad7e  http://cc.ysu.edu/jpdalbec/libxml2-2.4.19-6.legacy.i386.rpm
609f9276b2a096aced8fc15ddab896de0cd68056  http://cc.ysu.edu/jpdalbec/libxml2-2.4.19-6.legacy.src.rpm
c3b195b77ca1f57d2b9e2af75d954a099cd3a23b  http://cc.ysu.edu/jpdalbec/libxml2-devel-2.4.19-6.legacy.i386.rpm
668c6759e48173bce19be87b57797174039e78d3  http://cc.ysu.edu/jpdalbec/libxml2-python-2.4.19-6.legacy.i386.rpm

changelog:
* Wed Jul 28 2004 John Dalbec <jpdalbec> 2.4.19-6.legacy
- added buildrequires: python2 python2-devel per comment 14

Installed on workstation.  Yum still works.  libxml2-python filelist shows
modules for 1.5 and 2.2.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFBB7qpJL4A+ldA7asRAobKAJ910mSxhh83BIPA/sOZ0R81eU2QgQCgg1Rv
B5KQ+YI/hEbmD2XE8VNYmhE=
=6zsX
-----END PGP SIGNATURE-----




------- Additional Comments From dom 2004-07-28 04:51:30 ----

Such a package is already sitting in updates-testing:

http://www.redhat.com/archives/fedora-legacy-list/2004-July/msg00083.html



------- Additional Comments From jpdalbec 2004-07-30 10:57:39 ----

I guess I missed that.  Should this be changed to RESOLVED PENDING then?



------- Additional Comments From bugs.michael 2004-07-30 11:55:53 ----

I see libxml2-2.4.19-5 in "updates", the same version that was pushed to
updates-testing on 2004-05-31. This bug was closed on 2004-07-19:

https://bugzilla.fedora.us/show_activity.cgi?id=1324

How the 2004-07-22 build of libxml2-2.4.19-6 was pushed to updates-testing
cannot be seen from the activity log.



------- Additional Comments From jpdalbec 2004-08-16 09:47:22 ----

Can someone add the 2.4.19-6.legacy packages to the yum header.info file for
updates-testing?  Otherwise yum users won't see them.



------- Additional Comments From marcdeslauriers 2004-09-12 08:04:55 ----

libxml2-python-2.4.19-5.legacy should be removed ASAP from the updates directory
as I think it breaks yum.




------- Additional Comments From bugs.michael 2004-09-12 08:29:15 ----

The '5' release is missing "Buildrequires: python2-devel". The binary builds did
not miss anything, e.g. look at:

http://linux.duke.edu/~skvidal/RPMS/legacy/libxml2/libxml2-python-2.4.19-5.legacy.i386.rpm

The verification step was kind of skipped. Usually, differences between last
good release and a new update are caught prior to the VERIFIED step in bugzilla.
For that it's important to get official builds as soon as possible, because QA
on the binary builds is even more important for legacy updates than fixing
src.rpm bugs and waiting weeks for the binary builds.




------- Additional Comments From marcdeslauriers 2004-09-30 16:25:13 ----

the 2.4.19-6.legacy packages in updates-testing should be released as they're
identical to the 2.4.19-5 packages in the updates directory except for the
missing BuildRequires...



------- Bug moved to this database by dkl 2005-03-30 18:23 -------

This bug previously known as bug 1324 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1324
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
A proposed patch for bug #1324 adapted to sources from RH 7.3 distribution
https://bugzilla.fedora.us/attachment.cgi?action=view&id=560
"forgotten buffer overflow" patch to libxml2
https://bugzilla.fedora.us/attachment.cgi?action=view&id=566
A fix of known issues for libxml2-2.4.10-0.7x.2, i.e. 7.2 package
https://bugzilla.fedora.us/attachment.cgi?action=view&id=567

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity major. Setting to default severity "normal".
The original reporter of this bug does not have an account here.
Reassigning to the person who moved it here, dkl.
Previous reporter was jonny.strom.
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.