Debian Bug report logs - #498768
libxml2: does not correctly handle long entity names (CVE-2008-3529)

version graph

Package: libxml2; Maintainer for libxml2 is Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>; Source for libxml2 is src:libxml2.

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Sat, 13 Sep 2008 04:30:01 UTC

Severity: grave

Tags: security

Found in versions libxml2/2.6.32.dfsg-3, 2.6.27.dfsg-4, libxml2/2.6.27.dfsg-2

Fixed in versions libxml2/2.6.32.dfsg-4, libxml2/2.6.27.dfsg-5

Done: Mike Hommey <glandium@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#498768; Package libxml2. Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxml2: does not correctly handle long entity names (CVE-2008-3529)
Date: Fri, 12 Sep 2008 23:29:03 -0400
Package: libxml2
Version: 2.6.32.dfsg-3
Severity: grave
Tags: security
Justification: user security hole

ubuntu just released a fix for a problem in libxml2 [1].  the issue appears
to currently be reserved [2], but since ubuntu has released a fix, other
distributions need to follow suit soon to limit the window of opportunity 
for attacks.  the description of the problem is

    It was discovered that libxml2 did not correctly handle long entity 
    names.   If a user were tricked into processing a specially crafted XML 
    document, a remote attacker could execute arbitrary code with user 
    privileges or cause the application linked against libxml2 to crash, 
    leading to a denial of service.

this likely affects all releases (stable, testing, and unstable).

thanks for the hard work.

[1] http://lwn.net/Articles/298282/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-etchnhalf.1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libxml2 depends on:
ii  libc6                  2.7-13            GNU C Library: Shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

Versions of packages libxml2 recommends:
ii  xml-core                      0.11       XML infrastructure and XML catalog

libxml2 suggests no packages.

-- no debconf information




Bug marked as found in version 2.6.27.dfsg-4. Request was from "Michael Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sat, 13 Sep 2008 17:54:02 GMT) Full text and rfc822 format available.

Bug marked as found in version 2.6.27.dfsg-2. Request was from "Michael Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sat, 13 Sep 2008 18:09:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#498768; Package libxml2. Full text and rfc822 format available.

Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #14 received at 498768@bugs.debian.org (full text, mbox):

From: Mike Hommey <mh@glandium.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 498768@bugs.debian.org
Subject: Re: [xml/sgml-pkgs] Bug#498768: libxml2: does not correctly handle long entity names (CVE-2008-3529)
Date: Sat, 13 Sep 2008 20:55:06 +0200
[Message part 1 (text/plain, inline)]
On Fri, Sep 12, 2008 at 11:29:03PM -0400, Michael Gilbert wrote:
> Package: libxml2
> Version: 2.6.32.dfsg-3
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> ubuntu just released a fix for a problem in libxml2 [1].  the issue appears
> to currently be reserved [2], but since ubuntu has released a fix, other
> distributions need to follow suit soon to limit the window of opportunity 
> for attacks.  the description of the problem is
> 
>     It was discovered that libxml2 did not correctly handle long entity 
>     names.   If a user were tricked into processing a specially crafted XML 
>     document, a remote attacker could execute arbitrary code with user 
>     privileges or cause the application linked against libxml2 to crash, 
>     leading to a denial of service.
> 
> this likely affects all releases (stable, testing, and unstable).
> 
> thanks for the hard work.
> 
> [1] http://lwn.net/Articles/298282/
> [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529

FWIW, here is the patch.
I'm not very much convinced by the look of it...

Mike
[diff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#498768; Package libxml2. Full text and rfc822 format available.

Acknowledgement sent to Kees Cook <kees@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #19 received at 498768@bugs.debian.org (full text, mbox):

From: Kees Cook <kees@ubuntu.com>
To: 498768@bugs.debian.org
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: ubuntu patch matching upstream
Date: Mon, 15 Sep 2008 08:55:10 -0700
As far as I know, this patch matches the upstream changes for the
problem.  Please see:

https://bugzilla.redhat.com/show_bug.cgi?id=460396

Both backported patches and many test cases are available there.

-Kees

-- 
Kees Cook
Ubuntu Security Team




Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#498768; Package libxml2. (Fri, 19 Sep 2008 19:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Fri, 19 Sep 2008 19:27:03 GMT) Full text and rfc822 format available.

Message #24 received at 498768@bugs.debian.org (full text, mbox):

From: Mike Hommey <mh@glandium.org>
To: Kees Cook <kees@ubuntu.com>, 498768@bugs.debian.org
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: Bug#498768: ubuntu patch matching upstream
Date: Fri, 19 Sep 2008 21:24:30 +0200
On Mon, Sep 15, 2008 at 08:55:10AM -0700, Kees Cook wrote:
> As far as I know, this patch matches the upstream changes for the
> problem.  Please see:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=460396

Actually there are differences between upstream and ubuntu changes:
(a is ubuntu, b is upstream)

diff -u a/parser.c b/parser.c
--- a/parser.c
+++ b/parser.c
@@ -2390,7 +2390,6 @@
  */
 #define growBuffer(buffer) {						\
     xmlChar *tmp;							\
-    buffer##_size += XML_PARSER_BUFFER_SIZE ;				\
     buffer##_size *= 2;							\
     tmp = (xmlChar *)							\
 		xmlRealloc(buffer, buffer##_size * sizeof(xmlChar));	\
@@ -3451,7 +3450,7 @@
 		     * Just output the reference
 		     */
 		    buf[len++] = '&';
-		    while (len > buf_size - i - 10) {
+		    if (len > buf_size - i - 10) {
 			growBuffer(buf);
 		    }
 		    for (;i > 0;i--)
@@ -6476,8 +6475,6 @@
 		    } else if (list != NULL) {
 			xmlFreeNodeList(list);
 			list = NULL;
-		    } else if (ent->owner != 1) {
-			ctxt->nbentities += ent->owner;
 		    }
 		}
 		ent->checked = 1;
@@ -6668,6 +6665,8 @@
 		    ctxt->nodelen = 0;
 		    return;
 		}
+	    } else if (ent->owner != 1) {
+		ctxt->nbentities += ent->owner;
 	    }
 	} else {
 	    val = ent->content;




Reply sent to Mike Hommey <glandium@debian.org>:
You have taken responsibility. (Fri, 19 Sep 2008 23:18:15 GMT) Full text and rfc822 format available.

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Fri, 19 Sep 2008 23:18:15 GMT) Full text and rfc822 format available.

Message #29 received at 498768-close@bugs.debian.org (full text, mbox):

From: Mike Hommey <glandium@debian.org>
To: 498768-close@bugs.debian.org
Subject: Bug#498768: fixed in libxml2 2.6.32.dfsg-4
Date: Fri, 19 Sep 2008 21:17:56 +0000
Source: libxml2
Source-Version: 2.6.32.dfsg-4

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive:

libxml2-dbg_2.6.32.dfsg-4_amd64.deb
  to pool/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-4_amd64.deb
libxml2-dev_2.6.32.dfsg-4_amd64.deb
  to pool/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-4_amd64.deb
libxml2-doc_2.6.32.dfsg-4_all.deb
  to pool/main/libx/libxml2/libxml2-doc_2.6.32.dfsg-4_all.deb
libxml2-utils_2.6.32.dfsg-4_amd64.deb
  to pool/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-4_amd64.deb
libxml2_2.6.32.dfsg-4.diff.gz
  to pool/main/libx/libxml2/libxml2_2.6.32.dfsg-4.diff.gz
libxml2_2.6.32.dfsg-4.dsc
  to pool/main/libx/libxml2/libxml2_2.6.32.dfsg-4.dsc
libxml2_2.6.32.dfsg-4_amd64.deb
  to pool/main/libx/libxml2/libxml2_2.6.32.dfsg-4_amd64.deb
python-libxml2_2.6.32.dfsg-4_amd64.deb
  to pool/main/libx/libxml2/python-libxml2_2.6.32.dfsg-4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 498768@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Hommey <glandium@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 19 Sep 2008 21:26:19 +0200
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2
Architecture: source all amd64
Version: 2.6.32.dfsg-4
Distribution: unstable
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Mike Hommey <glandium@debian.org>
Description: 
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 python-libxml2 - Python bindings for the GNOME XML library
Closes: 498768
Changes: 
 libxml2 (2.6.32.dfsg-4) unstable; urgency=high
 .
   * Fix regressions due to previous security fixes. Fixes: CVE-2008-3529.
     Closes: #498768.
Checksums-Sha1: 
 eaa9ea2045305beae7fd8eb285fb9265c7a036b8 1316 libxml2_2.6.32.dfsg-4.dsc
 0a9256644d814adf4ab673441d3a7d5eabe1f2a0 81344 libxml2_2.6.32.dfsg-4.diff.gz
 2cce8f0057fbbc26877fbe2bd498e86048042643 1341978 libxml2-doc_2.6.32.dfsg-4_all.deb
 a95033c715dff23f94f3978881d7e6e48456f1ea 859946 libxml2_2.6.32.dfsg-4_amd64.deb
 43ebe9193e4961e6a09a3a375016365622493d43 37402 libxml2-utils_2.6.32.dfsg-4_amd64.deb
 13d088684628e029fe03064daf4a5de56aa52bb9 774870 libxml2-dev_2.6.32.dfsg-4_amd64.deb
 1f9d72e0a170ae8d96c667d8bf64937fc6fec083 988610 libxml2-dbg_2.6.32.dfsg-4_amd64.deb
 cba69f0f9e036207a528b0c4faa958117578297d 295346 python-libxml2_2.6.32.dfsg-4_amd64.deb
Checksums-Sha256: 
 912511d3de7d810707f785d0ec5085ed7c3a954e93a83e0dd7d9cd9e1678f748 1316 libxml2_2.6.32.dfsg-4.dsc
 6ab29c7289a7433c671c86bc0af9d19eb5719ea579d97f61b34b6d10fcc79f38 81344 libxml2_2.6.32.dfsg-4.diff.gz
 b5760c3f06ef1d12ff644544bb8acfe65b26237303acf052861b72d0cffb60a6 1341978 libxml2-doc_2.6.32.dfsg-4_all.deb
 63381999b14c3fd408bf16776ddcb7edc4bba41bc00ca31312a66d524461fde1 859946 libxml2_2.6.32.dfsg-4_amd64.deb
 65c33a1782ee2877fa9d2228b27a26ea88857f94ff64b76ae7516e237f04c575 37402 libxml2-utils_2.6.32.dfsg-4_amd64.deb
 781a1d9cbf2d864f496001ed113a07b9867ab014efb4f6e13fbaeb0024528491 774870 libxml2-dev_2.6.32.dfsg-4_amd64.deb
 d4e17c67558e87626950d49510760ad3e134457367fb160cf0f563564aa2adf0 988610 libxml2-dbg_2.6.32.dfsg-4_amd64.deb
 f9798e5fad09cdb2216ad03d983c8ff85cc885f8c842ca6da0b991015437b901 295346 python-libxml2_2.6.32.dfsg-4_amd64.deb
Files: 
 64016cf25d9d841f7bc7a85382e7036b 1316 libs optional libxml2_2.6.32.dfsg-4.dsc
 79ff739e2e7f98fb9524eaf143d35530 81344 libs optional libxml2_2.6.32.dfsg-4.diff.gz
 829888da253c4ce128eb70fcef9094ae 1341978 doc optional libxml2-doc_2.6.32.dfsg-4_all.deb
 92ca46d1e7a47b1206bef14ca61a04c3 859946 libs optional libxml2_2.6.32.dfsg-4_amd64.deb
 0370e904723b3a36d096cdfa9791323e 37402 text optional libxml2-utils_2.6.32.dfsg-4_amd64.deb
 6e69bf924e4993cf1f0cb0eb1917650c 774870 libdevel optional libxml2-dev_2.6.32.dfsg-4_amd64.deb
 4f2409e67361de0f44be20e45ec57707 988610 libdevel extra libxml2-dbg_2.6.32.dfsg-4_amd64.deb
 61c2ba8c54c83ba7ce2f0bb2b6e797fd 295346 python optional python-libxml2_2.6.32.dfsg-4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFI1Adu3kvaLFT9KlgRAgdSAKCQcpUmLTtwp7/t8QXwJgeey7dnmgCfYJ8B
vCgkXmfFlBYObl4REEGT/JM=
=FLXP
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#498768; Package libxml2. (Sat, 20 Sep 2008 03:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kees Cook <kees@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Sat, 20 Sep 2008 03:30:03 GMT) Full text and rfc822 format available.

Message #34 received at 498768@bugs.debian.org (full text, mbox):

From: Kees Cook <kees@ubuntu.com>
To: Mike Hommey <mh@glandium.org>
Cc: 498768@bugs.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: Bug#498768: ubuntu patch matching upstream
Date: Fri, 19 Sep 2008 19:10:14 -0700
Hi,

On Fri, Sep 19, 2008 at 09:24:30PM +0200, Mike Hommey wrote:
> On Mon, Sep 15, 2008 at 08:55:10AM -0700, Kees Cook wrote:
> > As far as I know, this patch matches the upstream changes for the
> > problem.  Please see:
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=460396
> 
> Actually there are differences between upstream and ubuntu changes:
> (a is ubuntu, b is upstream)
> 
> diff -u a/parser.c b/parser.c
> --- a/parser.c
> +++ b/parser.c
> @@ -2390,7 +2390,6 @@
>   */
>  #define growBuffer(buffer) {						\
>      xmlChar *tmp;							\
> -    buffer##_size += XML_PARSER_BUFFER_SIZE ;				\
>      buffer##_size *= 2;							\
>      tmp = (xmlChar *)							\
>  		xmlRealloc(buffer, buffer##_size * sizeof(xmlChar));	\
> @@ -3451,7 +3450,7 @@
>  		     * Just output the reference
>  		     */
>  		    buf[len++] = '&';
> -		    while (len > buf_size - i - 10) {
> +		    if (len > buf_size - i - 10) {
>  			growBuffer(buf);
>  		    }
>  		    for (;i > 0;i--)

The above changes are for CVE-2008-3529.  BTW, would it be possible to
add a patch system to libxml2?  It's much easier to split up the patches
over time, and is nice for anyone doing post-release updates. :)

> @@ -6476,8 +6475,6 @@
>  		    } else if (list != NULL) {
>  			xmlFreeNodeList(list);
>  			list = NULL;
> -		    } else if (ent->owner != 1) {
> -			ctxt->nbentities += ent->owner;
>  		    }
>  		}
>  		ent->checked = 1;
> @@ -6668,6 +6665,8 @@
>  		    ctxt->nodelen = 0;
>  		    return;
>  		}
> +	    } else if (ent->owner != 1) {
> +		ctxt->nbentities += ent->owner;
>  	    }
>  	} else {
>  	    val = ent->content;

Was this just interdiff output?  There were some changes to this area of
code that needed some by-hand backporting, so the versions used to
compare might not end up looking clean.  Or, I could have messed up the
backport, but I put them through a bunch of xml regression tests and
things seemed to be behaving.

-Kees

-- 
Kees Cook
Ubuntu Security Team




Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#498768; Package libxml2. (Sat, 20 Sep 2008 07:42:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Sat, 20 Sep 2008 07:42:04 GMT) Full text and rfc822 format available.

Message #39 received at 498768@bugs.debian.org (full text, mbox):

From: Mike Hommey <mh@glandium.org>
To: Kees Cook <kees@ubuntu.com>
Cc: 498768@bugs.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: Bug#498768: ubuntu patch matching upstream
Date: Sat, 20 Sep 2008 09:06:21 +0200
On Fri, Sep 19, 2008 at 07:10:14PM -0700, Kees Cook wrote:
> Hi,
> 
> On Fri, Sep 19, 2008 at 09:24:30PM +0200, Mike Hommey wrote:
> > On Mon, Sep 15, 2008 at 08:55:10AM -0700, Kees Cook wrote:
> > > As far as I know, this patch matches the upstream changes for the
> > > problem.  Please see:
> > > 
> > > https://bugzilla.redhat.com/show_bug.cgi?id=460396
> > 
> > Actually there are differences between upstream and ubuntu changes:
> > (a is ubuntu, b is upstream)
> > 
> > diff -u a/parser.c b/parser.c
> > --- a/parser.c
> > +++ b/parser.c
> > @@ -2390,7 +2390,6 @@
> >   */
> >  #define growBuffer(buffer) {						\
> >      xmlChar *tmp;							\
> > -    buffer##_size += XML_PARSER_BUFFER_SIZE ;				\
> >      buffer##_size *= 2;							\
> >      tmp = (xmlChar *)							\
> >  		xmlRealloc(buffer, buffer##_size * sizeof(xmlChar));	\
> > @@ -3451,7 +3450,7 @@
> >  		     * Just output the reference
> >  		     */
> >  		    buf[len++] = '&';
> > -		    while (len > buf_size - i - 10) {
> > +		    if (len > buf_size - i - 10) {
> >  			growBuffer(buf);
> >  		    }
> >  		    for (;i > 0;i--)
> 
> The above changes are for CVE-2008-3529.

Certainly not. It's not in upstream patch.

> BTW, would it be possible to
> add a patch system to libxml2?  It's much easier to split up the patches
> over time, and is nice for anyone doing post-release updates. :)

There is a (D)VCS.

> > @@ -6476,8 +6475,6 @@
> >  		    } else if (list != NULL) {
> >  			xmlFreeNodeList(list);
> >  			list = NULL;
> > -		    } else if (ent->owner != 1) {
> > -			ctxt->nbentities += ent->owner;
> >  		    }
> >  		}
> >  		ent->checked = 1;
> > @@ -6668,6 +6665,8 @@
> >  		    ctxt->nodelen = 0;
> >  		    return;
> >  		}
> > +	    } else if (ent->owner != 1) {
> > +		ctxt->nbentities += ent->owner;
> >  	    }
> >  	} else {
> >  	    val = ent->content;
> 
> Was this just interdiff output?  There were some changes to this area of
> code that needed some by-hand backporting, so the versions used to
> compare might not end up looking clean.  Or, I could have messed up the
> backport, but I put them through a bunch of xml regression tests and
> things seemed to be behaving.

There was only 1 conflict when applying upstream patch for RHEL5, and
only because of tabulations/spaces, on my end...

Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#498768; Package libxml2. (Mon, 22 Sep 2008 17:21:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kees Cook <kees@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Mon, 22 Sep 2008 17:21:02 GMT) Full text and rfc822 format available.

Message #44 received at 498768@bugs.debian.org (full text, mbox):

From: Kees Cook <kees@ubuntu.com>
To: Mike Hommey <mh@glandium.org>
Cc: 498768@bugs.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: Bug#498768: ubuntu patch matching upstream
Date: Mon, 22 Sep 2008 10:18:35 -0700
Hi,

On Sat, Sep 20, 2008 at 09:06:21AM +0200, Mike Hommey wrote:
> On Fri, Sep 19, 2008 at 07:10:14PM -0700, Kees Cook wrote:
> > The above changes are for CVE-2008-3529.
> 
> Certainly not. It's not in upstream patch.

This is where I was getting details:
https://bugzilla.redhat.com/show_bug.cgi?id=461015

> > BTW, would it be possible to
> > add a patch system to libxml2?  It's much easier to split up the patches
> > over time, and is nice for anyone doing post-release updates. :)
> 
> There is a (D)VCS.

True, though I prefer in-package patch systems for doing stable updates.

> > > @@ -6476,8 +6475,6 @@
> > >  		    } else if (list != NULL) {
> > >  			xmlFreeNodeList(list);
> > >  			list = NULL;
> > > -		    } else if (ent->owner != 1) {
> > > -			ctxt->nbentities += ent->owner;
> > >  		    }
> > >  		}
> > >  		ent->checked = 1;
> > > @@ -6668,6 +6665,8 @@
> > >  		    ctxt->nodelen = 0;
> > >  		    return;
> > >  		}
> > > +	    } else if (ent->owner != 1) {
> > > +		ctxt->nbentities += ent->owner;
> > >  	    }
> > >  	} else {
> > >  	    val = ent->content;
> > 
> > Was this just interdiff output?  There were some changes to this area of
> > code that needed some by-hand backporting, so the versions used to
> > compare might not end up looking clean.  Or, I could have messed up the
> > backport, but I put them through a bunch of xml regression tests and
> > things seemed to be behaving.
> 
> There was only 1 conflict when applying upstream patch for RHEL5, and
> only because of tabulations/spaces, on my end...

I'm not sure which version of the patch you're quoting, but I had 5
versions to do backports for:

libxml2 | 2.6.32.dfsg-2ubuntu3   | intrepid/main
libxml2 | 2.6.31.dfsg-2ubuntu1.2 | hardy-security/main
libxml2 | 2.6.30.dfsg-2ubuntu1.3 | gutsy-security/main
libxml2 | 2.6.27.dfsg-1ubuntu3.3 | feisty-security/main
libxml2 | 2.6.24.dfsg-1ubuntu1.3 | dapper-security/main

They all tested out fine for me.

-Kees

-- 
Kees Cook
Ubuntu Security Team




Reply sent to Mike Hommey <glandium@debian.org>:
You have taken responsibility. (Tue, 14 Oct 2008 20:03:11 GMT) Full text and rfc822 format available.

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Tue, 14 Oct 2008 20:03:11 GMT) Full text and rfc822 format available.

Message #49 received at 498768-close@bugs.debian.org (full text, mbox):

From: Mike Hommey <glandium@debian.org>
To: 498768-close@bugs.debian.org
Subject: Bug#498768: fixed in libxml2 2.6.27.dfsg-5
Date: Tue, 14 Oct 2008 19:52:39 +0000
Source: libxml2
Source-Version: 2.6.27.dfsg-5

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive:

libxml2-dbg_2.6.27.dfsg-5_amd64.deb
  to pool/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_amd64.deb
libxml2-dev_2.6.27.dfsg-5_amd64.deb
  to pool/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_amd64.deb
libxml2-doc_2.6.27.dfsg-5_all.deb
  to pool/main/libx/libxml2/libxml2-doc_2.6.27.dfsg-5_all.deb
libxml2-utils_2.6.27.dfsg-5_amd64.deb
  to pool/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_amd64.deb
libxml2_2.6.27.dfsg-5.diff.gz
  to pool/main/libx/libxml2/libxml2_2.6.27.dfsg-5.diff.gz
libxml2_2.6.27.dfsg-5.dsc
  to pool/main/libx/libxml2/libxml2_2.6.27.dfsg-5.dsc
libxml2_2.6.27.dfsg-5_amd64.deb
  to pool/main/libx/libxml2/libxml2_2.6.27.dfsg-5_amd64.deb
python-libxml2_2.6.27.dfsg-5_amd64.deb
  to pool/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 498768@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Hommey <glandium@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 19 Sep 2008 21:58:33 +0200
Source: libxml2
Binary: python-libxml2 libxml2-dbg libxml2-utils libxml2-doc libxml2-dev libxml2
Architecture: source amd64 all
Version: 2.6.27.dfsg-5
Distribution: stable-security
Urgency: low
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Mike Hommey <glandium@debian.org>
Description: 
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 python-libxml2 - Python bindings for the GNOME XML library
Closes: 498768
Changes: 
 libxml2 (2.6.27.dfsg-5) stable-security; urgency=low
 .
   * Fix regressions due to previous security fixes. Fixes: CVE-2008-3529.
     Closes: #498768.
Files: 
 0dc1f183dd20741e5b4e26a7f8e1c652 893 libs optional libxml2_2.6.27.dfsg-5.dsc
 48cafbb8d1bd2c6093339fea3f14e4a0 220443 libs optional libxml2_2.6.27.dfsg-5.diff.gz
 c1c5f0ceb391893a94e61c074b677ee9 1328144 doc optional libxml2-doc_2.6.27.dfsg-5_all.deb
 6019e59020269cca8fa8fea40f83c118 796194 libs optional libxml2_2.6.27.dfsg-5_amd64.deb
 8a0265229bebf9245dc7bb7cc6f41d36 36684 text optional libxml2-utils_2.6.27.dfsg-5_amd64.deb
 95bd39eb2818772c43c3351b22326fcd 745758 libdevel optional libxml2-dev_2.6.27.dfsg-5_amd64.deb
 606fc28448bead2709c39a1d3e529a25 891922 libdevel extra libxml2-dbg_2.6.27.dfsg-5_amd64.deb
 a13372752d162d0fb2ccd58da6b73e20 184130 python optional python-libxml2_2.6.27.dfsg-5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFI1Aoc3kvaLFT9KlgRAsISAJ4vUFofsoYKf9b5TZQFnLkuXdgrSgCeOyv7
wbNwmQQnqhbOIyDiznKvoKI=
=ipjl
-----END PGP SIGNATURE-----





Reply sent to Mike Hommey <glandium@debian.org>:
You have taken responsibility. (Thu, 23 Oct 2008 16:06:04 GMT) Full text and rfc822 format available.

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Thu, 23 Oct 2008 16:06:05 GMT) Full text and rfc822 format available.

Message #54 received at 498768-close@bugs.debian.org (full text, mbox):

From: Mike Hommey <glandium@debian.org>
To: 498768-close@bugs.debian.org
Subject: Bug#498768: fixed in libxml2 2.6.27.dfsg-5
Date: Thu, 23 Oct 2008 15:27:59 +0000
Source: libxml2
Source-Version: 2.6.27.dfsg-5

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive:

libxml2-dbg_2.6.27.dfsg-5_amd64.deb
  to pool/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_amd64.deb
libxml2-dev_2.6.27.dfsg-5_amd64.deb
  to pool/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_amd64.deb
libxml2-doc_2.6.27.dfsg-5_all.deb
  to pool/main/libx/libxml2/libxml2-doc_2.6.27.dfsg-5_all.deb
libxml2-utils_2.6.27.dfsg-5_amd64.deb
  to pool/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_amd64.deb
libxml2_2.6.27.dfsg-5.diff.gz
  to pool/main/libx/libxml2/libxml2_2.6.27.dfsg-5.diff.gz
libxml2_2.6.27.dfsg-5.dsc
  to pool/main/libx/libxml2/libxml2_2.6.27.dfsg-5.dsc
libxml2_2.6.27.dfsg-5_amd64.deb
  to pool/main/libx/libxml2/libxml2_2.6.27.dfsg-5_amd64.deb
python-libxml2_2.6.27.dfsg-5_amd64.deb
  to pool/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 498768@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Hommey <glandium@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 19 Sep 2008 21:58:33 +0200
Source: libxml2
Binary: python-libxml2 libxml2-dbg libxml2-utils libxml2-doc libxml2-dev libxml2
Architecture: source amd64 all
Version: 2.6.27.dfsg-5
Distribution: stable-security
Urgency: low
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Mike Hommey <glandium@debian.org>
Description: 
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 python-libxml2 - Python bindings for the GNOME XML library
Closes: 498768
Changes: 
 libxml2 (2.6.27.dfsg-5) stable-security; urgency=low
 .
   * Fix regressions due to previous security fixes. Fixes: CVE-2008-3529.
     Closes: #498768.
Files: 
 0dc1f183dd20741e5b4e26a7f8e1c652 893 libs optional libxml2_2.6.27.dfsg-5.dsc
 48cafbb8d1bd2c6093339fea3f14e4a0 220443 libs optional libxml2_2.6.27.dfsg-5.diff.gz
 c1c5f0ceb391893a94e61c074b677ee9 1328144 doc optional libxml2-doc_2.6.27.dfsg-5_all.deb
 6019e59020269cca8fa8fea40f83c118 796194 libs optional libxml2_2.6.27.dfsg-5_amd64.deb
 8a0265229bebf9245dc7bb7cc6f41d36 36684 text optional libxml2-utils_2.6.27.dfsg-5_amd64.deb
 95bd39eb2818772c43c3351b22326fcd 745758 libdevel optional libxml2-dev_2.6.27.dfsg-5_amd64.deb
 606fc28448bead2709c39a1d3e529a25 891922 libdevel extra libxml2-dbg_2.6.27.dfsg-5_amd64.deb
 a13372752d162d0fb2ccd58da6b73e20 184130 python optional python-libxml2_2.6.27.dfsg-5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFI1Aoc3kvaLFT9KlgRAsISAJ4vUFofsoYKf9b5TZQFnLkuXdgrSgCeOyv7
wbNwmQQnqhbOIyDiznKvoKI=
=ipjl
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 21 Nov 2008 07:29:00 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 00:28:31 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.