Debian Bug report logs - #548358
libxerces2-java: CVE-2009-2625 infinite loop denial of service in libxerces2-java


Package: libxerces2-java; Maintainer for libxerces2-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Source for libxerces2-java is src:libxerces2-java.

Reported by: Joe Malicki <jmalicki@metacarta.com>

Date: Fri, 25 Sep 2009 19:09:02 UTC

Severity: serious

Tags: security

Found in version libxerces2-java/2.9.1-2

Fixed in versions libxerces2-java/2.9.1-4.1, libxerces2-java/2.8.1-1+etch1, libxerces2-java/2.9.1-2+lenny1

Done: Giuseppe Iuculano <iuculano@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jmalicki@metacarta.com, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#548358; Package libxerces2-java. (Fri, 25 Sep 2009 19:09:05 GMT)

Acknowledgement sent to Joe Malicki <jmalicki@metacarta.com>:
New Bug report received and forwarded. Copy sent to jmalicki@metacarta.com, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 25 Sep 2009 19:09:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Joe Malicki <jmalicki@metacarta.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxerces2-java: CVE-2009-2625 infinite loop denial of service in libxerces2-java
Date: Fri, 25 Sep 2009 15:04:38 -0400
Package: libxerces2-java
Version: 2.9.1-2
Severity: normal

Discussed here:
http://mail-archives.apache.org/mod_mbox/xerces-j-users/200908.mbox/thread

Michael Glavassevich claims this is fixed in Xerces Java subversion here:
http://marc.info/?l=xerces-cvs&m=124569778024398&w=2


-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libxerces2-java depends on:
ii  libjaxp1.3-java             1.3.04-3     Java XML parser and transformer AP
ii  sun-java5-jre [java2-runtim 1.5.0-17-0.1 Sun Java(TM) Runtime Environment (
ii  sun-java6-jre [java2-runtim 6-12-1       Sun Java(TM) Runtime Environment (

Versions of packages libxerces2-java recommends:
ii  libxerces2-java-gcj           2.9.1-2    Validating XML parser for Java wit

Versions of packages libxerces2-java suggests:
pn  libxerces2-java-doc           <none>     (no description available)

-- no debconf information
Added tag(s) security. Request was from Giuseppe Iuculano <iuculano@debian.org> to control@bugs.debian.org. (Thu, 28 Jan 2010 12:51:04 GMT)

Severity set to 'serious' from 'normal'. Request was from Giuseppe Iuculano <iuculano@debian.org> to control@bugs.debian.org. (Thu, 28 Jan 2010 12:51:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#548358; Package libxerces2-java. (Fri, 29 Jan 2010 10:57:13 GMT)

Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 29 Jan 2010 10:57:13 GMT)

Message #14 received at 548358@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 548358@bugs.debian.org
Subject: NMU
Date: Fri, 29 Jan 2010 11:55:56 +0100
Hi,

Attached is a debdiff of the changes I made for 2.9.1-4.1 0-day NMU.

Cheers,
Giuseppe


[libxerces2-java_2.9.1-4.1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Fri, 29 Jan 2010 11:06:06 GMT)

Notification sent to Joe Malicki <jmalicki@metacarta.com>:
Bug acknowledged by developer. (Fri, 29 Jan 2010 11:06:06 GMT)

Message #19 received at 548358-close@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 548358-close@bugs.debian.org
Subject: Bug#548358: fixed in libxerces2-java 2.9.1-4.1
Date: Fri, 29 Jan 2010 11:04:07 +0000
Source: libxerces2-java
Source-Version: 2.9.1-4.1

We believe that the bug you reported is fixed in the latest version of
libxerces2-java, which is due to be installed in the Debian FTP archive:

libxerces2-java-doc_2.9.1-4.1_all.deb
  to main/libx/libxerces2-java/libxerces2-java-doc_2.9.1-4.1_all.deb
libxerces2-java-gcj_2.9.1-4.1_i386.deb
  to main/libx/libxerces2-java/libxerces2-java-gcj_2.9.1-4.1_i386.deb
libxerces2-java_2.9.1-4.1.diff.gz
  to main/libx/libxerces2-java/libxerces2-java_2.9.1-4.1.diff.gz
libxerces2-java_2.9.1-4.1.dsc
  to main/libx/libxerces2-java/libxerces2-java_2.9.1-4.1.dsc
libxerces2-java_2.9.1-4.1_all.deb
  to main/libx/libxerces2-java/libxerces2-java_2.9.1-4.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 548358@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated libxerces2-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 29 Jan 2010 11:19:09 +0100
Source: libxerces2-java
Binary: libxerces2-java libxerces2-java-gcj libxerces2-java-doc
Architecture: source all i386
Version: 2.9.1-4.1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 libxerces2-java - Validating XML parser for Java with DOM level 3 support
 libxerces2-java-doc - Validating XML parser for Java -- Documentation and examples
 libxerces2-java-gcj - Validating XML parser for Java with DOM level 3 support (native c
Closes: 548358
Changes: 
 libxerces2-java (2.9.1-4.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-2625: denial of service (infinite loop and application hang)
     via malformed XML input (Closes: #548358)

Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Sun, 31 Jan 2010 20:00:05 GMT)

Notification sent to Joe Malicki <jmalicki@metacarta.com>:
Bug acknowledged by developer. (Sun, 31 Jan 2010 20:00:05 GMT)

Message #24 received at 548358-close@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 548358-close@bugs.debian.org
Subject: Bug#548358: fixed in libxerces2-java 2.8.1-1+etch1
Date: Sun, 31 Jan 2010 19:57:02 +0000
Source: libxerces2-java
Source-Version: 2.8.1-1+etch1

We believe that the bug you reported is fixed in the latest version of
libxerces2-java, which is due to be installed in the Debian FTP archive:

libxerces2-java_2.8.1-1+etch1.diff.gz
  to main/libx/libxerces2-java/libxerces2-java_2.8.1-1+etch1.diff.gz
libxerces2-java_2.8.1-1+etch1.dsc
  to main/libx/libxerces2-java/libxerces2-java_2.8.1-1+etch1.dsc
libxerces2-java_2.8.1-1+etch1_all.deb
  to main/libx/libxerces2-java/libxerces2-java_2.8.1-1+etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 548358@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated libxerces2-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Fri, 29 Jan 2010 12:08:29 +0100
Source: libxerces2-java
Binary: libxerces2-java
Architecture: source all
Version: 2.8.1-1+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 libxerces2-java - Validating XML parser for Java with DOM level 3 support
Closes: 548358
Changes: 
 libxerces2-java (2.8.1-1+etch1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-2625: denial of service (infinite loop and application hang)
     via malformed XML input (Closes: #548358)

Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Sun, 31 Jan 2010 20:00:07 GMT)

Notification sent to Joe Malicki <jmalicki@metacarta.com>:
Bug acknowledged by developer. (Sun, 31 Jan 2010 20:00:07 GMT)

Message #29 received at 548358-close@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 548358-close@bugs.debian.org
Subject: Bug#548358: fixed in libxerces2-java 2.9.1-2+lenny1
Date: Sun, 31 Jan 2010 19:57:12 +0000
Source: libxerces2-java
Source-Version: 2.9.1-2+lenny1

We believe that the bug you reported is fixed in the latest version of
libxerces2-java, which is due to be installed in the Debian FTP archive:

libxerces2-java-doc_2.9.1-2+lenny1_all.deb
  to main/libx/libxerces2-java/libxerces2-java-doc_2.9.1-2+lenny1_all.deb
libxerces2-java-gcj_2.9.1-2+lenny1_i386.deb
  to main/libx/libxerces2-java/libxerces2-java-gcj_2.9.1-2+lenny1_i386.deb
libxerces2-java_2.9.1-2+lenny1.diff.gz
  to main/libx/libxerces2-java/libxerces2-java_2.9.1-2+lenny1.diff.gz
libxerces2-java_2.9.1-2+lenny1.dsc
  to main/libx/libxerces2-java/libxerces2-java_2.9.1-2+lenny1.dsc
libxerces2-java_2.9.1-2+lenny1_all.deb
  to main/libx/libxerces2-java/libxerces2-java_2.9.1-2+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 548358@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated libxerces2-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 29 Jan 2010 12:15:45 +0100
Source: libxerces2-java
Binary: libxerces2-java libxerces2-java-gcj libxerces2-java-doc
Architecture: source all i386
Version: 2.9.1-2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 libxerces2-java - Validating XML parser for Java with DOM level 3 support
 libxerces2-java-doc - Validating XML parser for Java -- Documentation and examples
 libxerces2-java-gcj - Validating XML parser for Java with DOM level 3 support (native c
Closes: 548358
Changes: 
 libxerces2-java (2.9.1-2+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-2625: denial of service (infinite loop and application hang)
     via malformed XML input (Closes: #548358)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:39:23 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 16:45:44 2014; Machine Name: beach.debian.org
