libxml security problem - brad's life
Brad Fitzpatrick


libxml security problem [Jan. 11th, 2008|09:48 am]

I found a security problem in libxml. And by "found" I mean "ran into and debugged a bit".

From http://mail.gnome.org/archives/xml/2008-January/msg00036.html :
    * From: Daniel Veillard 
    * Subject: [xml] Security flaw affecting all previous libxml2 releases
    * Date: Fri, 11 Jan 2008 07:05:01 -0500

  Unfortunately, a security flaw was found (originally by Brad Fitzpatrick
from Google) and affecting all previous releases of libxml2 when parsing
XML. Two specially crafted broken UTF-8 sequences when occurring at the
wrong place lead the parser to go into an infinite loop. Very annoying,
as this leads to a relatively easy Denial of Service attack, the good part
being that this is very unlikely to happen just by error, and to protect
the community we won't release the way to reproduce this.

  But all users are strongly invited to upgrade their libxml2 versions to
2.6.31 [1], or apply the patch [2] (or a derivative for 2.5 or 2.4 branches)
to their version. Most OS vendors shipping libxml2 should have updates
by now or very soon, if needed check your update stream, it is referenced
as CVE-2007-6284 .

    Sorry for the inconvenience,


[1] ftp://xmlsoft.org/libxml/libxml2-2.6.31.tar.gz
[2] http://veillard.com/libxml2.patch

So, yeah... go update your libxml if you process untrusted XML and don't want your CPUs spinning.

(Amusingly, this might be the only publicly visible thing so far that I've worked on at Google...)

From: astawater
2008-01-11 06:17 pm (UTC)


Congrats on the find.