[USN-89-1] XML library vulnerabilities

Martin Pitt martin.pitt at canonical.com
Mon Feb 28 08:33:19 CST 2005


===========================================================
Ubuntu Security Notice USN-89-1		  February 28, 2005
libxml vulnerabilities
CAN-2004-0989
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

libxml1

The problem can be corrected by upgrading the affected package to
version 1:1.8.17-8ubuntu0.1.  In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Several buffer overflows have been discovered in libxml's FTP
connection and DNS resolution functions. Supplying very long FTP URLs
or IP addresses might result in execution of arbitrary code with the
privileges of the process using libxml.

This does not affect the core XML parsing code, which is what the
majority of programs use this library for.

Note: The same vulnerability was already fixed for libxml2 in
USN-10-1.

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml/libxml_1.8.17-8ubuntu0.1.diff.gz
      Size/MD5:   361144 49c17811be2abc30c48984e0f46454fb
    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml/libxml_1.8.17-8ubuntu0.1.dsc
      Size/MD5:      756 5d9e3b59a2d624d52af231926a84fb1d
    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml/libxml_1.8.17.orig.tar.gz
      Size/MD5:  1016403 b8f01e43e1e03dec37dfd6b4507a9568

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml/libxml-dev_1.8.17-8ubuntu0.1_amd64.deb
      Size/MD5:   385860 672acd61cde9389539ea2e8d68a1d2db
    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml/libxml1_1.8.17-8ubuntu0.1_amd64.deb
      Size/MD5:   225922 e1f0cdc93c32b6bd256070dc45d5e2a7

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml/libxml-dev_1.8.17-8ubuntu0.1_i386.deb
      Size/MD5:   361434 41037748a8cb40a6bd26b0d0d5ee3387
    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml/libxml1_1.8.17-8ubuntu0.1_i386.deb
      Size/MD5:   212158 7f149fcc590aa2162810fdae5a47cd29

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml/libxml-dev_1.8.17-8ubuntu0.1_powerpc.deb
      Size/MD5:   392636 b445671f31603b7e12b8c47fd7ea6697
    http://security.ubuntu.com/ubuntu/pool/main/libx/libxml/libxml1_1.8.17-8ubuntu0.1_powerpc.deb
      Size/MD5:   220004 e3cd12326fae6972a44ac59a8af97697
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20050228/4e99898a/attachment.pgp


More information about the ubuntu-security-announce mailing list