
Security Advisory libxml security update

Advisory: RHSA-2004:650-09
Type: Security Advisory
Severity: Moderate
Issued on: 2004-12-16
Last updated on: 2005-05-26
Affected Products: Red Hat Desktop (v. 3)
Red Hat Enterprise Linux AS (v. 2.1)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 2.1)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 2.1)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
CVEs (cve.mitre.org): CVE-2004-0110
CVE-2004-0989

Details

An updated libxml package that fixes multiple buffer overflows is now
available.

[Updated 24 May 2005]
Multilib packages have been added to this advisory.

The libxml package contains a library for manipulating XML files.

Multiple buffer overflow bugs have been found in libxml versions prior to
2.6.14. If an attacker can trick a user into passing a specially crafted
FTP URL or FTP proxy URL to an application that uses the vulnerable
functions of libxml, it could be possible to execute arbitrary code.
Additionally, if an attacker can return a specially crafted DNS request to
libxml, it could be possible to execute arbitrary code. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0989 to this issue.

Yuuichi Teranishi discovered a flaw in libxml versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0110
to this issue.

All users are advised to upgrade to this updated package, which contains
backported patches and is not vulnerable to these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/
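
To confirm after the update that a host carries the fixed build, the following added example (not part of the original advisory or of Red Hat's tooling) compares an installed libxml version-release with the builds listed under "Updated packages" on this page. The function names are hypothetical, and the comparison is a simplified numeric stand-in for rpm's own version ordering.

```shell
#!/bin/sh
# Added example, not Red Hat tooling. On a real host the installed build is:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' libxml

# Fixed version-release per product line, from "Updated packages" on this page.
fixed_build() {
    case "$1" in
        2.1) echo "1.8.14-3" ;;
        3)   echo "1.8.17-9.2" ;;
        *)   return 1 ;;
    esac
}

# cmp_dotted A B: print -1, 0 or 1 for dotted numeric strings.
# Missing trailing fields count as 0, so "9" sorts below "9.2".
cmp_dotted() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# is_patched PRODUCT BUILD: 0 = at or above the fixed build, 1 = older,
# 2 = unknown product or a build string this simplified compare cannot judge
# (assumption: purely numeric VERSION-RELEASE, true for the builds listed here).
is_patched() {
    fixed=$(fixed_build "$1") || return 2
    case "$2" in
        *-*-*|*[!0-9.-]*) return 2 ;;
        *-*) ;;
        *) return 2 ;;
    esac
    c=$(cmp_dotted "${2%%-*}" "${fixed%%-*}")
    [ "$c" = 0 ] && c=$(cmp_dotted "${2#*-}" "${fixed#*-}")
    [ "$c" != -1 ]
}

# Constructed sample inventory: "product installed-build".
for entry in "3 1.8.17-9" "3 1.8.17-9.2" "2.1 1.8.14-1.2" "2.1 1.8.14-3"; do
    set -- $entry
    if is_patched "$1" "$2"; then s="has fix"; else s="needs update"; fi
    echo "RHEL $1 libxml-$2: $s"
done
```

For a package downloaded manually rather than through up2date, `rpm --checksig` on the file checks the GPG signature mentioned at the end of this advisory before installation.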

Updated packages

Red Hat Desktop (v. 3)

IA-32:
libxml-1.8.17-9.2.i386.rpm
File outdated by:  RHSA-2009:1206
    MD5: 1fa0e7d164a4d3d5432732060c67f985
libxml-devel-1.8.17-9.2.i386.rpm
File outdated by:  RHSA-2009:1206
    MD5: 6747de74e075db51e9a40c02ea0905fa
 
x86_64:
libxml-1.8.17-9.2.i386.rpm
File outdated by:  RHSA-2009:1206
    MD5: 1fa0e7d164a4d3d5432732060c67f985
libxml-1.8.17-9.2.x86_64.rpm
File outdated by:  RHSA-2009:1206
    MD5: 140e93f6366ba860a6301629bfe71c08
libxml-devel-1.8.17-9.2.x86_64.rpm
File outdated by:  RHSA-2009:1206
    MD5: c3e4b6e36068b0a2ecfbe75491f2b967
 
Red Hat Enterprise Linux AS (v. 2.1)

IA-32:
ftp://updates.redhat.com/rhn/repository/NULL/libxml/1.8.14-3/i386/libxml-1.8.14-3.i386.rpm
Missing file
    MD5: e2ee01c57caf52c62b1ac9a229fc58f0
ftp://updates.redhat.com/rhn/repository/NULL/libxml-devel/1.8.14-3/i386/libxml-devel-1.8.14-3.i386.rpm
Missing file
    MD5: fd04239db40f4c2d9de4cf76791c409e
 
IA-64:
ftp://updates.redhat.com/rhn/repository/NULL/libxml/1.8.14-3/ia64/libxml-1.8.14-3.ia64.rpm
Missing file
    MD5: 907f1c8f10e96b6c785d4cb5b7f7c399
ftp://updates.redhat.com/rhn/repository/NULL/libxml-devel/1.8.14-3/ia64/libxml-devel-1.8.14-3.ia64.rpm
Missing file
    MD5: a9ca532078e6b35f2d01584453a3a6fe
 
Red Hat Enterprise Linux AS (v. 3)

IA-32:
libxml-1.8.17-9.2.i386.rpm
File outdated by:  RHSA-2009:1206
    MD5: 1fa0e7d164a4d3d5432732060c67f985
libxml-devel-1.8.17-9.2.i386.rpm
File outdated by:  RHSA-2009:1206
    MD5: 6747de74e075db51e9a40c02ea0905fa
 
IA-64:
libxml-1.8.17-9.2.i386.rpm
File outdated by:  RHSA-2009:1206
    MD5: 1fa0e7d164a4d3d5432732060c67f985
libxml-1.8.17-9.2.ia64.rpm
File outdated by:  RHSA-2009:1206
    MD5: 6e7730063c22539fb40658cc763a2bd3
libxml-devel-1.8.17-9.2.ia64.rpm
File outdated by:  RHSA-2009:1206
    MD5: 594c3955d725c7aad2c3ad89194d0f4b
 
PPC:
libxml-1.8.17-9.2.ppc.rpm
File outdated by:  RHSA-2009:1206
    MD5: e04cb28f14a0381a7d92aa9b57b3b43a
libxml-1.8.17-9.2.ppc64.rpm
File outdated by:  RHSA-2009:1206
    MD5: f6b5d2c9dee68c6d2a63cc8f4d02648b
libxml-devel-1.8.17-9.2.ppc.rpm
File outdated by:  RHSA-2009:1206
    MD5: b52b8e7f667842bbcb319e0c5cb9132e
 
s390:
libxml-1.8.17-9.2.s390.rpm
File outdated by:  RHSA-2009:1206
    MD5: f8cb54901760145e5123832d27bf7334
libxml-devel-1.8.17-9.2.s390.rpm
File outdated by:  RHSA-2009:1206
    MD5: 88ace5024d54b0f7a104bb6310974fd6
 
s390x:
libxml-1.8.17-9.2.s390.rpm
File outdated by:  RHSA-2009:1206
    MD5: f8cb54901760145e5123832d27bf7334
libxml-1.8.17-9.2.s390x.rpm
File outdated by:  RHSA-2009:1206
    MD5: 7d268017ddac87e213b1b9e0d22be27b
libxml-devel-1.8.17-9.2.s390x.rpm
File outdated by:  RHSA-2009:1206
    MD5: eda80205b0afd05ca6aafce032a1072f
 
x86_64:
libxml-1.8.17-9.2.i386.rpm
File outdated by:  RHSA-2009:1206
    MD5: 1fa0e7d164a4d3d5432732060c67f985
libxml-1.8.17-9.2.x86_64.rpm
File outdated by:  RHSA-2009:1206
    MD5: 140e93f6366ba860a6301629bfe71c08
libxml-devel-1.8.17-9.2.x86_64.rpm
File outdated by:  RHSA-2009:1206
    MD5: c3e4b6e36068b0a2ecfbe75491f2b967
 
Red Hat Enterprise Linux ES (v. 2.1)

IA-32:
ftp://updates.redhat.com/rhn/repository/NULL/libxml/1.8.14-3/i386/libxml-1.8.14-3.i386.rpm
Missing file
    MD5: e2ee01c57caf52c62b1ac9a229fc58f0
ftp://updates.redhat.com/rhn/repository/NULL/libxml-devel/1.8.14-3/i386/libxml-devel-1.8.14-3.i386.rpm
Missing file
    MD5: fd04239db40f4c2d9de4cf76791c409e
 
Red Hat Enterprise Linux ES (v. 3)

IA-32:
libxml-1.8.17-9.2.i386.rpm
File outdated by:  RHSA-2009:1206
    MD5: 1fa0e7d164a4d3d5432732060c67f985
libxml-devel-1.8.17-9.2.i386.rpm
File outdated by:  RHSA-2009:1206
    MD5: 6747de74e075db51e9a40c02ea0905fa
 
IA-64:
libxml-1.8.17-9.2.i386.rpm
File outdated by:  RHSA-2009:1206
    MD5: 1fa0e7d164a4d3d5432732060c67f985
libxml-1.8.17-9.2.ia64.rpm
File outdated by:  RHSA-2009:1206
    MD5: 6e7730063c22539fb40658cc763a2bd3
libxml-devel-1.8.17-9.2.ia64.rpm
File outdated by:  RHSA-2009:1206
    MD5: 594c3955d725c7aad2c3ad89194d0f4b
 
x86_64:
libxml-1.8.17-9.2.i386.rpm
File outdated by:  RHSA-2009:1206
    MD5: 1fa0e7d164a4d3d5432732060c67f985
libxml-1.8.17-9.2.x86_64.rpm
File outdated by:  RHSA-2009:1206
    MD5: 140e93f6366ba860a6301629bfe71c08
libxml-devel-1.8.17-9.2.x86_64.rpm
File outdated by:  RHSA-2009:1206
    MD5: c3e4b6e36068b0a2ecfbe75491f2b967
 
Red Hat Enterprise Linux WS (v. 2.1)

IA-32:
ftp://updates.redhat.com/rhn/repository/NULL/libxml/1.8.14-3/i386/libxml-1.8.14-3.i386.rpm
Missing file
    MD5: e2ee01c57caf52c62b1ac9a229fc58f0
ftp://updates.redhat.com/rhn/repository/NULL/libxml-devel/1.8.14-3/i386/libxml-devel-1.8.14-3.i386.rpm
Missing file
    MD5: fd04239db40f4c2d9de4cf76791c409e
 
Red Hat Enterprise Linux WS (v. 3)

IA-32:
libxml-1.8.17-9.2.i386.rpm
File outdated by:  RHSA-2009:1206
    MD5: 1fa0e7d164a4d3d5432732060c67f985
libxml-devel-1.8.17-9.2.i386.rpm
File outdated by:  RHSA-2009:1206
    MD5: 6747de74e075db51e9a40c02ea0905fa
 
IA-64:
libxml-1.8.17-9.2.i386.rpm
File outdated by:  RHSA-2009:1206
    MD5: 1fa0e7d164a4d3d5432732060c67f985
libxml-1.8.17-9.2.ia64.rpm
File outdated by:  RHSA-2009:1206
    MD5: 6e7730063c22539fb40658cc763a2bd3
libxml-devel-1.8.17-9.2.ia64.rpm
File outdated by:  RHSA-2009:1206
    MD5: 594c3955d725c7aad2c3ad89194d0f4b
 
x86_64:
libxml-1.8.17-9.2.i386.rpm
File outdated by:  RHSA-2009:1206
    MD5: 1fa0e7d164a4d3d5432732060c67f985
libxml-1.8.17-9.2.x86_64.rpm
File outdated by:  RHSA-2009:1206
    MD5: 140e93f6366ba860a6301629bfe71c08
libxml-devel-1.8.17-9.2.x86_64.rpm
File outdated by:  RHSA-2009:1206
    MD5: c3e4b6e36068b0a2ecfbe75491f2b967
 
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

IA-64:
ftp://updates.redhat.com/rhn/repository/NULL/libxml/1.8.14-3/ia64/libxml-1.8.14-3.ia64.rpm
Missing file
    MD5: 907f1c8f10e96b6c785d4cb5b7f7c399
ftp://updates.redhat.com/rhn/repository/NULL/libxml-devel/1.8.14-3/ia64/libxml-devel-1.8.14-3.ia64.rpm
Missing file
    MD5: a9ca532078e6b35f2d01584453a3a6fe
 

Bugs fixed (see bugzilla for more information)

139090 - CAN-2004-0110 multiple buffer overflows (CAN-2004-0989)



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/