Hi, Unlike 2.6, wx2.4 does indeed seem to be affected by this. Its exposure seems to be limited to the libwx_gtk_xrc-2.4 lib in the libwxgtk2.4-1-contrib binary package.
Since xrc is a "resource compiler", used to supply random junk that is provided with an app, for the app, without actually embedding those things directly in the app binary -- and isn't used to read random xml supplied by the user or obtained from untrusted sources, the potential to exploit it seems minimal. In terms of Debian, we probably don't have (m)any wx apps actually using this with 2.4 anyhow, so our exposure in terms of distro apps may actually be nil. Further investigation is warranted to confirm these things and the extent to which they are an issue for us, but at present it looks to me like at worst a local user could DOS themselves, iff they already had local root to corrupt an .xrc input file that was supplied in some app package. So it's real, but likely not the most urgent package in need of a security update at this stage, and one option for 'fixing' it once and for all might simply be to drop the libwx_gtk_xrc-2.4 library from this package altogether. Cheers, Ron On Sat, Dec 12, 2009 at 10:46:19PM -0500, Michael Gilbert wrote: > package: wxwindows2.4 > severity: serious > tags: security > > Hi, > > The following CVE (Common Vulnerabilities & Exposures) ids were > published for expat. I have determined that this package embeds a > vulnerable copy of xmlparse.c and xmltok_impl.c. However, since this is > a mass bug filing (due to so many packages embedding expat), I have > not had time to determine whether the vulnerable code is actually > present in any of the binary packages derived from this source package. > Please determine whether this is the case. If the binary packages are > not affected, please feel free to close the bug with a message > containing the details of what you did to check. > > CVE-2009-3560[0]: > | The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, > | as used in the XML-Twig module for Perl, allows context-dependent > | attackers to cause a denial of service (application crash) via an XML > | document with malformed UTF-8 sequences that trigger a buffer > | over-read, related to the doProlog function in lib/xmlparse.c, a > | different vulnerability than CVE-2009-2625 and CVE-2009-3720. > > CVE-2009-3720[1]: > | The updatePosition function in lib/xmltok_impl.c in libexpat in Expat > | 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, > | allows context-dependent attackers to cause a denial of service > | (application crash) via an XML document with crafted UTF-8 sequences > | that trigger a buffer over-read, a different vulnerability than > | CVE-2009-2625. > > These issues also affect old versions of expat, so this package in etch > and lenny is very likely affected. This is a low-severity security > issue, so DSAs will not be issued to correct these problems. However, > you can optionally submit a proposed-update to the release team for > inclusion in the next stable point releases. If you plan to do this, > please open new bugs and include the security tag so we are aware that > you are working on that. > > For further information see [0],[1],[2],[3]. In particular, [2] and [3] > are links to the patches for CVE-2009-3560 and CVE-2009-3720 > respectively. Note that the ideal solution would be to make use of the > system expat so only one package will need to be updated for future > security issues. Preferably in your update to unstable, alter your > package to make use of the system expat. > > If you fix the vulnerability please also make sure to include the > CVE id in your changelog entry. > > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560 > http://security-tracker.debian.org/tracker/CVE-2009-3560 > [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720 > http://security-tracker.debian.org/tracker/CVE-2009-3720 > [2] > http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165 > [3] > http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch > > -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
