Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>.
(Sun, 13 Dec 2009 04:09:39 GMT)
From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2009-3560 and CVE-2009-3720 denial-of-services
Date: Sat, 12 Dec 2009 22:53:07 -0500
package: libparagui1.1
severity: serious
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for expat. I have determined that this package embeds a
vulnerable copy of xmlparse.c and xmltok_impl.c. However, since this is
a mass bug filing (due to so many packages embedding expat), I have
not had time to determine whether the vulnerable code is actually
present in any of the binary packages derived from this source package.
Please determine whether this is the case. If the binary packages are
not affected, please feel free to close the bug with a message
containing the details of what you did to check.
CVE-2009-3560[0]:
| The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
| as used in the XML-Twig module for Perl, allows context-dependent
| attackers to cause a denial of service (application crash) via an XML
| document with malformed UTF-8 sequences that trigger a buffer
| over-read, related to the doProlog function in lib/xmlparse.c, a
| different vulnerability than CVE-2009-2625 and CVE-2009-3720.
CVE-2009-3720[1]:
| The updatePosition function in lib/xmltok_impl.c in libexpat in Expat
| 2.0.1, as used in Python, PyXML, w3c-libwww, and other software,
| allows context-dependent attackers to cause a denial of service
| (application crash) via an XML document with crafted UTF-8 sequences
| that trigger a buffer over-read, a different vulnerability than
| CVE-2009-2625.
These issues also affect old versions of expat, so this package in etch
and lenny is very likely affected. This is a low-severity security
issue, so DSAs will not be issued to correct these problems. However,
you can optionally submit a proposed-update to the release team for
inclusion in the next stable point releases. If you plan to do this,
please open new bugs and include the security tag so we are aware that
you are working on that.
For further information see [0],[1],[2],[3]. In particular, [2] and [3]
are links to the patches for CVE-2009-3560 and CVE-2009-3720
respectively. Note that the ideal solution would be to make use of the
system expat so only one package will need to be updated for future
security issues. Preferably in your update to unstable, alter your
package to make use of the system expat.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
    http://security-tracker.debian.org/tracker/CVE-2009-3560
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
    http://security-tracker.debian.org/tracker/CVE-2009-3720
[2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
[3] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>: Bug#560934; Package libparagui1.1.
(Sun, 13 Dec 2009 15:33:43 GMT)
Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>.
(Sun, 13 Dec 2009 15:33:43 GMT)
Hi all,
In order to guarantee that the system expat is used, the
'--with-expat=sys' configure argument must be used. If you think
your package is already using the system expat, or if you are updating
your package to use the system expat, please check to make sure that
this option is being used. Thanks.
Mike
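An added example (not part of this bug report, and not paragui's own build tooling) that automates the two checks raised above: the original request to determine whether the embedded xmlparse.c / xmltok_impl.c actually ends up compiled into the binary packages, and the follow-up about passing '--with-expat=sys' to configure. It targets Python 3 and the nm tool from binutils. The nm output embedded in it is constructed sample data, and the PG_XMLParser_parse symbol is invented for illustration; the XML_* names are real expat API entry points. The configure-flag check only applies to packages whose configure script actually offers that option, which the thread notes is not universal, so the symbol-table check is the one that works for every package.

```python
"""Does a package really use the system expat, or its embedded copy?

Two checks: (1) source-level: are expat source files present in the tree,
and does the build pass --with-expat=sys; (2) binary-level: does a built
ELF object define the expat API itself (embedded copy compiled in) or
import it (resolved from the system libexpat at run time).
"""
import os
import re
import shutil
import subprocess

# Files the bug report names as the embedded copy; xmltok.c is included
# because CVE-2009-3560 is in big2_toUtf8 in lib/xmltok.c.
EMBEDDED_EXPAT_FILES = ("xmlparse.c", "xmltok_impl.c", "xmltok.c")

# Public expat entry points; any real consumer references at least one.
EXPAT_API = ("XML_ParserCreate", "XML_ParserCreateNS", "XML_Parse",
             "XML_ParserFree", "XML_ExpatVersion")


def find_embedded_expat(src_root):
    """Return paths (relative to src_root) of expat source files found."""
    hits = []
    for dirpath, _dirs, files in os.walk(src_root):
        for name in files:
            if name in EMBEDDED_EXPAT_FILES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), src_root))
    return sorted(hits)


def configured_for_system_expat(rules_text):
    """True if the build text (e.g. debian/rules) passes --with-expat=sys."""
    # Tolerate '--with-expat sys' and quoting differences around the value.
    return re.search(r"--with-expat[= ]+['\"]?sys\b", rules_text) is not None


def classify_expat_symbols(nm_output):
    """Classify 'nm -D' output as 'embedded', 'system', 'mixed' or 'none'.

    nm -D prints one dynamic symbol per line: '<addr> <type> <name>'.
    Type 'U' means the symbol is imported (undefined here, resolved from a
    shared library); 'T'/'t'/'W' means this object defines it itself.
    """
    defined, imported = set(), set()
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        sym_type, name = parts[-2], parts[-1]
        # Strip symbol versioning, e.g. XML_Parse@@LIBEXPAT_1 -> XML_Parse
        name = name.split("@")[0]
        if name not in EXPAT_API:
            continue
        if sym_type == "U":
            imported.add(name)
        elif sym_type in ("T", "t", "W"):
            defined.add(name)
    if defined and imported:
        return "mixed"
    if defined:
        return "embedded"
    if imported:
        return "system"
    return "none"


def classify_binary(path):
    """Run 'nm -D' on a built ELF file (needs binutils) and classify it."""
    if shutil.which("nm") is None:
        raise RuntimeError("nm (binutils) not found")
    out = subprocess.run(["nm", "-D", path], check=True,
                         capture_output=True, text=True).stdout
    return classify_expat_symbols(out)


# Constructed sample nm -D output: a library that imports expat from the
# system libexpat.  PG_XMLParser_parse is an invented consumer symbol.
SAMPLE_SYSTEM_NM = """\
                 U XML_ParserCreate
                 U XML_Parse
                 U XML_ParserFree
0000000000004a20 T PG_XMLParser_parse
"""

# Constructed sample: a library that compiled in and exports the embedded copy.
SAMPLE_EMBEDDED_NM = """\
0000000000012340 T XML_ParserCreate
0000000000013a00 T XML_Parse
0000000000014100 T XML_ParserFree
                 U memcpy
"""

if __name__ == "__main__":
    print(classify_expat_symbols(SAMPLE_SYSTEM_NM))     # system
    print(classify_expat_symbols(SAMPLE_EMBEDDED_NM))   # embedded
    print(configured_for_system_expat("./configure --prefix=/usr --with-expat=sys"))
```

To check a real package, run classify_binary() on each shared object or executable shipped in the binary packages: a 'T' definition of XML_Parse means the embedded copy was compiled in and the package needs the fixes from [2] and [3]; a 'U' import means the code resolves against the system libexpat at run time, and the package only needs the expat package itself to be updated. A 'none' result on every object of a package that does carry the source files means the embedded copy is dead code as far as the shipped binaries are concerned.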
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>: Bug#560934; Package libparagui1.1.
(Sun, 13 Dec 2009 16:27:55 GMT)
Acknowledgement sent
to Matthias Klose <doko@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>.
(Sun, 13 Dec 2009 16:27:55 GMT)
On 13.12.2009 16:29, Michael Gilbert wrote:
> Hi all,
>
> In order to guarantee that the system expat is used, the
> '--with-expat=sys' configure argument must be used. If you think
> your package is already using the system expat, or if you are updating
> your package to use the system expat, please check to make sure that
> this option is being used. Thanks.
there's no such option for python, which uses a modified copy of expat.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>: Bug#560934; Package libparagui1.1.
(Mon, 14 Dec 2009 07:57:46 GMT)
Acknowledgement sent
to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>.
(Mon, 14 Dec 2009 07:57:46 GMT)
On Sun, Dec 13, 2009 at 05:21:26PM +0100, Matthias Klose wrote:
> On 13.12.2009 16:29, Michael Gilbert wrote:
> >Hi all,
> >
> >In order to guarantee that the system expat is used, the
> >'--with-expat=sys' configure argument must be used. If you think
> >your package is already using the system expat, or if you are updating
> >your package to use the system expat, please check to make sure that
> >this option is being used. Thanks.
>
> there's no such option for python, which uses a modified copy of expat.
Likewise with mozilla, which uses a heavily modified copy of expat.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>: Bug#560934; Package libparagui1.1.
(Mon, 14 Dec 2009 12:15:43 GMT)
Acknowledgement sent
to Ove Kaaven <ovek@arcticnet.no>:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>.
(Mon, 14 Dec 2009 12:15:43 GMT)
Mike Hommey wrote:
> On Sun, Dec 13, 2009 at 05:21:26PM +0100, Matthias Klose wrote:
>> On 13.12.2009 16:29, Michael Gilbert wrote:
>>> Hi all,
>>>
>>> In order to guarantee that the system expat is used, the
>>> '--with-expat=sys' configure argument must be used. If you think
>>> your package is already using the system expat, or if you are updating
>>> your package to use the system expat, please check to make sure that
>>> this option is being used. Thanks.
>> there's no such option for python, which uses a modified copy of expat.
>
> Likewise with mozilla, which uses a heavily modified copy of expat.
And I think the xml parser in simgear was ripped from some version of
mozilla. (Of course, I wouldn't consider a security flaw in a flight
simulator library as critical as one in an actual web browser or
anything, so I'm not sure how much I need to worry...)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>: Bug#560934; Package libparagui1.1.
(Mon, 04 Jan 2010 09:33:13 GMT)
Acknowledgement sent
to Daniel Leidert <daniel.leidert@wgdd.de>:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>.
(Mon, 04 Jan 2010 09:33:13 GMT)
Reply sent
to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility.
(Tue, 05 Jan 2010 22:33:23 GMT)
Notification sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer.
(Tue, 05 Jan 2010 22:33:24 GMT)
Subject: Re: CVE-2009-3560 and CVE-2009-3720 denial-of-services
Date: Tue, 5 Jan 2010 23:26:48 +0100
Michael Gilbert wrote:
> package: libparagui1.1
> severity: serious
> tags: security
>
> Hi,
>
> The following CVE (Common Vulnerabilities & Exposures) ids were
> published for expat. I have determined that this package embeds a
> vulnerable copy of xmlparse.c and xmltok_impl.c. However, since this is
> a mass bug filing (due to so many packages embedding expat), I have
> not had time to determine whether the vulnerable code is actually
> present in any of the binary packages derived from this source package.
> Please determine whether this is the case. If the binary packages are
> not affected, please feel free to close the bug with a message
> containing the details of what you did to check.
Paragui uses the system copy of expat.
Cheers,
Moritz
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 03 Feb 2010 07:33:56 GMT)