Bug 470480 (CVE-2008-4225)

Summary: CVE-2008-4225 libxml2: integer overflow leading to infinite loop in xmlBufferResize
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bressers, kreilly, veillard
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-11-26 08:07:24 UTC
Bug Depends On: 470469, 470470, 470472, 470473, 470474, 470475
Attachments: Proposed patch from Drew Yao (flags: none)

Description Jan Lieskovsky 2008-11-07 11:50:24 UTC
Created attachment 322846
Proposed patch from Drew Yao

Description of problem:

Drew Yao of Apple Product Security has reported an integer overflow
present in the xmlBufferResize function in the libxml2 library, potentially
leading to an infinite loop. A user could provide a very large XML file
for parsing to the XML parsing library, which could allow him to
cause a denial of service.

Proposed patch: See attachment.

Acknowledgements:

Red Hat would like to thank Drew Yao of the Apple Product Security team for
reporting this issue.
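
An added illustration, not libxml2 source and not the attached patch: a simplified model of a doubling buffer-growth loop, assumed here as the pattern behind the reported overflow. It shows how an unsigned size that wraps to zero never reaches the requested size, next to a variant that rejects the request before wrapping. Function names and sizes are constructed for the example.

```c
#include <limits.h>
#include <stdio.h>

/* Model only: function names are hypothetical, not libxml2 source. */

/* Unchecked doubling. Returns 1 and stores the size on termination, or 0
 * when max_iter doublings were not enough (cap added so the demo halts). */
int grow_unchecked(unsigned int cur, unsigned int want,
                   unsigned int max_iter, unsigned int *out)
{
    unsigned int new_size = cur ? cur * 2 : want + 10;
    unsigned int i = 0;

    while (want > new_size) {
        if (++i > max_iter)
            return 0;          /* without the cap this spins forever */
        new_size *= 2;         /* a power-of-two size wraps to 0, stays 0 */
    }
    *out = new_size;
    return 1;
}

/* Checked doubling: refuses any step whose result would wrap. */
int grow_checked(unsigned int cur, unsigned int want, unsigned int *out)
{
    unsigned int new_size;

    if (cur ? cur > UINT_MAX / 2 : want > UINT_MAX - 10)
        return 0;
    new_size = cur ? cur * 2 : want + 10;
    while (want > new_size) {
        if (new_size > UINT_MAX / 2)
            return 0;          /* next doubling would overflow */
        new_size *= 2;
    }
    *out = new_size;
    return 1;
}

int main(void)
{
    unsigned int big = UINT_MAX / 2 + 2;   /* constructed oversized request */
    unsigned int sz = 0;

    printf("unchecked: terminated=%d\n", grow_unchecked(4096u, big, 64u, &sz));
    printf("checked:   accepted=%d\n", grow_checked(4096u, big, &sz));
    return 0;
}
```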

Comment 3 Jan Lieskovsky 2008-11-07 12:02:30 UTC
This issue affects all versions of the libxml2 package, as shipped with
Red Hat Enterprise Linux 2.1, 3, 4 or 5.

This issue affects all versions of the libxml2 package, as shipped with
Fedora releases 8, 9 or 10.

Comment 6 Daniel Veillard 2008-11-12 14:49:36 UTC
The patch looks fine, though it gets really hard to reproduce and test,

Daniel

Comment 8 Josh Bressers 2008-11-17 15:50:34 UTC
Lifting embargo

Comment 9 Fedora Update System 2008-11-17 16:55:55 UTC
libxml2-2.7.2-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/libxml2-2.7.2-2.fc9

Comment 10 Fedora Update System 2008-11-17 16:57:00 UTC
libxml2-2.7.2-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/libxml2-2.7.2-2.fc10

Comment 11 Fedora Update System 2008-11-19 14:50:56 UTC
libxml2-2.7.2-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2008-11-19 14:55:33 UTC
libxml2-2.7.2-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2008-11-22 16:50:39 UTC
libxml2-2.7.2-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.