[USN-10-1] XML library vulnerabilities

Martin Pitt martin.pitt at canonical.com
Fri Oct 29 14:52:49 CDT 2004


===========================================================
Ubuntu Security Notice USN-10-1            October 28, 2004
XML library vulnerabilities
CAN-2004-0981
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

libxml2

The problem can be corrected by upgrading the affected package to
version 2.6.11-3ubuntu1.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Several buffer overflows have been discovered in libxml2's FTP connection
and DNS resolution functions. Supplying very long FTP URLs or IP
addresses might result in execution of arbitrary code with the
privileges of the process using libxml2.

Since libxml2 is used in packages like php4-imagick, the vulnerability
also might lead to privilege escalation, like executing attacker
supplied code with a web server's privileges.

However, this does not affect the core XML parsing code, which is what
the majority of programs use this library for.

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.11-3ubuntu1.1.diff.gz
      Size/MD5:    81651 eae051ac1100f886cbd8283edf8e5607
    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.11-3ubuntu1.1.dsc
      Size/MD5:      789 918f6210e51f5bc9832ae6c0a1b9b01c
    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.11.orig.tar.gz
      Size/MD5:  3693599 c391173a26ec7c2ac702b54d06420fdb

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-doc_2.6.11-3ubuntu1.1_all.deb
      Size/MD5:   982544 841f55ccc2187805a18e58f13c38a326

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.6.11-3ubuntu1.1_amd64.deb
      Size/MD5:  1329748 de1f602df0902fdbe933a9642b8a8c69
    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-python2.3_2.6.11-3ubuntu1.1_amd64.deb
      Size/MD5:   489060 f1e515cb1c197e5e560940e235a6a25b
    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.6.11-3ubuntu1.1_amd64.deb
      Size/MD5:   257016 62c9834d6c4f9f24bc5d8fe95c06a6d3
    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.11-3ubuntu1.1_amd64.deb
      Size/MD5:   672770 7723dbd0c5766dd5ac665b8a136ae424

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.6.11-3ubuntu1.1_i386.deb
      Size/MD5:  1255242 825d79ae6985fb4b802647f092e9b054
    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-python2.3_2.6.11-3ubuntu1.1_i386.deb
      Size/MD5:   458560 8b1dd60cfadcf398d738747f4c0bc2c7
    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.6.11-3ubuntu1.1_i386.deb
      Size/MD5:   254420 e98777bd621906359d84d186102ad91b
    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.11-3ubuntu1.1_i386.deb
      Size/MD5:   629992 f5cfca49f3212efaaf58d226ad4bc688

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.6.11-3ubuntu1.1_powerpc.deb
      Size/MD5:  1416378 ec8500e62980b717e0acfe72a0898770
    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-python2.3_2.6.11-3ubuntu1.1_powerpc.deb
      Size/MD5:   484820 ae0eb37b289128fb64ccf69120437424
    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.6.11-3ubuntu1.1_powerpc.deb
      Size/MD5:   258252 c605662898a320d67bca0fe082a64110
    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.11-3ubuntu1.1_powerpc.deb
      Size/MD5:   675066 5f9ce27c76c23031b25239b3d3607d71

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20041029/818bba9d/attachment.pgp


More information about the ubuntu-security-announce mailing list