CVE-2008-3529
Published 2008-09-12
Priority P2 · 63 · critical · 10 · CVSS 2.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: yes
EPSS: 23.37% (97.5th percentile)
Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | iphone_os | < 3.0 | 3.0 |
| apple | mac_os_x | < 10.5.7 | 10.5.7 |
| apple | mac_os_x | — | — |
| apple | safari | < 4.0 | 4.0 |
| apple | safari | >= 3.2.0 < 3.2.3 | 3.2.3 |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | libxml2 | < libxml2 2.6.32.dfsg-4 (bookworm) | libxml2 2.6.32.dfsg-4 (bookworm) |
| vmware | esxi | — | — |
| vmware | vmware_workstation | — | — |
| xmlsoft | libxml2 | < 2.7.0 | 2.7.0 |
| xmlsoft | libxml2 | >= 0 < 2.6.32.dfsg-4 | 2.6.32.dfsg-4 |
| xmlsoft | libxml2 | >= 0 < 2.6.32.dfsg-4 | 2.6.32.dfsg-4 |
| xmlsoft | libxml2 | >= 0 < 2.6.32.dfsg-4 | 2.6.32.dfsg-4 |
| xmlsoft | libxml2 | >= 0 < 2.6.32.dfsg-4 | 2.6.32.dfsg-4 |
Detection & IOCs (extracted from sources)
Path: /System/Library/Frameworks/PubSub.framework/Versions/A/Resources/PubSubAgent.app/Contents/MacOS/PubSubAgent
- The crash is triggered via a specially crafted XML document containing a long XML entity name, exploiting xmlParseAttValueComplex in parser.c. Monitor for XML parsing crashes (SIGSEGV / EXC_BAD_ACCESS) in processes linked against libxml2 before 2.7.0.
- The PoC exploit delivers a malicious XML payload via HTTP on port 80 at path /pwn with Content-Type text/xml, and redirects the browser via the feed:// URI scheme. Inspect HTTP responses serving XML with unusually long entity name definitions.
- The exploit XML payload uses an internal DTD subset with a long entity name to trigger the overflow. Detect XML documents with DTD entity declarations containing excessively long names (e.g., thousands of repeated characters).
- The vulnerability only affects libxml2 versions before 2.7.0. Systems running libxml2 2.7.0 or later are not affected. Verify the installed version before applying detection logic.
- When processing extremely large XML documents with valid entities, the vulnerability protections added for CVE-2008-3529 could be incorrectly triggered (false positive), causing legitimate XML processing to fail. Tune entity-length detection thresholds accordingly.
- On macOS, exploitation targets the PubSubAgent process via the feed:// URI scheme in Safari RSS. Detection should be scoped to this process and URI scheme on macOS; on Windows, the attack surface is any application linking libxml2.dll.
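The detection bullets above suggest flagging XML documents whose internal DTD subset declares entities with excessively long names, while tuning the threshold so that large but legitimate documents are not flagged. The following Python is an added, defender-side example that is not code from this page, from libxml2, or from any of the advisories: it extracts entity declarations from the DOCTYPE internal subset and reports any whose name exceeds a configurable length. The threshold value, the helper names and the two sample documents are constructed for illustration.

```python
"""Flag XML documents whose internal DTD subset declares entities with
unusually long names (the trigger pattern described for CVE-2008-3529).

Added detection example; assumed threshold and constructed sample input.
"""
import re
from typing import List, Tuple

# Matches the internal DTD subset: everything between '[' and ']>' of a DOCTYPE.
_DOCTYPE_SUBSET = re.compile(rb"<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>", re.DOTALL)

# Matches '<!ENTITY name' or '<!ENTITY % name' inside that subset.
# Group 1 is the optional parameter-entity marker, group 2 the entity name.
# Name characters: ASCII XML Name characters plus any non-ASCII byte.
_ENTITY_DECL = re.compile(
    rb"<!ENTITY\s+(%\s+)?([A-Za-z_:\x80-\xff][-A-Za-z0-9._:\x80-\xff]*)",
    re.IGNORECASE,
)

# Assumed threshold: real entity names are short identifiers. The length is
# measured on the name only, so a large document with many ordinary entities
# does not trip the check (the false-positive case the advisory mentions).
DEFAULT_MAX_NAME_LEN = 256


def entity_name_lengths(doc: bytes) -> List[Tuple[str, int]]:
    """Return (kind, name_length) for every entity declared in the internal
    subset; kind is 'parameter' or 'general'."""
    found = []
    for subset in _DOCTYPE_SUBSET.finditer(doc):
        for m in _ENTITY_DECL.finditer(subset.group(1)):
            kind = "parameter" if m.group(1) else "general"
            found.append((kind, len(m.group(2))))
    return found


def long_entity_names(doc: bytes,
                      max_name_len: int = DEFAULT_MAX_NAME_LEN) -> List[Tuple[str, int]]:
    """Only the declarations whose name exceeds max_name_len."""
    return [(k, n) for k, n in entity_name_lengths(doc) if n > max_name_len]


def max_entity_name_len(doc: bytes) -> int:
    """Longest entity name in the document (0 if none); useful for tuning
    the threshold against a corpus of known-good documents."""
    lengths = [n for _, n in entity_name_lengths(doc)]
    return max(lengths) if lengths else 0


def is_suspicious(doc: bytes, max_name_len: int = DEFAULT_MAX_NAME_LEN) -> bool:
    return bool(long_entity_names(doc, max_name_len))


# Constructed sample: ordinary document with short entity names.
BENIGN = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY company "Example Corp">
  <!ENTITY % common SYSTEM "common.dtd">
]>
<note>&company;</note>
"""

# Constructed sample: a single general entity whose name is 5000 characters.
_LONG = b"A" * 5000
SUSPICIOUS = (b'<?xml version="1.0"?>\n<!DOCTYPE a [\n  <!ENTITY ' + _LONG +
              b' "x">\n]>\n<a>&' + _LONG + b';</a>\n')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, "max name length:", max_entity_name_len(doc),
              "suspicious:", is_suspicious(doc))
```

Run the module directly to see both samples classified; to wire it into a gateway or log pipeline, call `is_suspicious()` on the body of each `text/xml` response and record `max_entity_name_len()` so the threshold can be raised if a known-good feed ever produces a hit. The check is a heuristic on entity names only; it does not replace upgrading libxml2 to 2.7.0 or later.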
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | CRITICAL | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
| vendor_ubuntu | — | 10.0 | CRITICAL | — |
GHSA
GHSA-vgv6-63x3-fm4w: Heap-based buffer overflow in the xmlParseAttValueComplex function in parser
ghsa_unreviewed·2022-05-02
CVE-2008-3529 [HIGH] CWE-119 GHSA-vgv6-63x3-fm4w: Heap-based buffer overflow in the xmlParseAttValueComplex function in parser
Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.
OSV
CVE-2008-3529: Heap-based buffer overflow in the xmlParseAttValueComplex function in parser
osv·2008-09-12·CVSS 10.0
CVE-2008-3529 [CRITICAL] CVE-2008-3529: Heap-based buffer overflow in the xmlParseAttValueComplex function in parser
Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.
Ubuntu
libxml2 vulnerabilities
vendor_ubuntu·2009-08-11·CVSS 10.0
CVE-2009-2414 [CRITICAL] libxml2 vulnerabilities
Title: libxml2 vulnerabilities
Summary: libxml2 vulnerabilities
It was discovered that libxml2 did not correctly handle root XML document
element DTD definitions. If a user were tricked into processing a specially
crafted XML document, a remote attacker could cause the application linked
against libxml2 to crash, leading to a denial of service. (CVE-2009-2414)
It was discovered that libxml2 did not correctly parse Notation and
Enumeration attribute types. If a user were tricked into processing a
specially crafted XML document, a remote attacker could cause the
application linked against libxml2 to crash, leading to a denial of
service. (CVE-2009-2416)
USN-644-1 fixed a vulnerability in libxml2. This advisory provides the
corresponding update for Ubuntu 9.04.
Original advisory details:
VMware
Updated ESX packages for libxml2, ucd-snmp, libtiff
vendor_vmware·2008-10-31·CVSS 6.5
CVE-2008-0960 [MEDIUM] Updated ESX packages for libxml2, ucd-snmp, libtiff
VMSA-2008-0017: Updated ESX packages for libxml2, ucd-snmp, libtiff
a. Updated ESX Service Console package libxml2

A denial of service flaw was found in the way libxml2 processes certain content. If an application that is linked against libxml2 processes malformed XML content, the XML content might cause the application to stop responding. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-3281 to this issue.

Additionally the following was also fixed, but was missing in the security advisory. A heap-based buffer overflow flaw was found in the way libxml2 handled long XML entity names. If an application linked against libxml2 processed untrusted malformed XML content, it could cause the application to crash or, possibly, execute arbitrary code.
Ubuntu
libxml2 vulnerabilities
vendor_ubuntu·2008-09-11·CVSS 6.5
CVE-2008-3281 [MEDIUM] libxml2 vulnerabilities
Title: libxml2 vulnerabilities
Summary: libxml2 vulnerabilities
It was discovered that libxml2 did not correctly handle long entity names.
If a user were tricked into processing a specially crafted XML document,
a remote attacker could execute arbitrary code with user privileges
or cause the application linked against libxml2 to crash, leading to a
denial of service. (CVE-2008-3529)
USN-640-1 fixed vulnerabilities in libxml2. When processing extremely
large XML documents with valid entities, it was possible to incorrectly
trigger the newly added vulnerability protections. This update fixes
the problem. (CVE-2008-3281)
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
libxml2: long entity name heap buffer overflow
vendor_redhat·2008-09-11·CVSS 10.0
CVE-2008-3529 [CRITICAL] CWE-122 libxml2: long entity name heap buffer overflow
libxml2: long entity name heap buffer overflow
Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.
Debian
CVE-2008-3529: libxml2 - Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c i...
vendor_debian·2008·CVSS 10.0
CVE-2008-3529 [CRITICAL] CVE-2008-3529: libxml2 - Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c i...
Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.
Scope: local
bookworm: resolved (fixed in 2.6.32.dfsg-4)
bullseye: resolved (fixed in 2.6.32.dfsg-4)
forky: resolved (fixed in 2.6.32.dfsg-4)
sid: resolved (fixed in 2.6.32.dfsg-4)
trixie: resolved (fixed in 2.6.32.dfsg-4)
No detection rules found.
References
- http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html
- http://lists.apple.com/archives/security-announce/2009/May/msg00000.html
- http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html
- http://secunia.com/advisories/31558
- http://secunia.com/advisories/31855
- http://secunia.com/advisories/31860
- http://secunia.com/advisories/31868
- http://secunia.com/advisories/31982
- http://secunia.com/advisories/32265
- http://secunia.com/advisories/32280
- http://secunia.com/advisories/32807
- http://secunia.com/advisories/32974
- http://secunia.com/advisories/33715
- http://secunia.com/advisories/33722
- http://secunia.com/advisories/35056
- http://secunia.com/advisories/35074
- http://secunia.com/advisories/35379
- http://secunia.com/advisories/36173
- http://secunia.com/advisories/36235
- http://security.gentoo.org/glsa/glsa-200812-06.xml
- http://securitytracker.com/id?1020855
- http://sunsolve.sun.com/search/document.do?assetkey=1-21-126356-03-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-21-141243-01-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-247346-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-261688-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-265329-1
- http://support.apple.com/kb/HT3549
- http://support.apple.com/kb/HT3550
- http://support.apple.com/kb/HT3613
- http://support.apple.com/kb/HT3639
- http://support.avaya.com/elmodocs2/security/ASA-2008-400.htm
- http://support.avaya.com/elmodocs2/security/ASA-2009-025.htm
- http://wiki.rpath.com/Advisories:rPSA-2008-0325
- http://www.debian.org/security/2008/dsa-1654
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:192
- http://www.redhat.com/support/errata/RHSA-2008-0884.html
- http://www.redhat.com/support/errata/RHSA-2008-0886.html
- http://www.securityfocus.com/bid/31126
- http://www.ubuntu.com/usn/USN-815-1
- http://www.us-cert.gov/cas/techalerts/TA09-133A.html
- http://www.vupen.com/english/advisories/2008/2822
- http://www.vupen.com/english/advisories/2009/1297
- http://www.vupen.com/english/advisories/2009/1298
- http://www.vupen.com/english/advisories/2009/1522
- http://www.vupen.com/english/advisories/2009/1621
- http://xmlsoft.org/news.html
- https://bugzilla.redhat.com/show_bug.cgi?id=461015
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45085
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11760
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6103
- https://usn.ubuntu.com/644-1/
- https://www.exploit-db.com/exploits/8798
+ 6 more references
Published: 2008-09-12