This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 531697 - (CVE-2009-3720) CVE-2009-3720 expat: buffer over-read and crash on XML with malformed UTF-8 sequences
CVE-2009-3720 expat: buffer over-read and crash on XML with malformed UTF-8 s...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20090117,repor...
: Security
: 801636 (view as bug list)
Depends On: 531706 531707 531708 531710 531711 531850 531851 531852 531854 532114 532115 532903 556778 557829 557837 652502 691934 691935 691936 691937 691938 691939 693954 693955 693956 812253 982566
Blocks: 801654
  Show dependency treegraph
 
Reported: 2009-10-29 04:31 EDT by Tomas Hoger
Modified: 2015-11-02 07:47 EST (History)
38 users (show)

See Also:
Fixed In Version: expat 2.1.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-22 03:43:46 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
pythontest1.xml test case (3 bytes, text/plain)
2009-10-29 04:32 EDT, Tomas Hoger
no flags Details
pythontest2.xml test case (25 bytes, text/plain)
2009-10-29 04:33 EDT, Tomas Hoger
no flags Details

  None (edit)
Description Tomas Hoger 2009-10-29 04:31:08 EDT
Peter Valchev discovered a flaw in the way expat handled malformed UTF-8 sequences when processing XML files.  Incorrect UTF-8 sequenced could cause expat to fail to properly detect end of input and continue reading behind the end of input buffer.  This results in a crash once reading reaches unmapped memory.

Non-public upstream bug report:
http://sourceforge.net/tracker/?func=detail&aid=1990430&group_id=10127&atid=110127

Contents of the report leaked via expat-bugs mailing list posts:
http://mail.python.org/pipermail/expat-bugs/2009-January/002781.html

Upstream patch:
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551936
https://bugs.gentoo.org/show_bug.cgi?id=280615
Comment 1 Tomas Hoger 2009-10-29 04:32:51 EDT
Created attachment 366572 [details]
pythontest1.xml test case

Source: https://bugs.gentoo.org/show_bug.cgi?id=280615#c4
Comment 2 Tomas Hoger 2009-10-29 04:33:34 EDT
Created attachment 366573 [details]
pythontest2.xml test case

Source: https://bugs.gentoo.org/show_bug.cgi?id=280615#c5
Comment 3 Tomas Hoger 2009-10-29 04:43:56 EDT
Similar problem was found in xerces-j2, an XML parses used in Java JREs / JDKs. Issue was tracked as CVE-2009-2625 (bug #512921) and that CVE was also (incorrectly) used to refer to this similar flaw in expat.
Comment 4 Tomas Hoger 2009-10-29 04:45:28 EDT
Python SVN commit with test cases from comment #1 and comment #2, fixing expat copy embedded in python sources:
  http://svn.python.org/view?view=rev&revision=74429
Comment 12 Jan Lieskovsky 2009-10-29 13:33:02 EDT
This issue does NOT affect the version of the PyXML package, as shipped
with Red Hat Enterprise Linux 3.

This issue affects the versions of the PyXML package, as shipped
with Red Hat Enterprise Linux 4 and 5.

--

This issue affects the versions of the PyXML package, as shipped
with Fedora releases of 10 and 11, and as scheduled to appear
in Fedora release of 12.

Please fix.
Comment 14 Fedora Update System 2009-10-30 10:50:46 EDT
PyXML-0.8.4-11.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/PyXML-0.8.4-11.fc10
Comment 15 Fedora Update System 2009-10-30 11:54:40 EDT
PyXML-0.8.4-15.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/PyXML-0.8.4-15.fc11
Comment 20 Jan Lieskovsky 2009-10-30 13:41:11 EDT
This issue does NOT affect the version of the 4Suite package, as
shipped with Red Hat Enterprise Linux 3.

This issue affects the version of the 4Suite package, as shipped
with Red Hat Enterprise Linux 4.

--

This issue affects the versions of the python-4Suite-XML package,
as shipped with Fedora releases of 10, 11 and as scheduled to
be included into Fedora release of 12.

Please fix.
Comment 23 Fedora Update System 2009-11-02 09:50:05 EST
PyXML-0.8.4-16.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/PyXML-0.8.4-16.fc11
Comment 24 Fedora Update System 2009-11-02 15:04:52 EST
expat-2.0.1-6.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/expat-2.0.1-6.fc11.1
Comment 25 Fedora Update System 2009-11-02 15:15:06 EST
expat-2.0.1-6.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/expat-2.0.1-6.fc11.1
Comment 27 Fedora Update System 2009-11-03 10:04:32 EST
python-4Suite-XML-1.0.2-8.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/python-4Suite-XML-1.0.2-8.fc11
Comment 28 Fedora Update System 2009-11-03 10:05:22 EST
python-4Suite-XML-1.0.2-8.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/python-4Suite-XML-1.0.2-8.fc10
Comment 32 Fedora Update System 2009-11-04 07:18:12 EST
PyXML-0.8.4-12.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 33 Fedora Update System 2009-11-04 07:20:00 EST
python-4Suite-XML-1.0.2-8.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 34 Fedora Update System 2009-11-04 07:28:16 EST
python-4Suite-XML-1.0.2-8.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 35 Fedora Update System 2009-11-04 07:31:36 EST
expat-2.0.1-6.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 36 Fedora Update System 2009-11-04 07:40:48 EST
expat-2.0.1-5.fc10.1 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 37 Fedora Update System 2009-11-04 07:41:02 EST
PyXML-0.8.4-16.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 41 Miroslav Vadkerti 2009-11-10 06:35:08 EST
Added RHTS test:
/CoreOS/4Suite/Security/CVE-2009-9024-expat-buffer-over-read-and-crash-on-XML
Comment 42 errata-xmlrpc 2009-11-10 14:47:45 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4

Via RHSA-2009:1572 https://rhn.redhat.com/errata/RHSA-2009-1572.html
Comment 43 Fedora Update System 2009-12-03 08:58:33 EST
expat-2.0.1-8.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/expat-2.0.1-8.fc12
Comment 44 Fedora Update System 2009-12-04 19:06:04 EST
expat-2.0.1-8.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 45 errata-xmlrpc 2009-12-07 14:10:59 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 3

Via RHSA-2009:1625 https://rhn.redhat.com/errata/RHSA-2009-1625.html
Comment 47 errata-xmlrpc 2010-01-04 13:03:28 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0002 https://rhn.redhat.com/errata/RHSA-2010-0002.html
Comment 49 Vincent Danen 2010-01-22 12:11:13 EST
This issue also affects Fedora's python due this little lovely in the .spec file (since Fedora 8):

# python's build is stupid and doesn't fail if extensions fail to build
# let's list a few that we care about...
for so in _bsddb.so _ctypes.so _cursesmodule.so _elementtree.so _sqlite3.so _ssl.so readline.so _hashlib.so zlibmodule.so bz2.so pyexpat.so; do
    if [ ! -f $RPM_BUILD_ROOT/%{_libdir}/python%{pybasever}/lib-dynload/$so ]; then
       echo "Missing $so!!!"
       exit 1
    fi
done


Reproduced this issue on Fedora 12 with the following gdb output:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff1040cf0 in ?? () from /usr/lib64/python2.6/lib-dynload/pyexpat.so
(gdb) bt
#0  0x00007ffff1040cf0 in ?? () from /usr/lib64/python2.6/lib-dynload/pyexpat.so
#1  0x00007ffff1029ad0 in PyExpat_XML_GetCurrentLineNumber () from /usr/lib64/python2.6/lib-dynload/pyexpat.so

comment #4 indicates this was fixed upstream; we need to correct this (and CVE-2009-3560) in Fedora.

For whatever reason, the same pyexpat.so module is built on RHEL5 and earlier, but without this loop in the spec (and whether as a by-product of the build, I'm not sure) is definitely linked against the system expat as shown when removing expat from a RHEL5 system and trying to run the reproducer, I get "ImportError: libexpat.so.0: cannot open shared object file".
Comment 56 Vincent Danen 2010-03-04 10:35:41 EST
Python contains its own copy of expat, which makes it vulnerable to this issue in Red Hat Enterprise Linux (RHEL) 4 and above.  However, the vulnerability in python is masked due to PyXML (which has been updated); when PyXML is installed, python will use its expat rather than its own internal expat (i.e. /usr/lib/python2.x/lib-dynload/pyexpat.so).

Technically, PyXML should always be installed and when it is, python is not vulnerable to this issue.  If PyXML gets removed from the system, then python is using its own expat and then becomes vulnerable to the issue.

PyXML is a dependency for 4Suite and system-config-printer on RHEL4, and system-config-printer-libs on RHEL5.

On Red Hat Enterprise Linux 3, python is linked against the system expat and is not vulnerable to this issue, even if PyXML is removed.
Comment 57 Silvio Cesare 2010-11-11 22:49:03 EST
Expat is embedded in a number of other packages:

Affects libtlen where a bug has been filed https://bugzilla.redhat.com/show_bug.cgi?id=652502

Also affects and currently unreported:
  udinits2
  nodeupdown-backend-ganglia
  mcabber
  centerim

I will file additional bug reports for these.
Comment 58 Vincent Danen 2011-03-29 17:58:53 EDT
Further investigation shows the following Fedora packages are affected by this flaw (using embedded expat):

SimGear: SimGear-2.0.0/simgear/xml/xmltok_impl.c
torcs: torcs-1.3.1/src/libs/txml/xmltok_impl.c
centerim: centerim-4.22.9/libjabber/xmltok_impl_c.h
tla: tla-1.3.5/src/expat/lib/xmltok_impl.c
sitecopy: sitecopy-0.16.6/lib/expat/xmltok/xmltok_impl.c

I do not know if they are all in a position to be exploited or not, but they do all use embedded expat and have the vulnerable file/function in question.

Ideally, these should be updated to use the system expat wherever possible, and patched otherwise.  Tracking bugs to follow.
Comment 59 Vincent Danen 2011-03-29 18:00:16 EDT
Created torcs tracking bugs for this issue

Affects: fedora-all [bug 691935]
Comment 60 Vincent Danen 2011-03-29 18:00:23 EDT
Created tla tracking bugs for this issue

Affects: fedora-all [bug 691938]
Comment 61 Vincent Danen 2011-03-29 18:00:28 EDT
Created centerim tracking bugs for this issue

Affects: fedora-all [bug 691936]
Affects: epel-all [bug 691937]
Comment 62 Vincent Danen 2011-03-29 18:00:32 EDT
Created sitecopy tracking bugs for this issue

Affects: fedora-all [bug 691939]
Comment 63 Vincent Danen 2011-03-29 18:00:36 EDT
Created SimGear tracking bugs for this issue

Affects: fedora-all [bug 691934]
Comment 70 errata-xmlrpc 2011-05-05 14:20:37 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0492 https://rhn.redhat.com/errata/RHSA-2011-0492.html
Comment 71 errata-xmlrpc 2011-05-05 14:56:31 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:0491 https://rhn.redhat.com/errata/RHSA-2011-0491.html
Comment 72 Vincent Danen 2011-06-17 15:29:06 EDT
Fedora uses the system expat in in python-2.6.2-6 on F12; higher versions are not vulnerable.  With python3, Fedora uses the system expat as well.
Comment 73 errata-xmlrpc 2011-06-22 19:16:33 EDT
This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0

Via RHSA-2011:0896 https://rhn.redhat.com/errata/RHSA-2011-0896.html
Comment 74 Kurt Seifried 2012-03-08 23:41:40 EST
*** Bug 801636 has been marked as a duplicate of this bug. ***
Comment 75 Jan Lieskovsky 2013-07-09 06:07:14 EDT
Created compat-expat1 tracking bugs for this issue:

Affects: fedora-all [bug 982563]

Note You need to log in before you can comment on or make changes to this bug.