[xml/sgml-pkgs] Bug#460292: libxml2: libxml2 UTF-8 parsing denial of service vulnerability
Pascal Volk
user at localhost.localdomain.org
Fri Jan 11 20:48:52 UTC 2008
Package: libxml2
Version: 2.6.30.dfsg-3
Severity: normal
A vulnerability has been reported in libxml2, prior to version 2.6.31, from
Daniel Veillard:
"Two specially crafted broken UTF-8 sequences when occuring at the wrong
place lead the parser to go into an infinite loop."
The report is available at:
http://mail.gnome.org/archives/xml/2008-January/msg00036.html
A patch can be found at:
http://veillard.com/libxml2.patch
The fixed source code can be downloaded from:
ftp://xmlsoft.org/libxml/libxml2-2.6.31.tar.gz
Regards
Pascal
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-3-k7 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libxml2 depends on:
ii libc6 2.7-5 GNU C Library: Shared libraries
ii zlib1g 1:1.2.3.3.dfsg-8 compression library - runtime
Versions of packages libxml2 recommends:
ii xml-core 0.11 XML infrastructure and XML catalog
-- no debconf information
More information about the debian-xml-sgml-pkgs
mailing list