Bug 533174 (CVE-2009-3560) - CVE-2009-3560 expat: buffer over-read and crash in big2_toUtf8() on XML with malformed UTF-8 sequences
Summary: CVE-2009-3560 expat: buffer over-read and crash in big2_toUtf8() on XML with ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-3560
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 531706 531707 531708 531710 531711 556778 557829 557837 812253 982566
Blocks: 801654
TreeView+ depends on / blocked
 
Reported: 2009-11-05 13:56 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:33 UTC (History)
14 users (show)

Fixed In Version: expat 2.1.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-22 07:47:00 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1625 0 normal SHIPPED_LIVE Moderate: expat security update 2009-12-07 19:08:01 UTC
Red Hat Product Errata RHSA-2011:0896 0 normal SHIPPED_LIVE Moderate: JBoss Enterprise Web Server 1.0.2 update 2011-06-22 23:16:28 UTC

Description Jan Lieskovsky 2009-11-05 13:56:40 UTC
The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1 allows context-dependent attackers to cause a denial of service (application crash)
via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.

Comment 15 Jan Lieskovsky 2009-11-27 14:23:47 UTC
Upstream patch (needs further testing):
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165

Comment 19 Fedora Update System 2009-12-03 13:58:27 UTC
expat-2.0.1-8.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/expat-2.0.1-8.fc12

Comment 20 Fedora Update System 2009-12-03 14:01:25 UTC
expat-2.0.1-8.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/expat-2.0.1-8.fc11

Comment 21 Fedora Update System 2009-12-03 14:02:08 UTC
expat-2.0.1-8.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/expat-2.0.1-8.fc10

Comment 22 Fedora Update System 2009-12-04 23:57:05 UTC
expat-2.0.1-8.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2009-12-05 00:02:41 UTC
expat-2.0.1-8.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2009-12-05 00:05:58 UTC
expat-2.0.1-8.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 errata-xmlrpc 2009-12-07 19:11:03 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 3

Via RHSA-2009:1625 https://rhn.redhat.com/errata/RHSA-2009-1625.html

Comment 26 Josh Bressers 2010-01-11 16:13:47 UTC
It seems this bug causes a regression:
https://bugzilla.novell.com/show_bug.cgi?id=566434

If this causes issues for us, the patch can be found here:
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#rev1.165

Comment 27 lindahl 2010-01-12 01:42:29 UTC
We have observed that this new library causes test failures for the CPAN module XML::Parser, so it'd be nice if you fixed it.

Comment 28 lindahl 2010-01-15 22:04:05 UTC
Hello? In case my last comment wasn't clear: Yes, we have observed the regression; the tests for the CPAN module XML::Parser fail with the updated expat. Please fix the regression.

Comment 29 Joe Orton 2010-01-18 10:49:01 UTC
Thanks for the report.  I've filed bug 556415 to track the regression.

Comment 41 Vincent Danen 2011-06-17 19:28:32 UTC
Fedora uses the system expat in in python-2.6.2-6 on F12; higher versions are not vulnerable.  With python3, Fedora uses the system expat as well.

Comment 42 errata-xmlrpc 2011-06-22 23:16:42 UTC
This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0

Via RHSA-2011:0896 https://rhn.redhat.com/errata/RHSA-2011-0896.html

Comment 43 Jan Lieskovsky 2013-07-09 10:06:21 UTC
Created compat-expat1 tracking bugs for this issue:

Affects: fedora-all [bug 982563]

Comment 46 Tomas Hoger 2014-07-21 21:44:08 UTC
(In reply to Jan Lieskovsky from comment #15)
> Upstream patch (needs further testing):
> http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165

The final upstream patch:
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.166

Upstream bug report:
http://sourceforge.net/p/expat/bugs/2894085/

First fixed upstream in version 2.1.0:
http://sourceforge.net/projects/expat/files/expat/2.1.0/

Comment 47 Tomas Hoger 2014-07-21 21:48:50 UTC
Note: This problem only affected applications that set Default Handler for the expat XML parser.


Note You need to log in before you can comment on or make changes to this bug.