Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 27 Aug 2009 18:06:23 +0300
From: CERT-FI Vulnerability Coordination <>
CC: Robert Buchholz <>,
Subject: Re: Re: expat bug 1990430

Hash: SHA1

Steven M. Christey wrote:
> Glad to see CERT-FI join the discussion.  A big factor in all this
> confusion was that the original advisory did not explicitly state which
> CVE was associated with which issue.  The scale of the effort also
> complicates things, as happens with all PROTOS/fuzzing/test-suite projects
> due the size and complexity of those efforts combined with lack of clarity
> of codebase relationships and the stray coordination problem (i.e., "it
> comes with the territory.")

Sorry about that. We will make our future advisories more explicit on
the CVE references and the details. The test-suite/fuzzing tool projects
sometimes make it pretty complicated to handle all the separate issues
in a proper way. I am trying to clarify some of the confusion in my
answers here.

> 3) CVE-2009-1885 is for a stack consumption problem in Xerces C++
>    involving nested parentheses and invalid byte values.  It appears that
>    expat and Xerces are distinct libraries, i.e. they don't have any
>    significant shared code?

The expat and/or Xerces -maintainers are probably the right people to
give a comprehensive answer for questions 1-3. However, based on the
code I have been reading during the coordination, I think that expat and
Xerces do not share much code.

> 4) CVE-2009-2625 is for Xerces Java which is used in JRE/JDK and
>    presumably others.  The impact here is an infinite loop.  Is this
>    really a distinct problem than whatever CVE-2009-1885 is talking about?

Yes, these are two distinct issues with significantly different reproducers.

> 5) CERT-FI's response to the inquiry about the Python "libexpat"
>    being the same as the "expat" issue seemed to imply that CVE-2009-2625
>    is about expat... since that's the CVE that was used in the inquiry.
>    However, I thought from point 3 that expat and Xerces are distinct
>    libraries, which means the CVEs *wouldn't* be the same, because
>    CVE-2009-2625 explicitly names Xerces.  Also, for CVE-2009-2625, *none*
>    of the primary sources (Fedora, Red Hat, Mandriva, Sun) mention expat
>    in their advisories.

I managed to misunderstand the only question Robert had for us. Even
though the question was pretty clear. There probably is not a CVE for
the expat crash (which affected Python expat too) yet. As the original
issue was not handled by us and it was found already back in 2008, we
did not allocate a CVE for the Python expat issue. So we probably need a
CVE for the expat crash. I assume we could use this CVE for the Python
expat crash too since the root cause is the same.

> 6) The only recent CVE assignment that focuses on expat seems to be
>    related to the billion laughs attack (CVE-2009-1955).  So does this
>    mean that there weren't any other problems related to "infinite loop"
>    or "unexpected byte values and recursive parentheses" with memory
>    corruption?  If there were, then what are their CVEs?  (Distinct CVEs
>    would be needed because corruption/infinite-loop/"unexpected byte
>    values" suggest different vuln types than billion-laughs?)

We are not aware of any other problems. In addition to the billion
laughs issue with some code using expat, the only recent expat issue we
are aware of is this segfault in expat's updatePosition -function when
parsing multibyte characters. Our advisory does not cover any other
expat issues than the Python expat -related part of the latter one.

> bonus) Is Xerces vulnerable to the billion laughs attack?  If so, was this
>    covered in the CERT-FI advisory and does it map to any of the
>    previously-provided CVE names?

The billion laughs attack was not covered in the CERT-FI advisory.

I hope this clarifies the situation. I am sorry for the confusion for
our part.


Sauli Pahlman

Version: GnuPG v1.4.9 (GNU/Linux)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.