Bug 470466 (CVE-2008-4226) - CVE-2008-4226 libxml2: integer overflow leading to memory corruption in xmlSAX2Characters
Summary: CVE-2008-4226 libxml2: integer overflow leading to memory corruption in xmlS...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-4226
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 470469 470470 470472 470473 470474 470475
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-11-07 11:03 UTC by Jan Lieskovsky
Modified: 2023-05-11 13:16 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-11-26 08:07:38 UTC
Embargoed:

Attachments (Terms of Use)
Proposed patch from Drew Yao (821 bytes, patch)
2008-11-07 11:03 UTC, Jan Lieskovsky 		no flags Details | Diff
Modified patch from Drew to consider condition, when SIZE_T_MAX isn't defined in limits.h (1.08 KB, patch)
2008-11-07 11:16 UTC, Jan Lieskovsky 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0988 0 normal SHIPPED_LIVE Important: libxml2 security update 2008-11-17 16:23:22 UTC

Description Jan Lieskovsky 2008-11-07 11:03:20 UTC 
Created attachment 322841 [details]
Proposed patch from Drew Yao

Description of problem:

Drew Yao from Apple Product Security has reported integer overflow leading
to memory corruption present in the xmlSAX2Characters() function in the
libxml2 library. User could trigger this flaw by providing very large
XML file for parsing to the XML parsing library, which would corrupt the
memory and might potentially allow arbitrary code execution.

Proposed patch: See attachment.

Acknowledgements:

Red Hat would like to thank Drew Yao of the Apple Product Security team for
reporting this issue.
Comment 3 Jan Lieskovsky 2008-11-07 11:16:35 UTC 
Created attachment 322844 [details]
Modified patch from Drew to consider condition, when SIZE_T_MAX isn't defined in limits.h
Comment 4 Jan Lieskovsky 2008-11-07 11:21:57 UTC 
This issue affects all versions of the libxml2 package, as shipped with
Red Hat Enterprise Linux 2.1 and 3 (the relevant part of code is in SAX.c,
the "characters()" function) and Red Hat Enterprise Linux 4 and 5 
(the relevant part of code is in SAX2.c, function xmlSAX2Characters()). 

This issue affects all versions of the libxml2 package, as shipped with
Fedora release of 8, 9 and 10.
Comment 7 Daniel Veillard 2008-11-12 15:45:04 UTC 
Okay, I confirm the patch is correct and the way to define SIZE_T_MAX
is probably the most correct/portable possible. BTW SIZE_T_MAX seems to be
Apple/BSD specific, it doesn't look like of the standard C library
(or at least not present in older versions).

Daniel
Comment 9 Josh Bressers 2008-11-17 15:50:36 UTC 
Lifting embargo
Comment 10 Fedora Update System 2008-11-17 16:55:58 UTC 
libxml2-2.7.2-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/libxml2-2.7.2-2.fc9
Comment 11 Fedora Update System 2008-11-17 16:57:02 UTC 
libxml2-2.7.2-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/libxml2-2.7.2-2.fc10
Comment 12 Fedora Update System 2008-11-19 14:50:59 UTC 
libxml2-2.7.2-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2008-11-19 14:55:36 UTC 
libxml2-2.7.2-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2008-11-22 16:50:42 UTC 
libxml2-2.7.2-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Red Hat Product Security 2008-11-26 08:07:38 UTC 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0988.html

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9729
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9773
  https://admin.fedoraproject.org/updates/f10/FEDORA-2008-10038
Note You need to log in before you can comment on or make changes to this bug.