LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: August 25th, 2014
Linux Advisory Watch: August 15th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Mandriva: Subject: [Security Announce] [ MDVSA-2008:192 ] libxml2 Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Mandrake A heap-based buffer overflow was found in how libxml2 handled long XML entity names. If an application linked against libxml2 processed untrusted malformed XML content, it could cause the application to crash or possibly execute arbitrary code (CVE-2008-3529).
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:192
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : libxml2
 Date    : September 11, 2008
 Affected: 2007.1, 2008.0, 2008.1, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 A heap-based buffer overflow was found in how libxml2 handled long
 XML entity names.  If an application linked against libxml2 processed
 untrusted malformed XML content, it could cause the application to
 crash or possibly execute arbitrary code (CVE-2008-3529).
 
 The updated packages have been patched to prevent this issue.
 As well, the patch to fix CVE-2008-3281 has been updated to remove
 the hard-coded entity limit that was set to 5M, instead using XML
 entity density heuristics.  Many thanks to Daniel Veillard of Red Hat
 for his hard work in tracking down and dealing with the edge cases
 discovered with the initial fix to this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3281
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2007.1:
 9250adec77a5118119d5000f2305540f  2007.1/i586/libxml2-2.6.27-3.4mdv2007.1.i586.rpm
 103dba08606f0038f3a9f4107ceba442  2007.1/i586/libxml2-devel-2.6.27-3.4mdv2007.1.i586.rpm
 a388bf596ef6725fb5baadb4e056a0bd  2007.1/i586/libxml2-python-2.6.27-3.4mdv2007.1.i586.rpm
 d2333e42a538101e36eab7d12467e08b  2007.1/i586/libxml2-utils-2.6.27-3.4mdv2007.1.i586.rpm 
 94a25c63f54693b7ac289223a6a3a687  2007.1/SRPMS/libxml2-2.6.27-3.4mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 343f8656039b69716fe712eeb2d1bf4e  2007.1/x86_64/lib64xml2-2.6.27-3.4mdv2007.1.x86_64.rpm
 320d8dd8245f5ec6db46bedaf07afb3e  2007.1/x86_64/lib64xml2-devel-2.6.27-3.4mdv2007.1.x86_64.rpm
 fb6f52df6831cda42db46502cc761475  2007.1/x86_64/lib64xml2-python-2.6.27-3.4mdv2007.1.x86_64.rpm
 8440fc08fee99f18a81a32035fac166a  2007.1/x86_64/libxml2-utils-2.6.27-3.4mdv2007.1.x86_64.rpm 
 94a25c63f54693b7ac289223a6a3a687  2007.1/SRPMS/libxml2-2.6.27-3.4mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 c53b40d9c7ebec036f9175c8f4e87b3b  2008.0/i586/libxml2_2-2.6.30-1.4mdv2008.0.i586.rpm
 4a4ed97086b52cab3bbd34fe4d7003a0  2008.0/i586/libxml2-devel-2.6.30-1.4mdv2008.0.i586.rpm
 d3898465dc2797a2b20be8310dd4f484  2008.0/i586/libxml2-python-2.6.30-1.4mdv2008.0.i586.rpm
 34c524fa03b470093bd0b0c679bcb9c4  2008.0/i586/libxml2-utils-2.6.30-1.4mdv2008.0.i586.rpm 
 2dc2f4732992e27aea4c5a098c631ae8  2008.0/SRPMS/libxml2-2.6.30-1.4mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 20ac98b346a1f18b90504cb623c530d8  2008.0/x86_64/lib64xml2_2-2.6.30-1.4mdv2008.0.x86_64.rpm
 fd5907e801bf4f64ee79d097fcaec2b6  2008.0/x86_64/lib64xml2-devel-2.6.30-1.4mdv2008.0.x86_64.rpm
 20f45401e501b9639a9b53d82a4e031f  2008.0/x86_64/libxml2-python-2.6.30-1.4mdv2008.0.x86_64.rpm
 22be20e194ba2177a47d831ee8c82f47  2008.0/x86_64/libxml2-utils-2.6.30-1.4mdv2008.0.x86_64.rpm 
 2dc2f4732992e27aea4c5a098c631ae8  2008.0/SRPMS/libxml2-2.6.30-1.4mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 61e96824adc6e61b2764bb3a85e2e76d  2008.1/i586/libxml2_2-2.6.31-1.3mdv2008.1.i586.rpm
 6d0cc51d32c7b6ecd609250aad302034  2008.1/i586/libxml2-devel-2.6.31-1.3mdv2008.1.i586.rpm
 1e7c4ddd30677789de05cc464dde9790  2008.1/i586/libxml2-python-2.6.31-1.3mdv2008.1.i586.rpm
 edd477e34b08f94956eeedd387b5e509  2008.1/i586/libxml2-utils-2.6.31-1.3mdv2008.1.i586.rpm 
 b1078a83185c1c97fada7ea5e97df753  2008.1/SRPMS/libxml2-2.6.31-1.3mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 9d25e809ad31decb111a38301b2a74c1  2008.1/x86_64/lib64xml2_2-2.6.31-1.3mdv2008.1.x86_64.rpm
 f35af82dffc02628edb1ce03113c3ba0  2008.1/x86_64/lib64xml2-devel-2.6.31-1.3mdv2008.1.x86_64.rpm
 5819b393de9ff05be4d670c8e5d36080  2008.1/x86_64/libxml2-python-2.6.31-1.3mdv2008.1.x86_64.rpm
 fb670bfb1a1673f99f3c3fc3a72b7777  2008.1/x86_64/libxml2-utils-2.6.31-1.3mdv2008.1.x86_64.rpm 
 b1078a83185c1c97fada7ea5e97df753  2008.1/SRPMS/libxml2-2.6.31-1.3mdv2008.1.src.rpm

 Corporate 3.0:
 82e733037c09b4b7770f5325c7ed1325  corporate/3.0/i586/libxml2-2.6.6-1.5.C30mdk.i586.rpm
 d66da7916f188883fd164cb250431bba  corporate/3.0/i586/libxml2-devel-2.6.6-1.5.C30mdk.i586.rpm
 5df28181424b19132bbff6afa872475a  corporate/3.0/i586/libxml2-python-2.6.6-1.5.C30mdk.i586.rpm
 f7a86c3be6e4926fa101386a9cbbcbdd  corporate/3.0/i586/libxml2-utils-2.6.6-1.5.C30mdk.i586.rpm 
 c64826e1b31ed0c5d4514780ecd52e2e  corporate/3.0/SRPMS/libxml2-2.6.6-1.5.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 76e631bd88c68085dc2c5702235c2a99  corporate/3.0/x86_64/lib64xml2-2.6.6-1.5.C30mdk.x86_64.rpm
 827f9f5bc3a1b869353e3c09879ea432  corporate/3.0/x86_64/lib64xml2-devel-2.6.6-1.5.C30mdk.x86_64.rpm
 caafa3371f80f084e8a945b3114b4533  corporate/3.0/x86_64/lib64xml2-python-2.6.6-1.5.C30mdk.x86_64.rpm
 e37a70f9cd13a7e00982387a9ba97726  corporate/3.0/x86_64/libxml2-utils-2.6.6-1.5.C30mdk.x86_64.rpm 
 c64826e1b31ed0c5d4514780ecd52e2e  corporate/3.0/SRPMS/libxml2-2.6.6-1.5.C30mdk.src.rpm

 Corporate 4.0:
 74eea161b5519eef6c16b2407126a847  corporate/4.0/i586/libxml2-2.6.21-3.4.20060mlcs4.i586.rpm
 5d8d1e0e487022687c1c61fbaf91707e  corporate/4.0/i586/libxml2-devel-2.6.21-3.4.20060mlcs4.i586.rpm
 d5aa677468c9e8baae074a12f6c63c00  corporate/4.0/i586/libxml2-python-2.6.21-3.4.20060mlcs4.i586.rpm
 d51b4b902bb911be69f6a17aeb07d8cf  corporate/4.0/i586/libxml2-utils-2.6.21-3.4.20060mlcs4.i586.rpm 
 ce28651304236296e59d6d3be5525889  corporate/4.0/SRPMS/libxml2-2.6.21-3.4.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 812f2ae0ffa7a72546b07bd7de174453  corporate/4.0/x86_64/lib64xml2-2.6.21-3.4.20060mlcs4.x86_64.rpm
 23ae06098f957e46affa75220cac50af  corporate/4.0/x86_64/lib64xml2-devel-2.6.21-3.4.20060mlcs4.x86_64.rpm
 93cb252dadfadd4249062f903e604f82  corporate/4.0/x86_64/lib64xml2-python-2.6.21-3.4.20060mlcs4.x86_64.rpm
 aeff512a1b349108017e93633fabcf08  corporate/4.0/x86_64/libxml2-utils-2.6.21-3.4.20060mlcs4.x86_64.rpm 
 ce28651304236296e59d6d3be5525889  corporate/4.0/SRPMS/libxml2-2.6.21-3.4.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Mozilla reports user data leak from Bugzilla project
These 3-D Printed Skeleton Keys Can Pick High-Security Locks in Seconds
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.