CERT-FI Advisory on XML libraries
| Field | Value |
| --- | --- |
| Target | servers and server applications; workstations and end user applications; network devices; embedded systems; mobile devices; other |
| Access Vector | remote |
| Impact | potential code execution; denial of service |
| Remediation | fix provided by vendor |
Details
Several vulnerabilities regarding the parsing of XML data have been found in XML library implementations. CERT-FI coordinated the remediation efforts of these vulnerabilities.
The vulnerabilities are related to the parsing of XML elements with unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely. The effects of the vulnerabilities include denial of service and potentially code execution. The vulnerabilities can be exploited by enticing a user to open a specially modified file, or by submitting it to a server that handles XML content.
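The two parsing conditions named above (unexpected byte values and recursively nested parentheses in DTD content models) are the kind of thing a service that accepts XML from untrusted sources can screen for before the bytes reach the parser, and the parser's own error must then be treated as a rejection rather than something to work around. The following is an added illustration, not code from CERT-FI or from any of the affected projects; the nesting threshold MAX_CONTENT_MODEL_DEPTH is an assumed policy value (the advisory states no number), the helper names are invented for this example, and the sample documents are constructed. It uses Python's own xml.parsers.expat, one of the libraries listed in this advisory, which is why a pre-screen of this sort is a stopgap until the patched library is deployed.

```python
import re
from xml.parsers.expat import ParserCreate, ExpatError

# Assumed policy threshold for this example; the advisory gives no number.
MAX_CONTENT_MODEL_DEPTH = 16

# Finds a DOCTYPE declaration and captures its internal subset, if it has one.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b[^\[>]*(?:\[(?P<subset>.*?)\]\s*)?>", re.DOTALL)


def max_paren_depth(subset: bytes) -> int:
    """Deepest parenthesis nesting inside a DTD internal subset (hypothetical helper)."""
    depth = deepest = 0
    for byte in subset:
        if byte == 0x28:          # '('
            depth += 1
            deepest = max(deepest, depth)
        elif byte == 0x29:        # ')'
            depth = max(0, depth - 1)
    return deepest


def screen_xml(data: bytes, encoding: str = "utf-8") -> tuple:
    """Return (accepted, reason). Fails closed on anything the parser rejects."""
    # 1. Unexpected byte values: the bytes must be valid in the declared encoding.
    try:
        data.decode(encoding)
    except UnicodeDecodeError as exc:
        return False, f"invalid byte sequence: {exc}"

    # 2. Recursive parentheses: cap nesting depth in the internal DTD subset.
    match = DOCTYPE_RE.search(data)
    if match and match.group("subset") is not None:
        depth = max_paren_depth(match.group("subset"))
        if depth > MAX_CONTENT_MODEL_DEPTH:
            return False, (f"DTD content model nesting depth {depth} "
                           f"exceeds {MAX_CONTENT_MODEL_DEPTH}")

    # 3. Hand the document to expat; any parser error rejects it outright.
    parser = ParserCreate()
    try:
        parser.Parse(data, True)
    except ExpatError as exc:
        return False, f"parse error: {exc}"
    return True, "ok"


# Constructed sample documents; none of these is a real trigger from the advisory.
SAMPLES = {
    "clean": b'<?xml version="1.0"?><doc><a>x</a></doc>',
    "shallow_model": (b'<?xml version="1.0"?><!DOCTYPE doc [<!ELEMENT doc (a,(b|c))>'
                      b'<!ELEMENT a (#PCDATA)><!ELEMENT b (#PCDATA)><!ELEMENT c (#PCDATA)>]>'
                      b'<doc><a>x</a><b>y</b></doc>'),
    "bad_bytes": b'<?xml version="1.0"?><doc>\xff\xfe</doc>',
    "deep_model": (b'<?xml version="1.0"?><!DOCTYPE doc [<!ELEMENT doc '
                   + b"(" * 40 + b"a" + b")" * 40 + b">]><doc/>"),
    "unbalanced": b'<?xml version="1.0"?><doc><a></doc>',
}


def run_samples() -> dict:
    """Screen every constructed sample and return name -> (accepted, reason)."""
    return {name: screen_xml(doc) for name, doc in SAMPLES.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in run_samples().items():
        print(f"{name:14s} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

The decode step assumes the caller knows the document's encoding; expat itself auto-detects from the XML declaration, so a service that accepts several encodings should pass the declared one through. Step 2 only looks at the internal subset, which is where an attacker-supplied document carries its own content models; external DTDs should simply not be fetched for untrusted input.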
Vulnerability Coordination Information and Acknowledgements
CERT-FI has coordinated the release of this vulnerability between the vulnerability researcher and the affected vendors. CERT-FI would like to thank Jukka Taimisto, Tero Rontti and Rauli Kaksonen from the CROSS project at Codenomicon Ltd for reporting the vulnerability to us, and the vendors for co-operation in the remediation efforts.
Vendor Information
- Python libexpat, all versions
  - Fixed in Python version 3.1.1
- Apache Xerces C++, all versions
  - Fixed in Red Hat versions xerces-c27-2.7.0-8, xerces-c-2.7.0-8 and xerces-c-2.8.0-5
- libxml2, all versions
  - Fixed in libxml2 version 2.7.4
  - Fixed in Red Hat versions libxml2-2.6.26-2.1.2.8, libxml-1.8.17-9.3, libxml2-2.5.10-15 and libxml2-2.6.16-12.7
  - Fixed in Ubuntu versions 2.6.24.dfsg-1ubuntu1.5, 2.6.31.dfsg-2ubuntu1.4, 2.6.32.dfsg-4ubuntu1.2 and 2.6.32.dfsg-5ubuntu4.2
  - Fixed in Debian versions 2.6.27.dfsg-6+etch1 and 2.6.32.dfsg-5+lenny1
  - Fixed in Mandriva versions libxml1-1.8.17-12.1mdv2008.1, libxml2_2-2.6.31-1.5mdv2008.1, libxml1-1.8.17-14.1mdv2009.0, libxml2_2-2.7.1-1.4mdv2009.0, libxml1-1.8.17-14.1mdv2009.1, libxml2_2-2.7.3-2.1mdv2009.1, libxml1-1.8.17-6.2.C30mdk, libxml2-2.6.6-1.7.C30mdk, libxml1-1.8.17-8.1.20060mlcs4, libxml2-2.6.21-3.6.20060mlcs4, libxml1-1.8.17-14.1mdvmes5, libxml2_2-2.7.1-1.4mdvmes5 and in the corresponding x86_64 versions
  - Fix mentioned in OpenSUSE security announcement SUSE-SR:2009:015
- Apache Xerces Java, all versions
- Sun JDK and JRE 6 Update 14 and earlier
  - Fixed in Sun JDK and JRE 6 Update 15
- Sun JDK and JRE 5.0 Update 19 and earlier
  - Fixed in Sun JDK and JRE 6 Update 15
- Apple Java for Mac OS X 10.5, all versions
  - Fixed in Java for Mac OS X Update 5
- OpenJDK 1.6, all versions
  - Fixed in Red Hat version java-1.6.0-openjdk-1.6.0.0-1.2.b09
  - Fixed in Ubuntu versions 6b12-0ubuntu6.5 and 6b14-1.4.1-0ubuntu11
- OpenOffice
  - Fixed in version 3.1.1
  - Fixed in version 2.4.3
- Sun StarOffice and StarSuite
  - Fixed in version StarOffice 8 update 14
  - Fixed in version StarSuite 8 update 14
  - Fixed in version StarOffice 9 update 3
  - Fixed in version StarSuite 9 update 3
- Oracle BEA JRockit
  - Fixed in version Oracle JRockit R27.6.5
- VMware
  - Fixed in versions ESXi 4.0, ESX 4.0, vMA 4.0 patch 2 and vCenter Server 4.0 Update 1
- XML-RPC for C and C++
  - Fixed in Ubuntu version 1.06.27-1ubuntu6.1
Vendor Statements
Python
Fix has been incorporated into Python 3.1.1.
Remediation
Patch the vulnerable software components according to the guidance published by the vendor. Where available, refer to the 'Vendor Information' section of this advisory for platform specific remediation. Most of the library vulnerabilities in this advisory are fixed only in the library vendors' version control systems and in packages distributed by OS vendors. This advisory will be updated as more patch information becomes available.
References
- Python Expat
- Xerces C++
- Libxml2
- Sun Java
- Xerces Java
- OpenJDK
- Apple
- Google
- OpenOffice
- Sun StarOffice and StarSuite
- Oracle
- VMware
- XML-RPC for C and C++
- General
Contact Information
CERT-FI Vulnerability Coordination can be contacted as follows:
Email:
vulncoord@ficora.fi
Please quote the advisory reference [FICORA #245608] in the subject line
Telephone:
+358 9 6966 510
Monday - Friday 08:00 - 16:15 (EET: UTC+2)
Fax:
+358 9 6966 515
Post:
Vulnerability Coordination
FICORA/CERT-FI
P.O. Box 313
FI-00181 Helsinki
FINLAND
CERT-FI encourages those who wish to communicate via email to make use of our PGP key. The key is available at
https://www.cert.fi/en/activities/contact/pgp-keys.html
Revision History:
6 August 2009, 00:10: Published
10 August 2009, 14:06: Added OpenJDK
10 August 2009, 17:00: Added libxml2
11 August 2009, 9:50: Added Debian advisory
12 August 2009, 14:20: Added more references and clarified the Vendor Information section
13 August 2009, 13:30: Added information about fixed versions distributed by Mandriva
25 August 2009, 10:25: Added information about a fixed Python version
4 September 2009, 15:30: Added information about a fixed Java for Mac OS X version
17 September 2009, 15:40: Added information about a fixed Google Chrome version
22 September 2009, 13:00: Added information about a fixed OpenOffice and StarOffice version and a fixed libxml2 version distributed by OpenSUSE
21 October 2009, 16:25: Added information about Oracle fixes
28 October 2009, 14:45: Added a CVE-reference to Python libexpat bug
2 November 2009, 16:00: Added information about Apple
4 November 2009, 10:20: Added information about a fixed libxml2 version
23 November 2009, 17:30: Added information about VMware fixes
26 February 2010, 14:30: Added information about XML-RPC for C and C++
16 June 2011, 15:09: Added Mandriva advisory
Page updated 16.06.2011