[xml] Security flaw affecting all previous libxml2 releases

From: Daniel Veillard <veillard redhat com>

To: xml gnome org

Subject: [xml] Security flaw affecting all previous libxml2 releases

Date: Fri, 11 Jan 2008 07:05:01 -0500

Unfortunately, a security flaw was found (originally by Brad Fitzpatrick from Google) affecting all previous releases of libxml2 when parsing XML. Two specially crafted broken UTF-8 sequences, when occurring at the wrong place, lead the parser to go into an infinite loop. Very annoying, as this leads to a relatively easy Denial of Service attack; the good part being that this is very unlikely to happen just by error, and to protect the community we won't release the way to reproduce this.

But all users are strongly invited to upgrade their libxml2 versions to 2.6.31 [1], or apply the patch [2] (or a derivative for the 2.5 or 2.4 branches) to their version. Most OS vendors shipping libxml2 should have updates by now or very soon; if needed, check your update stream. It is referenced as CVE-2007-6284.

Sorry for the inconvenience,

Daniel

[1] ftp://xmlsoft.org/libxml/libxml2-2.6.31.tar.gz
[2] http://veillard.com/libxml2.patch

--
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard | virtualization library http://libvirt.org/
veillard redhat com | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/