touch-packages team mailing list archive

Thread
Date

[Bug 983810] Re: libxml2 security update fails to address problem and breaks thread-safety

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Marc Deslauriers <marc.deslauriers@xxxxxxxxxxxxx>
Date: Wed, 29 Oct 2014 14:50:03 -0000
Reply-to: Bug 983810 <983810@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Introduced by:
https://git.gnome.org/browse/libxml2/commit/?id=8973d58b7498fa5100a876815476b81fd1a2412a

Fixed by:
https://git.gnome.org/browse/libxml2/commit/dict.c?id=379ebc1d774865fa92f2a8d80cc4da65cbe19998
https://git.gnome.org/browse/libxml2/commit/dict.c?id=e7715a5963afebfb027120db6914926ec9a7373d

** Also affects: libxml2 (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: libxml2 (Ubuntu Lucid)
   Importance: Undecided
       Status: New

** Also affects: libxml2 (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Changed in: libxml2 (Ubuntu Trusty)
       Status: New => Fix Released

** Changed in: libxml2 (Ubuntu)
       Status: Triaged => Fix Released

** Changed in: libxml2 (Ubuntu Lucid)
       Status: New => Confirmed

** Changed in: libxml2 (Ubuntu Precise)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libxml2 in Ubuntu.
https://bugs.launchpad.net/bugs/983810

Title:
  libxml2 security update fails to address problem and breaks thread-
  safety

Status in libxml2:
  New
Status in “libxml2” package in Ubuntu:
  Fix Released
Status in “libxml2” source package in Lucid:
  Confirmed
Status in “libxml2” source package in Precise:
  Confirmed
Status in “libxml2” source package in Trusty:
  Fix Released
Status in “libxml2” package in Debian:
  New

Bug description:
  Using libxml2 2.7.8.dfsg-4ubuntu0.2 from (K)Ubuntu 11.10.

  In an attempt to address oCERT 2011-003, libxml2 now seeds its hash
  table with using rand(). This is broken and lame:

  Firstly, srand() and rand() are not thread-safe, even though libxml2
  is supposed to be thread-safe (when adequately initialized by the
  program). The fix is easy: replace srand() with a variable assignment,
  and replace rand() with rand_r().

  Secondly, using time(NULL) as a seed totally misses the point. It is
  trivial for a potential attacker to guess the value of time(NULL).
  That's the current UTC current time rounded to the second.

To manage notifications about this bug go to:
https://bugs.launchpad.net/libxml2/+bug/983810/+subscriptions