Trying to manually apply this patch to 2.4.25. I find that some parts of
it match up well and others don't.

There are three places in the file where similar code can be found. I'm
guessing that the one we're concerned with here is the one beginning
around line 1282, as that's the block where the "1-byte code" most
closely resembles the bottom part of this patch.

But I don't see a close match for the first change in the patch in any
of those areas. Specifically, there is no line reading "if (c == 0xC0)".
The place that most looks like the right place is:

        c = *cur;
        if (c & 0x80) {        <====================
            if (cur[1] == 0)
                xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
            if ((cur[1] & 0xc0) != 0x80)
                goto encoding_error;
            if ((c & 0xe0) == 0xe0) {

                if (cur[2] == 0)
                    xmlParserInputGrow(ctxt->input, INPUT_CHUNK);

See the line marked with the arrow; it looks as if the patch wants to insert
a couple of lines right below there?

I'd be grateful if Daniel (or anyone else who has patched an ancient
version) could advise me on the correct changes to make here.

Thanks!

Fred Smith
Senior Applications Programmer/Analyst
Computrition, Inc.
[EMAIL PROTECTED]
781-275-4488x148

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Daniel Veillard
> Sent: Friday, January 11, 2008 7:05 AM
> To: [email protected]
> Subject: [xml] Security flaw affecting all previous libxml2 releases
> 
>   Unfortunately, a security flaw was found (originally by Brad Fitzpatrick
> from Google) and affecting all previous releases of libxml2 when parsing
> XML. Two specially crafted broken UTF-8 sequences when occurring at the
> wrong place lead the parser to go into an infinite loop. Very annoying,
> as this leads to a relatively easy Denial of Service attack, the good part
> being that this is very unlikely to happen just by error, and to protect
> the community we won't release the way to reproduce this.
> 
>   But all users are strongly invited to upgrade their libxml2 versions to
> 2.6.31 [1], or apply the patch [2] (or a derivative for 2.5 or 2.4
> branches) to their version. Most OS vendors shipping libxml2 should have
> updates by now or very soon, if needed check your update stream, it is
> referenced as CVE-2007-6284.
> 
>     Sorry for the inconvenience,
> 
> Daniel
> 
> [1] ftp://xmlsoft.org/libxml/libxml2-2.6.31.tar.gz
> [2] http://veillard.com/libxml2.patch
> 
> --
> Red Hat Virtualization group http://redhat.com/virtualization/
> Daniel Veillard      | virtualization library  http://libvirt.org/
> [EMAIL PROTECTED]  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
> http://veillard.com/ | Rpmfind RPM search engine  http://rpmfind.net/
> _______________________________________________
> xml mailing list, project page  http://xmlsoft.org/
> [email protected]
> http://mail.gnome.org/mailman/listinfo/xml
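The thread above is about a libxml2 parser loop that stalls on broken UTF-8 (CVE-2007-6284) and about where to apply the fix in an old xmlCurrentChar. The example below is added here for illustration; it is not libxml2 code, not Daniel's patch, and does not reproduce the reported flaw. It shows the property a UTF-8 decoder needs so that this class of bug cannot occur: every call consumes at least one byte, even for a truncated sequence, a bad continuation byte, or an overlong lead byte (0xC0 and 0xC1 can only begin overlong encodings, which is why a decoder may reject them outright). The function names (utf8_next, utf8_scan, first_cp, first_len) and the constructed sample buffers are my own.

```c
/* Added example, not libxml2 code: a UTF-8 decoder whose scan loop
 * cannot stall on malformed input. All names here are illustrative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode one UTF-8 sequence from s[0..len). Writes the number of bytes
 * consumed to *consumed (always >= 1 when len > 0, even on error) and
 * returns the code point, or -1 for a malformed or truncated sequence. */
static int32_t utf8_next(const unsigned char *s, size_t len, size_t *consumed)
{
    size_t need = 0;      /* total bytes in this sequence */
    int32_t cp = 0;       /* code point accumulated so far */
    int32_t min = 0;      /* smallest code point this length may encode */
    size_t i;
    unsigned char c;

    if (len == 0) { *consumed = 0; return -1; }
    c = s[0];

    if (c < 0x80) { *consumed = 1; return c; }               /* ASCII */
    else if ((c & 0xE0) == 0xC0) { need = 2; cp = c & 0x1F; min = 0x80; }
    else if ((c & 0xF0) == 0xE0) { need = 3; cp = c & 0x0F; min = 0x800; }
    else if ((c & 0xF8) == 0xF0) { need = 4; cp = c & 0x07; min = 0x10000; }
    else { *consumed = 1; return -1; }   /* stray continuation or 0xF8..0xFF */

    /* 0xC0 and 0xC1 lead bytes can only encode U+0000..U+007F overlong;
     * reject them before touching the next byte. The min check below
     * would also catch them, but only after reading a continuation byte. */
    if (c == 0xC0 || c == 0xC1) { *consumed = 1; return -1; }

    for (i = 1; i < need; i++) {
        if (i >= len || (s[i] & 0xC0) != 0x80) {
            /* Truncated or bad continuation: consume only the bytes seen
             * so far (i >= 1), so the caller still makes progress. */
            *consumed = i;
            return -1;
        }
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    *consumed = need;
    if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
        return -1;   /* overlong, out of range, or UTF-16 surrogate */
    return cp;
}

struct scan_result { size_t chars; size_t errors; size_t iterations; };

/* Walk a whole buffer. Because utf8_next consumes at least one byte per
 * call, iterations is bounded by len and the loop always terminates. */
static struct scan_result utf8_scan(const unsigned char *s, size_t len)
{
    struct scan_result r = {0, 0, 0};
    size_t pos = 0;
    while (pos < len) {
        size_t n = 0;
        int32_t cp = utf8_next(s + pos, len - pos, &n);
        r.iterations++;
        if (cp < 0) r.errors++; else r.chars++;
        pos += n;    /* n >= 1 here, so pos strictly increases */
    }
    return r;
}

/* Small helpers so the first sequence of a buffer can be inspected. */
static int32_t first_cp(const char *s, size_t len)
{ size_t n = 0; return utf8_next((const unsigned char *)s, len, &n); }
static size_t first_len(const char *s, size_t len)
{ size_t n = 0; utf8_next((const unsigned char *)s, len, &n); return n; }

int main(void)
{
    /* Constructed samples: valid text, an overlong lead byte, a sequence
     * truncated at end of buffer, and a bad continuation byte. */
    static const char *samples[] = { "a\xC3\xA9\xE2\x82\xAC", "\xC0\xAF",
                                     "\xE2\x82", "\xE2\x41" };
    static const size_t lens[] = { 6, 2, 2, 2 };
    size_t k;
    for (k = 0; k < 4; k++) {
        struct scan_result r = utf8_scan((const unsigned char *)samples[k], lens[k]);
        printf("sample %zu: %zu chars, %zu errors, %zu iterations\n",
               k, r.chars, r.errors, r.iterations);
    }
    return 0;
}
```

The check to carry over to any decoder of this shape is the one in utf8_scan: the cursor must advance on the error path as well as the success path. A decoder that jumps to an error handler without consuming the bad byte, or that re-reads the same truncated tail after trying to grow the input, is the pattern that turns a malformed byte sequence into a hang.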