
CERT-FI Advisory on XML libraries

Target:
- servers and server applications
- workstations and end user applications
- network devices
- embedded systems
- mobile devices
- other

Access Vector:
- remote

Impact:
- potential code execution
- denial of service

Remediation:
- fix provided by vendor


Several vulnerabilities regarding the parsing of XML data have been found in XML library implementations. CERT-FI coordinated the remediation efforts of these vulnerabilities.

The vulnerabilities are related to the parsing of XML elements with unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely. The effects of the vulnerabilities include denial of service and potentially code execution. The vulnerabilities can be exploited by enticing a user to open a specially modified file, or by submitting it to a server that handles XML content.
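The two malformed-input classes named above (unexpected byte values and deeply nested parentheses in DTD content models) can be screened for before the bytes reach the XML library. The following is an added illustration, not code from CERT-FI or from any of the listed vendors; it assumes UTF-8 input, a constructed nesting limit of 32, and uses Python's own expat binding for the final parse.

```python
import re
from xml.parsers import expat

# Assumed limit; real-world content models are nowhere near this deep.
MAX_PAREN_DEPTH = 32
ELEMENT_DECL_RE = re.compile(rb"<!ELEMENT\b(.*?)>", re.DOTALL)

def max_paren_depth(decl_body: bytes) -> int:
    """Deepest '(' nesting inside one <!ELEMENT ...> content model."""
    depth = deepest = 0
    for ch in decl_body:
        if ch == 0x28:                       # '('
            depth += 1
            deepest = max(deepest, depth)
        elif ch == 0x29:                     # ')'
            depth = max(0, depth - 1)
    return deepest

def precheck(data: bytes, max_depth: int = MAX_PAREN_DEPTH) -> list:
    """Return reasons to reject the document; an empty list means it passed."""
    problems = []
    try:
        data.decode("utf-8", errors="strict")   # rejects stray or truncated bytes
    except UnicodeDecodeError as exc:
        problems.append(f"invalid UTF-8 at offset {exc.start}")
    for m in ELEMENT_DECL_RE.finditer(data):
        depth = max_paren_depth(m.group(1))
        if depth > max_depth:
            problems.append(f"content model nested {depth} deep (limit {max_depth})")
            break
    return problems

def parse_guarded(data: bytes):
    """Run the precheck, then expat; returns (ok, element_names_or_problems)."""
    problems = precheck(data)
    if problems:
        return False, problems
    names = []
    parser = expat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        return False, [f"expat: {exc}"]
    return True, names

# Constructed sample inputs: one clean document, one with invalid bytes in text
# content, one whose DTD content model nests parentheses 40 levels deep.
GOOD = b'<?xml version="1.0"?><!DOCTYPE a [<!ELEMENT a (b|(c,d))>]><a><b/></a>'
BAD_BYTES = b'<?xml version="1.0"?><a>\xff\xfe</a>'
DEEP = b'<?xml version="1.0"?><!DOCTYPE a [<!ELEMENT a ' + b'(' * 40 + b'b' + b')' * 40 + b'>]><a/>'
```

The gate is a defence-in-depth screen in front of an unpatched library, not a substitute for the vendor fixes listed below; documents legitimately encoded in UTF-16 would need the encoding check relaxed.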

Vulnerability Coordination Information and Acknowledgements

CERT-FI has coordinated the release of this vulnerability between the vulnerability researcher and the affected vendors. CERT-FI would like to thank Jukka Taimisto, Tero Rontti and Rauli Kaksonen from the CROSS project at Codenomicon Ltd for reporting the vulnerability to us, and the vendors for co-operation in the remediation efforts.

Vendor Information

- Python libexpat, all versions
  - Fixed in Python version 3.1.1
- Apache Xerces C++, all versions
  - Fixed in Red Hat versions xerces-c27-2.7.0-8, xerces-c-2.7.0-8 and xerces-c-2.8.0-5
- libxml2, all versions
  - Fixed in libxml2 version 2.7.4
  - Fixed in Red Hat versions libxml2-2.6.26-, libxml-1.8.17-9.3, libxml2-2.5.10-15 and libxml2-2.6.16-12.7
  - Fixed in Ubuntu versions 2.6.24.dfsg-1ubuntu1.5, 2.6.31.dfsg-2ubuntu1.4, 2.6.32.dfsg-4ubuntu1.2 and 2.6.32.dfsg-5ubuntu4.2
  - Fixed in Debian versions 2.6.27.dfsg-6+etch1 and 2.6.32.dfsg-5+lenny1
  - Fixed in Mandriva versions libxml1-1.8.17-12.1mdv2008.1, libxml2_2-2.6.31-1.5mdv2008.1, libxml1-1.8.17-14.1mdv2009.0, libxml2_2-2.7.1-1.4mdv2009.0, libxml1-1.8.17-14.1mdv2009.1, libxml2_2-2.7.3-2.1mdv2009.1, libxml1-1.8.17-6.2.C30mdk, libxml2-2.6.6-1.7.C30mdk, libxml1-1.8.17-8.1.20060mlcs4, libxml2-2.6.21-3.6.20060mlcs4, libxml1-1.8.17-14.1mdvmes5, libxml2_2-2.7.1-1.4mdvmes5 and in corresponding X86_64 versions
  - Fix mentioned in OpenSUSE security announcement SUSE-SR:2009:015
- Apache Xerces Java, all versions
- Sun JDK and JRE 6 Update 14 and earlier
  - Fixed in Sun JDK and JRE 6 Update 15
- Sun JDK and JRE 5.0 Update 19 and earlier
  - Fixed in Sun JDK and JRE 6 Update 15
- Apple Java for Mac OS X 10.5, all versions
  - Fixed in Java for Mac OS X Update 5
- OpenJDK 1.6, all versions
  - Fixed in Red Hat version java-1.6.0-openjdk-
  - Fixed in Ubuntu versions 6b12-0ubuntu6.5 and 6b14-1.4.1-0ubuntu11
- OpenOffice
  - Fixed in version 3.1.1
  - Fixed in version 2.4.3
- Sun StarOffice and StarSuite
  - Fixed in version StarOffice 8 update 14
  - Fixed in version StarSuite 8 update 14
  - Fixed in version StarOffice 9 update 3
  - Fixed in version StarSuite 9 update 3
- Oracle BEA JRockit
  - Fixed in version Oracle JRockit R27.6.5
- VMware
  - Fixed in versions ESXi 4.0, ESX 4.0, vMA 4.0 patch 2, vCenter Server 4.0 Update 1
- XML-RPC for C and C++
  - Fixed in Ubuntu version 1.06.27-1ubuntu6.1

Vendor Statements

Fix has been incorporated into Python 3.1.1.

Remediation

Patch the vulnerable software components according to the guidance published by the vendor. Where available, refer to the 'Vendor Information' section of this advisory for platform specific remediation. Most of the library vulnerabilities in this advisory are fixed only in the library vendors' version control systems and in packages distributed by OS vendors. This advisory will be updated as more patch information becomes available.

References

- Python Expat
- Xerces C++
- Sun Java
- Xerces Java
- Sun StarOffice and StarSuite
- XML-RPC for C and C++

Contact Information

CERT-FI Vulnerability Coordination can be contacted as follows:

Please quote the advisory reference [FICORA #245608] in the subject line.

Phone:
+358 9 6966 510
Monday - Friday 08:00 - 16:15 (EET: UTC+2)

Fax:
+358 9 6966 515

Vulnerability Coordination
P.O. Box 313
FI-00181 Helsinki

CERT-FI encourages those who wish to communicate via email to make use of our PGP key. The key is available at

Revision History:

6 August 2009, 00:10: Published
10 August 2009, 14:06: Added OpenJDK
10 August 2009, 17:00: Added libxml2
11 August 2009, 9:50: Added Debian advisory
12 August 2009, 14:20: Added more references and clarified the Vendor Information section
13 August 2009, 13:30: Added information about fixed versions distributed by Mandriva
25 August 2009, 10:25: Added information about a fixed Python version
4 September 2009, 15:30: Added information about a fixed Java for Mac OS X version
17 September 2009, 15:40: Added information about a fixed Google Chrome version
22 September 2009, 13:00: Added information about a fixed OpenOffice and StarOffice version and a fixed libxml2 version distributed by OpenSUSE
21 October 2009, 16:25: Added information about Oracle fixes
28 October 2009, 14:45: Added a CVE reference to the Python libexpat bug
2 November 2009, 16:00: Added information about Apple
4 November 2009, 10:20: Added information about a fixed libxml2 version
23 November 2009, 17:30: Added information about VMware fixes
26 February 2010, 14:30: Added information about XML-RPC for C and C++
16 June 2011, 15:09: Added Mandriva advisory

Page updated 16.06.2011