             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

           Updated "libxml" Packages for Versions Prior to 2.6.14
                     [Red Hat Advisory: RHSA-2004:650-08]

December 17, 2004 19:00 GMT                                       Number P-073
                                                      [REVISED 18 Jan 2005]
                                                      [REVISED 26 May 2005]
                                                      [REVISED 23 Jun 2005]
______________________________________________________________________________
PROBLEM:       Multiple buffer overflow issues have been found in "libxml"
               versions prior to version 2.6.14.

PLATFORM:      Red Hat Enterprise Linux AS, ES, and WS (all v.3)
               Red Hat Enterprise Linux AS, ES, and WS (all v.2.1)
               Red Hat Desktop (v.3)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium
               Processor
               SGI ProPack 3 Service Pack 3 for SGI Altix family of systems
               SGI ProPack 3 Service Pack 5 for SGI Altix family of systems

DAMAGE:        An attacker could execute arbitrary code.

SOLUTION:      Upgrade to Red Hat's latest packages.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. "libxml" has been superseded by "libxml2" as
ASSESSMENT:    the default xml library.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-073.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2004-650.html
 ADDITIONAL LINKS:   Also see CIAC BULLETINS O-086 and P-029.
                     SGI Security Advisory Number 20050101-01-U
                     ftp://patches.sgi.com/support/free/security/advisories/20050101-01-U.asc
                     SGI Security Advisory Number 20050602-01-U
                     ftp://patches.sgi.com/support/free/security/advisories/20050602-01-U.asc
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2004-0110
                     CAN-2004-0989
______________________________________________________________________________
REVISION HISTORY:
 01/18/2005 - added link to updated packages available on SGI Security
              Advisory Number 20050101-01-U for SGI ProPack 3 Service Pack 3
              for SGI Altix family of systems.
 05/26/2005 - revised to replace the Red Hat bulletin, RHSA-2004:650-03, with
              the revised RHSA-2004:650-08.
 06/23/2005 - added link to SGI Advanced Linux Environment security update
              #39, Number 20050602-01-U, that provides patches for SGI
              ProPack 3 Service Pack 5 for SGI Altix family of systems.

[***** Start Red Hat Advisory: RHSA-2004:650-08 *****]

Updated libxml package fixes security vulnerabilities

Advisory:          RHSA-2004:650-08
Type:              Security Advisory
Issued on:         2005-05-26
Last updated on:   2005-05-26

Affected Products:
  Red Hat Desktop (v. 3)
  Red Hat Enterprise Linux AS (v. 2.1)
  Red Hat Enterprise Linux AS (v. 3)
  Red Hat Enterprise Linux ES (v. 2.1)
  Red Hat Enterprise Linux ES (v. 3)
  Red Hat Enterprise Linux WS (v. 2.1)
  Red Hat Enterprise Linux WS (v. 3)
  Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

CVEs (cve.mitre.org):
  CAN-2004-0110
  CAN-2004-0989

Details

An updated libxml package that fixes multiple buffer overflows is now
available.

[Updated 24 May 2005]
Multilib packages have been added to this advisory.

The libxml package contains a library for manipulating XML files.

Multiple buffer overflow bugs have been found in libxml versions prior to
2.6.14. If an attacker can trick a user into passing a specially crafted FTP
URL or FTP proxy URL to an application that uses the vulnerable functions of
libxml, it could be possible to execute arbitrary code. Additionally, if an
attacker can return a specially crafted DNS request to libxml, it could be
possible to execute arbitrary code. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-0989 to this issue.

Yuuichi Teranishi discovered a flaw in libxml versions prior to 2.6.6. When
fetching a remote resource via FTP or HTTP, libxml uses special parsing
routines. These routines can overflow a buffer if passed a very long URL. If
an attacker is able to find an application using libxml that parses remote
resources and allows them to influence the URL, then this flaw could be used
to execute arbitrary code. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0110 to this issue.

All users are advised to upgrade to this updated package, which contains
backported patches and is not vulnerable to these issues.

Solution

Before applying this update, make sure that all previously released errata
relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red
Hat Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to
your system:

    http://www.redhat.com/docs/manuals/enterprise/

Updated packages

Red Hat Desktop (v. 3)
--------------------------------------------------------------------------------
SRPMS:
libxml-1.8.17-9.2.src.rpm             0d8ee723cc5bfb46adedf334be96dcbe

IA-32:
libxml-1.8.17-9.2.i386.rpm            1fa0e7d164a4d3d5432732060c67f985
libxml-devel-1.8.17-9.2.i386.rpm      6747de74e075db51e9a40c02ea0905fa

x86_64:
libxml-1.8.17-9.2.i386.rpm            1fa0e7d164a4d3d5432732060c67f985
libxml-1.8.17-9.2.x86_64.rpm          140e93f6366ba860a6301629bfe71c08
libxml-devel-1.8.17-9.2.x86_64.rpm    c3e4b6e36068b0a2ecfbe75491f2b967

Red Hat Enterprise Linux AS (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
libxml-1.8.14-3.src.rpm               8d1802bcdd2a7085e7158a7ca68ab523

IA-32:
libxml-1.8.14-3.i386.rpm              e2ee01c57caf52c62b1ac9a229fc58f0
libxml-devel-1.8.14-3.i386.rpm        fd04239db40f4c2d9de4cf76791c409e

IA-64:
libxml-1.8.14-3.ia64.rpm              907f1c8f10e96b6c785d4cb5b7f7c399
libxml-devel-1.8.14-3.ia64.rpm        a9ca532078e6b35f2d01584453a3a6fe

Red Hat Enterprise Linux AS (v. 3)
--------------------------------------------------------------------------------
SRPMS:
libxml-1.8.17-9.2.src.rpm             0d8ee723cc5bfb46adedf334be96dcbe

IA-32:
libxml-1.8.17-9.2.i386.rpm            1fa0e7d164a4d3d5432732060c67f985
libxml-devel-1.8.17-9.2.i386.rpm      6747de74e075db51e9a40c02ea0905fa

IA-64:
libxml-1.8.17-9.2.i386.rpm            1fa0e7d164a4d3d5432732060c67f985
libxml-1.8.17-9.2.ia64.rpm            6e7730063c22539fb40658cc763a2bd3
libxml-devel-1.8.17-9.2.ia64.rpm      594c3955d725c7aad2c3ad89194d0f4b

PPC:
libxml-1.8.17-9.2.ppc.rpm             e04cb28f14a0381a7d92aa9b57b3b43a
libxml-1.8.17-9.2.ppc64.rpm           f6b5d2c9dee68c6d2a63cc8f4d02648b
libxml-devel-1.8.17-9.2.ppc.rpm       b52b8e7f667842bbcb319e0c5cb9132e

s390:
libxml-1.8.17-9.2.s390.rpm            f8cb54901760145e5123832d27bf7334
libxml-devel-1.8.17-9.2.s390.rpm      88ace5024d54b0f7a104bb6310974fd6

s390x:
libxml-1.8.17-9.2.s390.rpm            f8cb54901760145e5123832d27bf7334
libxml-1.8.17-9.2.s390x.rpm           7d268017ddac87e213b1b9e0d22be27b
libxml-devel-1.8.17-9.2.s390x.rpm     eda80205b0afd05ca6aafce032a1072f

x86_64:
libxml-1.8.17-9.2.i386.rpm            1fa0e7d164a4d3d5432732060c67f985
libxml-1.8.17-9.2.x86_64.rpm          140e93f6366ba860a6301629bfe71c08
libxml-devel-1.8.17-9.2.x86_64.rpm    c3e4b6e36068b0a2ecfbe75491f2b967

Red Hat Enterprise Linux ES (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
libxml-1.8.14-3.src.rpm               8d1802bcdd2a7085e7158a7ca68ab523

IA-32:
libxml-1.8.14-3.i386.rpm              e2ee01c57caf52c62b1ac9a229fc58f0
libxml-devel-1.8.14-3.i386.rpm        fd04239db40f4c2d9de4cf76791c409e

Red Hat Enterprise Linux ES (v. 3)
--------------------------------------------------------------------------------
SRPMS:
libxml-1.8.17-9.2.src.rpm             0d8ee723cc5bfb46adedf334be96dcbe

IA-32:
libxml-1.8.17-9.2.i386.rpm            1fa0e7d164a4d3d5432732060c67f985
libxml-devel-1.8.17-9.2.i386.rpm      6747de74e075db51e9a40c02ea0905fa

IA-64:
libxml-1.8.17-9.2.i386.rpm            1fa0e7d164a4d3d5432732060c67f985
libxml-1.8.17-9.2.ia64.rpm            6e7730063c22539fb40658cc763a2bd3
libxml-devel-1.8.17-9.2.ia64.rpm      594c3955d725c7aad2c3ad89194d0f4b

x86_64:
libxml-1.8.17-9.2.i386.rpm            1fa0e7d164a4d3d5432732060c67f985
libxml-1.8.17-9.2.x86_64.rpm          140e93f6366ba860a6301629bfe71c08
libxml-devel-1.8.17-9.2.x86_64.rpm    c3e4b6e36068b0a2ecfbe75491f2b967

Red Hat Enterprise Linux WS (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
libxml-1.8.14-3.src.rpm               8d1802bcdd2a7085e7158a7ca68ab523

IA-32:
libxml-1.8.14-3.i386.rpm              e2ee01c57caf52c62b1ac9a229fc58f0
libxml-devel-1.8.14-3.i386.rpm        fd04239db40f4c2d9de4cf76791c409e

Red Hat Enterprise Linux WS (v. 3)
--------------------------------------------------------------------------------
SRPMS:
libxml-1.8.17-9.2.src.rpm             0d8ee723cc5bfb46adedf334be96dcbe

IA-32:
libxml-1.8.17-9.2.i386.rpm            1fa0e7d164a4d3d5432732060c67f985
libxml-devel-1.8.17-9.2.i386.rpm      6747de74e075db51e9a40c02ea0905fa

IA-64:
libxml-1.8.17-9.2.i386.rpm            1fa0e7d164a4d3d5432732060c67f985
libxml-1.8.17-9.2.ia64.rpm            6e7730063c22539fb40658cc763a2bd3
libxml-devel-1.8.17-9.2.ia64.rpm      594c3955d725c7aad2c3ad89194d0f4b

x86_64:
libxml-1.8.17-9.2.i386.rpm            1fa0e7d164a4d3d5432732060c67f985
libxml-1.8.17-9.2.x86_64.rpm          140e93f6366ba860a6301629bfe71c08
libxml-devel-1.8.17-9.2.x86_64.rpm    c3e4b6e36068b0a2ecfbe75491f2b967

Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
--------------------------------------------------------------------------------
SRPMS:
libxml-1.8.14-3.src.rpm               8d1802bcdd2a7085e7158a7ca68ab523

IA-64:
libxml-1.8.14-3.ia64.rpm              907f1c8f10e96b6c785d4cb5b7f7c399
libxml-devel-1.8.14-3.ia64.rpm        a9ca532078e6b35f2d01584453a3a6fe

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

139090 - CAN-2004-0110 multiple buffer overflows (CAN-2004-0989)

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0989

--------------------------------------------------------------------------------
These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:

    https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat Advisory: RHSA-2004:650-08 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat, Inc. for the
information contained in this bulletin.
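Two checks an administrator would run around the Solution section above: confirm that the libxml build on a host is at least the fixed build the advisory lists (libxml-1.8.17-9.2 on the v. 3 products, libxml-1.8.14-3 on the v. 2.1 products), and, for packages fetched outside up2date, compare each file against the MD5 sums in the "Updated packages" tables before installing. The script below is an added example and is not part of the CIAC or Red Hat bulletin. It assumes POSIX sh with awk and GNU md5sum; the sum list it reads uses the same "<package> <md5>" layout as the advisory, and the files it creates for its own demonstration are constructed stand-ins, not real RPMs.

```shell
#!/bin/sh
# Added example (not from the CIAC/Red Hat bulletin). Assumes POSIX sh,
# awk and GNU md5sum.

# vercmp_ge INSTALLED FIXED
#   Compares two "version-release" strings such as
#     rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' libxml
#   prints, e.g. "1.8.17-9.1" against the advisory's "1.8.17-9.2".
#   Returns 0 when INSTALLED >= FIXED. Segments split on '.' and '-' are
#   compared numerically; this is a simplification of rpm's own EVR
#   comparison (no epoch, no alphabetic release tags), adequate for the
#   version strings in this advisory.
vercmp_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F'[.-]' '
        NR == 1 { n = NF; for (i = 1; i <= NF; i++) a[i] = $i; next }
        {
            m = NF; top = (n > m) ? n : m
            for (i = 1; i <= top; i++) {
                x = (i <= n) ? a[i] + 0 : 0
                y = (i <= m) ? $i + 0 : 0
                if (x > y) exit 0
                if (x < y) exit 1
            }
            exit 0
        }'
}

# verify_advisory_sums DIR LISTFILE
#   LISTFILE: one "<package>.rpm <md5>" entry per line, as in the advisory.
#   Prints one status line per package; returns 0 only when every listed
#   package exists in DIR and its MD5 matches.
verify_advisory_sums() {
    dir="$1"
    list="$2"
    status=0
    while read -r pkg expected; do
        [ -n "$pkg" ] || continue                # skip blank lines
        file="$dir/$pkg"
        if [ ! -f "$file" ]; then
            echo "MISSING  $pkg"
            status=1
            continue
        fi
        actual=$(md5sum "$file" | awk '{print $1}')
        if [ "$actual" = "$expected" ]; then
            echo "OK       $pkg"
        else
            echo "MISMATCH $pkg (advisory $expected, file $actual)"
            status=1
        fi
    done < "$list"
    return "$status"
}

# Demonstration. Constructed inputs: a pre-fix and a fixed version string,
# and two stand-in files whose sums are the MD5 of an empty file and of the
# single line "hello".
if vercmp_ge 1.8.17-9.1 1.8.17-9.2; then
    echo "1.8.17-9.1: at or above fixed build"
else
    echo "1.8.17-9.1: older than fixed build 1.8.17-9.2, update required"
fi

demo_dir=$(mktemp -d)
: > "$demo_dir/libxml-demo.src.rpm"
printf 'hello\n' > "$demo_dir/libxml-demo.i386.rpm"
cat > "$demo_dir/sums.txt" <<'EOF'
libxml-demo.src.rpm d41d8cd98f00b204e9800998ecf8427e
libxml-demo.i386.rpm b1946ac92492d2347c6235b4d2611184
EOF
verify_advisory_sums "$demo_dir" "$demo_dir/sums.txt"

# Simulate a corrupted or altered download: the check must now fail.
printf 'hello!\n' > "$demo_dir/libxml-demo.i386.rpm"
if verify_advisory_sums "$demo_dir" "$demo_dir/sums.txt"; then
    echo "unexpected: altered file passed"
else
    echo "verification failed as expected; do not install"
fi
rm -rf "$demo_dir"
```

A matching MD5 shows that the download is intact; it does not establish origin. For that, import Red Hat's package-signing key as the advisory describes and run `rpm --checksig <file>.rpm`, which checks the GPG signature the advisory says every package carries.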
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-063: Adobe Reader Security Vulnerabilities
P-064: Adobe Reader 5.0.9 for UNIX "mailListIsPdf" function Vulnerability
P-065: Cisco Default Administrative Password in Cisco Guard and Traffic
       Anomaly Detector
P-066: Veritas Backup Exec Buffer Overflow Vulnerability
P-067: PHP Multiple Vulnerabilities
P-068: Sun Webmail Vulnerability
P-069: Sun - Multiple Mozilla Vulnerabilities
P-070: Updated Samba Packages
P-071: Updated "gd" Packages
P-072: Updated ZIP Packages