Bug 470466 (CVE-2008-4226)
| Summary: | CVE-2008-4226 libxml2: integer overflow leading to memory corruption in xmlSAX2Characters | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> | ||||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | |||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | high | ||||||||
| Version: | unspecified | CC: | bressers, kreilly, veillard | ||||||
| Target Milestone: | --- | Keywords: | Security | ||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2008-11-26 08:07:38 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | 470469, 470470, 470472, 470473, 470474, 470475 | ||||||||
| Bug Blocks: | |||||||||
| Attachments: |
|
||||||||
Created attachment 322844 [details]
Modified patch from Drew to consider condition, when SIZE_T_MAX isn't defined in limits.h
This issue affects all versions of the libxml2 package, as shipped with Red Hat Enterprise Linux 2.1 and 3 (the relevant part of code is in SAX.c, the "characters()" function) and Red Hat Enterprise Linux 4 and 5 (the relevant part of code is in SAX2.c, function xmlSAX2Characters()). This issue affects all versions of the libxml2 package, as shipped with Fedora release of 8, 9 and 10. Okay, I confirm the patch is correct and the way to define SIZE_T_MAX is probably the most correct/portable possible. BTW SIZE_T_MAX seems to be Apple/BSD specific, it doesn't look like of the standard C library (or at least not present in older versions). Daniel Lifting embargo libxml2-2.7.2-2.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/libxml2-2.7.2-2.fc9 libxml2-2.7.2-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/libxml2-2.7.2-2.fc10 libxml2-2.7.2-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. libxml2-2.7.2-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. libxml2-2.7.2-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0988.html Fedora: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9729 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9773 https://admin.fedoraproject.org/updates/f10/FEDORA-2008-10038 |
Created attachment 322841 [details] Proposed patch from Drew Yao Description of problem: Drew Yao from Apple Product Security has reported integer overflow leading to memory corruption present in the xmlSAX2Characters() function in the libxml2 library. User could trigger this flaw by providing very large XML file for parsing to the XML parsing library, which would corrupt the memory and might potentially allow arbitrary code execution. Proposed patch: See attachment. Acknowledgements: Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting this issue.