Bug#460292: marked as done (libxml2: CVE-2007-6284 denial of service via crafted UTF-8 sequence)

Mon, 14 Jan 2008 05:10:32 -0800 

Your message dated Mon, 14 Jan 2008 13:02:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#460292: fixed in libxml2 2.6.30.dfsg-3.1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message --- 
Package: libxml2
Version: 2.6.30.dfsg-3
Severity: normal

A vulnerability has been reported in libxml2, prior to version 2.6.31, from
Daniel Veillard:
"Two specially crafted broken UTF-8 sequences when occuring at the wrong
place lead the parser to go into an infinite loop."
The report is available at:
    http://mail.gnome.org/archives/xml/2008-January/msg00036.html

A patch can be found at:
    http://veillard.com/libxml2.patch
The fixed source code can be downloaded from:
    ftp://xmlsoft.org/libxml/libxml2-2.6.31.tar.gz


Regards
Pascal

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-k7 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libxml2 depends on:
ii  libc6                   2.7-5            GNU C Library: Shared libraries
ii  zlib1g                  1:1.2.3.3.dfsg-8 compression library - runtime

Versions of packages libxml2 recommends:
ii  xml-core                      0.11       XML infrastructure and XML catalog

-- no debconf information

--- End Message ---
--- Begin Message --- 
Source: libxml2
Source-Version: 2.6.30.dfsg-3.1

We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive:

libxml2-dbg_2.6.30.dfsg-3.1_i386.deb
  to pool/main/libx/libxml2/libxml2-dbg_2.6.30.dfsg-3.1_i386.deb
libxml2-dev_2.6.30.dfsg-3.1_i386.deb
  to pool/main/libx/libxml2/libxml2-dev_2.6.30.dfsg-3.1_i386.deb
libxml2-doc_2.6.30.dfsg-3.1_all.deb
  to pool/main/libx/libxml2/libxml2-doc_2.6.30.dfsg-3.1_all.deb
libxml2-utils_2.6.30.dfsg-3.1_i386.deb
  to pool/main/libx/libxml2/libxml2-utils_2.6.30.dfsg-3.1_i386.deb
libxml2_2.6.30.dfsg-3.1.diff.gz
  to pool/main/libx/libxml2/libxml2_2.6.30.dfsg-3.1.diff.gz
libxml2_2.6.30.dfsg-3.1.dsc
  to pool/main/libx/libxml2/libxml2_2.6.30.dfsg-3.1.dsc
libxml2_2.6.30.dfsg-3.1_i386.deb
  to pool/main/libx/libxml2/libxml2_2.6.30.dfsg-3.1_i386.deb
python-libxml2_2.6.30.dfsg-3.1_i386.deb
  to pool/main/libx/libxml2/python-libxml2_2.6.30.dfsg-3.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 13 Jan 2008 15:15:04 +0100
Source: libxml2
Binary: python-libxml2 libxml2-dbg libxml2-utils libxml2-doc libxml2-dev libxml2
Architecture: source all i386
Version: 2.6.30.dfsg-3.1
Distribution: unstable
Urgency: high
Maintainer: Debian XML/SGML Group <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 libxml2    - GNOME XML library
 libxml2-dbg - Debugging symbols for the GNOME XML library
 libxml2-dev - Development files for the GNOME XML library
 libxml2-doc - Documentation for the GNOME XML library
 libxml2-utils - XML utilities
 python-libxml2 - Python bindings for the GNOME XML library
Closes: 460292
Changes: 
 libxml2 (2.6.30.dfsg-3.1) unstable; urgency=high
 .
   * Non-maintainer upload by security team.
   * This update addresses the following security issue:
     - CVE-2007-6284: The xmlCurrentChar function allows context-dependent
       attackers to cause a denial of service (infinite loop) via XML
       containing invalid UTF-8 sequences (Closes: #460292).
Files: 
 d3be67719a452f09705f63200ddff4d6 917 libs optional libxml2_2.6.30.dfsg-3.1.dsc
 b734d1aabf66051020c56d65e4b5a6d9 185412 libs optional 
libxml2_2.6.30.dfsg-3.1.diff.gz
 8435850f49ff346858e6331d1b7ec5d4 1332676 doc optional 
libxml2-doc_2.6.30.dfsg-3.1_all.deb
 18a25eeac434bde4a5d968cf7a622bd1 779884 libs optional 
libxml2_2.6.30.dfsg-3.1_i386.deb
 33da42e097def81565233cd8993b08ee 33700 text optional 
libxml2-utils_2.6.30.dfsg-3.1_i386.deb
 39db63bdae76c1d00b6e34b7c5d53cb4 673072 libdevel optional 
libxml2-dev_2.6.30.dfsg-3.1_i386.deb
 0d4aa64b013dcc7cabcc4508ef3d7e34 901904 libdevel extra 
libxml2-dbg_2.6.30.dfsg-3.1_i386.deb
 62a303c1827f43c6399e74785812c353 263412 python optional 
python-libxml2_2.6.30.dfsg-3.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHi1qAHYflSXNkfP8RAv4CAJ4uDWhy8vcbLumWZ1y/8508aactYQCgl2Ae
iKEQ20tFS0YKCU0FHcttzUY=
=TzqD
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to