Bug 458086 - (CVE-2008-3281) CVE-2008-3281 libxml2 denial of service
CVE-2008-3281 libxml2 denial of service
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 458091 458092 458093 458094 458095 458096 459712 459713 459714
  Show dependency treegraph
Reported: 2008-08-06 09:59 EDT by Red Hat Product Security
Modified: 2013-03-26 14:15 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-03-26 14:15:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Red Hat Product Security 2008-08-06 09:59:19 EDT
Daniel Veillard discovered that a specially crafted document can lead to a
recursive evaluation of entities, the result being an exhaustion of memory
and CPU usage


Red Hat would like to thank Andreas Solberg for responsibly disclosing this
Comment 8 Josh Bressers 2008-08-06 11:13:04 EDT
I was mistaken,
Andreas Solberg is the discoverer of this flaw.
Comment 17 Tomas Hoger 2008-08-20 14:11:23 EDT
Public now via:
Comment 19 Fedora Update System 2008-09-10 02:44:24 EDT
libxml2-2.6.32-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2008-09-10 03:04:15 EDT
libxml2-2.6.32-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Dmitry Butskoy 2008-10-02 12:04:59 EDT
It seems that it introduces some issues with createrepo command
(which uses libxml2-python and libxml2).

Sometimes the changelog entries of packages contain "<" and/or ">" symbols. For example, a fragment of the changelog of "k3b" package:

> * Wed Oct  6 02:00:00 2004 Harald Hoyer <harald@redhat.com> 0:0.11.17-1
> - version 0.11.17
> - revert the dao -> tao change
> - add the suid feature to every app automatically

note the "->" in the line:

> - revert the dao -> tao change

When I create my local repodata ("cd somewhere; createrepo ."), the correspond fragment appears in the "repodata/other.xml.gz" file, in the form of:

> - revert the dao -&gt; tao change

Then, when I update my repodata by "createrepo --update .", I receive an error:

> Scanning old repo data
> Indexed 2997 base nodes
> Indexed 3001 filelist nodes
> /var/ftp/.4/fedora-8/fedora/i386/./repodata/other.xml.gz:118813: parser error : Detected an entity reference loop
> - revert the dao -&gt; tao change
>                       ^
> Traceback (most recent call last):
>   File "/usr/share/createrepo/genpkgmetadata.py", line 722, in <module>
>     main(sys.argv[1:])
>   File "/usr/share/createrepo/genpkgmetadata.py", line 645, in main
>     mdgen.doPkgMetadata(directory)
>   File "/usr/share/createrepo/genpkgmetadata.py", line 161, in doPkgMetadata
>     basefile, flfile, otherfile, opts)
>   File "/usr/share/createrepo/readMetadata.py", line 41, in __init__
>     self.scan()
>   File "/usr/share/createrepo/readMetadata.py", line 64, in scan
>     root = libxml2.parseFile(self.files['other']).getRootElement()
>   File "/usr/lib/python2.5/site-packages/libxml2.py", line 1279, in parseFile
>     if ret is None:raise parserError('xmlParseFile() failed')
> libxml2.parserError: xmlParseFile() failed

IOW, the initial "full" createrepo run seems OK, the subsequent run with "--update" is failed.

Any comments?
Comment 22 Dmitry Butskoy 2008-10-02 12:15:58 EDT
Forget, the latest libxml2-2.7.1 has no such an issue...
Comment 23 Daniel Veillard 2008-10-02 12:24:41 EDT
w.r.t. comment #21 the first fix had that problem, we pushed other updates
using a different fix without that problem later. 2.7.x fixes it too

Comment 24 Vincent Danen 2013-03-26 14:15:22 EDT
This was fixed in RHEL 2.1, 3, 4, and 5 via:


Note You need to log in before you can comment on or make changes to this bug.