Vulnerability Note VU#493966

Libxml2 URI parsing errors in nanohttp and nanoftp

Original Release date: 09 Mar 2004 | Last revised: 09 Mar 2004

Overview

Libxml is the XML parser for Gnome, a desktop suite and development platform for Linux systems. Libxml2, the latest version of the library as of this writing, has a buffer overflow vulnerability which may allow execution of arbitrary code.

Description

Gnome, a desktop suite and development platform for Linux systems, uses Libxml as an XML parser to handle encoding and decoding or URI strings (this is part of the GNOME XML Toolkit). The Libxml2 release of Libxml prior to version 2.6.6 (published Feb 12 2004) contains a buffer overflow vulnerability when parsing URI strings in XML-structrued files. If the URI is over 4096 bytes, it may be possible to crash software using a vulnerable version of Libxml2.

Impact

The complete impact of this vulnerability is not yet known. It is reported to cause a SEGV in software using a vulnerable version of Libxml2.

Solution

Update to Libxml2 version 2.6.6 or later at http://www.xmlsoft.org/downloads.html

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
DebianAffected-09 Mar 2004
Fedora ProjectAffected-09 Mar 2004
Gentoo LinuxAffected-09 Mar 2004
GNOME ProjectAffected-09 Mar 2004
Linux NetwosixAffected-09 Mar 2004
MandrakeSoftAffected-09 Mar 2004
OpenPKGAffected-09 Mar 2004
Red Hat Inc.Affected-09 Mar 2004
SGIAffected-09 Mar 2004
Trustix Secure LinuxAffected-09 Mar 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Yuuichi Teranishi for finding this vulnerability.

This document was written by Jeffrey S. Havrilla.

Other Information

  • CVE IDs: CAN-2004-0110
  • Date Public: 12 Feb 2004
  • Date First Published: 09 Mar 2004
  • Date Last Updated: 09 Mar 2004
  • Document Revision: 7

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.