Bug 470466 (CVE-2008-4226)

Summary: CVE-2008-4226 libxml2: integer overflow leading to memory corruption in xmlSAX2Characters
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bressers, kreilly, veillard
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: reported=20081103,public=20081117,source=vendorsec,impact=important,cwe=CWE-190[auto]
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-11-26 03:07:38 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 470469, 470470, 470472, 470473, 470474, 470475    
Bug Blocks:    
Attachments:
Description Flags
Proposed patch from Drew Yao
none
Modified patch from Drew to consider condition, when SIZE_T_MAX isn't defined in limits.h none

Description Jan Lieskovsky 2008-11-07 06:03:20 EST
Created attachment 322841 [details]
Proposed patch from Drew Yao

Description of problem:

Drew Yao from Apple Product Security has reported integer overflow leading
to memory corruption present in the xmlSAX2Characters() function in the
libxml2 library. User could trigger this flaw by providing very large
XML file for parsing to the XML parsing library, which would corrupt the
memory and might potentially allow arbitrary code execution.

Proposed patch: See attachment.

Acknowledgements:

Red Hat would like to thank Drew Yao of the Apple Product Security team for
reporting this issue.
Comment 3 Jan Lieskovsky 2008-11-07 06:16:35 EST
Created attachment 322844 [details]
Modified patch from Drew to consider condition, when SIZE_T_MAX isn't defined in limits.h
Comment 4 Jan Lieskovsky 2008-11-07 06:21:57 EST
This issue affects all versions of the libxml2 package, as shipped with
Red Hat Enterprise Linux 2.1 and 3 (the relevant part of code is in SAX.c,
the "characters()" function) and Red Hat Enterprise Linux 4 and 5 
(the relevant part of code is in SAX2.c, function xmlSAX2Characters()). 

This issue affects all versions of the libxml2 package, as shipped with
Fedora release of 8, 9 and 10.
Comment 7 Daniel Veillard 2008-11-12 10:45:04 EST
Okay, I confirm the patch is correct and the way to define SIZE_T_MAX
is probably the most correct/portable possible. BTW SIZE_T_MAX seems to be
Apple/BSD specific, it doesn't look like of the standard C library
(or at least not present in older versions).

Daniel
Comment 9 Josh Bressers 2008-11-17 10:50:36 EST
Lifting embargo
Comment 10 Fedora Update System 2008-11-17 11:55:58 EST
libxml2-2.7.2-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/libxml2-2.7.2-2.fc9
Comment 11 Fedora Update System 2008-11-17 11:57:02 EST
libxml2-2.7.2-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/libxml2-2.7.2-2.fc10
Comment 12 Fedora Update System 2008-11-19 09:50:59 EST
libxml2-2.7.2-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2008-11-19 09:55:36 EST
libxml2-2.7.2-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2008-11-22 11:50:42 EST
libxml2-2.7.2-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.