Bug 56833 (CVE-2004-0398)

Summary: VUL-0: CVE-2004-0398: libneon: non-filtered control chars
Product: [Novell Products] SUSE Security Incidents
Reporter: Michael Schröder <mls>
Component: Incidents
Assignee: Olaf Hering <ohering>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: mls, security-team, thomas
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0398: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: sitecopy-neon-0.23.7.diff
patchinfo-box.neon

Description Thomas Biege 2004-06-09 17:09:47 UTC
Hi Olaf. 
see bug 56724 comment #6
Comment 1 Thomas Biege 2004-06-09 17:09:47 UTC
-
Comment 2 Olaf Hering 2004-06-09 22:33:37 UTC
Created attachment 20965
sitecopy-neon-0.23.7.diff
Comment 3 Olaf Hering 2004-06-09 22:35:52 UTC
patches submitted for 9.1, 9.0, 8.2 and 8.1
Comment 4 Marcus Meissner 2004-06-09 22:56:11 UTC
could you make sure that in STABLE the packages requiring libneon link
against the dynamic lib from the system, if possible?
Comment 5 Michael Schröder 2004-06-14 20:27:49 UTC
patchinfo?
Comment 6 Thomas Biege 2004-06-14 20:50:59 UTC
Created attachment 21131
patchinfo-box.neon
Comment 7 Michael Schröder 2004-06-15 03:32:00 UTC
Hmm, that's the neon patchinfo, I meant the sitecopy patchinfo. Do we need
a neon update too? Olaf?
(And please copy the patchinfo to /work/src/done/PATCHINFO so that we don't
have to poll bugzilla...)
Comment 8 Michael Schröder 2004-06-17 18:50:48 UTC
Still no sitecopy patchinfo?
Comment 9 Thomas Biege 2004-06-17 19:05:49 UTC
Because it's the wrong bug entry... :) 
bug 56711 
 
The files in the bugzilla are wrong. I'll attach new ones. 
Olaf can you submit the patchinfo files after checking in the new packages
please. 
Comment 10 Olaf Hering 2004-06-18 17:14:03 UTC
hmm, I either forgot to copy updated sitecopy packages or
someone removed them. copied them again with this patch.
Comment 11 Michael Schröder 2004-06-21 18:53:48 UTC
Reopened by mls@suse.de at Mon Jun 21 12:53:48 2004, took initial reporter thomas@suse.de to cc
Comment 12 Michael Schröder 2004-06-21 18:53:48 UTC
Ok, so what's with the neon package? Don't we need an update for it as well?
(It's not included on SLES.)
And: a ne_xml.c chunk of the #37716 fix seems to be left out by mistake! (At
least in the 8.1 version.) This must be fixed as well.
Comment 13 Olaf Hering 2004-07-07 22:26:44 UTC
I have submitted updated neon packages for 9.0, 8.2 and 8.1,
they contain the ne_xml.c part.
Comment 14 Thomas Biege 2004-07-08 20:52:40 UTC
Do we have patchinfo files for it?
Comment 15 Michael Schröder 2004-07-09 22:28:13 UTC
Okay, packages containing the missing hunk checked in. Now back to my
first question: Olaf, isn't neon also vulnerable to the control char attack?
That's what this bugzilla entry is about...
Comment 16 Olaf Hering 2004-07-09 22:31:02 UTC
this patch is already in 8.2 neon since 2003-03-01
Comment 17 Michael Schröder 2004-07-09 22:49:56 UTC
Great! Then I need the patchinfo files...
Comment 18 Olaf Hering 2004-07-14 21:30:57 UTC
I think we already have updated packages on the ftp server:

-------------------------------------------------------------------
Thu Apr  1 13:18:41 CEST 2004 - olh@suse.de

- add CAN-2004-0179-neon-0.23.9.diff (#37716)


Can we reuse the old patchinfo files?
Comment 19 Thomas Biege 2004-07-14 23:15:01 UTC
Please add a space somewhere to get another md5 hash... 
Comment 20 Thomas Biege 2004-07-22 15:40:52 UTC
Olaf,  
concerning comment #16 we also have the control char patch for 8.1 and 8.0?
 
If you reuse the patchinfo files please add a space somewhere to get a new md5 
hash. 
 
Can this be done ASAP please.... this bug gets a bad smell during the last 
weeks. ;) 
Comment 21 Olaf Hering 2004-07-22 21:35:53 UTC
8.0 has no neon.
The updated packages are already checked in since 2004-07-09
Comment 22 Thomas Biege 2004-07-22 22:57:49 UTC
Olaf, did you submit some patchinfo files? 
Comment 23 Olaf Hering 2004-07-23 15:30:50 UTC
No, I did not. can we reuse the old ones?
Comment 24 Thomas Biege 2004-07-23 16:59:27 UTC
Olaf???? 
 
comment #19, comment #20 
Comment 25 Olaf Hering 2004-07-23 17:03:31 UTC
the packages in 8.1 (as example) are already newer than the one on the ftp server.

ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/neon.rpm  | head
* Son Mai 09 2004 - olh@suse.de

- add neon-CAN-2004-0398.patch (#39774)

* Don Apr 01 2004 - olh@suse.de

- add CAN-2004-0179-neon-0.23.9.diff (#37716)


 head neon.changes
-------------------------------------------------------------------
Wed Jul  7 15:53:46 CEST 2004 - olh@suse.de

- update CAN-2004-0179-neon-0.23.9.diff (#41833)
  add missing hunks

-------------------------------------------------------------------
Sun May  9 17:39:21 CEST 2004 - olh@suse.de

- add neon-CAN-2004-0398.patch (#39774)

Comment 26 Thomas Biege 2004-07-23 20:33:00 UTC
I submitted them on my own! 
Comment 27 Michael Schröder 2004-07-23 23:51:10 UTC
Maybe, but what's the point of including 9.1/SLES9? As far as I can tell they
already have the fix.
Comment 28 Thomas Biege 2004-07-26 19:37:57 UTC
changed in box file 
removed sles9 patchinfo file 
Comment 29 Thomas Biege 2004-07-26 23:30:01 UTC
packages approved 
Comment 30 Thomas Biege 2009-10-13 20:25:03 UTC
CVE-2004-0398: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)