CVE-2007-6284
First published: Mon Dec 17 2007(Updated: )
Description: There exists a denial of service problem in libxml's UTF-8 decoding functions. The xmlCurrentChar() function does not check UTF-8 correctness and certain multibyte combinations can cause the library to enter an infinite loop and hang, consuming system resources. It is strongly recommended to upgrade if your application accepts arbitrary xml user input. Provided by: The issue was originally discovered at Google by Brad Fitzpatrick and further investigated by Peter Valchev and Will Drewry. Patch and debugging by Daniel Veillard (libxml). Acknowledgements: Red Hat would like to thank the Google Security Team for responsibly disclosing this issue.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mandrakesoft Mandrake Linux Corporate Server | =4.0 | |
| Debian Debian Linux | =3.1 | |
| Debian Debian Linux | =4.0 | |
| Debian Debian Linux | =3.1 | |
| Debian Debian Linux | =3.1 | |
| Debian Debian Linux | =3.1 | |
| Redhat Fedora | =7 | |
| Mandrakesoft Mandrake Linux | =2007 | |
| Redhat Fedora | =8 | |
| Debian Debian Linux | =4.0 | |
| Debian Debian Linux | =3.1 | |
| Debian Debian Linux | =3.1 | |
| Debian Debian Linux | =3.1 | |
| Debian Debian Linux | =4.0 | |
| Mandrakesoft Mandrake Linux | =2007.1 | |
| Debian Debian Linux | =4.0 | |
| Debian Debian Linux | =4.0 | |
| Debian Debian Linux | =3.1 | |
| Debian Debian Linux | =4.0 | |
| Mandrakesoft Mandrake Linux Corporate Server | =3.0 | |
| Debian Debian Linux | =4.0 | |
| Debian Debian Linux | =4.0 | |
| Mandrakesoft Mandrake Linux Corporate Server | =4.0 | |
| Mandrakesoft Mandrake Linux | =2008.0 | |
| Mandrakesoft Mandrake Linux Corporate Server | =3.0 | |
| Debian Debian Linux | =3.1 | |
| Debian Debian Linux | =3.1 | |
| Mandrakesoft Mandrake Linux | =2007 | |
| Debian Debian Linux | =3.1 | |
| Mandrakesoft Mandrake Linux | =2007.1 | |
| Debian Debian Linux | =4.0 | |
| Debian Debian Linux | =4.0 | |
| Debian Debian Linux | =4.0 | |
| Mandrakesoft Mandrake Linux | =2008.0 | |
| Debian Debian Linux | =4.0 | |
| Debian Debian Linux | =3.1 | |
| Debian Debian Linux | =4.0 | |
| Debian Debian Linux | =3.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=425927
- http://www.redhat.com/support/errata/RHSA-2008-0032.html
- http://www.securityfocus.com/bid/27248
- http://secunia.com/advisories/28439
- http://secunia.com/advisories/28444
- http://mail.gnome.org/archives/xml/2008-January/msg00036.html
- http://www.xmlsoft.org/news.html
- https://issues.rpath.com/browse/RPL-2121
- http://www.debian.org/security/2008/dsa-1461
- https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00379.html
- https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00396.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:010
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-103201-1
- http://securitytracker.com/id?1019181
- http://secunia.com/advisories/28452
- http://secunia.com/advisories/28458
- http://secunia.com/advisories/28470
- http://secunia.com/advisories/28466
- http://secunia.com/advisories/28475
- http://secunia.com/advisories/28450
- http://www.novell.com/linux/security/advisories/suse_security_summary_report.html
- http://bugs.gentoo.org/show_bug.cgi?id=202628
- http://security.gentoo.org/glsa/glsa-200801-20.xml
- http://secunia.com/advisories/28636
- http://secunia.com/advisories/28716
- http://support.avaya.com/elmodocs2/security/ASA-2008-047.htm
- http://support.avaya.com/elmodocs2/security/ASA-2008-050.htm
- http://secunia.com/advisories/28740
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-201514-1
- http://lists.vmware.com/pipermail/security-announce/2008/000009.html
- http://secunia.com/advisories/29591
- http://secunia.com/advisories/31074
- http://lists.apple.com/archives/security-announce/2008//Jul/msg00001.html
- http://www.vupen.com/english/advisories/2008/0144
- http://www.vupen.com/english/advisories/2008/0117
- http://www.vupen.com/english/advisories/2008/1033/references
- http://www.vupen.com/english/advisories/2008/2094/references
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5216
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11594
- https://usn.ubuntu.com/569-1/
- http://www.securityfocus.com/archive/1/490306/100/0/threaded
- http://www.securityfocus.com/archive/1/486410/100/0/threaded
- collector/nvd-historical
- collector/nvd-index
- agent/weakness
- agent/author
- agent/type
- agent/event
- agent/first-publish-date
- agent/softwarecombine
- agent/remedy
- agent/tags
- agent/severity
- agent/last-modified-date
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2007-6284
- vendor/mandrakesoft
- canonical/mandrakesoft mandrake linux corporate server
- version/mandrakesoft mandrake linux corporate server/4.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/3.1
- version/debian debian linux/4.0
- vendor/redhat
- canonical/redhat fedora
- version/redhat fedora/7
- canonical/mandrakesoft mandrake linux
- version/mandrakesoft mandrake linux/2007
- version/redhat fedora/8
- version/mandrakesoft mandrake linux/2007.1
- version/mandrakesoft mandrake linux corporate server/3.0
- version/mandrakesoft mandrake linux/2008.0