Peter Valchev discovered a flaw in the way expat handled malformed UTF-8 sequences when processing XML files. Incorrect UTF-8 sequenced could cause expat to fail to properly detect end of input and continue reading behind the end of input buffer. This results in a crash once reading reaches unmapped memory. Non-public upstream bug report: http://sourceforge.net/tracker/?func=detail&aid=1990430&group_id=10127&atid=110127 Contents of the report leaked via expat-bugs mailing list posts: http://mail.python.org/pipermail/expat-bugs/2009-January/002781.html Upstream patch: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15 References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551936 https://bugs.gentoo.org/show_bug.cgi?id=280615
Created attachment 366572 [details] pythontest1.xml test case Source: https://bugs.gentoo.org/show_bug.cgi?id=280615#c4
Created attachment 366573 [details] pythontest2.xml test case Source: https://bugs.gentoo.org/show_bug.cgi?id=280615#c5
Similar problem was found in xerces-j2, an XML parses used in Java JREs / JDKs. Issue was tracked as CVE-2009-2625 (bug #512921) and that CVE was also (incorrectly) used to refer to this similar flaw in expat.
Python SVN commit with test cases from comment #1 and comment #2, fixing expat copy embedded in python sources: http://svn.python.org/view?view=rev&revision=74429
This issue does NOT affect the version of the PyXML package, as shipped with Red Hat Enterprise Linux 3. This issue affects the versions of the PyXML package, as shipped with Red Hat Enterprise Linux 4 and 5. -- This issue affects the versions of the PyXML package, as shipped with Fedora releases of 10 and 11, and as scheduled to appear in Fedora release of 12. Please fix.
PyXML-0.8.4-11.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/PyXML-0.8.4-11.fc10
PyXML-0.8.4-15.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/PyXML-0.8.4-15.fc11
This issue does NOT affect the version of the 4Suite package, as shipped with Red Hat Enterprise Linux 3. This issue affects the version of the 4Suite package, as shipped with Red Hat Enterprise Linux 4. -- This issue affects the versions of the python-4Suite-XML package, as shipped with Fedora releases of 10, 11 and as scheduled to be included into Fedora release of 12. Please fix.
PyXML-0.8.4-16.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/PyXML-0.8.4-16.fc11
expat-2.0.1-6.fc11.1 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/expat-2.0.1-6.fc11.1
python-4Suite-XML-1.0.2-8.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/python-4Suite-XML-1.0.2-8.fc11
python-4Suite-XML-1.0.2-8.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/python-4Suite-XML-1.0.2-8.fc10
PyXML-0.8.4-12.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
python-4Suite-XML-1.0.2-8.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
python-4Suite-XML-1.0.2-8.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
expat-2.0.1-6.fc11.1 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
expat-2.0.1-5.fc10.1 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
PyXML-0.8.4-16.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
Added RHTS test: /CoreOS/4Suite/Security/CVE-2009-9024-expat-buffer-over-read-and-crash-on-XML
This issue has been addressed in following products: Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Via RHSA-2009:1572 https://rhn.redhat.com/errata/RHSA-2009-1572.html
expat-2.0.1-8.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/expat-2.0.1-8.fc12
expat-2.0.1-8.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Via RHSA-2009:1625 https://rhn.redhat.com/errata/RHSA-2009-1625.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2010:0002 https://rhn.redhat.com/errata/RHSA-2010-0002.html
This issue also affects Fedora's python due this little lovely in the .spec file (since Fedora 8): # python's build is stupid and doesn't fail if extensions fail to build # let's list a few that we care about... for so in _bsddb.so _ctypes.so _cursesmodule.so _elementtree.so _sqlite3.so _ssl.so readline.so _hashlib.so zlibmodule.so bz2.so pyexpat.so; do if [ ! -f $RPM_BUILD_ROOT/%{_libdir}/python%{pybasever}/lib-dynload/$so ]; then echo "Missing $so!!!" exit 1 fi done Reproduced this issue on Fedora 12 with the following gdb output: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff1040cf0 in ?? () from /usr/lib64/python2.6/lib-dynload/pyexpat.so (gdb) bt #0 0x00007ffff1040cf0 in ?? () from /usr/lib64/python2.6/lib-dynload/pyexpat.so #1 0x00007ffff1029ad0 in PyExpat_XML_GetCurrentLineNumber () from /usr/lib64/python2.6/lib-dynload/pyexpat.so comment #4 indicates this was fixed upstream; we need to correct this (and CVE-2009-3560) in Fedora. For whatever reason, the same pyexpat.so module is built on RHEL5 and earlier, but without this loop in the spec (and whether as a by-product of the build, I'm not sure) is definitely linked against the system expat as shown when removing expat from a RHEL5 system and trying to run the reproducer, I get "ImportError: libexpat.so.0: cannot open shared object file".
Python contains its own copy of expat, which makes it vulnerable to this issue in Red Hat Enterprise Linux (RHEL) 4 and above. However, the vulnerability in python is masked due to PyXML (which has been updated); when PyXML is installed, python will use its expat rather than its own internal expat (i.e. /usr/lib/python2.x/lib-dynload/pyexpat.so). Technically, PyXML should always be installed and when it is, python is not vulnerable to this issue. If PyXML gets removed from the system, then python is using its own expat and then becomes vulnerable to the issue. PyXML is a dependency for 4Suite and system-config-printer on RHEL4, and system-config-printer-libs on RHEL5. On Red Hat Enterprise Linux 3, python is linked against the system expat and is not vulnerable to this issue, even if PyXML is removed.
Expat is embedded in a number of other packages: Affects libtlen where a bug has been filed https://bugzilla.redhat.com/show_bug.cgi?id=652502 Also affects and currently unreported: udinits2 nodeupdown-backend-ganglia mcabber centerim I will file additional bug reports for these.
Further investigation shows the following Fedora packages are affected by this flaw (using embedded expat): SimGear: SimGear-2.0.0/simgear/xml/xmltok_impl.c torcs: torcs-1.3.1/src/libs/txml/xmltok_impl.c centerim: centerim-4.22.9/libjabber/xmltok_impl_c.h tla: tla-1.3.5/src/expat/lib/xmltok_impl.c sitecopy: sitecopy-0.16.6/lib/expat/xmltok/xmltok_impl.c I do not know if they are all in a position to be exploited or not, but they do all use embedded expat and have the vulnerable file/function in question. Ideally, these should be updated to use the system expat wherever possible, and patched otherwise. Tracking bugs to follow.
Created torcs tracking bugs for this issue Affects: fedora-all [bug 691935]
Created tla tracking bugs for this issue Affects: fedora-all [bug 691938]
Created centerim tracking bugs for this issue Affects: fedora-all [bug 691936] Affects: epel-all [bug 691937]
Created sitecopy tracking bugs for this issue Affects: fedora-all [bug 691939]
Created SimGear tracking bugs for this issue Affects: fedora-all [bug 691934]
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2011:0492 https://rhn.redhat.com/errata/RHSA-2011-0492.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Via RHSA-2011:0491 https://rhn.redhat.com/errata/RHSA-2011-0491.html
Fedora uses the system expat in in python-2.6.2-6 on F12; higher versions are not vulnerable. With python3, Fedora uses the system expat as well.
This issue has been addressed in following products: JBoss Enterprise Web Server 1.0 Via RHSA-2011:0896 https://rhn.redhat.com/errata/RHSA-2011-0896.html
*** Bug 801636 has been marked as a duplicate of this bug. ***
Created compat-expat1 tracking bugs for this issue: Affects: fedora-all [bug 982563]