[Touch-packages] [Bug 983810] Re: libxml2 security update fails to address problem and breaks thread-safety
The Precise Pangolin has reached end of life, so this bug will not be fixed for that release ** Changed in: libxml2 (Ubuntu Precise) Status: Confirmed => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libxml2 in Ubuntu. https://bugs.launchpad.net/bugs/983810 Title: libxml2 security update fails to address problem and breaks thread- safety Status in libxml2: Fix Released Status in libxml2 package in Ubuntu: Fix Released Status in libxml2 source package in Lucid: Won't Fix Status in libxml2 source package in Precise: Won't Fix Status in libxml2 source package in Trusty: Fix Released Status in libxml2 package in Debian: New Bug description: Using libxml2 2.7.8.dfsg-4ubuntu0.2 from (K)Ubuntu 11.10. In an attempt to address oCERT 2011-003, libxml2 now seeds its hash table with using rand(). This is broken and lame: Firstly, srand() and rand() are not thread-safe, even though libxml2 is supposed to be thread-safe (when adequately initialized by the program). The fix is easy: replace srand() with a variable assignment, and replace rand() with rand_r(). Secondly, using time(NULL) as a seed totally misses the point. It is trivial for a potential attacker to guess the value of time(NULL). That's the current UTC current time rounded to the second. To manage notifications about this bug go to: https://bugs.launchpad.net/libxml2/+bug/983810/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 983810] Re: libxml2 security update fails to address problem and breaks thread-safety
** Changed in: libxml2 Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libxml2 in Ubuntu. https://bugs.launchpad.net/bugs/983810 Title: libxml2 security update fails to address problem and breaks thread- safety Status in libxml2: Fix Released Status in libxml2 package in Ubuntu: Fix Released Status in libxml2 source package in Lucid: Won't Fix Status in libxml2 source package in Precise: Confirmed Status in libxml2 source package in Trusty: Fix Released Status in libxml2 package in Debian: New Bug description: Using libxml2 2.7.8.dfsg-4ubuntu0.2 from (K)Ubuntu 11.10. In an attempt to address oCERT 2011-003, libxml2 now seeds its hash table with using rand(). This is broken and lame: Firstly, srand() and rand() are not thread-safe, even though libxml2 is supposed to be thread-safe (when adequately initialized by the program). The fix is easy: replace srand() with a variable assignment, and replace rand() with rand_r(). Secondly, using time(NULL) as a seed totally misses the point. It is trivial for a potential attacker to guess the value of time(NULL). That's the current UTC current time rounded to the second. To manage notifications about this bug go to: https://bugs.launchpad.net/libxml2/+bug/983810/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 983810] Re: libxml2 security update fails to address problem and breaks thread-safety
** Changed in: libxml2 Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libxml2 in Ubuntu. https://bugs.launchpad.net/bugs/983810 Title: libxml2 security update fails to address problem and breaks thread- safety Status in libxml2: Confirmed Status in libxml2 package in Ubuntu: Fix Released Status in libxml2 source package in Lucid: Won't Fix Status in libxml2 source package in Precise: Confirmed Status in libxml2 source package in Trusty: Fix Released Status in libxml2 package in Debian: New Bug description: Using libxml2 2.7.8.dfsg-4ubuntu0.2 from (K)Ubuntu 11.10. In an attempt to address oCERT 2011-003, libxml2 now seeds its hash table with using rand(). This is broken and lame: Firstly, srand() and rand() are not thread-safe, even though libxml2 is supposed to be thread-safe (when adequately initialized by the program). The fix is easy: replace srand() with a variable assignment, and replace rand() with rand_r(). Secondly, using time(NULL) as a seed totally misses the point. It is trivial for a potential attacker to guess the value of time(NULL). That's the current UTC current time rounded to the second. To manage notifications about this bug go to: https://bugs.launchpad.net/libxml2/+bug/983810/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 983810] Re: libxml2 security update fails to address problem and breaks thread-safety
lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as Won't Fix. ** Changed in: libxml2 (Ubuntu Lucid) Status: Confirmed = Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libxml2 in Ubuntu. https://bugs.launchpad.net/bugs/983810 Title: libxml2 security update fails to address problem and breaks thread- safety Status in libxml2: New Status in libxml2 package in Ubuntu: Fix Released Status in libxml2 source package in Lucid: Won't Fix Status in libxml2 source package in Precise: Confirmed Status in libxml2 source package in Trusty: Fix Released Status in libxml2 package in Debian: New Bug description: Using libxml2 2.7.8.dfsg-4ubuntu0.2 from (K)Ubuntu 11.10. In an attempt to address oCERT 2011-003, libxml2 now seeds its hash table with using rand(). This is broken and lame: Firstly, srand() and rand() are not thread-safe, even though libxml2 is supposed to be thread-safe (when adequately initialized by the program). The fix is easy: replace srand() with a variable assignment, and replace rand() with rand_r(). Secondly, using time(NULL) as a seed totally misses the point. It is trivial for a potential attacker to guess the value of time(NULL). That's the current UTC current time rounded to the second. To manage notifications about this bug go to: https://bugs.launchpad.net/libxml2/+bug/983810/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 983810] Re: libxml2 security update fails to address problem and breaks thread-safety
This made it's way into Ubuntu LTS. This is becoming a trend with broken packages. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libxml2 in Ubuntu. https://bugs.launchpad.net/bugs/983810 Title: libxml2 security update fails to address problem and breaks thread- safety Status in libxml2: New Status in “libxml2” package in Ubuntu: Triaged Status in “libxml2” package in Debian: New Bug description: Using libxml2 2.7.8.dfsg-4ubuntu0.2 from (K)Ubuntu 11.10. In an attempt to address oCERT 2011-003, libxml2 now seeds its hash table with using rand(). This is broken and lame: Firstly, srand() and rand() are not thread-safe, even though libxml2 is supposed to be thread-safe (when adequately initialized by the program). The fix is easy: replace srand() with a variable assignment, and replace rand() with rand_r(). Secondly, using time(NULL) as a seed totally misses the point. It is trivial for a potential attacker to guess the value of time(NULL). That's the current UTC current time rounded to the second. To manage notifications about this bug go to: https://bugs.launchpad.net/libxml2/+bug/983810/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 983810] Re: libxml2 security update fails to address problem and breaks thread-safety
Introduced by: https://git.gnome.org/browse/libxml2/commit/?id=8973d58b7498fa5100a876815476b81fd1a2412a Fixed by: https://git.gnome.org/browse/libxml2/commit/dict.c?id=379ebc1d774865fa92f2a8d80cc4da65cbe19998 https://git.gnome.org/browse/libxml2/commit/dict.c?id=e7715a5963afebfb027120db6914926ec9a7373d ** Also affects: libxml2 (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: libxml2 (Ubuntu Lucid) Importance: Undecided Status: New ** Also affects: libxml2 (Ubuntu Precise) Importance: Undecided Status: New ** Changed in: libxml2 (Ubuntu Trusty) Status: New = Fix Released ** Changed in: libxml2 (Ubuntu) Status: Triaged = Fix Released ** Changed in: libxml2 (Ubuntu Lucid) Status: New = Confirmed ** Changed in: libxml2 (Ubuntu Precise) Status: New = Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libxml2 in Ubuntu. https://bugs.launchpad.net/bugs/983810 Title: libxml2 security update fails to address problem and breaks thread- safety Status in libxml2: New Status in “libxml2” package in Ubuntu: Fix Released Status in “libxml2” source package in Lucid: Confirmed Status in “libxml2” source package in Precise: Confirmed Status in “libxml2” source package in Trusty: Fix Released Status in “libxml2” package in Debian: New Bug description: Using libxml2 2.7.8.dfsg-4ubuntu0.2 from (K)Ubuntu 11.10. In an attempt to address oCERT 2011-003, libxml2 now seeds its hash table with using rand(). This is broken and lame: Firstly, srand() and rand() are not thread-safe, even though libxml2 is supposed to be thread-safe (when adequately initialized by the program). The fix is easy: replace srand() with a variable assignment, and replace rand() with rand_r(). Secondly, using time(NULL) as a seed totally misses the point. It is trivial for a potential attacker to guess the value of time(NULL). That's the current UTC current time rounded to the second. To manage notifications about this bug go to: https://bugs.launchpad.net/libxml2/+bug/983810/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
