Date: Thu, 22 Oct 2009 15:35:58 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>, Marc Schoenefeld <mschoene@...hat.com>, Joe Orton <jorton@...hat.com>, Ondrej Vasik <ovasik@...hat.com>, Roman Rakus <rrakus@...hat.com>, CERT-FI Vulnerability Co-ordination <vulncoord@...ora.fi>
Subject: Regarding expat bug 1990430

Hello Steve, vendors,

this is due to:
  http://thread.gmane.org/gmane.comp.security.oss.general/2025/focus=2032

1, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2473
   Patch: https://bugzilla.redhat.com/attachment.cgi?id=357950

2, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955
   Patch: http://marc.info/?l=apr-dev&m=124396021826125&w=2

When looking at the patches, while the source code bases (patches) are different, the XML reproducer is the same - so is different source code sufficient to distinguish the CVE ids, or should they be merged?

3, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1885
   Patch: http://svn.apache.org/viewvc/xerces/c/trunk/src/xercesc/validators/DTD/DTDScanner.cpp?r1=709149&r2=781488&pathrev=781488

The testcases here were provided by CERT-FI and are the same as for:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2414
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2416

But different CVE identifiers needed to be used, due to the fact that the CVE-2009-1885 issue was disclosed earlier than other vendors were prepared to release libxml2 updates. They also affect different code bases: CVE-2009-1885 Apache Xerces C++, while CVE-2009-2414, CVE-2009-2416 libxml / libxml2.

4, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625

CVE originally assigned to Apache Xerces2 Java (does it embed its own copy of expat?), but also reported as an expat issue here:
  http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?view=log

Expat patch:
  http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch

The expat library is also embedded in:
a, w3c-libwww http://www.w3.org/Library
b, PyXML http://pyxml.sourceforge.net/

And probably also in other packages (still need to get the complete list).

In this case, the reproducer, code base and patch are the same, just the expat library is embedded in multiple other products.

Two questions remain to be answered here:
a, Does Apache Xerces2 Java contain an embedded copy of the expat library (i.e. it's completely the same issue as in expat, w3c-libwww, PyXML and others) - Marc, could you help to reply to this question?
b, Can we use CVE-2009-2625 to reference the expat, w3c-libwww (expat), PyXML (expat) issues too, or does another one need to be assigned for these? (But the decision depends on the answer to the previous question.)

Hoping this will bring at least a little bit more light into the above doubts.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team