Vulnerability Note VU#493966
Libxml2 URI parsing errors in nanohttp and nanoftp
Overview
Libxml is the XML parser for Gnome, a desktop suite and development platform for Linux systems. Libxml2, the latest version of the library as of this writing, has a buffer overflow vulnerability which may allow execution of arbitrary code.
Description
Gnome, a desktop suite and development platform for Linux systems, uses Libxml as an XML parser to handle encoding and decoding or URI strings (this is part of the GNOME XML Toolkit). The Libxml2 release of Libxml prior to version 2.6.6 (published Feb 12 2004) contains a buffer overflow vulnerability when parsing URI strings in XML-structrued files. If the URI is over 4096 bytes, it may be possible to crash software using a vulnerable version of Libxml2. |
Impact
The complete impact of this vulnerability is not yet known. It is reported to cause a SEGV in software using a vulnerable version of Libxml2. |
Solution
Update to Libxml2 version 2.6.6 or later at http://www.xmlsoft.org/downloads.html |
Systems Affected (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Debian | Affected | - | 09 Mar 2004 |
| Fedora Project | Affected | - | 09 Mar 2004 |
| Gentoo Linux | Affected | - | 09 Mar 2004 |
| GNOME Project | Affected | - | 09 Mar 2004 |
| Linux Netwosix | Affected | - | 09 Mar 2004 |
| MandrakeSoft | Affected | - | 09 Mar 2004 |
| OpenPKG | Affected | - | 09 Mar 2004 |
| Red Hat Inc. | Affected | - | 09 Mar 2004 |
| SGI | Affected | - | 09 Mar 2004 |
| Trustix Secure Linux | Affected | - | 09 Mar 2004 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://mail.gnome.org/archives/xml/2004-February/msg00070.html
- http://www.gnome.org/softwaremap/projects/libxml
- http://www.xmlsoft.org/news.html
- http://www.xmlsoft.org/downloads.html
- http://secunia.com/advisories/10958/
- http://www.securityfocus.com/bid/9718
- http://xforce.iss.net/xforce/xfdb/15301
- http://xforce.iss.net/xforce/xfdb/15302
- http://www.ciac.org/ciac/bulletins/o-086.shtml
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110
Credit
Thanks to Yuuichi Teranishi for finding this vulnerability.
This document was written by Jeffrey S. Havrilla.
Other Information
- CVE IDs: CAN-2004-0110
- Date Public: 12 Feb 2004
- Date First Published: 09 Mar 2004
- Date Last Updated: 09 Mar 2004
- Document Revision: 7
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.