Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <4A955179.8050808@ficora.fi>
Date: Wed, 26 Aug 2009 18:15:05 +0300
From: CERT-FI Vulnerability Coordination <vulncoord@...ora.fi>
To: oss-security@...ts.openwall.com
CC: Robert Buchholz <rbu@...too.org>
Subject: Re: expat bug 1990430

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> we have learned that expat fixed a crash issue in June 2008, but never 
> released an update. The bug was apparantly intended to be kept private, 
> but the bug changes were mailed to a public mailing list and Python 
> developrs menitoned the bug fix in their public svn (including NEWS 
> file, and reproducers):
> 
> http://mail.python.org/pipermail/expat-bugs/2009-January/002781.html
> http://sourceforge.net/tracker/index.php?func=detail&aid=1990430&group_id=10127&atid=110127
> http://svn.python.org/view?view=rev&revision=74429
> https://bugs.gentoo.org/show_bug.cgi?id=280615
> 
> While the expat bug was reported by Peter Valchev of Google, Python 
> credits Ivan Krstić of Apple with the patch (submission).
> It might also be related to CVE-2009-2625 / FICORA #245608:
> https://www.cert.fi/en/reports/2009/vulnerability2009085.html
> 
> As CERT-FI never released any details or test cases, I have no idea if 
> we need a new CVE of if those two issues are the same.

Sorry for the delay.

A new CVE is not needed. These two issues (the one which was fixed in
expat CVS in June 2008 and the one with the internal copy of expat in
Python) are essentially the same. The issue seems to be first found by
Peter Valchev in June 2008. As Robert mentioned, the issue has been
fixed in expat's CVS in June 2008 but an updated release was not made
for some reason. The issue was also present in the expat bundled with
Python and it was reported to us independent from the original issue
(even though the reason of the crash is the same). CERT-FI reported the
issue to Python in July 2009. Soon after that the issue was reported to
expat maintainers too since initially we did not know that the issue was
already fixed in expat's CVS. Python's patch has been incorporated into
Python 3.1.1 but there is probably more software with an affected
internal copy of expat out there.

Sauli Pahlman
CERT-FI
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqVUW0ACgkQ/64aC2E+yK+b8wCfcJQLpE3f1ccVgg13vzao8IqO
Y+0AoMuuooNdFLiKKi10fVQQCDY0BDOK
=7kag
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.