Date: Fri, 23 Oct 2009 15:08:57 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>, Josh Bressers <bressers@...hat.com>
CC: oss-security <oss-security@...ts.openwall.com>, CERT-FI Vulnerability Co-ordination <vulncoord@...ora.fi>, Joe Orton <jorton@...hat.com>, Ondrej Vasik <ovasik@...hat.com>, Roman Rakus <rrakus@...hat.com>
Subject: Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430]

Hi Steve, Josh, vendors,

Michael Gilbert wrote:
> On Thu, 22 Oct 2009 16:04:37 +0200 Marc Schoenefeld wrote:
>
>> Jan Lieskovsky wrote:
>>> Hello Steve, vendors,
>>>
>>> [...]
>>>
>>> a, Does Apache Xerces2 Java contain an embedded copy of the expat
>>> library (i.e. it's completely the same issue as in expat, w3c-libwww,
>>> PyXML and others)? Marc, could you help to reply to this question?
>>>
>> Hi,
>> the upstream patch for CVE-2009-2625 for xerces-j2 is java-only and
>> unrelated to fixes in other native C parsing libraries.

Based on the above -^ I would vote for a separate CVE identifier for the
expat flaw (and its embedded copies in a dozen packages):

https://bugs.gentoo.org/show_bug.cgi?id=280615#c8
https://bugs.gentoo.org/show_bug.cgi?id=280615#c10

To recall the wording of CVE-2009-2625:
---------------------------------------
Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK
and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in
other products, allows remote attackers to cause a denial of service
(infinite loop and application hang) via malformed XML input, as
demonstrated by the Codenomicon XML fuzzing framework.

Argumentation for a new CVE id:
-------------------------------
a, CVE-2009-2625 doesn't mention expat (just "other products"; this could
   be fixed though)
b, The impact differs in Apache Xerces2 Java (infinite loop and application
   hang, 100% CPU use; I have checked unpatched java-1.6.0-openjdk) and in
   expat (clean crash). gdb output is attached for both test cases.

Steve, Josh, which way would be easier to follow?

i, mention expat in CVE-2009-2625 and change the impact to DoS (crash) via
   a malformed XML file, which triggers a crash in the UTF-8 parser? or
ii, assign a new CVE id for expat (and its embedded copies) with a clean
   impact description and note that the crash happens in the UTF-8 parser?

Opinions, ACKs, NACKs appreciated.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

>
> hi,
>
> mandriva and gentoo used CVE-2009-2625 as their reference CVE for the
> expat fixes. debian is also currently tracking the issue with this
> CVE for the time being. however, we have not yet released fixed
> packages.
>
> mike

Attachment: "gdb_output" (text/plain, 2477 bytes)
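Whichever identifier is assigned, the two symptoms described in this thread (expat dying in its UTF-8 parser, Xerces2 Java looping forever) are both denial-of-service conditions for any service that parses untrusted XML. The following is an added example, not part of this thread or of expat itself: it runs Python's bundled expat in a child process under a wall-clock limit so the caller survives either symptom. The sample inputs are constructed and are not the malformed file from the bug report, and the hanging and crashing workers are stand-ins for an unpatched parser.

```python
import multiprocessing
import os
import xml.parsers.expat

# Constructed sample inputs; neither is the trigger from the bug report.
WELL_FORMED = b"<root><a x='1'/><b/></root>"
BAD_UTF8 = b"<root>\xc3\x28</root>"  # 0xC3 lead byte with no valid continuation

def _parse_worker(data, conn):
    """Runs in the child process, so only the child is exposed to parser bugs."""
    parser = xml.parsers.expat.ParserCreate()
    elements = []
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    try:
        parser.Parse(data, True)
        conn.send(("ok", elements))
    except xml.parsers.expat.ExpatError as exc:
        conn.send(("malformed", str(exc)))  # rejected cleanly, as a patched parser does
    finally:
        conn.close()

def _hanging_worker(data, conn):
    """Stand-in for a parser stuck in an infinite loop (the Xerces symptom)."""
    while True:
        pass

def _crashing_worker(data, conn):
    """Stand-in for a parser that dies hard (the expat symptom)."""
    os.abort()

def parse_isolated(data, timeout=2.0, worker=_parse_worker):
    """Parse untrusted XML in a child process under a wall-clock limit.
    Returns (status, detail); status is 'ok', 'malformed', 'hang' or 'crash'."""
    recv_end, send_end = multiprocessing.Pipe(duplex=False)
    proc = multiprocessing.Process(target=worker, args=(data, send_end))
    proc.start()
    send_end.close()  # parent keeps only the read end, so EOF means the child is gone
    if not recv_end.poll(timeout):
        proc.kill()  # still no answer: treat as an infinite loop
        proc.join()
        return ("hang", "no result within %.1fs" % timeout)
    try:
        result = recv_end.recv()
    except EOFError:  # child exited without reporting, e.g. killed by a signal
        result = None
    proc.join(timeout)
    if result is None:
        return ("crash", "child exit code %s" % proc.exitcode)
    return result
```

The isolation only limits blast radius; it does not replace updating expat and its embedded copies.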