Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.51.0908261205070.15429@faron.mitre.org>
Date: Wed, 26 Aug 2009 12:38:26 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: Robert Buchholz <rbu@...too.org>
Subject: Re: Re: expat bug 1990430


Glad to see CERT-FI join the discussion.  A big factor in all this
confusion was that the original advisory did not explicitly state which
CVE was associated with which issue.  The scale of the effort also
complicates things, as happens with all PROTOS/fuzzing/test-suite projects
due the size and complexity of those efforts combined with lack of clarity
of codebase relationships and the stray coordination problem (i.e., "it
comes with the territory.")

I've been a bit concerned about CVE assignments because the lack of
details may be causing us to assign duplicate CVEs or to combine multiple
problems into a single ID.

I have several questions at this point:

1) neon "when expat is used" was subject to the billion laughs attack
   (recursion during entity expansion).  This was assigned CVE-2009-2473.
   The description for CVE-2009-2473 focuses on neon, and I haven't seen
   it used for other products.  Was this really a problem in expat?  Then
   we may have a dupe.

2) If per (1) this is really a problem in expat, then is the
   neon problem the same as CVE-2009-1955 which is described for Apache
   APR-util?  Or is apr-util an entirely different library/codebase than
   expat?

3) CVE-2009-1885 is for a stack consumption problem in Xerces C++
   involving nested parentheses and invalid byte values.  It appears that
   expat and Xerces are distinct libraries, i.e. they don't have any
   significant shared code?

4) CVE-2009-2625 is for Xerces Java which is used in JRE/JDK and
   presumably others.  The impact here is an infinite loop.  Is this
   really a distinct problem than whatever CVE-2009-1885 is talking about?

5) CERT-FI's response to the inquiry about the Python "libexpat"
   being the same as the "expat" issue seemed to imply that CVE-2009-2625
   is about expat... since that's the CVE that was used in the inquiry.
   However, I thought from point 3 that expat and Xerces are distinct
   libraries, which means the CVEs *wouldn't* be the same, because
   CVE-2009-2625 explicitly names Xerces.  Also, for CVE-2009-2625, *none*
   of the primary sources (Fedora, Red Hat, Mandriva, Sun) mention expat
   in their advisories.

6) The only recent CVE assignment that focuses on expat seems to be
   related to the billion laughs attack (CVE-2009-1955).  So does this
   mean that there weren't any other problems related to "infinite loop"
   or "unexpected byte values and recursive parentheses" with memory
   corruption?  If there were, then what are their CVEs?  (Distinct CVEs
   would be needed because corruption/infinite-loop/"unexpected byte
   values" suggest different vuln types than billion-laughs?)

bonus) Is Xerces vulnerable to the billion laughs attack?  If so, was this
   covered in the CERT-FI advisory and does it map to any of the
   previously-provided CVE names?


I'm sure there's even more confusion than this, but it's a good start.


- Steve

======================================================
Name: CVE-2009-1885
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1885
Reference: MISC:http://www.cert.fi/en/reports/2009/vulnerability2009085.html
Reference: MISC:http://www.codenomicon.com/labs/xml/
Reference: MISC:http://www.networkworld.com/columnists/2009/080509-xml-flaw.html
Reference: CONFIRM:http://svn.apache.org/viewvc/xerces/c/trunk/src/xercesc/validators/DTD/DTDScanner.cpp?r1=781488&r2=781487&pathrev=781488&view=patch
Reference: CONFIRM:http://svn.apache.org/viewvc?view=rev&revision=781488
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=515515
Reference: BID:35986
Reference: URL:http://www.securityfocus.com/bid/35986
Reference: SECUNIA:36201
Reference: URL:http://secunia.com/advisories/36201
Reference: VUPEN:ADV-2009-2196
Reference: URL:http://www.vupen.com/english/advisories/2009/2196
Reference: XF:xerces-c-dtd-dos(52321)
Reference: URL:http://xforce.iss.net/xforce/xfdb/52321

Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in
Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers
to cause a denial of service (application crash) via vectors involving
nested parentheses and invalid byte values in "simply nested DTD
structures," as demonstrated by the Codenomicon XML fuzzing framework.


======================================================
Name: CVE-2009-1955
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955
Reference: MILW0RM:8842
Reference: URL:http://www.milw0rm.com/exploits/8842
Reference: MLIST:[apr-dev] 20090602 [PATCH] prevent "billion laughs" attack against expat
Reference: URL:http://marc.info/?l=apr-dev&m=124396021826125&w=2
Reference: MLIST:[oss-security] 20090603 CVE request: "billion laughs" attack against Apache APR
Reference: URL:http://www.openwall.com/lists/oss-security/2009/06/03/4
Reference: CONFIRM:http://svn.apache.org/viewvc?view=rev&revision=781403
Reference: CONFIRM:http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3
Reference: AIXAPAR:PK88342
Reference: URL:http://www-01.ibm.com/support/docview.wss?uid=swg1PK88342
Reference: AIXAPAR:PK91241
Reference: URL:http://www-01.ibm.com/support/docview.wss?uid=swg1PK91241
Reference: DEBIAN:DSA-1812
Reference: URL:http://www.debian.org/security/2009/dsa-1812
Reference: FEDORA:FEDORA-2009-5969
Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01228.html
Reference: FEDORA:FEDORA-2009-6014
Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01173.html
Reference: FEDORA:FEDORA-2009-6261
Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01201.html
Reference: GENTOO:GLSA-200907-03
Reference: URL:http://security.gentoo.org/glsa/glsa-200907-03.xml
Reference: MANDRIVA:MDVSA-2009:131
Reference: URL:http://www.mandriva.com/security/advisories?name=MDVSA-2009:131
Reference: REDHAT:RHSA-2009:1107
Reference: URL:http://www.redhat.com/support/errata/RHSA-2009-1107.html
Reference: REDHAT:RHSA-2009:1108
Reference: URL:http://www.redhat.com/support/errata/RHSA-2009-1108.html
Reference: SLACKWARE:SSA:2009-167-02
Reference: URL:http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.538210
Reference: UBUNTU:USN-786-1
Reference: URL:http://www.ubuntu.com/usn/usn-786-1
Reference: UBUNTU:USN-787-1
Reference: URL:http://www.ubuntu.com/usn/usn-787-1
Reference: BID:35253
Reference: URL:http://www.securityfocus.com/bid/35253
Reference: SECUNIA:35284
Reference: URL:http://secunia.com/advisories/35284
Reference: SECUNIA:35360
Reference: URL:http://secunia.com/advisories/35360
Reference: SECUNIA:34724
Reference: URL:http://secunia.com/advisories/34724
Reference: SECUNIA:35444
Reference: URL:http://secunia.com/advisories/35444
Reference: SECUNIA:35487
Reference: URL:http://secunia.com/advisories/35487
Reference: SECUNIA:35395
Reference: URL:http://secunia.com/advisories/35395
Reference: SECUNIA:35565
Reference: URL:http://secunia.com/advisories/35565
Reference: SECUNIA:35710
Reference: URL:http://secunia.com/advisories/35710
Reference: SECUNIA:35843
Reference: URL:http://secunia.com/advisories/35843
Reference: SECUNIA:35797
Reference: URL:http://secunia.com/advisories/35797
Reference: VUPEN:ADV-2009-1907
Reference: URL:http://www.vupen.com/english/advisories/2009/1907

The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in
Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn
modules in the Apache HTTP Server, allows remote attackers to cause a
denial of service (memory consumption) via a crafted XML document
containing a large number of nested entity references, as demonstrated
by a PROPFIND request, a similar issue to CVE-2003-1564.


======================================================
Name: CVE-2009-2473
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2473
Reference: MLIST:[neon] 20090818 CVE-2009-2473: fix for "billion laughs" attack against expat
Reference: URL:http://lists.manyfish.co.uk/pipermail/neon/2009-August/001045.html
Reference: MLIST:[neon] 20090818 neon: release 0.28.6 (SECURITY)
Reference: URL:http://lists.manyfish.co.uk/pipermail/neon/2009-August/001044.html
Reference: FEDORA:FEDORA-2009-8794
Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00924.html
Reference: FEDORA:FEDORA-2009-8815
Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00945.html
Reference: SECUNIA:36371
Reference: URL:http://secunia.com/advisories/36371
Reference: VUPEN:ADV-2009-2341
Reference: URL:http://www.vupen.com/english/advisories/2009/2341
Reference: XF:neon-xml-dos(52633)
Reference: URL:http://xforce.iss.net/xforce/xfdb/52633

neon before 0.28.6, when expat is used, does not properly detect
recursion during entity expansion, which allows context-dependent
attackers to cause a denial of service (memory and CPU consumption)
via a crafted XML document containing a large number of nested entity
references, a similar issue to CVE-2003-1564.


======================================================
Name: CVE-2009-2625
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
Reference: MISC:http://www.cert.fi/en/reports/2009/vulnerability2009085.html
Reference: MISC:http://www.codenomicon.com/labs/xml/
Reference: MISC:http://www.networkworld.com/columnists/2009/080509-xml-flaw.html
Reference: CONFIRM:http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
Reference: FEDORA:FEDORA-2009-8329
Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html
Reference: FEDORA:FEDORA-2009-8337
Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html
Reference: MANDRIVA:MDVSA-2009:209
Reference: URL:http://www.mandriva.com/security/advisories?name=MDVSA-2009:209
Reference: REDHAT:RHSA-2009:1199
Reference: URL:https://rhn.redhat.com/errata/RHSA-2009-1199.html
Reference: REDHAT:RHSA-2009:1200
Reference: URL:https://rhn.redhat.com/errata/RHSA-2009-1200.html
Reference: REDHAT:RHSA-2009:1201
Reference: URL:https://rhn.redhat.com/errata/RHSA-2009-1201.html
Reference: SUNALERT:263489
Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1
Reference: BID:35958
Reference: URL:http://www.securityfocus.com/bid/35958
Reference: SECTRACK:1022680
Reference: URL:http://www.securitytracker.com/id?1022680
Reference: SECUNIA:36162
Reference: URL:http://secunia.com/advisories/36162
Reference: SECUNIA:36176
Reference: URL:http://secunia.com/advisories/36176
Reference: SECUNIA:36180
Reference: URL:http://secunia.com/advisories/36180
Reference: SECUNIA:36199
Reference: URL:http://secunia.com/advisories/36199

Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in
JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20,
and in other products, allows remote attackers to cause a denial of
service (infinite loop and application hang) via malformed XML input,
as demonstrated by the Codenomicon XML fuzzing framework.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.