Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 22 Oct 2009 15:35:58 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>,
        Marc Schoenefeld <mschoene@...hat.com>, Joe Orton <jorton@...hat.com>,
        Ondrej Vasik <ovasik@...hat.com>, Roman Rakus <rrakus@...hat.com>,
        CERT-FI Vulnerability Co-ordination <vulncoord@...ora.fi>
Subject: Regarding expat bug 1990430

Hello Steve, vendors,

   this is due:

    [1] http://thread.gmane.org/gmane.comp.security.oss.general/2025/focus=2032

1, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2473
    Patch: https://bugzilla.redhat.com/attachment.cgi?id=357950

2, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955
    Patch: http://marc.info/?l=apr-dev&m=124396021826125&w=2

    When looking at the patches, while the source code bases (patches)
    are different, the XML reproducer is the same - so is different
    source code sufficient to distinguish the CVE ids, or should
    they be merged?

3, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1885
    Patch: 
http://svn.apache.org/viewvc/xerces/c/trunk/src/xercesc/validators/DTD/DTDScanner.cpp?r1=709149&r2=781488&pathrev=781488

    The testcases here were provided by CERT-FI and are the
    same as for:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2414
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2416

    But different CVE identifiers needed to be used, due the
    fact, CVE-2009-1885 issue was disclosed earlier, than
    other vendors were prepared to release libxml2 updates.

    They also affect different code bases: CVE-2009-1885
    Apache Xerces C++, while CVE-2009-2414, CVE-2009-2416 libxml / libxml2.

4, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
    CVE originally assigned to Apache Xerces2 Java (does it embed
    its own copy of expat), but also reported as expat issue here:
      http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?view=log

    Expat patch:
      http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch

    The expat library is embedded also in:
      a, w3c-libwww http://www.w3.org/Library
      b, PyXML http://pyxml.sourceforge.net/

    And probably also in other packages (still need to get the complete list). In this case,
    the reproducer, code base and patch are the same, just the expat library is embedded
    in multiple other products. Two questions remain to be answered here:

    a, Does Apache Xerces2 Java contain embedded copy ot the expat library (i.e. it's
       completely the same issue as in expat, w3c-libwww, PyXML and others) - Marc
       could you help to reply this question?

    b, Can we use CVE-2009-2625 to reference expat, w3c-libwww(expat), PyXML (expat)
       issues too or another one need to be assigned for these? (But the decision
       depends on the answer to previous question).

Hoping this will bring at least a little bit more light into above [1] doubts

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.