Date: Fri, 23 Oct 2009 15:08:57 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>,
Josh Bressers <bressers@...hat.com>
CC: oss-security <oss-security@...ts.openwall.com>,
CERT-FI Vulnerability Co-ordination <vulncoord@...ora.fi>,
Joe Orton <jorton@...hat.com>, Ondrej Vasik <ovasik@...hat.com>,
Roman Rakus <rrakus@...hat.com>
Subject: Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430]
Hi Steve, Josh, vendors,
Michael Gilbert wrote:
> On Thu, 22 Oct 2009 16:04:37 +0200 Marc Schoenefeld wrote:
>
>> Jan Lieskovsky wrote:
>>> Hello Steve, vendors,
>>>
>>> [...]
>>>
>>> a, Does Apache Xerces2 Java contain an embedded copy of the expat
>>> library (i.e. is it
>>> completely the same issue as in expat, w3c-libwww, PyXML and
>>> others)? Marc,
>>> could you help to reply to this question?
>>>
>> Hi,
>> the upstream patch for CVE-2009-2625 for xerces-j2 is java-only [1] and
>> unrelated to fixes in other native C parsing libraries.
Based on the above -^ I would vote for a separate CVE identifier for the expat flaw
(and its embedded copies in a dozen packages):
https://bugs.gentoo.org/show_bug.cgi?id=280615#c8
https://bugs.gentoo.org/show_bug.cgi?id=280615#c10
To recall the wording of CVE-2009-2625:
---------------------------------------
Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK
and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and
in other products, allows remote attackers to cause a denial of service
(infinite loop and application hang) via malformed XML input, as
demonstrated by the Codenomicon XML fuzzing framework.
Argumentation for new CVE id:
-----------------------------
a, CVE-2009-2625 doesn't mention expat (just "other products"; this could
be fixed though)
b, The impact differs between Apache Xerces2 Java (infinite loop and application
hang, 100% CPU use -- I have checked unpatched java-1.6.0-openjdk) and expat
(clean crash) - gdb output attached for both testcases.
Steve, Josh, which way would be easier to follow?
i, mention expat in CVE-2009-2625 and change the impact to DoS (crash)
via a malformed XML file that triggers a crash in the UTF-8 parser? or
ii, assign a new CVE id for expat (and its embedded copies) with a
clean impact description and a note that the crash happens in the UTF-8
parser?
Opinions, ACKs, NACKs appreciated.
Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
>
> hi,
>
> mandriva and gentoo used CVE-2009-2625 as their reference CVE for the
> expat fixes. debian is also currently tracking the issue with this
> CVE for the time being. however, we have not yet released fixed
> packages.
>
> mike
pythontest1.xml:
---------------
Core was generated by `xmlwf pythontest1.xml'.
Program terminated with signal 11, Segmentation fault.
[New process 30314]
#0 big2_updatePosition (enc=0x2a4940, ptr=0x9ff5000 <Address 0x9ff5000 out of bounds>, end=0x9fd4be3 "", pos=0x9fd41a0) at lib/xmltok_impl.c:1748
1748 switch (BYTE_TYPE(enc, ptr)) {
(gdb) bt
#0 big2_updatePosition (enc=0x2a4940, ptr=0x9ff5000 <Address 0x9ff5000 out of bounds>, end=0x9fd4be3 "", pos=0x9fd41a0) at lib/xmltok_impl.c:1748
#1 0x002808f1 in XML_GetCurrentColumnNumber (parser=0x9fd4008) at lib/xmlparse.c:1803
#2 0x0804b340 in reportError (parser=0x9fd4008, filename=0xbf8f2662 "pythontest1.xml") at xmlwf/xmlfile.c:66
#3 0x0804b6e2 in processFile (data=0xb78fa000, size=3, filename=0xbf8f2662 "pythontest1.xml", args=0xbf8f16f0) at xmlwf/xmlfile.c:83
#4 0x0804b9cf in filemap (name=0xbf8f2662 "pythontest1.xml", processor=0x804b680 <processFile>, arg=0xbf8f16f0) at xmlwf/unixfilemap.c:61
#5 0x0804b5ef in XML_ProcessFile (parser=0x9fd4008, filename=0xbf8f2662 "pythontest1.xml", flags=1) at xmlwf/xmlfile.c:238
#6 0x08049692 in main (argc=2, argv=Cannot access memory at address 0x9ff5004
) at xmlwf/xmlwf.c:847
pythontest2.xml:
---------------
Core was generated by `xmlwf pythontest2.xml'.
Program terminated with signal 11, Segmentation fault.
[New process 30322]
#0 normal_updatePosition (enc=0x2a38a0, ptr=0x8a87000 <Address 0x8a87000 out of bounds>, end=0x8a66bee "\205='1.0'?>\r\n", pos=0x8a661a0) at lib/xmltok_impl.c:1748
1748 switch (BYTE_TYPE(enc, ptr)) {
(gdb) bt
#0 normal_updatePosition (enc=0x2a38a0, ptr=0x8a87000 <Address 0x8a87000 out of bounds>, end=0x8a66bee "\205='1.0'?>\r\n", pos=0x8a661a0) at lib/xmltok_impl.c:1748
#1 0x002808f1 in XML_GetCurrentColumnNumber (parser=0x8a66008) at lib/xmlparse.c:1803
#2 0x0804b340 in reportError (parser=0x8a66008, filename=0xbfcc3662 "pythontest2.xml") at xmlwf/xmlfile.c:66
#3 0x0804b6e2 in processFile (data=0xb772c000, size=25, filename=0xbfcc3662 "pythontest2.xml", args=0xbfcc3070) at xmlwf/xmlfile.c:83
#4 0x0804b9cf in filemap (name=0xbfcc3662 "pythontest2.xml", processor=0x804b680 <processFile>, arg=0xbfcc3070) at xmlwf/unixfilemap.c:61
#5 0x0804b5ef in XML_ProcessFile (parser=0x8a66008, filename=0xbfcc3662 "pythontest2.xml", flags=1) at xmlwf/xmlfile.c:238
#6 0x08049692 in main (argc=2, argv=0x20407) at xmlwf/xmlwf.c:847
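Both backtraces above end inside the position-tracking routine with `ptr` far beyond `end` (0x9ff5000 against 0x9fd4be3), which is consistent with a scan that advances by a multi-byte lead byte's announced length and misses its stop condition on a truncated sequence at the tail of the buffer. The following C is a constructed illustration of that bug class beside a bounded variant, added here and not expat's code; `utf8_lead_len`, `naive_overshoot`, `position_of` and the sample document are all made up for this example.

```c
#include <stddef.h>
/* Constructed illustration (not expat's code): a line/column tracker walking
 * a UTF-8 buffer that ends in a truncated multi-byte sequence. */
typedef struct { size_t line; size_t column; } position_t;
/* Byte length announced by a UTF-8 lead byte; 1 for ASCII or a stray
 * continuation byte, so the scan always makes progress. */
static size_t utf8_lead_len(unsigned char c)
{
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return 4;
    return 1;
}
/* Unsafe pattern: advance by the announced length and stop only on
 * `i != len`.  A lead byte whose continuation bytes are missing jumps past
 * the end, and the loop then never meets its stop condition.  To stay
 * well-defined, this version reports how far the scan overshot instead of
 * indexing there (a real `!=` loop would keep reading). */
size_t naive_overshoot(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i != len) {
        if (i > len) return i - len;
        i += utf8_lead_len(buf[i]);
    }
    return 0;
}
/* Bounded version: `<` as the stop condition, and the last sequence clamped
 * to the bytes that actually remain.  Columns count sequences, not bytes. */
position_t position_of(const unsigned char *buf, size_t len)
{
    position_t pos = { 1, 0 };
    size_t i = 0;
    while (i < len) {
        size_t n = utf8_lead_len(buf[i]);
        if (n > len - i) n = len - i;          /* truncated tail: consume what is left */
        if (buf[i] == '\n' || buf[i] == '\r') {
            pos.line++;
            pos.column = 0;
            if (buf[i] == '\r' && i + 1 < len && buf[i + 1] == '\n') n = 2;  /* CRLF */
        } else {
            pos.column++;
        }
        i += n;
    }
    return pos;
}
/* Constructed sample: "<a>", LF, "<b>", a complete 2-byte sequence (U+00E9),
 * then a lone 3-byte lead byte 0xE2 as the very last byte of the buffer. */
static const unsigned char SAMPLE[] = "<a>\n<b>\xC3\xA9\xE2";
#define SAMPLE_LEN (sizeof SAMPLE - 1)   /* 10 bytes, without the terminating NUL */
```

On the sample, `naive_overshoot` reports a 2-byte overrun while `position_of` stops cleanly at line 2, column 5.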