LNSA-#2004-0004: libxml2 buffer overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
************************************************************************************
Netwosix Linux Security Advisory #2004-0004 <http://www.netwosix.org>
-
-----------------------------------------------------------------------------------
Package name: libxml2
Summary: Buffer overflow in the nanohttp or nanoftp modules in
XMLSoft Libxml2 2.6.0
Date: 2004-03-04
Affected versions: Netwosix 1.0
************************************************************************************
- -> Package description:
- ------------------------
Libxml2 is the XML C parser and toolkit developed for the Gnome project.
- -> Problem description:
- ------------------------
A flaw in libxml2 versions prior to 2.6.6 was found by Yuuichi
Teranishi. When fetching a remote source via FTP or HTTP, libxml2
uses special parsing routines that can overflow a buffer if passed a
very long URL. In the event that the attacker can find a program that
uses libxml2 which parses remote resources and allows them to
influence the URL, this flaw could be used to execute arbitrary code.
- -> Action:
- ------------------------
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
- -> Location:
- ---------------------
You can download the latest version of this package in NEPOTE format from:
<http://download.netwosix.org/0004/nepote>
- -> Nepote Update (Nepote has been updated with new ports on 25 February 2004.
Update your portage tree from http://nepote.netwosix.org, first):
- ---------------------
See this instructions to update the port of this package:
# cd /usr/ports/lib/libxml
# rm nepote
# wget http://download.netwosix.org/0004/nepote
# sh nepote (to install the new and updated package)
- -> References
- ---------------------
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110
- -> About Linux Netwosix:
- ---------------------------------
Linux Netwosix is a powerful and optimized Linux distribution for servers
and Network Security related jobs. It can also be used for special operations
such as penetration testing with its big collection of security oriented
software and sources. It's a light distribution created for the requirements
of every SysAdmin and it's very portable and highly configurable. Our
philosophy is to give greater liberty for configuration to the SysAdmin.
Only in this way can he/she configure a powerful and stable server machine.
Linux Netwosix also has a powerful ports system (Nepote) similar to the xBSD
systems but more flexible and usable.
- -> Questions?
- ---------------------
Check out our mailing lists:
<http://www.netwosix.org/mailing.html>
The advisory itself is available at
<http://www.netwosix.org/adv04.html>
- --------------------------------------------------
MD5sums of the packages:
- - --------------------------------------------------------------------------
60cb43bdcc312a611178df10c52a19c6 0004/nepote
- - --------------------------------------------------------------------------
Vincenzo Ciaglia - Linux Netwosix Security Advisories
<ciaglia@xxxxxxxxxxxx> - <http://www.netwosix.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAR6JP6jz9pGuz4koRAvzeAJ98LXBB30rNXDdkoTjW20FLCVuDmwCeOqsh
0JB1uL92Ux7adp2bz+uf/0c=
=ySSs
-----END PGP SIGNATURE-----