Bug 470466 - (CVE-2008-4226) CVE-2008-4226 libxml2: integer overflow leading to memory corruption in xmlSAX2Characters
CVE-2008-4226 libxml2: integer overflow leading to memory corruption in xmlS...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
reported=20081103,public=20081117,sou...
: Security
Depends On: 470469 470470 470472 470473 470474 470475
Blocks:
  Show dependency treegraph
 
Reported: 2008-11-07 06:03 EST by Jan Lieskovsky
Modified: 2016-03-04 05:59 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-26 03:07:38 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Proposed patch from Drew Yao (821 bytes, patch)
2008-11-07 06:03 EST, Jan Lieskovsky
no flags Details | Diff
Modified patch from Drew to consider condition, when SIZE_T_MAX isn't defined in limits.h (1.08 KB, patch)
2008-11-07 06:16 EST, Jan Lieskovsky
no flags Details | Diff

  None (edit)
Description Jan Lieskovsky 2008-11-07 06:03:20 EST
Created attachment 322841 [details]
Proposed patch from Drew Yao

Description of problem:

Drew Yao from Apple Product Security has reported integer overflow leading
to memory corruption present in the xmlSAX2Characters() function in the
libxml2 library. User could trigger this flaw by providing very large
XML file for parsing to the XML parsing library, which would corrupt the
memory and might potentially allow arbitrary code execution.

Proposed patch: See attachment.

Acknowledgements:

Red Hat would like to thank Drew Yao of the Apple Product Security team for
reporting this issue.
Comment 3 Jan Lieskovsky 2008-11-07 06:16:35 EST
Created attachment 322844 [details]
Modified patch from Drew to consider condition, when SIZE_T_MAX isn't defined in limits.h
Comment 4 Jan Lieskovsky 2008-11-07 06:21:57 EST
This issue affects all versions of the libxml2 package, as shipped with
Red Hat Enterprise Linux 2.1 and 3 (the relevant part of code is in SAX.c,
the "characters()" function) and Red Hat Enterprise Linux 4 and 5 
(the relevant part of code is in SAX2.c, function xmlSAX2Characters()). 

This issue affects all versions of the libxml2 package, as shipped with
Fedora release of 8, 9 and 10.
Comment 7 Daniel Veillard 2008-11-12 10:45:04 EST
Okay, I confirm the patch is correct and the way to define SIZE_T_MAX
is probably the most correct/portable possible. BTW SIZE_T_MAX seems to be
Apple/BSD specific, it doesn't look like of the standard C library
(or at least not present in older versions).

Daniel
Comment 9 Josh Bressers 2008-11-17 10:50:36 EST
Lifting embargo
Comment 10 Fedora Update System 2008-11-17 11:55:58 EST
libxml2-2.7.2-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/libxml2-2.7.2-2.fc9
Comment 11 Fedora Update System 2008-11-17 11:57:02 EST
libxml2-2.7.2-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/libxml2-2.7.2-2.fc10
Comment 12 Fedora Update System 2008-11-19 09:50:59 EST
libxml2-2.7.2-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2008-11-19 09:55:36 EST
libxml2-2.7.2-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2008-11-22 11:50:42 EST
libxml2-2.7.2-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.