OpenPKG Alert: OpenPKG Security Advisory (libxml)

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory The OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org [e-mail:openpkg-security@openpkg.org] [e-mail:openpkg@openpkg.org] OpenPKG-SA-2004.003 05-Mar-2004 ________________________________________________________________________

Package: libxml Vulnerability: arbitrary code execution OpenPKG Specific: no

Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT <= libxml-2.6.5-20040126 >= libxml-2.6.6-20040212 OpenPKG 2.0 none N.A. OpenPKG 1.3 <= libxml-2.5.8-1.3.0 >= libxml-2.5.8-1.3.1

Affected Releases: Dependent Packages: OpenPKG CURRENT apache::with_mod_php_dom perl-xml::with_libxml php::with_dom php5::with_xml php5::with_dom cadaver dia kde-libs libgdome libglade libwmf libxslt neon pan ripe-dbase roadrunner scli scrollkeeper sitecopy subversion wv xmlsec xmlstarlet xmlto xmms OpenPKG 1.3 apache::with_mod_php_dom perl-xml::with_libxml php::with_dom libgdome libwmf libxslt neon sitecopy xmlsec

Description: A flaw in the HTTP and FTP client sub-library of libxml2 [0] found by Yuuichi Teranishi can be exploited to cause a buffer overflow if passed a very long URL [1]. This could be used by an attacker to execute arbitrary code on the host computer. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2004-0110 [2] to the problem.

Please check whether you are affected by running "/bin/rpm -q libxml". If you have the "libxml" package installed and its version is affected (see above), we recommend that you immediately upgrade it (see solution) and any dependent packages (see above). [3][4]

Solution: Select the updated source RPM appropriate for your OpenPKG release [5], fetch it from the OpenPKG FTP service [6] or a mirror location, verify its integrity [7], build a corresponding binary RPM from it [3] and update your OpenPKG installation by applying the binary RPM [4]. For the affected release OpenPKG 1.3, perform the following operations to permanently fix the security problem (for other releases adjust accordingly).

$ ftp http://ftp.openpkg.org ftp> bin ftp> cd release/1.3/UPD ftp> get libxml-2.5.8-1.3.1.src.rpm ftp> bye $ /bin/rpm -v --checksig libxml-2.5.8-1.3.1.src.rpm $ /bin/rpm --rebuild libxml-2.5.8-1.3.1.src.rpm $ su - # /bin/rpm -Fvh /RPM/PKG/libxml-2.5.8-1.3.1.*.rpm

Additionally, we recommend that you rebuild and reinstall all dependent packages (see above), if any, too. [3][4] ________________________________________________________________________

References: [0] http://xmlsoft.org/ [1] http://xmlsoft.org/news.html [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0110 [3] http://www.openpkg.org/tutorial.html#regular-source [4] http://www.openpkg.org/tutorial.html#regular-binary [5] ftp://ftp.openpkg.org/release/1.3/UPD/libxml-2.5.8-1.3.1.src.rpm [6] ftp://ftp.openpkg.org/release/1.3/UPD/ [7] http://www.openpkg.org/security.html#signature ________________________________________________________________________

For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG " (ID 63C4CB9F) of the OpenPKG project which you can retrieve from http://pgp.openpkg.org and hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/ for details on how to verify the integrity of this advisory. ________________________________________________________________________

-----BEGIN PGP SIGNATURE----- Comment: OpenPKG

iD8DBQFASLo3gHWT4GPEy58RAr+bAKDII0jb/BQ94576qHt2KDt7akiqEwCg2aUT IuYPKcQCRD4xwJbjDNj9QHs= =zN3S -----END PGP SIGNATURE----- ______________________________________________________________________ The OpenPKG Project http://www.openpkg.org Project Announcement List [e-mail:openpkg-announce@openpkg.org]