From openpkg@openpkg.org Fri Mar 5 22:10:32 2004 From: OpenPKG To: bugtraq@securityfocus.com Date: Fri, 5 Mar 2004 18:35:10 +0100 Subject: [OpenPKG-SA-2004.003] OpenPKG Security Advisory (libxml) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________ OpenPKG Security Advisory The OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org openpkg-security@openpkg.org openpkg@openpkg.org OpenPKG-SA-2004.003 05-Mar-2004 ________________________________________________________________________ Package: libxml Vulnerability: arbitrary code execution OpenPKG Specific: no Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT <= libxml-2.6.5-20040126 >= libxml-2.6.6-20040212 OpenPKG 2.0 none N.A. OpenPKG 1.3 <= libxml-2.5.8-1.3.0 >= libxml-2.5.8-1.3.1 Affected Releases: Dependent Packages: OpenPKG CURRENT apache::with_mod_php_dom perl-xml::with_libxml php::with_dom php5::with_xml php5::with_dom cadaver dia kde-libs libgdome libglade libwmf libxslt neon pan ripe-dbase roadrunner scli scrollkeeper sitecopy subversion wv xmlsec xmlstarlet xmlto xmms OpenPKG 1.3 apache::with_mod_php_dom perl-xml::with_libxml php::with_dom libgdome libwmf libxslt neon sitecopy xmlsec Description: A flaw in the HTTP and FTP client sub-library of libxml2 [0] found by Yuuichi Teranishi can be exploited to cause a buffer overflow if passed a very long URL [1]. This could be used by an attacker to execute arbitrary code on the host computer. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2004-0110 [2] to the problem. Please check whether you are affected by running "/bin/rpm -q libxml". If you have the "libxml" package installed and its version is affected (see above), we recommend that you immediately upgrade it (see solution) and any dependent packages (see above). [3][4] Solution: Select the updated source RPM appropriate for your OpenPKG release [5], fetch it from the OpenPKG FTP service [6] or a mirror location, verify its integrity [7], build a corresponding binary RPM from it [3] and update your OpenPKG installation by applying the binary RPM [4]. For the affected release OpenPKG 1.3, perform the following operations to permanently fix the security problem (for other releases adjust accordingly). $ ftp ftp.openpkg.org ftp> bin ftp> cd release/1.3/UPD ftp> get libxml-2.5.8-1.3.1.src.rpm ftp> bye $ /bin/rpm -v --checksig libxml-2.5.8-1.3.1.src.rpm $ /bin/rpm --rebuild libxml-2.5.8-1.3.1.src.rpm $ su - # /bin/rpm -Fvh /RPM/PKG/libxml-2.5.8-1.3.1.*.rpm Additionally, we recommend that you rebuild and reinstall all dependent packages (see above), if any, too. [3][4] ________________________________________________________________________ References: [0] http://xmlsoft.org/ [1] http://xmlsoft.org/news.html [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0110 [3] http://www.openpkg.org/tutorial.html#regular-source [4] http://www.openpkg.org/tutorial.html#regular-binary [5] ftp://ftp.openpkg.org/release/1.3/UPD/libxml-2.5.8-1.3.1.src.rpm [6] ftp://ftp.openpkg.org/release/1.3/UPD/ [7] http://www.openpkg.org/security.html#signature ________________________________________________________________________ For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG " (ID 63C4CB9F) of the OpenPKG project which you can retrieve from http://pgp.openpkg.org and hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/ for details on how to verify the integrity of this advisory. ________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG iD8DBQFASLo3gHWT4GPEy58RAr+bAKDII0jb/BQ94576qHt2KDt7akiqEwCg2aUT IuYPKcQCRD4xwJbjDNj9QHs= =zN3S -----END PGP SIGNATURE-----