Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 23 Oct 2009 15:08:57 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>,
        Josh Bressers <bressers@...hat.com>
CC: oss-security <oss-security@...ts.openwall.com>,
        CERT-FI Vulnerability Co-ordination <vulncoord@...ora.fi>,
        Joe Orton <jorton@...hat.com>, Ondrej Vasik <ovasik@...hat.com>,
        Roman Rakus <rrakus@...hat.com>
Subject: Re: CVE Request -- expat [was: Re: Regarding expat
 bug 1990430]

Hi Steve, Josh, vendors,

Michael Gilbert wrote:
> On Thu, 22 Oct 2009 16:04:37 +0200 Marc Schoenefeld wrote:
> 
>> Jan Lieskovsky wrote:
>>> Hello Steve, vendors,
>>>
>>> [...]
>>>
>>>    a, Does Apache Xerces2 Java contain embedded copy ot the expat
>>> library (i.e. it's
>>>       completely the same issue as in expat, w3c-libwww, PyXML and
>>> others) - Marc
>>>       could you help to reply this question?
>>>
>> Hi,
>> the upstream patch for CVE-2009-2625 for xerces-j2 is  java-only [1] and
>> unrelated to fixes in other native C parsing libraries.

Based on the above -^ I would vote for separate CVE identifier for expat flaw
(and its embedded copies in dozen of packages):

https://bugs.gentoo.org/show_bug.cgi?id=280615#c8
https://bugs.gentoo.org/show_bug.cgi?id=280615#c10

To remember sounding of CVE-2009-2625:
---------------------------------------

Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK
and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and
in other products, allows remote attackers to cause a denial of service
(infinite loop and application hang) via malformed XML input, as
demonstrated by the Codenomicon XML fuzzing framework.

Argumentation for new CVE id:
-----------------------------
a, CVE-2009-2625 doesn't mention expat (just "other products", this could
    be fixed though)
b, The impact differs on Apache Xerces2 Java (infinite loop and application
    hang, 100% cpu use -- have checked unpatched java-1.6.0-openjdk) and in expat
    (clean crash) - gdb output attached for both testcases.

Steve, Josh, which way would be easier to follow?
i, mention expat in CVE-2009-2625, change impact to DoS (crash)
    via malformed XML file, which triggers UTF-8 parser crash? or
ii. assign new CVE id for expat (and its embedded copies) with
     clean impact description and note that crash happens in UTF-8
     parser?

Opinions, ACKs, NACKs appreciated.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> 
> hi,
> 
> mandriva and gentoo used CVE-2009-2625 as their reference CVE for the
> expat fixes.  debian is also currently tracking the issue with this
> CVE for the time being.  however, we have not yet released fixed
> packages.
> 
> mike


View attachment "gdb_output" of type "text/plain" (2477 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ