Debian Bug report logs - #560928
CVE-2009-3560 and CVE-2009-3720 denial-of-services

Package: coin3; Maintainer for coin3 is Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>;

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Sun, 13 Dec 2009 04:09:15 UTC

Severity: normal

Tags: security

Merged with 674096

Found in version 3.1.3-2.1


Report forwarded to debian-bugs-dist@lists.debian.org, smr@debian.org (Steve M. Robbins):
Bug#560928; Package coin3. (Sun, 13 Dec 2009 04:09:18 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to smr@debian.org (Steve M. Robbins). (Sun, 13 Dec 2009 04:09:18 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2009-3560 and CVE-2009-3720 denial-of-services
Date: Sat, 12 Dec 2009 22:51:17 -0500
package: coin3
severity: serious
tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) ids were
published for expat.  I have determined that this package embeds a
vulnerable copy of xmlparse.c and xmltok_impl.c.  However, since this is
a mass bug filing (due to so many packages embedding expat), I have
not had time to determine whether the vulnerable code is actually
present in any of the binary packages derived from this source package.
Please determine whether this is the case. If the binary packages are
not affected, please feel free to close the bug with a message
containing the details of what you did to check.

CVE-2009-3560[0]:
| The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
| as used in the XML-Twig module for Perl, allows context-dependent
| attackers to cause a denial of service (application crash) via an XML
| document with malformed UTF-8 sequences that trigger a buffer
| over-read, related to the doProlog function in lib/xmlparse.c, a
| different vulnerability than CVE-2009-2625 and CVE-2009-3720.

CVE-2009-3720[1]:
| The updatePosition function in lib/xmltok_impl.c in libexpat in Expat
| 2.0.1, as used in Python, PyXML, w3c-libwww, and other software,
| allows context-dependent attackers to cause a denial of service
| (application crash) via an XML document with crafted UTF-8 sequences
| that trigger a buffer over-read, a different vulnerability than
| CVE-2009-2625.

These issues also affect old versions of expat, so this package in etch
and lenny is very likely affected.  This is a low-severity security
issue, so DSAs will not be issued to correct these problems.  However,
you can optionally submit a proposed-update to the release team for
inclusion in the next stable point releases.  If you plan to do this, 
please open new bugs and include the security tag so we are aware that
you are working on that.

For further information see [0],[1],[2],[3].  In particular, [2] and [3]
are links to the patches for CVE-2009-3560 and CVE-2009-3720
respectively. Note that the ideal solution would be to make use of the
system expat so only one package will need to be updated for future
security issues. Preferably in your update to unstable, alter your
package to make use of the system expat.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
    http://security-tracker.debian.org/tracker/CVE-2009-3560
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
    http://security-tracker.debian.org/tracker/CVE-2009-3720
[2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
[3] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch




Information forwarded to debian-bugs-dist@lists.debian.org, smr@debian.org (Steve M. Robbins):
Bug#560928; Package coin3. (Sun, 13 Dec 2009 15:33:33 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to smr@debian.org (Steve M. Robbins). (Sun, 13 Dec 2009 15:33:33 GMT) Full text and rfc822 format available.

Message #10 received at 560928@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 560912@bugs.debian.org, 560913@bugs.debian.org, 560914@bugs.debian.org, 560915@bugs.debian.org, 560916@bugs.debian.org, 560917@bugs.debian.org, 560918@bugs.debian.org, 560919@bugs.debian.org, 560920@bugs.debian.org, 560921@bugs.debian.org, 560922@bugs.debian.org, 560923@bugs.debian.org, 560924@bugs.debian.org, 560925@bugs.debian.org, 560926@bugs.debian.org, 560927@bugs.debian.org, 560928@bugs.debian.org, 560929@bugs.debian.org, 560930@bugs.debian.org, 560931@bugs.debian.org, 560932@bugs.debian.org, 560933@bugs.debian.org, 560934@bugs.debian.org, 560935@bugs.debian.org, 560936@bugs.debian.org, 560937@bugs.debian.org, 560938@bugs.debian.org, 560939@bugs.debian.org, 560940@bugs.debian.org, 560941@bugs.debian.org, 560942@bugs.debian.org, 560943@bugs.debian.org, 560944@bugs.debian.org, 560945@bugs.debian.org, 560946@bugs.debian.org, 560947@bugs.debian.org, 560948@bugs.debian.org, 560949@bugs.debian.org, 560950@bugs.debian.org, 560951@bugs.debian.org
Subject: Expat issues update
Date: Sun, 13 Dec 2009 10:29:27 -0500
Hi all,

In order to guarantee that the system expat is used, the
'--with-expat=sys' configure argument must be used.  If you think
your package is already using the system expat, or if you are updating
your package to use the system expat, please check to make sure that
this option is being used. Thanks.

Mike
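
One way to run the two checks requested above (whether the embedded expat actually ends up in a binary, and whether a rebuilt package really links the system expat), as an added example that is not part of the bug log. The function names and sample tool output are constructed; it assumes a bundled copy either exports the usual `XML_*` entry points or keeps expat's error-message strings.

```shell
#!/bin/sh
# Added example, not from the bug log. Classifies how an ELF object obtains
# expat, from captured `readelf -d`, `nm -D` and `strings` output.

# Public expat entry points; an exported bundled copy defines them itself.
EXPAT_SYMS='XML_ParserCreate|XML_ParserCreate_MM|XML_Parse|XML_ParserFree'
# Message from expat's error-string table; still present after stripping.
EXPAT_STR='not well-formed (invalid token)'

# $1: `readelf -d` output. True when libexpat is a NEEDED shared library.
needs_system_expat() {
    grep -Eq '\(NEEDED\).*\[libexpat\.so[.0-9]*]' "$1"
}

# $1: `nm -D` output. True when an expat entry point is defined, not imported.
# Last field is the symbol name, the field before it the type (U = undefined).
defines_expat() {
    awk -v re="^(${EXPAT_SYMS})\$" '
        NF >= 2 { name = $NF; sub(/@.*/, "", name)
                  if ($(NF-1) ~ /^[TtWw]$/ && name ~ re) found = 1 }
        END { exit !found }' "$1"
}

# $1: `strings` output. True when expat's message table is in the file.
has_expat_strings() { grep -Fq "$EXPAT_STR" "$1"; }

# classify_expat DYN SYMS STR -> embedded | system | mixed | absent
classify_expat() {
    own=no; sys=no
    if defines_expat "$2" || has_expat_strings "$3"; then own=yes; fi
    if needs_system_expat "$1"; then sys=yes; fi
    case "$own$sys" in
        yesno)  echo embedded ;;  # parser code ships inside this binary
        noyes)  echo system ;;    # updating libexpat alone fixes it
        yesyes) echo mixed ;;     # links libexpat yet still carries a copy
        *)      echo absent ;;    # no expat visible by these heuristics
    esac
}

# scan_elf FILE: run the binutils tools on FILE and classify the result.
scan_elf() {
    t=$(mktemp -d) || return 1
    readelf -d "$1" > "$t/dyn" 2>/dev/null
    nm -D "$1" > "$t/syms" 2>/dev/null
    strings "$1" > "$t/str" 2>/dev/null
    classify_expat "$t/dyn" "$t/syms" "$t/str"
    rm -rf "$t"
}

# write_sample DIR: constructed tool output for a library with a bundled copy.
write_sample() {
    printf ' 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]\n' > "$1/dyn"
    printf '0000000000012340 T XML_ParserCreate\n                 U malloc\n' > "$1/syms"
    printf '%s\n' "$EXPAT_STR" > "$1/str"
}
```

After sourcing the file, `scan_elf` takes the path to a shared library unpacked from the binary package. A copy built with renamed symbols and wide-character (`XML_UNICODE`) strings would still read as `absent`, so that result calls for a look at the build log rather than closing the bug.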




Information forwarded to debian-bugs-dist@lists.debian.org, smr@debian.org (Steve M. Robbins):
Bug#560928; Package coin3. (Sun, 13 Dec 2009 16:27:44 GMT) Full text and rfc822 format available.

Acknowledgement sent to Matthias Klose <doko@debian.org>:
Extra info received and forwarded to list. Copy sent to smr@debian.org (Steve M. Robbins). (Sun, 13 Dec 2009 16:27:44 GMT) Full text and rfc822 format available.

Message #15 received at 560928@bugs.debian.org (full text, mbox):

From: Matthias Klose <doko@debian.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 560912@bugs.debian.org
Cc: 560913@bugs.debian.org, 560914@bugs.debian.org, 560915@bugs.debian.org, 560916@bugs.debian.org, 560917@bugs.debian.org, 560918@bugs.debian.org, 560919@bugs.debian.org, 560920@bugs.debian.org, 560921@bugs.debian.org, 560922@bugs.debian.org, 560923@bugs.debian.org, 560924@bugs.debian.org, 560925@bugs.debian.org, 560926@bugs.debian.org, 560927@bugs.debian.org, 560928@bugs.debian.org, 560929@bugs.debian.org, 560930@bugs.debian.org, 560931@bugs.debian.org, 560932@bugs.debian.org, 560933@bugs.debian.org, 560934@bugs.debian.org, 560935@bugs.debian.org, 560936@bugs.debian.org, 560937@bugs.debian.org, 560938@bugs.debian.org, 560939@bugs.debian.org, 560940@bugs.debian.org, 560941@bugs.debian.org, 560942@bugs.debian.org, 560943@bugs.debian.org, 560944@bugs.debian.org, 560945@bugs.debian.org, 560946@bugs.debian.org, 560947@bugs.debian.org, 560948@bugs.debian.org, 560949@bugs.debian.org, 560950@bugs.debian.org, 560951@bugs.debian.org
Subject: Re: Bug#560912: Expat issues update
Date: Sun, 13 Dec 2009 17:21:26 +0100
On 13.12.2009 16:29, Michael Gilbert wrote:
> Hi all,
>
> In order to guarantee that the system expat is used, the
> '--with-expat=sys' configure argument must be used.  If you think
> your package is already using the system expat, or if you are updating
> your package to use the system expat, please check to make sure that
> this option is being used. Thanks.

there's no such option for python, which uses a modified copy of expat.





Information forwarded to debian-bugs-dist@lists.debian.org, smr@debian.org (Steve M. Robbins):
Bug#560928; Package coin3. (Mon, 14 Dec 2009 07:57:33 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to smr@debian.org (Steve M. Robbins). (Mon, 14 Dec 2009 07:57:33 GMT) Full text and rfc822 format available.

Message #20 received at 560928@bugs.debian.org (full text, mbox):

From: Mike Hommey <mh@glandium.org>
To: 560932@bugs.debian.org
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>, 560912@bugs.debian.org, 560913@bugs.debian.org, 560914@bugs.debian.org, 560915@bugs.debian.org, 560916@bugs.debian.org, 560917@bugs.debian.org, 560918@bugs.debian.org, 560919@bugs.debian.org, 560920@bugs.debian.org, 560921@bugs.debian.org, 560922@bugs.debian.org, 560923@bugs.debian.org, 560924@bugs.debian.org, 560925@bugs.debian.org, 560926@bugs.debian.org, 560927@bugs.debian.org, 560928@bugs.debian.org, 560929@bugs.debian.org, 560930@bugs.debian.org, 560931@bugs.debian.org, 560933@bugs.debian.org, 560934@bugs.debian.org, 560935@bugs.debian.org, 560936@bugs.debian.org, 560937@bugs.debian.org, 560938@bugs.debian.org, 560939@bugs.debian.org, 560940@bugs.debian.org, 560941@bugs.debian.org, 560942@bugs.debian.org, 560943@bugs.debian.org, 560944@bugs.debian.org, 560945@bugs.debian.org, 560946@bugs.debian.org, 560947@bugs.debian.org, 560948@bugs.debian.org, 560949@bugs.debian.org, 560950@bugs.debian.org, 560951@bugs.debian.org
Subject: Re: Bug#560932: Bug#560912: Expat issues update
Date: Mon, 14 Dec 2009 08:55:03 +0100
On Sun, Dec 13, 2009 at 05:21:26PM +0100, Matthias Klose wrote:
> On 13.12.2009 16:29, Michael Gilbert wrote:
> >Hi all,
> >
> >In order to guarantee that the system expat is used, the
> >'--with-expat=sys' configure argument must be used.  If you think
> >your package is already using the system expat, or if you are updating
> >your package to use the system expat, please check to make sure that
> >this option is being used. Thanks.
> 
> there's no such option for python, which uses a modified copy of expat.

Likewise with mozilla, which uses a heavily modified copy of expat.




Information forwarded to debian-bugs-dist@lists.debian.org, smr@debian.org (Steve M. Robbins):
Bug#560928; Package coin3. (Mon, 14 Dec 2009 12:15:32 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ove Kaaven <ovek@arcticnet.no>:
Extra info received and forwarded to list. Copy sent to smr@debian.org (Steve M. Robbins). (Mon, 14 Dec 2009 12:15:32 GMT) Full text and rfc822 format available.

Message #25 received at 560928@bugs.debian.org (full text, mbox):

From: Ove Kaaven <ovek@arcticnet.no>
To: Mike Hommey <mh@glandium.org>, 560937@bugs.debian.org
Cc: 560932@bugs.debian.org, 560948@bugs.debian.org, 560945@bugs.debian.org, 560935@bugs.debian.org, 560946@bugs.debian.org, 560921@bugs.debian.org, 560939@bugs.debian.org, 560949@bugs.debian.org, 560917@bugs.debian.org, 560924@bugs.debian.org, 560938@bugs.debian.org, 560919@bugs.debian.org, 560913@bugs.debian.org, 560916@bugs.debian.org, 560943@bugs.debian.org, 560920@bugs.debian.org, 560912@bugs.debian.org, 560931@bugs.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>, 560918@bugs.debian.org, 560930@bugs.debian.org, 560940@bugs.debian.org, 560951@bugs.debian.org, 560933@bugs.debian.org, 560914@bugs.debian.org, 560922@bugs.debian.org, 560941@bugs.debian.org, 560926@bugs.debian.org, 560923@bugs.debian.org, 560942@bugs.debian.org, 560936@bugs.debian.org, 560915@bugs.debian.org, 560950@bugs.debian.org, 560927@bugs.debian.org, 560928@bugs.debian.org, 560947@bugs.debian.org, 560929@bugs.debian.org, 560944@bugs.debian.org, 560934@bugs.debian.org, 560925@bugs.debian.org
Subject: Re: [pkg-fgfs-crew] Bug#560937: Bug#560932: Bug#560912: Expat issues update
Date: Mon, 14 Dec 2009 12:17:17 +0100
Mike Hommey wrote:
> On Sun, Dec 13, 2009 at 05:21:26PM +0100, Matthias Klose wrote:
>> On 13.12.2009 16:29, Michael Gilbert wrote:
>>> Hi all,
>>>
>>> In order to guarantee that the system expat is used, the
>>> '--with-expat=sys' configure argument must be used.  If you think
>>> your package is already using the system expat, or if you are updating
>>> your package to use the system expat, please check to make sure that
>>> this option is being used. Thanks.
>> there's no such option for python, which uses a modified copy of expat.
> 
> Likewise with mozilla, which uses a heavily modified copy of expat.

And I think the xml parser in simgear was ripped from some version of
mozilla. (Of course, I wouldn't consider a security flaw in a flight
simulator library as critical as one in an actual web browser or
anything, so I'm not sure how much I need to worry...)




Information forwarded to debian-bugs-dist@lists.debian.org, smr@debian.org (Steve M. Robbins):
Bug#560928; Package coin3. (Thu, 24 Dec 2009 06:36:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Steve M. Robbins" <steve@sumost.ca>:
Extra info received and forwarded to list. Copy sent to smr@debian.org (Steve M. Robbins). (Thu, 24 Dec 2009 06:36:04 GMT) Full text and rfc822 format available.

Message #30 received at 560928@bugs.debian.org (full text, mbox):

From: "Steve M. Robbins" <steve@sumost.ca>
To: 560925@bugs.debian.org, 560928@bugs.debian.org
Cc: control@bugs.debian.org
Subject: downgrading
Date: Thu, 24 Dec 2009 00:33:34 -0600
severity 560925 normal
severity 560928 normal
thanks

Even if the bug is present in cableswig or coin3,
exploiting it will not cause a serious security
problem.

-Steve

Severity set to 'normal' from 'serious' Request was from "Steve M. Robbins" <steve@sumost.ca> to control@bugs.debian.org. (Thu, 24 Dec 2009 06:36:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, smr@debian.org (Steve M. Robbins):
Bug#560928; Package coin3. (Mon, 04 Jan 2010 08:33:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Leidert <daniel.leidert@wgdd.de>:
Extra info received and forwarded to list. Copy sent to smr@debian.org (Steve M. Robbins). (Mon, 04 Jan 2010 08:33:13 GMT) Full text and rfc822 format available.

Message #37 received at 560928@bugs.debian.org (full text, mbox):

From: Daniel Leidert <daniel.leidert@wgdd.de>
To: 560912@bugs.debian.org, 560913@bugs.debian.org, 560914@bugs.debian.org, 560915@bugs.debian.org, 560916@bugs.debian.org, 560917@bugs.debian.org, 560918@bugs.debian.org, 560919@bugs.debian.org, 560920@bugs.debian.org, 560921@bugs.debian.org, 560922@bugs.debian.org, 560923@bugs.debian.org, 560924@bugs.debian.org, 560925@bugs.debian.org, 560926@bugs.debian.org, 560927@bugs.debian.org, 560928@bugs.debian.org, 560929@bugs.debian.org, 560930@bugs.debian.org, 560931@bugs.debian.org, 560932@bugs.debian.org, 560933@bugs.debian.org, 560934@bugs.debian.org, 560935@bugs.debian.org, 560936@bugs.debian.org, 560937@bugs.debian.org, 560938@bugs.debian.org, 560939@bugs.debian.org, 560940@bugs.debian.org, 560941@bugs.debian.org, 560942@bugs.debian.org, 560943@bugs.debian.org, 560944@bugs.debian.org, 560945@bugs.debian.org, 560946@bugs.debian.org, 560947@bugs.debian.org, 560948@bugs.debian.org, 560949@bugs.debian.org, 560950@bugs.debian.org, 560951@bugs.debian.org
Subject: CVE-2009-3560: Revised patch
Date: Mon, 04 Jan 2010 08:40:26 +0100
Hi,

After fixing CVE-2009-3560 in the expat package [1] I was informed that
it broke parsing [2] in some documents. After talking to upstream [3],
the fix for CVE-2009-3560 has been adjusted [4][5].

[1] http://bugs.debian.org/560901
[2] http://bugs.debian.org/561658
[3] http://mail.libexpat.org/pipermail/expat-discuss/2009-December/002644.html
[4] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.166
[5] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#rev1.166

Please note that I just copied the bug addresses from the mass bug
filing. I did not check if you already fixed the issue or if this
information applies to you.

Regards, Daniel

Information forwarded to debian-bugs-dist@lists.debian.org, smr@debian.org (Steve M. Robbins):
Bug#560928; Package coin3. (Sat, 23 Jan 2010 15:30:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Steve M. Robbins" <steve@sumost.ca>:
Extra info received and forwarded to list. Copy sent to smr@debian.org (Steve M. Robbins). (Sat, 23 Jan 2010 15:30:10 GMT) Full text and rfc822 format available.

Message #42 received at 560928@bugs.debian.org (full text, mbox):

From: "Steve M. Robbins" <steve@sumost.ca>
To: 560928@bugs.debian.org
Subject: [coin-support@coin3d.org: [JIRA] Commented: (COINSUPPORT-1151) Add configure option to use system expat library]
Date: Sat, 23 Jan 2010 09:28:52 -0600
Buried in the link to gentoo are links to 2 Coin patches that allow
building against system expat:

 http://hg.sim.no/Coin/coin-3.1/raw-rev/06d276e6894e
 http://hg.sim.no/Coin/coin-3.1/raw-rev/ac55d7d433aa


----- Forwarded message from "Tom Fredrik Klaussen (JIRA)" <coin-support@coin3d.org> -----

Date: Tue, 12 Jan 2010 14:28:28 +0100 (CET)
From: "Tom Fredrik Klaussen (JIRA)" <coin-support@coin3d.org>
To: steve@sumost.ca
Subject: [JIRA] Commented: (COINSUPPORT-1151) Add configure option to use
	system expat library


    [ https://jira.sim.no/browse/COINSUPPORT-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21499#action_21499 ] 

Tom Fredrik Klaussen commented on COINSUPPORT-1151:
---------------------------------------------------

Hi Steve

See
http://bugs.gentoo.org/show_bug.cgi?id=297644

I have solved some similar issues for them.

Best regards
Tom Fredrik

> Add configure option to use system expat library
> ------------------------------------------------
>
>                 Key: COINSUPPORT-1151
>                 URL: https://jira.sim.no/browse/COINSUPPORT-1151
>             Project: Coin Support
>          Issue Type: Improvement
>      Security Level: Private(only inhouse people can see these issues) 
>          Components: GPL
>            Reporter: Steve M. Robbins
>            Assignee: Tom Fredrik Klaussen
>            Priority: Minor
>         Attachments: signature.asc
>
>
> A bug has recently been filed against Coin in Debian (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560928) due to a vulnerability in the expat XML parsing library.  Coin embeds a copy of expat, and may be vulnerable (I haven't checked).
> The question arises: is the Coin version of expat modified in some way, or can Coin safely be linked to a system expat?  If the latter is true, it would be convenient to expose this in a configure option.  This will protect us from patching coin in future if another expat bug is discovered.
> Thanks,
> -Steve



----- End forwarded message -----

Marked as found in versions 3.1.3-2.1. Request was from "Steve M. Robbins" <steve@sumost.ca> to control@bugs.debian.org. (Wed, 23 May 2012 03:51:08 GMT) Full text and rfc822 format available.

Merged 560928 674096 Request was from "Steve M. Robbins" <steve@sumost.ca> to control@bugs.debian.org. (Wed, 23 May 2012 03:51:09 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 16:58:53 2014; Machine Name: buxtehude.debian.org
