Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 26 Aug 2009 18:15:05 +0300
From: CERT-FI Vulnerability Coordination <vulncoord@...ora.fi>
To: oss-security@...ts.openwall.com
CC: Robert Buchholz <rbu@...too.org>
Subject: Re: expat bug 1990430

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> we have learned that expat fixed a crash issue in June 2008, but never 
> released an update. The bug was apparantly intended to be kept private, 
> but the bug changes were mailed to a public mailing list and Python 
> developrs menitoned the bug fix in their public svn (including NEWS 
> file, and reproducers):
> 
> http://mail.python.org/pipermail/expat-bugs/2009-January/002781.html
> http://sourceforge.net/tracker/index.php?func=detail&aid=1990430&group_id=10127&atid=110127
> http://svn.python.org/view?view=rev&revision=74429
> https://bugs.gentoo.org/show_bug.cgi?id=280615
> 
> While the expat bug was reported by Peter Valchev of Google, Python 
> credits Ivan Krstić of Apple with the patch (submission).
> It might also be related to CVE-2009-2625 / FICORA #245608:
> https://www.cert.fi/en/reports/2009/vulnerability2009085.html
> 
> As CERT-FI never released any details or test cases, I have no idea if 
> we need a new CVE of if those two issues are the same.

Sorry for the delay.

A new CVE is not needed. These two issues (the one which was fixed in
expat CVS in June 2008 and the one with the internal copy of expat in
Python) are essentially the same. The issue seems to be first found by
Peter Valchev in June 2008. As Robert mentioned, the issue has been
fixed in expat's CVS in June 2008 but an updated release was not made
for some reason. The issue was also present in the expat bundled with
Python and it was reported to us independent from the original issue
(even though the reason of the crash is the same). CERT-FI reported the
issue to Python in July 2009. Soon after that the issue was reported to
expat maintainers too since initially we did not know that the issue was
already fixed in expat's CVS. Python's patch has been incorporated into
Python 3.1.1 but there is probably more software with an affected
internal copy of expat out there.

Sauli Pahlman
CERT-FI
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqVUW0ACgkQ/64aC2E+yK+b8wCfcJQLpE3f1ccVgg13vzao8IqO
Y+0AoMuuooNdFLiKKi10fVQQCDY0BDOK
=7kag
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.