Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 2.1 product line. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 116572

Summary: libxml2 ftp and http fetch had a bound checking error
Product: Red Hat Enterprise Linux 2.1 Reporter: Daniel Veillard <veillard>
Component: libxml2Assignee: Daniel Veillard <veillard>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 2.1CC: mjc
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-03-08 15:34:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 430644    
Attachments:
Description Flags
This patch fix the problem on 2.6.5 none

Description Daniel Veillard 2004-02-23 12:31:45 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.7 (X11; Linux i686; U;) Gecko/20030131

Description of problem:
When fetching a remote resource via ftp and http
libxml2 use special parsing routines which had a buffer
overflow problem if passed a URL more than 4Kb.
This is a potential security issue covering all libxml2
releases up to 2.6.5 and fixed in 2.6.6

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1./usr/bin/xmllint http://`perl -e 'print "A" x 5000'`
2.
3.
    

Actual Results:  segfaults

Expected Results:  should not segfault

Additional info:

This covers RHEL 2.1, RHL9, RHEL 3 and FC1 <grin/>
Comment 1 Daniel Veillard 2004-02-23 12:33:30 UTC 
Created attachment 97942 [details]
This patch fix the problem on 2.6.5
Comment 2 Daniel Veillard 2004-02-23 12:35:51 UTC 
Best processing seems to:
  - apply the patch for RHEL 2.1 and 3
  - push 2.6.6 or 2.6.7 as a fedora core 1 update
  - for RHL9 applying the patch is probably the simplest.

Daniel
Comment 4 Mark J. Cox 2004-02-24 09:38:10 UTC 
RHSA-2004:090 (RHEL) and RHSA-2004:091 (RHL9) in progress.
Comment 5 Mark J. Cox 2004-03-08 15:34:08 UTC 
was released 2004-02-26