Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2008-4226 libxml2: integer overflow leading to memory corruption in xmlSAX2Characters|
|Product:||[Other] Security Response||Reporter:||Jan Lieskovsky <jlieskov>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||bressers, kreilly, veillard|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2008-11-26 03:07:38 EST||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||470469, 470470, 470472, 470473, 470474, 470475|
Description Jan Lieskovsky 2008-11-07 06:03:20 EST
Created attachment 322841 [details] Proposed patch from Drew Yao Description of problem: Drew Yao from Apple Product Security has reported integer overflow leading to memory corruption present in the xmlSAX2Characters() function in the libxml2 library. User could trigger this flaw by providing very large XML file for parsing to the XML parsing library, which would corrupt the memory and might potentially allow arbitrary code execution. Proposed patch: See attachment. Acknowledgements: Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting this issue.
Comment 3 Jan Lieskovsky 2008-11-07 06:16:35 EST
Created attachment 322844 [details] Modified patch from Drew to consider condition, when SIZE_T_MAX isn't defined in limits.h
Comment 4 Jan Lieskovsky 2008-11-07 06:21:57 EST
This issue affects all versions of the libxml2 package, as shipped with Red Hat Enterprise Linux 2.1 and 3 (the relevant part of code is in SAX.c, the "characters()" function) and Red Hat Enterprise Linux 4 and 5 (the relevant part of code is in SAX2.c, function xmlSAX2Characters()). This issue affects all versions of the libxml2 package, as shipped with Fedora release of 8, 9 and 10.
Comment 7 Daniel Veillard 2008-11-12 10:45:04 EST
Okay, I confirm the patch is correct and the way to define SIZE_T_MAX is probably the most correct/portable possible. BTW SIZE_T_MAX seems to be Apple/BSD specific, it doesn't look like of the standard C library (or at least not present in older versions). Daniel
Comment 9 Josh Bressers 2008-11-17 10:50:36 EST
Comment 10 Fedora Update System 2008-11-17 11:55:58 EST
libxml2-2.7.2-2.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/libxml2-2.7.2-2.fc9
Comment 11 Fedora Update System 2008-11-17 11:57:02 EST
libxml2-2.7.2-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/libxml2-2.7.2-2.fc10
Comment 12 Fedora Update System 2008-11-19 09:50:59 EST
libxml2-2.7.2-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2008-11-19 09:55:36 EST
libxml2-2.7.2-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2008-11-22 11:50:42 EST
libxml2-2.7.2-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Red Hat Product Security 2008-11-26 03:07:38 EST
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0988.html Fedora: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9729 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9773 https://admin.fedoraproject.org/updates/f10/FEDORA-2008-10038