Message-ID: <4AE05FBE.7000202@redhat.com>
Date: Thu, 22 Oct 2009 15:35:58 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>,
Marc Schoenefeld <mschoene@...hat.com>, Joe Orton <jorton@...hat.com>,
Ondrej Vasik <ovasik@...hat.com>, Roman Rakus <rrakus@...hat.com>,
CERT-FI Vulnerability Co-ordination <vulncoord@...ora.fi>
Subject: Regarding expat bug 1990430
Hello Steve, vendors,
this is due:
[1] http://thread.gmane.org/gmane.comp.security.oss.general/2025/focus=2032
1, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2473
Patch: https://bugzilla.redhat.com/attachment.cgi?id=357950
2, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955
Patch: http://marc.info/?l=apr-dev&m=124396021826125&w=2
When looking at the patches, while the source code bases (patches)
are different, the XML reproducer is the same - so is different
source code sufficient to distinguish the CVE ids, or should
they be merged?
3, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1885
Patch:
http://svn.apache.org/viewvc/xerces/c/trunk/src/xercesc/validators/DTD/DTDScanner.cpp?r1=709149&r2=781488&pathrev=781488
The testcases here were provided by CERT-FI and are the
same as for:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2416
But different CVE identifiers needed to be used, due to the
fact that the CVE-2009-1885 issue was disclosed earlier than
other vendors were prepared to release libxml2 updates.
They also affect different code bases: CVE-2009-1885
Apache Xerces C++, while CVE-2009-2414, CVE-2009-2416 libxml / libxml2.
4, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
CVE originally assigned to Apache Xerces2 Java (does it embed
its own copy of expat?), but also reported as an expat issue here:
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?view=log
Expat patch:
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch
The expat library is embedded also in:
a, w3c-libwww http://www.w3.org/Library
b, PyXML http://pyxml.sourceforge.net/
And probably also in other packages (still need to get the complete list). In this case,
the reproducer, code base and patch are the same, just the expat library is embedded
in multiple other products. Two questions remain to be answered here:
a, Does Apache Xerces2 Java contain an embedded copy of the expat library (i.e. it's
completely the same issue as in expat, w3c-libwww, PyXML and others)? Marc,
could you help to reply to this question?
b, Can we use CVE-2009-2625 to reference the expat, w3c-libwww (expat), PyXML (expat)
issues too, or does another one need to be assigned for these? (But the decision
depends on the answer to the previous question.)
Hoping this will bring at least a little bit more light into the above [1] doubts.
Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team