[xml/sgml-pkgs] Bug#498768: libxml2: does not correctly handle long entity names (CVE-2008-3529)

Michael Gilbert michael.s.gilbert at gmail.com
Sat Sep 13 03:29:03 UTC 2008

Package: libxml2
Version: 2.6.32.dfsg-3
Severity: grave
Tags: security
Justification: user security hole

ubuntu just released a fix for a problem in libxml2 [1].  the issue appears
to currently be reserved [2], but since ubuntu has released a fix, other
distributions need to follow suit soon to limit the window of opportunity 
for attacks.  the description of the problem is

    It was discovered that libxml2 did not correctly handle long entity 
    names.   If a user were tricked into processing a specially crafted XML 
    document, a remote attacker could execute arbitrary code with user 
    privileges or cause the application linked against libxml2 to crash, 
    leading to a denial of service.

this likely affects all releases (stable, testing, and unstable).

thanks for the hard work.

[1] http://lwn.net/Articles/298282/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-etchnhalf.1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libxml2 depends on:
ii  libc6                  2.7-13            GNU C Library: Shared libraries
ii  zlib1g                 1: compression library - runtime

Versions of packages libxml2 recommends:
ii  xml-core                      0.11       XML infrastructure and XML catalog

libxml2 suggests no packages.

-- no debconf information

More information about the debian-xml-sgml-pkgs mailing list