oss-sec mailing list archives

Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430]


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 23 Oct 2009 15:08:57 +0200

Hi Steve, Josh, vendors,

Michael Gilbert wrote:
On Thu, 22 Oct 2009 16:04:37 +0200 Marc Schoenefeld wrote:

Jan Lieskovsky wrote:
Hello Steve, vendors,

[...]

   a, Does Apache Xerces2 Java contain an embedded copy of the expat library (i.e. it's
      completely the same issue as in expat, w3c-libwww, PyXML and others) - Marc,
      could you help to reply to this question?

Hi,
the upstream patch for CVE-2009-2625 for xerces-j2 is java-only [1] and
unrelated to fixes in other native C parsing libraries.

Based on the above -^ I would vote for a separate CVE identifier for the expat flaw
(and its embedded copies in a dozen packages):

https://bugs.gentoo.org/show_bug.cgi?id=280615#c8
https://bugs.gentoo.org/show_bug.cgi?id=280615#c10

To remember the wording of CVE-2009-2625:
---------------------------------------

Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK
and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and
in other products, allows remote attackers to cause a denial of service
(infinite loop and application hang) via malformed XML input, as
demonstrated by the Codenomicon XML fuzzing framework.

Argumentation for new CVE id:
-----------------------------
a, CVE-2009-2625 doesn't mention expat (just "other products", this could
   be fixed though)
b, The impact differs between Apache Xerces2 Java (infinite loop and application
   hang, 100% cpu use -- have checked unpatched java-1.6.0-openjdk) and expat
   (clean crash) - gdb output attached for both testcases.

Steve, Josh, which way would be easier to follow?
i, mention expat in CVE-2009-2625, change the impact to DoS (crash)
   via a malformed XML file, which triggers a UTF-8 parser crash? or
ii, assign a new CVE id for expat (and its embedded copies) with a
    clean impact description and note that the crash happens in the UTF-8
    parser?

Opinions, ACKs, NACKs appreciated.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team


hi,

mandriva and gentoo used CVE-2009-2625 as their reference CVE for the
expat fixes.  debian is also currently tracking the issue with this
CVE for the time being.  however, we have not yet released fixed
packages.

mike

pythontest1.xml:
---------------

Core was generated by `xmlwf pythontest1.xml'.
Program terminated with signal 11, Segmentation fault.
[New process 30314]
#0  big2_updatePosition (enc=0x2a4940, ptr=0x9ff5000 <Address 0x9ff5000 out of bounds>, end=0x9fd4be3 "", 
pos=0x9fd41a0) at lib/xmltok_impl.c:1748
1748        switch (BYTE_TYPE(enc, ptr)) {
(gdb) bt
#0  big2_updatePosition (enc=0x2a4940, ptr=0x9ff5000 <Address 0x9ff5000 out of bounds>, end=0x9fd4be3 "", 
pos=0x9fd41a0) at lib/xmltok_impl.c:1748
#1  0x002808f1 in XML_GetCurrentColumnNumber (parser=0x9fd4008) at lib/xmlparse.c:1803
#2  0x0804b340 in reportError (parser=0x9fd4008, filename=0xbf8f2662 "pythontest1.xml") at xmlwf/xmlfile.c:66
#3  0x0804b6e2 in processFile (data=0xb78fa000, size=3, filename=0xbf8f2662 "pythontest1.xml", args=0xbf8f16f0) at 
xmlwf/xmlfile.c:83
#4  0x0804b9cf in filemap (name=0xbf8f2662 "pythontest1.xml", processor=0x804b680 <processFile>, arg=0xbf8f16f0) at 
xmlwf/unixfilemap.c:61
#5  0x0804b5ef in XML_ProcessFile (parser=0x9fd4008, filename=0xbf8f2662 "pythontest1.xml", flags=1) at 
xmlwf/xmlfile.c:238
#6  0x08049692 in main (argc=2, argv=Cannot access memory at address 0x9ff5004
) at xmlwf/xmlwf.c:847

pythontest2.xml:
---------------

Core was generated by `xmlwf pythontest2.xml'.
Program terminated with signal 11, Segmentation fault.
[New process 30322]
#0  normal_updatePosition (enc=0x2a38a0, ptr=0x8a87000 <Address 0x8a87000 out of bounds>, end=0x8a66bee 
"\205='1.0'?>\r\n", pos=0x8a661a0)
    at lib/xmltok_impl.c:1748
1748           switch (BYTE_TYPE(enc, ptr)) {
(gdb) bt
#0  normal_updatePosition (enc=0x2a38a0, ptr=0x8a87000 <Address 0x8a87000 out of bounds>, end=0x8a66bee 
"\205='1.0'?>\r\n", pos=0x8a661a0)
    at lib/xmltok_impl.c:1748
#1  0x002808f1 in XML_GetCurrentColumnNumber (parser=0x8a66008) at lib/xmlparse.c:1803
#2  0x0804b340 in reportError (parser=0x8a66008, filename=0xbfcc3662 "pythontest2.xml") at xmlwf/xmlfile.c:66
#3  0x0804b6e2 in processFile (data=0xb772c000, size=25, filename=0xbfcc3662 "pythontest2.xml", 
args=0xbfcc3070) at xmlwf/xmlfile.c:83
#4  0x0804b9cf in filemap (name=0xbfcc3662 "pythontest2.xml", processor=0x804b680 <processFile>, 
arg=0xbfcc3070) at xmlwf/unixfilemap.c:61
#5  0x0804b5ef in XML_ProcessFile (parser=0x8a66008, filename=0xbfcc3662 "pythontest2.xml", flags=1) at 
xmlwf/xmlfile.c:238
#6  0x08049692 in main (argc=2, argv=0x20407) at xmlwf/xmlwf.c:847

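The two backtraces above differ only in the top frame (big2_updatePosition for the UTF-16 encoding, normal_updatePosition for UTF-8) and otherwise share the same source locations, which is the usual sign that two fuzzer testcases hit one bug. The following script is an added triage example, not code from expat, xmlwf or this thread: it parses gdb "bt" output (joining frames that gdb or a mail client wrapped across lines), builds a crash signature from the file:line of the top frames, and flags the "Address ... out of bounds" marker in the crashing frame's arguments as an invalid memory access. The sample input is the two backtraces from this message, embedded inline; the parsing regex and the signature depth of three frames are my own choices.

```python
"""Crash-triage helper: parse gdb 'bt' output and compare crash signatures.

Added example (not expat/xmlwf code). Assumes the input is the text gdb
prints after 'bt', possibly line-wrapped by gdb or by a mail client.
"""
import re
from dataclasses import dataclass

# Sample input: the two xmlwf backtraces posted in this thread (the second one
# with its stray quoting prefixes removed). Only the 'bt' listing is embedded.
TRACE_1 = r"""
#0  big2_updatePosition (enc=0x2a4940, ptr=0x9ff5000 <Address 0x9ff5000 out of bounds>, end=0x9fd4be3 "",
pos=0x9fd41a0) at lib/xmltok_impl.c:1748
#1  0x002808f1 in XML_GetCurrentColumnNumber (parser=0x9fd4008) at lib/xmlparse.c:1803
#2  0x0804b340 in reportError (parser=0x9fd4008, filename=0xbf8f2662 "pythontest1.xml") at xmlwf/xmlfile.c:66
#3  0x0804b6e2 in processFile (data=0xb78fa000, size=3, filename=0xbf8f2662 "pythontest1.xml", args=0xbf8f16f0) at
xmlwf/xmlfile.c:83
#4  0x0804b9cf in filemap (name=0xbf8f2662 "pythontest1.xml", processor=0x804b680 <processFile>, arg=0xbf8f16f0) at
xmlwf/unixfilemap.c:61
#5  0x0804b5ef in XML_ProcessFile (parser=0x9fd4008, filename=0xbf8f2662 "pythontest1.xml", flags=1) at
xmlwf/xmlfile.c:238
#6  0x08049692 in main (argc=2, argv=Cannot access memory at address 0x9ff5004
) at xmlwf/xmlwf.c:847
"""

TRACE_2 = r"""
#0  normal_updatePosition (enc=0x2a38a0, ptr=0x8a87000 <Address 0x8a87000 out of bounds>, end=0x8a66bee
"\205='1.0'?>\r\n", pos=0x8a661a0)
    at lib/xmltok_impl.c:1748
#1  0x002808f1 in XML_GetCurrentColumnNumber (parser=0x8a66008) at lib/xmlparse.c:1803
#2  0x0804b340 in reportError (parser=0x8a66008, filename=0xbfcc3662 "pythontest2.xml") at xmlwf/xmlfile.c:66
#3  0x0804b6e2 in processFile (data=0xb772c000, size=25, filename=0xbfcc3662 "pythontest2.xml",
args=0xbfcc3070) at xmlwf/xmlfile.c:83
#4  0x0804b9cf in filemap (name=0xbfcc3662 "pythontest2.xml", processor=0x804b680 <processFile>,
arg=0xbfcc3070) at xmlwf/unixfilemap.c:61
#5  0x0804b5ef in XML_ProcessFile (parser=0x8a66008, filename=0xbfcc3662 "pythontest2.xml", flags=1) at
xmlwf/xmlfile.c:238
#6  0x08049692 in main (argc=2, argv=0x20407) at xmlwf/xmlwf.c:847
"""

# One logical frame: "#N  [0xADDR in ]func (args) at file:line"
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>\w+)\s*\((?P<args>.*)\)"
    r"\s+at\s+(?P<file>\S+):(?P<line>\d+)\s*$"
)


@dataclass(frozen=True)
class Frame:
    num: int
    func: str
    args: str
    file: str
    line: int


def parse_backtrace(text):
    """Parse gdb 'bt' output into Frame objects.

    A physical line that does not start with '#<digits>' is treated as the
    continuation of the previous frame, which is how wrapped frames appear.
    """
    chunks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"^#\d+\s", line):
            chunks.append([line])
        elif chunks:
            chunks[-1].append(line)
    frames = []
    for parts in chunks:
        joined = " ".join(parts)
        m = FRAME_RE.match(joined)
        if m is None:
            raise ValueError("unrecognised frame: " + joined)
        frames.append(Frame(int(m["num"]), m["func"], m["args"], m["file"], int(m["line"])))
    return frames


def crash_signature(frames, depth=3):
    """Source locations of the top `depth` frames, used to bucket crashes.

    Keyed on file:line rather than function name so that the encoding-specific
    variants of one expat routine land in the same bucket.
    """
    return tuple((f.file, f.line) for f in frames[:depth])


def invalid_access(frames):
    """True when gdb could not dereference a pointer in the crashing frame,
    i.e. the fault looks like an out-of-bounds read rather than an abort."""
    return bool(frames) and frames[0].num == 0 and "out of bounds" in frames[0].args


def same_bug(trace_a, trace_b):
    """Two traces are the same bug if their crash signatures match."""
    return crash_signature(parse_backtrace(trace_a)) == crash_signature(parse_backtrace(trace_b))


if __name__ == "__main__":
    for name, trace in (("pythontest1.xml", TRACE_1), ("pythontest2.xml", TRACE_2)):
        frames = parse_backtrace(trace)
        print(name, frames[0].func, crash_signature(frames), "invalid access:", invalid_access(frames))
    print("same bug:", same_bug(TRACE_1, TRACE_2))
```

Running it reports the same signature for both testcases, which supports the thread's point that they are one expat flaw rather than two, and that the crash is in the error-reporting path (reportError calling XML_GetCurrentColumnNumber) rather than in the parse itself.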