Bug 137266 - CAN-2004-0989 multiple buffer overflows
CAN-2004-0989 multiple buffer overflows
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: libxml2 (Show other bugs)
2
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Veillard
: Security
Depends On:
Blocks: CVE-2004-0989
  Show dependency treegraph
 
Reported: 2004-10-26 22:10 EDT by Josh Bressers
Modified: 2008-01-29 04:55 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-10-28 10:47:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2004-10-26 22:10:16 EDT
The following information has been posted to bugtraq.

http://www.securityfocus.com/archive/1/379383/2004-10-24/2004-10-30/0

Details:

1]The vulnerable code occurs in the file nanoftp.c in function
xmlNanoFTPScanURL() around line 360:

    while (cur[0] != ']')
        buf[indx++] = *cur++;
             

buf is the stack buffer, and cur is the URL we control.  What's funny
here, is that in other areas of the code the same mistake is avoided,
we have this:

    while ((cur[0] != ']') && (indx < XML_NANO_MAX_URLBUF-1))
        buf[indx++] = *cur++;

Which occurs in a similar function to the one called above.
  

2]The vulnerable code occurs in the file nanoftp.c in function
xmlNanoFTPScanProxy() around line 610:

    while (cur[0] != ']')
        buf[indx++] = *cur++;
             

buf is the stack buffer, and cur is the URL we control.


3]There are two different functions, with three different code
sections each containing two overflows.  However I'd classify this as
two distinct bugs, not six, as two of the bugs are conditionally
compiled in only if two others are not.  The first two occur in the
file nanoftp.c, lines 1110-1120, in the function xmlNanoFTPConnect().
 The function getaddrinfo() is called to resolve a hostname, the
returned info is then copied into a heap buffer in a call to memcpy().
 The copy length is taken from the DNS reply, rather than using the
size of the destination structure.  The second set occur in
nanohttp.c, lines 1070-1080, in the function xmlNanoHTTPConnectHost().
 Data from getaddrinfo() is again copied incorrectly, this time into a
local stack buffer.  The third set of overflows occurs in nanohttp.c,
lines 1145-1155, in the function xmlNanoHTTPConnectHost().  This time,
gethostbyname() is called, and data is again memcpy()'d into a local
stack buffer using the DNS length instead of destination structure size.
Comment 1 Josh Bressers 2004-10-26 22:10:50 EDT
We'll want to make sure this fix makes it into FC3.
Comment 2 Daniel Veillard 2004-10-27 05:03:03 EDT
Hum, I wanted to make a new release of libxml2/libxslt at the
end of the week, I have a lot of stuff fixed in CVS, I doubt
this can go in FC3...

Daniel
Comment 4 Daniel Veillard 2004-10-28 10:47:24 EDT
libxml2-2.6.15-2 has been pushed as a FC2 security errata
libxml2-2.6.14-2 with just the fixes was released to rawhide for FC3

  So I think this issue is closed now,

  thanks,

Daniel

Note You need to log in before you can comment on or make changes to this bug.