SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#493966

Libxml2 URI parsing errors in nanohttp and nanoftp

Overview

Libxml is the XML parser for Gnome, a desktop suite and development platform for Linux systems. Libxml2, the latest version of the library as of this writing, has a buffer overflow vulnerability which may allow execution of arbitrary code.

I. Description

Gnome, a desktop suite and development platform for Linux systems, uses Libxml as an XML parser to handle encoding and decoding or URI strings (this is part of the GNOME XML Toolkit). The Libxml2 release of Libxml prior to version 2.6.6 (published Feb 12 2004) contains a buffer overflow vulnerability when parsing URI strings in XML-structrued files. If the URI is over 4096 bytes, it may be possible to crash software using a vulnerable version of Libxml2.

II. Impact

The complete impact of this vulnerability is not yet known. It is reported to cause a SEGV in software using a vulnerable version of Libxml2.

III. Solution

Update to Libxml2 version 2.6.6 or later at http://www.xmlsoft.org/downloads.html

Systems Affected
VendorStatusDate NotifiedDate Updated
DebianVulnerable9-Mar-2004
Fedora ProjectVulnerable9-Mar-2004
Gentoo LinuxVulnerable9-Mar-2004
GNOME ProjectVulnerable9-Mar-2004
Linux NetwosixVulnerable9-Mar-2004
MandrakeSoftVulnerable9-Mar-2004
OpenPKGVulnerable9-Mar-2004
Red Hat Inc.Vulnerable9-Mar-2004
SGIVulnerable9-Mar-2004
Trustix Secure LinuxVulnerable9-Mar-2004

References


http://mail.gnome.org/archives/xml/2004-February/msg00070.html
http://www.gnome.org/softwaremap/projects/libxml
http://www.xmlsoft.org/news.html
http://www.xmlsoft.org/downloads.html
http://secunia.com/advisories/10958/
http://www.securityfocus.com/bid/9718
http://xforce.iss.net/xforce/xfdb/15301
http://xforce.iss.net/xforce/xfdb/15302
http://www.ciac.org/ciac/bulletins/o-086.shtml
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110

Credit

Thanks to Yuuichi Teranishi for finding this vulnerability.

This document was written by Jeffrey S. Havrilla.

Other Information

Date Public:2004-02-12
Date First Published:2004-03-09
Date Last Updated:2004-03-09
CERT Advisory: 
CVE-ID(s):CAN-2004-0110
NVD-ID(s):CAN-2004-0110
US-CERT Technical Alerts: 
Metric:0.00
Document Revision:7

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2004 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader