Message-ID: <m1CP242-000onXC__32308.4418815144$1099430569$gmane$org@finlandia.Infodrom.North.DE>
Date: Tue, 2 Nov 2004 18:03:22 +0100 (CET)
From: joey@...odrom.org (Martin Schulze)
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 582-1] New libxml packages fix arbitrary code execution


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 582-1                     security@...ian.org
http://www.debian.org/security/                             Martin Schulze
November 2nd, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : libxml, libxml2
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0989

"infamous41md" discovered several buffer overflows in libxml and
libxml2, the XML C parser and toolkits for GNOME.  Missing boundary
checks could cause several buffers to be overflowed, which may cause
the client to execute arbitrary code.

The following vulnerability matrix lists corrected versions of these
libraries:

For the stable distribution (woody) these problems have been fixed in
version 1.8.17-2woody2 of libxml and in version 2.4.19-4woody2 of
libxml2.

For the unstable distribution (sid) these problems have been fixed in
version 1.8.17-9 of libxml and in version 2.6.11-5 of libxml2.

These problems have also been fixed in version 2.6.15-1 of libxml2 in
the experimental distribution.

We recommend that you upgrade your libxml packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/libx/libxml/libxml_1.8.17-2woody2.dsc
      Size/MD5 checksum:      651 2bfffaf40b3784b89a819e878e9626f0
    http://security.debian.org/pool/updates/main/libx/libxml/libxml_1.8.17-2woody2.diff.gz
      Size/MD5 checksum:    34182 6923b92252b9aed67167f04ab236c8e8
    http://security.debian.org/pool/updates/main/libx/libxml/libxml_1.8.17.orig.tar.gz
      Size/MD5 checksum:  1016403 b8f01e43e1e03dec37dfd6b4507a9568

    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody2.dsc
      Size/MD5 checksum:      654 40c1984cb88763ebd8cc8bfe99de6c80
    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody2.diff.gz
      Size/MD5 checksum:   344211 7189893e73c9d929205896437c1b1da4
    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19.orig.tar.gz
      Size/MD5 checksum:  1925487 22e3c043f57e18baaed86c5fff3eafbc

  Alpha architecture:

    http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody2_alpha.deb
      Size/MD5 checksum:   382124 e44313692381e5858f18da6c49d05513
    http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody2_alpha.deb
      Size/MD5 checksum:   208956 83b71540e2c73f03513975b0fb8b105f

    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody2_alpha.deb
      Size/MD5 checksum:   388892 0c563e7f9514b655a12aa2d064223032
    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody2_alpha.deb
      Size/MD5 checksum:   938660 dadea3ca7e50350c2c7ffebe36d05d0f

  ARM architecture:

    http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody2_arm.deb
      Size/MD5 checksum:   392650 9e63519f4811e4ecfe15c9d918b38a3b
    http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody2_arm.deb
      Size/MD5 checksum:   184316 679269786787b9e5acbaedebff18adb7

    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody2_arm.deb
      Size/MD5 checksum:   346200 803c66b523b9808d15528d54c060a9bd
    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody2_arm.deb
      Size/MD5 checksum:   903098 ee22dbc5b403a6e652efe7f15a01fb75

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody2_i386.deb
      Size/MD5 checksum:   330182 1170064a71b1a4e9b74816af4a32475e
    http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody2_i386.deb
      Size/MD5 checksum:   183476 fd63fcad152cfce33e4b1704522ad550

    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody2_i386.deb
      Size/MD5 checksum:   333104 16c4091c3a23b0e781f56dc319618f8e
    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody2_i386.deb
      Size/MD5 checksum:   843196 239c8e4e112dbda6b3c2cd31f8177720

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody2_ia64.deb
      Size/MD5 checksum:   447364 893b7b074f5fa81d5b5c9e26000b29f3
    http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody2_ia64.deb
      Size/MD5 checksum:   285628 879fc3aef1b51620f7e6915292d6a97e

    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody2_ia64.deb
      Size/MD5 checksum:   507612 a9adbdfd156d3fe84040f408ad125be2
    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody2_ia64.deb
      Size/MD5 checksum:  1032762 8d6f6d5d16b2d75bfd76672fa4985a14

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody2_hppa.deb
      Size/MD5 checksum:   439590 425399c89c7eb16137d969a6cef752e4
    http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody2_hppa.deb
      Size/MD5 checksum:   248372 9caf0fcecb21d78d9af74f632b1c8446

    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody2_hppa.deb
      Size/MD5 checksum:   425520 3ccebdce5fe9b80743253a37316157af
    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody2_hppa.deb
      Size/MD5 checksum:   979256 6c22748c33c75b0ee5aeb860efee5a53

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody2_m68k.deb
      Size/MD5 checksum:   318372 0fab68e9e9ba8a2e997573117e9aa0e9
    http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody2_m68k.deb
      Size/MD5 checksum:   178346 4b8cc510bb6437ce8db345eca1839af2

    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody2_m68k.deb
      Size/MD5 checksum:   337140 82169ea40ae52a9e8d3156a31e360955
    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody2_m68k.deb
      Size/MD5 checksum:   828952 4ca7a3f1c179596e437f9dfdcc3f580a

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody2_mips.deb
      Size/MD5 checksum:   376408 365aeb51b9294d81730bc98e0af0d219
    http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody2_mips.deb
      Size/MD5 checksum:   183804 5570e2a54ba089d1f1d8b02c56742089

    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody2_mips.deb
      Size/MD5 checksum:   349116 6ca2c1d1d79d7333a22406b179c092db
    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody2_mips.deb
      Size/MD5 checksum:   921192 ebb90411abef3e858b9de4a3be497c46

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody2_mipsel.deb
      Size/MD5 checksum:   373854 692fbe719929a2874dae659d41bdc77a
    http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody2_mipsel.deb
      Size/MD5 checksum:   183140 e723329953c4a18985f3e7ccd594527d

    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody2_mipsel.deb
      Size/MD5 checksum:   343810 96a05292b67bfb88b0b297462511633d
    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody2_mipsel.deb
      Size/MD5 checksum:   915238 65471cbe63f97759b77cc6909f3e4068

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody2_powerpc.deb
      Size/MD5 checksum:   356772 b9d81bed922444e04b4bb40cd8b6c1da
    http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody2_powerpc.deb
      Size/MD5 checksum:   194196 5bfd2a792665ff67ee95580978cbb190

    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody2_powerpc.deb
      Size/MD5 checksum:   376604 83bdc195dd946e4f91912e7147ebe903
    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody2_powerpc.deb
      Size/MD5 checksum:   917092 61479b1fa13b124a920cceae7e23992a

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody2_s390.deb
      Size/MD5 checksum:   329590 72c14a9b31961174f71af876ddcd53eb
    http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody2_s390.deb
      Size/MD5 checksum:   184392 93eaedce11e29de34f4e4cf7d07a40df

    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody2_s390.deb
      Size/MD5 checksum:   360384 31084d770e8129aa710513ef56aeb41d
    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody2_s390.deb
      Size/MD5 checksum:   857550 6e3186b4f4e81af40390dac27dd0fe2f

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/libx/libxml/libxml-dev_1.8.17-2woody2_sparc.deb
      Size/MD5 checksum:   347208 5984047996c0c1bfe1bda0813e62f905
    http://security.debian.org/pool/updates/main/libx/libxml/libxml1_1.8.17-2woody2_sparc.deb
      Size/MD5 checksum:   196282 3214ecae98a445d78aae0aa850403df4

    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.4.19-4woody2_sparc.deb
      Size/MD5 checksum:   363778 0e6054a515784befb193b4d331f399d5
    http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.4.19-4woody2_sparc.deb
      Size/MD5 checksum:   887178 8ca21974d081b2dd39b1e78dca414547


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBh73aW5ql+IAeqTIRAoVsAJ4y/cIfKFuyTMIRghALGnYFPpUGUgCfZSxt
5ps0VSceDXuevK+FyIxxW3E=
=V246
-----END PGP SIGNATURE-----
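
Added example, not part of the advisory or of Debian's tooling: a check of downloaded packages against the "Size/MD5 checksum" entries above before running dpkg -i. The file names, mirror URL and payload in demo() are constructed, and the listed values are only as trustworthy as the signed advisory text they are copied from.

```python
import hashlib
import os
import re
import tempfile

# One entry = a URL line followed by a "Size/MD5 checksum:" line.
ENTRY = re.compile(
    r"^\s*(?P<url>(?:https?|ftp)://\S+)\s*\n"
    r"\s*Size/MD5 checksum:\s*(?P<size>\d+)\s+(?P<md5>[0-9a-f]{32})\s*$",
    re.MULTILINE,
)

def parse_manifest(text):
    """Map file name -> (size, md5) for every entry found in the text."""
    entries = {}
    for m in ENTRY.finditer(text):
        name = m.group("url").rsplit("/", 1)[-1]
        entries[name] = (int(m.group("size")), m.group("md5"))
    return entries

def verify_file(path, entries):
    """Return 'ok', 'unlisted', 'size-mismatch' or 'md5-mismatch'."""
    expected = entries.get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    size, md5 = expected
    if os.path.getsize(path) != size:
        return "size-mismatch"  # cheap check; also catches truncated downloads
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return "ok" if digest.hexdigest() == md5 else "md5-mismatch"

def demo():
    """Verify constructed files against a constructed manifest entry."""
    good = b"constructed package payload\n"
    manifest = (
        "    http://mirror.example.invalid/pool/demo_1.0-1_i386.deb\n"
        f"      Size/MD5 checksum: {len(good):8d} {hashlib.md5(good).hexdigest()}\n"
    )
    entries = parse_manifest(manifest)
    variants = {"intact": good, "truncated": good[:-1],
                "tampered": good.replace(b"payload", b"PAYLOAD")}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo_1.0-1_i386.deb")
        for label, data in variants.items():
            with open(path, "wb") as fh:
                fh.write(data)
            results[label] = verify_file(path, entries)
        results["unlisted"] = verify_file(os.path.join(tmp, "other.deb"), entries)
    return results
```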


