Hash collision vulnerability in xml-light

Bug #1186860 reported by Christian Kuersteiner
This bug affects 1 person
Affects              Status         Importance   Assigned to   Milestone
xml-light (Ubuntu)   Fix Released   Undecided    Unassigned
Lucid                Fix Released   Undecided    Unassigned
Precise              Fix Released   Undecided    Unassigned

Bug Description

OCaml Xml-Light Library before r234 computes hash values without
restricting the ability to trigger hash collisions predictably, which
allows context-dependent attackers to cause a denial of service (CPU
consumption) via unspecified vectors.

Note:
Quantal, Raring and Saucy are already fixed.

information type: Private Security → Public Security
Christian Kuersteiner (ckuerste) wrote :

Precise patch

Christian Kuersteiner (ckuerste) wrote :

Lucid patch. I'm not sure if the versioning is right, since now precise and lucid have the same version?

Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiffs.

For precise, use 2.2-12ubuntu0.12.04.1, and for lucid, use 2.2-12ubuntu0.10.04.1.

Please describe the testing you performed to ensure xml-light still worked after applying the patch.

Christian Kuersteiner (ckuerste) wrote :

Precise debdiff with right version.

Christian Kuersteiner (ckuerste) wrote :

Lucid debdiff with right version.

Tests done on both debdiffs:
Builds with pbuilder.
Can install and upgrade cleanly.
Parses simple xml files (tests done with included test.ml)

Changed in xml-light (Ubuntu):
status: New → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Looks good, ACK.
Thanks for the debdiffs, they will be published today.

Changed in xml-light (Ubuntu Lucid):
status: New → Fix Committed
Changed in xml-light (Ubuntu Precise):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xml-light - 2.2-12ubuntu0.10.04.1

---------------
xml-light (2.2-12ubuntu0.10.04.1) lucid-security; urgency=low

  * SECURITY-UPDATE: Fix to prevent hash collision attack (LP: #1186860)
    - debian/patches/05_CVE_2012_3514.dpatch: dtd.ml: Use Map(String) instead
      of Hash for DTD proof. Based on upstream patch.
    - CVE-2012-3514
 -- Christian Kuersteiner <email address hidden> Wed, 05 Jun 2013 13:53:52 +0700

Changed in xml-light (Ubuntu Lucid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xml-light - 2.2-12ubuntu0.12.04.1

---------------
xml-light (2.2-12ubuntu0.12.04.1) precise-security; urgency=low

  * SECURITY-UPDATE: Fix to prevent hash collision attack (LP: #1186860)
    - debian/patches/05_CVE_2012_3514.dpatch: dtd.ml: Use Map(String) instead
      of Hash for DTD proof. Based on upstream patch.
    - CVE-2012-3514
 -- Christian Kuersteiner <email address hidden> Wed, 05 Jun 2013 13:38:23 +0700

Changed in xml-light (Ubuntu Precise):
status: Fix Committed → Fix Released
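
The bug description and the changelog entries above name the problem (predictable hash collisions causing CPU consumption) and the fix (a Map(String) in place of a hash table in dtd.ml). The following is an added example, not code from xml-light or from the patch: it counts key comparisons when every key collides in a hash table versus when the same keys go into an ordered map. The module names, the key strings, the sizes and the constant hash function are all constructed for illustration.

```ocaml
(* Added example, not xml-light code. Compares the work done to store n keys
   in a hash table where all keys collide with the work done by an ordered map. *)

let comparisons = ref 0

(* Hash table with a deliberately degenerate hash: every key lands in the same
   bucket. Constructed stand-in for the effect of colliding keys under a
   predictable hash function. *)
module Colliding = Hashtbl.Make (struct
  type t = string
  let equal a b = incr comparisons; String.equal a b
  let hash (_ : string) = 0
end)

(* Balanced-tree map keyed by strings: cost depends only on key ordering, so
   there is no hash function for an input to target. *)
module SMap = Map.Make (struct
  type t = string
  let compare a b = incr comparisons; String.compare a b
end)

(* Constructed sample keys. *)
let keys n = List.init n (fun i -> Printf.sprintf "entity%06d" i)

(* Insert every key with replace semantics; return the comparisons used.
   Each insert walks the whole shared bucket, so the total grows as n^2. *)
let cost_hashtbl n =
  comparisons := 0;
  let tbl = Colliding.create 16 in
  List.iter (fun k -> Colliding.replace tbl k ()) (keys n);
  !comparisons

(* Same keys into the map; the total grows as n log n. *)
let cost_map n =
  comparisons := 0;
  ignore (List.fold_left (fun m k -> SMap.add k () m) SMap.empty (keys n));
  !comparisons

let () =
  List.iter
    (fun n ->
      Printf.printf "n=%5d  colliding Hashtbl: %9d   Map: %7d\n"
        n (cost_hashtbl n) (cost_map n))
    [ 500; 1000; 2000; 4000 ]
```

Doubling n roughly quadruples the hash-table count while the map count only slightly more than doubles, which is the difference between the vulnerable and the fixed data structure under worst-case input.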