Date: Fri, 23 Oct 2009 15:08:57 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>,
        Josh Bressers <bressers@...hat.com>
CC: oss-security <oss-security@...ts.openwall.com>,
        CERT-FI Vulnerability Co-ordination <vulncoord@...ora.fi>,
        Joe Orton <jorton@...hat.com>, Ondrej Vasik <ovasik@...hat.com>,
        Roman Rakus <rrakus@...hat.com>
Subject: Re: CVE Request -- expat [was: Re: Regarding expat
 bug 1990430]

Hi Steve, Josh, vendors,

Michael Gilbert wrote:
> On Thu, 22 Oct 2009 16:04:37 +0200 Marc Schoenefeld wrote:
> 
>> Jan Lieskovsky wrote:
>>> Hello Steve, vendors,
>>>
>>> [...]
>>>
>>>    a, Does Apache Xerces2 Java contain an embedded copy of the expat
>>>       library (i.e. it's completely the same issue as in expat,
>>>       w3c-libwww, PyXML and others) - Marc could you help to reply to
>>>       this question?
>>>
>> Hi,
>> the upstream patch for CVE-2009-2625 for xerces-j2 is  java-only [1] and
>> unrelated to fixes in other native C parsing libraries.

Based on the above -^ I would vote for a separate CVE identifier for the expat flaw
(and its embedded copies in dozens of packages):

https://bugs.gentoo.org/show_bug.cgi?id=280615#c8
https://bugs.gentoo.org/show_bug.cgi?id=280615#c10

To remember sounding of CVE-2009-2625:
---------------------------------------

Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK
and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and
in other products, allows remote attackers to cause a denial of service
(infinite loop and application hang) via malformed XML input, as
demonstrated by the Codenomicon XML fuzzing framework.

Argumentation for new CVE id:
-----------------------------
a, CVE-2009-2625 doesn't mention expat (just "other products", this could
    be fixed though)
b, The impact differs on Apache Xerces2 Java (infinite loop and application
    hang, 100% cpu use -- have checked unpatched java-1.6.0-openjdk) and in expat
    (clean crash) - gdb output attached for both testcases.

Steve, Josh, which way would be easier to follow?
i, mention expat in CVE-2009-2625, change impact to DoS (crash)
    via malformed XML file, which triggers UTF-8 parser crash? or
ii. assign new CVE id for expat (and its embedded copies) with
     clean impact description and note that crash happens in UTF-8
     parser?

Opinions, ACKs, NACKs appreciated.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> 
> hi,
> 
> mandriva and gentoo used CVE-2009-2625 as their reference CVE for the
> expat fixes.  debian is also currently tracking the issue with this
> CVE for the time being.  however, we have not yet released fixed
> packages.
> 
> mike


View attachment "gdb_output" of type "text/plain" (2477 bytes)
