TUCoPS :: Linux :: Apps A-M :: hack0137.htm

libxml2 buffer overflow LNSA-#2004-0004
LNSA-#2004-0004: libxml2 buffer overflow 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

************************************************************************************
Netwosix Linux Security Advisory #2004-0004  
- -----------------------------------------------------------------------------------

Package name:      libxml2
Summary:              Buffer overflow in the nanohttp or nanoftp  modules in 
XMLSoft Libxml2 2.6.0
Date:                    2004-03-04
Affected versions:  Netwosix 1.0
************************************************************************************

- -> Package description:
- ------------------------
Libxml2 is the XML C parser and toolkit developed for the Gnome project.

- -> Problem description:
- ------------------------
 A flaw in libxml2 versions prior to 2.6.6 was found by Yuuichi
 Teranishi.  When fetching a remote source via FTP or HTTP, libxml2
 uses special parsing routines that can overflow a buffer if passed a
 very long URL.  In the event that the attacker can find a program that
 uses libxml2 which parses remote resources and allows them to
 influence the URL, this flaw could be used to execute arbitrary code.

- -> Action:
- ------------------------
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.

- -> Location:
- ---------------------

  You can download the latest version of this package in NEPOTE format from:
   

- -> Nepote Update (Nepote has been updated with new ports on 25 February 2004. 
Update your portage tree from http://nepote.netwosix.org, first): 
- ---------------------

See this instructions to update the port of this package:

        # cd /usr/ports/lib/libxml
        # rm nepote
        # wget http://download.netwosix.org/0004/nepote 
        # sh nepote (to install the new and updated package)

- -> References
- ---------------------

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110 

- -> About Linux Netwosix:
- ---------------------------------
Linux Netwosix is a powerful and optimized Linux distribution for servers
and Network Security related jobs.  It can also be used for special operations
such as penetration testing with its big collection of security oriented
software and sources. It's a light distribution created for the requirements
of every SysAdmin and it's very portable and highly configurable. Our
philosophy is to give greater liberty for  configuration to the SysAdmin.
Only in this way can he/she configure a powerful and stable server machine.
Linux Netwosix also has a powerful ports system (Nepote) similar to the xBSD
systems but more flexible and usable.


- -> Questions?
- ---------------------
  Check out our mailing lists:
   


  The advisory itself is available at
   
- --------------------------------------------------

MD5sums of the packages:
- - --------------------------------------------------------------------------
60cb43bdcc312a611178df10c52a19c6  0004/nepote
- - --------------------------------------------------------------------------

Vincenzo Ciaglia - Linux Netwosix Security Advisories
 -  
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAR6JP6jz9pGuz4koRAvzeAJ98LXBB30rNXDdkoTjW20FLCVuDmwCeOqsh
0JB1uL92Ux7adp2bz+uf/0c=
=ySSs
-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH