FreeBSD Bugzilla – Attachment 177034 Details for Bug 214532: security/vuxml: Document www/libwww vulnerability
vuxml-libwww_v02.patch (text/plain), 2.61 KB, created by Danilo G. Baio on 2016-11-15 20:38:52 UTC
Description: vuxml-libwww_v02.patch
Flags: patch, obsolete
>Index: vuln.xml >=================================================================== >--- vuln.xml (revision 426176) >+++ vuln.xml (working copy) 
>@@ -58,6 +58,53 @@ > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> >+ <vuln vid="18449f92-ab39-11e6-8011-005056925db4"> >+ <topic>libwww -- multiple vulnerabilities</topic> >+ <affects> >+ <package> >+ <name>libwww</name> >+ <range><lt>5.4.0_6</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>Mitre reports:</p> >+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3183"> >+ <p>The HTBoundary_put_block function in HTBound.c for W3C libwww (w3c-libwww) >+ allows remote servers to cause a denial of service (segmentation fault) via a >+ crafted multipart/byteranges MIME message that triggers an out-of-bounds read.</p> >+ </blockquote> >+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560"> >+ <p>The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used >+ in the XML-Twig module for Perl, allows context-dependent attackers to cause a >+ denial of service (application crash) via an XML document with malformed UTF-8 >+ sequences that trigger a buffer over-read, related to the doProlog function in >+ lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.</p> >+ </blockquote> >+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720"> >+ <p>The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, >+ as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent >+ attackers to cause a denial of service (application crash) via an XML document with >+ crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability >+ than CVE-2009-2625.</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3183</url> >+ <url>https://bugzilla.redhat.com/show_bug.cgi?id=170518</url> >+ 
<url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560</url> >+ <url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720</url> >+ <cvename>CVE-2005-3183</cvename> >+ <cvename>CVE-2009-3560</cvename> >+ <cvename>CVE-2009-3720</cvename> >+ </references> >+ <dates> >+ <discovery>2005-10-12</discovery> >+ <entry>2016-11-15</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="a8e9d834-a916-11e6-b9b4-bcaec524bf84"> > <topic>lives -- insecure files permissions</topic> > <affects>
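Review bot: The description never says why two libexpat CVEs are listed against the libwww package, and the quoted text for CVE-2009-3560 names only the Perl XML-Twig module, so a reader of the advisory cannot tell from the entry that libwww is affected; only the CVE-2009-3720 quote mentions w3c-libwww ("as used in Python, PyXML, w3c-libwww, and other software"). Add a short sentence before the blockquotes, along the lines of "libwww bundles its own copy of libexpat, so the following expat issues apply to it", or give a libwww-specific reference for CVE-2009-3560 alongside the Red Hat bug already cited for CVE-2005-3183. Minor: the three <url> entries pointing at cve.mitre.org repeat the three <cvename> elements, which vuxml already renders as links to the same pages, so they can be dropped, leaving https://bugzilla.redhat.com/show_bug.cgi?id=170518 as the only <url>.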
Attachments on bug 214532: 177022 | 177034