libxml security problem - brad's life

libxml security problem [Jan. 11th, 2008|09:48 am]
Brad Fitzpatrick

I found a security problem in libxml. And by "found" I mean "ran into and debugged a bit".

From http://mail.gnome.org/archives/xml/2008-January/msg00036.html:
    * From: Daniel Veillard 
    * Subject: [xml] Security flaw affecting all previous libxml2 releases
    * Date: Fri, 11 Jan 2008 07:05:01 -0500

  Unfortunately, a security flaw was found (originally by Brad Fitzpatrick
from Google) and affecting all previous releases of libxml2 when parsing
XML. Two specially crafted broken UTF-8 sequences when occurring at the
wrong place lead the parser to go into an infinite loop. Very annoying,
as this leads to a relatively easy Denial of Service attack, the good part
being that this is very unlikely to happen just by error, and to protect
the community we won't release the way to reproduce this.

  But all users are strongly invited to upgrade their libxml2 versions to
2.6.31 [1], or apply the patch [2] (or a derivative for 2.5 or 2.4 branches)
to their version. Most OS vendors shipping libxml2 should have updates
by now or very soon, if needed check your update stream, it is referenced
as CVE-2007-6284 .

    Sorry for the inconvenience,

Daniel

[1] ftp://xmlsoft.org/libxml/libxml2-2.6.31.tar.gz
[2] http://veillard.com/libxml2.patch

So, yeah... go update your libxml if you process untrusted XML and don't want your CPUs spinning.

(Amusingly, this might be the only publicly visible thing so far that I've worked on at Google...)

Comments:
From: lakeguy
2008-01-11 06:04 pm (UTC)
when did you start with them? :)
From: brad
2008-01-11 06:09 pm (UTC)
Almost 5 months ago.
From: tom
2008-01-11 06:29 pm (UTC)
NO WONDER, haha, fucking awesome. Don't forget to "misplace" a box of those androids when released, haha.
From: lakeguy
2008-01-11 09:59 pm (UTC)
Amusingly it's on http://en.wikipedia.org/wiki/Brad_Fitzpatrick

Though would you consider that publicly visible?
From: astawater
2008-01-11 06:17 pm (UTC)

:)

Congrats on the find.
From: shamess_the_elf
2008-01-11 07:11 pm (UTC)
One day I'll be as smart as you, and I'll understand way more than I do now. And when I finally do something interesting, and they ask me who inspired me to do it, you'll definitely be in that list.

Thought I'd point that out. I'd love to know if anyone thought of me as something they want to aspire to, so I thought I should do the same for you.
(Deleted comment)
From: akale
2008-01-11 08:01 pm (UTC)
Nice find. :)
From: dossy
2008-01-12 01:35 pm (UTC)
"[...] and to protect the community we won't release the way to reproduce this."

Who wants to put money down that someone's already running a fuzzer against libxml2 and will publish the UTF-8 sequences that cause older libxml2 versions to infini-spin?

Hours? Days?

Woo. Security through obscurity. At least if the sequences were published, folks who have applications that parse untrusted XML with older versions of libxml2 (who couldn't just upgrade because of longer QA cycles, etc.) could write a pre-processor to strip those bad sequences out.

FAIL.
From: brad
2008-01-13 10:36 am (UTC)
256^3 combinations isn't that obscure. Anybody that can do a tiny bit of programming can figure it out in well under 10 minutes. That's not the point. It's just not responsible to advertise publicly, "Hey, run this command against server $X and make it spin."

I kinda shudder at the idea of a "longer QA cycle" preventing the release of a security patch. Look at the release note: they're not even asking you to blindly upgrade to the latest version. They also give you a raw patch fixing just that issue, and not making you get all the new features+bugs, etc. that come with jumping 'n' versions forward.
From: dossy
2008-01-14 02:05 am (UTC)
You're right. Sorry. I must have had teh dumb the day I left that comment.

Either way, thanks a lot for finding this and letting us all know about it.
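The pre-processor dossy mentions in the thread above does not actually need the withheld sequences: the advisory says the trigger is broken UTF-8, so a strict well-formedness check per RFC 3629 rejects the malformed input whichever bytes were involved. The following is an added example, not code from this post or from libxml2, of such a check that a service could run on untrusted XML before handing it to a not-yet-patched parser. It reports the byte offset of the first malformed sequence (truncated, overlong, UTF-16 surrogate, above U+10FFFF, stray continuation byte) so the document can be refused, and offers a sanitizing variant that replaces each offending byte with U+FFFD for cases where refusing is not an option. The sample document and the truncated sequence spliced into it are constructed for the example. Upgrading or applying the patch remains the fix; this is defense in depth at the input boundary.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length in bytes (1..4) of the well-formed UTF-8 sequence starting at p,
 * or 0 if the bytes at p do not begin one: truncated, overlong, surrogate,
 * above U+10FFFF, or a stray continuation byte. The lead/second-byte ranges
 * follow the table in RFC 3629 section 4 exactly. */
static size_t utf8_seq_len(const unsigned char *p, size_t avail)
{
    if (avail == 0) return 0;
    unsigned char b0 = p[0];
    if (b0 < 0x80) return 1;                     /* ASCII */
    if (b0 < 0xC2) return 0;                     /* continuation byte or overlong C0/C1 lead */
    if (b0 < 0xE0) {                             /* 2-byte: C2..DF 80..BF */
        if (avail < 2) return 0;
        return (p[1] & 0xC0) == 0x80 ? 2 : 0;
    }
    if (b0 < 0xF0) {                             /* 3-byte: E0..EF */
        if (avail < 3) return 0;
        unsigned char lo = 0x80, hi = 0xBF;
        if (b0 == 0xE0) lo = 0xA0;               /* E0 80..9F would be overlong */
        if (b0 == 0xED) hi = 0x9F;               /* ED A0..BF would encode surrogates */
        if (p[1] < lo || p[1] > hi) return 0;
        return (p[2] & 0xC0) == 0x80 ? 3 : 0;
    }
    if (b0 < 0xF5) {                             /* 4-byte: F0..F4 */
        if (avail < 4) return 0;
        unsigned char lo = 0x80, hi = 0xBF;
        if (b0 == 0xF0) lo = 0x90;               /* F0 80..8F would be overlong */
        if (b0 == 0xF4) hi = 0x8F;               /* F4 90.. would exceed U+10FFFF */
        if (p[1] < lo || p[1] > hi) return 0;
        if ((p[2] & 0xC0) != 0x80) return 0;
        return (p[3] & 0xC0) == 0x80 ? 4 : 0;
    }
    return 0;                                    /* F5..FF are never valid leads */
}

/* Validate a whole buffer. Returns -1 if it is well-formed UTF-8, otherwise
 * the byte offset of the first malformed sequence, for logging and refusal. */
long utf8_first_error(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        size_t n = utf8_seq_len(buf + i, len - i);
        if (n == 0) return (long)i;
        i += n;
    }
    return -1;
}

/* Sanitizing variant: copy buf to out, replacing each malformed byte with
 * U+FFFD (EF BF BD) and resynchronising one byte at a time. out must hold
 * at least 3*len bytes. Returns the number of bytes written. */
size_t utf8_sanitize(const unsigned char *buf, size_t len, unsigned char *out)
{
    size_t i = 0, o = 0;
    while (i < len) {
        size_t n = utf8_seq_len(buf + i, len - i);
        if (n == 0) {
            out[o++] = 0xEF; out[o++] = 0xBF; out[o++] = 0xBD;
            i += 1;
        } else {
            memcpy(out + o, buf + i, n);
            o += n; i += n;
        }
    }
    return o;
}

int main(void)
{
    /* Constructed sample document: valid "caf\xC3\xA9" followed by a 3-byte
     * sequence E2 82 cut short by a space. Not a sequence from the advisory. */
    static const unsigned char doc[] =
        "<?xml version=\"1.0\"?><r>caf\xC3\xA9 \xE2\x82 end</r>";
    size_t len = sizeof(doc) - 1;
    long err = utf8_first_error(doc, len);
    if (err >= 0) {
        printf("malformed UTF-8 at byte offset %ld; refusing to parse\n", err);
        unsigned char clean[3 * sizeof(doc)];
        size_t n = utf8_sanitize(doc, len, clean);
        printf("sanitized copy: %zu bytes (bad bytes replaced with U+FFFD)\n", n);
    } else {
        puts("well-formed UTF-8; safe to hand to the XML parser");
    }
    return 0;
}
```

Refusing the document is the safer default: the sanitizer changes the bytes the XML parser sees, so it should be reserved for pipelines where the payload must flow regardless, and the offset reported by `utf8_first_error` is what you want in the log either way.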