Source: libxml2 Severity: grave Tags: security patch Hi, the following CVE (Common Vulnerabilities & Exposures) ids were published for libxml2.
CVE-2009-2416[0]: | Pointer use-after-free flaws were found in libxml by parsing Notation | and Enumeration attribute types. A remote attacker could provide | a specially-crafted XML file, which once opened by a local, unsuspecting | user would lead to denial of service (application crash). CVE-2009-2414[1]: | A stack overflow flaw was found in libxml by parsing root XML document | element DTD definition. Providing a specially-crafted XML file would | lead to excessive stack growth and denial of service (application crash), | when opened by a victim. If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2416 http://security-tracker.debian.net/tracker/CVE-2009-2416 [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2414 http://security-tracker.debian.net/tracker/CVE-2009-2414 -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA For security reasons, all text in this mail is double-rot13 encrypted.
--- parser.c.orig 2009-08-03 15:33:12.000000000 +0200
+++ parser.c 2009-08-03 15:36:26.000000000 +0200
@@ -4778,10 +4779,14 @@ xmlParseNotationType(xmlParserCtxtPtr ct
if (name == NULL) {
xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED,
"Name expected in NOTATION declaration\n");
- return(ret);
+ xmlFreeEnumeration(ret);
+ return(NULL);
}
cur = xmlCreateEnumeration(name);
- if (cur == NULL) return(ret);
+ if (cur == NULL) {
+ xmlFreeEnumeration(ret);
+ return(NULL);
+ }
if (last == NULL) ret = last = cur;
else {
last->next = cur;
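Review bot: The function's return contract changes here — both early returns in this hunk now free the partial list and hand back NULL instead of a partially built enumeration — but the header comment above xmlParseNotationType (outside this hunk) still describes only the built tree, so callers have nothing telling them that NULL is now the sole failure signal. I would update it to `Returns: the enumeration attribute tree built while parsing, or NULL on error (any partially built list is freed).`. The cleanup added in the `name == NULL` branch can run on the first loop iteration while `ret` is still NULL; that relies on xmlFreeEnumeration tolerating a NULL argument, which valid.c's implementation does, but a one-line `/* ret may still be NULL on the first iteration */` would spare the next reader the lookup. The same contract change applies to the next hunk of this function (the `RAW != ')'` path), where the old code freed only `last` while returning `ret`, leaving the list's final `next` pointing at freed memory. The enclosing function starts and ends outside this hunk.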
@@ -4791,9 +4796,8 @@ xmlParseNotationType(xmlParserCtxtPtr ct
} while (RAW == '|');
if (RAW != ')') {
xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL);
- if ((last != NULL) && (last != ret))
- xmlFreeEnumeration(last);
- return(ret);
+ xmlFreeEnumeration(ret);
+ return(NULL);
}
NEXT;
return(ret);
@@ -4834,7 +4838,10 @@ xmlParseEnumerationType(xmlParserCtxtPtr
}
cur = xmlCreateEnumeration(name);
xmlFree(name);
- if (cur == NULL) return(ret);
+ if (cur == NULL) {
+ xmlFreeEnumeration(ret);
+ return(NULL);
+ }
if (last == NULL) ret = last = cur;
else {
last->next = cur;
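Review bot: Only the `cur == NULL` path of xmlParseEnumerationType is changed, whereas xmlParseNotationType received the same treatment on all three of its early returns; the `name == NULL` return just above this hunk and the `RAW != ')'` path further down are not in the patch. If the `RAW != ')'` branch of this function still frees `last` and returns `ret`, as the pre-patch xmlParseNotationType code did, the returned list keeps a `next` pointer to a freed node, so it is worth confirming it has the same `xmlFreeEnumeration(ret); return(NULL);` shape. The function's header comment should likewise state that NULL is returned on error and that the partial list is freed, so callers do not keep the old "partial list on error" assumption. The enclosing function starts and ends outside this hunk.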
@@ -5232,6 +5239,12 @@ xmlParseElementChildrenContentDecl (xmlP
const xmlChar *elem;
xmlChar type = 0;
+ if (ctxt->depth > 128) {
+ xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED,
+ "xmlParseElementChildrenContentDecl : depth %d too deep\n",
+ ctxt->depth);
+ return(NULL);
+ }
SKIP_BLANKS;
GROW;
if (RAW == '(') {
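Review bot: The limit 128 is a bare magic number with no comment saying why content-model recursion needs a bound, and the error it reports, XML_ERR_ELEMCONTENT_NOT_FINISHED, names a malformed content model rather than a resource limit, so the diagnostic is misleading for what is actually a nesting cap. I would give the constant a name (the parser already has xmlParserMaxDepth for element nesting, so a sibling constant or a reference to it would be consistent) and put the reason above the check: `/* bound recursion through nested '(' groups so a crafted DTD cannot exhaust the stack (CVE-2009-2414) */`. If `ctxt->depth` is also bumped by other recursion accounting in the parser, such as entity expansion, the effective content-model limit is lower than 128 when the DTD is reached that way; that, and the new NULL return, belong in the function's header comment. The `ctxt->depth++`/`ctxt->depth--` pairs around the two recursive calls in the following hunks are what make this check effective, so the explanation belongs here rather than there. The enclosing function starts and ends outside this hunk.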
@@ -5240,7 +5253,9 @@ xmlParseElementChildrenContentDecl (xmlP
/* Recurse on first child */
NEXT;
SKIP_BLANKS;
+ ctxt->depth++;
cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid);
+ ctxt->depth--;
SKIP_BLANKS;
GROW;
} else {
@@ -5370,7 +5385,9 @@ xmlParseElementChildrenContentDecl (xmlP
/* Recurse on second child */
NEXT;
SKIP_BLANKS;
+ ctxt->depth++;
last = xmlParseElementChildrenContentDecl(ctxt, inputid);
+ ctxt->depth--;
SKIP_BLANKS;
} else {
elem = xmlParseName(ctxt);

