XML Library Flaw — Sun, Apache, GNOME Affected

← Back to Stories (view on slashdot.org)

XML Library Flaw — Sun, Apache, GNOME Affected

Posted by Soulskill on Wednesday August 5, 2009 @04:27AM from the finding-fast-fixes-for-flaws dept.

bednarz writes with this excerpt from Network World: "Vulnerabilities discovered in XML libraries from Sun, the Apache Software Foundation, the Python Software Foundation and the GNOME Project could result in successful denial-of-service attacks on applications built with them, according to Codenomicon. The security vendor found flaws in XML parsers that made it fairly easy to cause a DoS attack, corruption of data, and delivery of a malicious payload using XML-based content. Codenomicon has shared its findings with industry and the open source groups, and a number of recommendations and patches for the XML-related vulnerabilities are expected to be made available Wednesday. In addition, a general security advisory is expected to be published by the Computer Emergency Response Team in Finland (CERT-FI)."

140 comments

ASCII Delimited Security Issues by Algorithmn · 2009-08-05 04:30 · Score: 2, Insightful

Seems to me that ASCII delimited protocols always have these types of issues. Its quite easy to write fuzzers for human readable protocols compared to binary encoded protocols. Too bad these developers don't know how to write good unit tests... This could have been avoided..
1. Re:ASCII Delimited Security Issues by sys.stdout.write · 2009-08-05 04:39 · Score: 4, Insightful
  
  Too bad these developers don't know how to write good unit tests... This could have been avoided..
  That's unfair. I'm all about unit tests and they do help find bugs, but a unit test isn't going to find a precisely-crafted piece of malicious input.
2. Re:ASCII Delimited Security Issues by Z00L00K · 2009-08-05 04:40 · Score: 3, Informative
  
  XML in itself is sometimes a denial of service with strange side-effects.
  As soon as you insert XML that isn't well-formed into a XML parser it will barf in one way or another. And then you will have to dedicate hours to figure out which tag/data in a 200kB XML request that was the culprit. If you are lucky you get a parsing exception, if not you get a Null pointer exception or an infinite loop in the parser.
  
  --
  If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
3. Re:ASCII Delimited Security Issues by morgan_greywolf · 2009-08-05 04:47 · Score: 2, Insightful
  
  It's just as easy to fuzz a binary-encoded protocol, it just doesn't require specialized tools. Ever heard of TCP/IP-based DoS attacks?
  
  --
  My blog
4. Re:ASCII Delimited Security Issues by Anonymous Coward · 2009-08-05 04:54 · Score: 0
  
  Too bad these developers don't know how to write good unit tests
  All 500 billion quintillion unit tests to ensure every possible input EVAR can be parsed?
  I think you're not really clear on what unit tests are capable of achieving in the absence of psychic powers, the presence of which would have invalidated the need for the test in the first place.
5. Re:ASCII Delimited Security Issues by Pulse_Instance · 2009-08-05 04:54 · Score: 1
  
  A properly written unit test might have a chance of finding it if you take the approach of writing your unit tests by looking at how the function can fail. It is still unlikely that you will find it but the most important thing after something like this is found is to add it to your unit tests and look for similar mistakes elsewhere.
6. Re:ASCII Delimited Security Issues by jopsen · 2009-08-05 04:59 · Score: 4, Funny
  
  A properly written unit test might have a chance of finding it if you take the approach of writing your unit tests by looking at how the function can fail.
  I prefer not to find my bugs...
7. Re:ASCII Delimited Security Issues by Anonymous Coward · 2009-08-05 05:21 · Score: 0
  
  I prefer not to find my bugs...
  Who do you work for?
8. Re:ASCII Delimited Security Issues by someone1234 · 2009-08-05 05:29 · Score: 1
  
  Maybe he is in the hotel business.
  
  --
  Patents Drive Free Software as Hurricanes Drive Construction Industry
9. Re:ASCII Delimited Security Issues by $1uck · 2009-08-05 05:31 · Score: 2, Insightful
  
  Just be happy you don't have to play with SGML.
10. Re:ASCII Delimited Security Issues by masshuu · 2009-08-05 05:42 · Score: 1
  
  no, he is most likely in the restaurant business, possibly 3 or 4 Star
  Ive seen more bugs in those places than in Mcdonalds, but i guess even bugs won't touch that stuff.
  
  --
  O.o
11. Re:ASCII Delimited Security Issues by Algorithmn · 2009-08-05 05:53 · Score: 1
  
  I've written both ASCII and Binary fuzzers. Binary is harder. My ASCII fuzzer found over 10 million possible mutations while the Binary fuzzer found less then a million. If I had to argue with myself maybe I should have said "harder to write a successful fuzzer".
12. Re:ASCII Delimited Security Issues by Algorithmn · 2009-08-05 05:54 · Score: 2, Insightful
  
  I hope your not a developer... http://en.wikipedia.org/wiki/Unit_testing
13. Re:ASCII Delimited Security Issues by Anonymous Coward · 2009-08-05 06:02 · Score: 0
  
  All this says to me is that unit-testing as a whole is more of a concept with a 'best practices' than it is a concrete idea that has 'one solid method' of achieving. I sort of fail to see the point, but that's just me.
14. Re:ASCII Delimited Security Issues by Anonymous Coward · 2009-08-05 06:07 · Score: 0
  
  What a dumb question.
  Microsoft, obviously!
15. Re:ASCII Delimited Security Issues by shutdown+-p+now · 2009-08-05 06:32 · Score: 2, Interesting
  
  Refusing to handle invalid input isn't denial of service. Also, I haven't seen any XML parser that would give you a null pointer/reference exception on invalid input. In fact, all that I've used will give the exact line/column number at which error happened.
16. Re:ASCII Delimited Security Issues by Algorithmn · 2009-08-05 07:33 · Score: 1
  
  I disagree. Unit tests are only as good as the author of the code. I like fuzzing. So if I were to unit test my own code I would try millions of possibilities. "Too bad" I just break and not make software.
17. Re:ASCII Delimited Security Issues by GooberToo · 2009-08-05 08:29 · Score: 1
  
  Actually this has been exploited very rarely; excluding MS Windows which had a gambit of well publicized issued of the last decade plus. Most notably being the packet of death which causes Windows boxes to crash/reboot.
  Most of the TCP/IP related DoS attacks stem from exploitation of the protocol, not the binary packet format.
18. Re:ASCII Delimited Security Issues by Anonymous Coward · 2009-08-05 08:43 · Score: 0
  
  Sorry, but if you write this kind of tests, you should test the good, the bad and the ugly cases. You should write tests that prove that your parser rejects wrongly coded data, and fail gracefully.
19. Re:ASCII Delimited Security Issues by k.a.f. · 2009-08-05 09:22 · Score: 1
  
  That's unfair. I'm all about unit tests and they do help find bugs, but a unit test isn't going to find a precisely-crafted piece of malicious input.
  No, probably not. The formal verification would have done that. And yes, I do think code that has the potential to introduce undefined behaviour into high-profile libraries must be verified before you may loose it on the world, why do you ask?
20. Re:ASCII Delimited Security Issues by RegularFry · 2009-08-05 09:40 · Score: 1
  
  Refusing to handle invalid input isn't denial of service.
  It is if the app developer omits to handle it because "oh, that'll never happen." This is not an uncommon attitude, unfortunately.
  
  --
  Reality is the ultimate Rorschach.
21. Re:ASCII Delimited Security Issues by dmmiller2k · 2009-08-05 09:50 · Score: 1
  
  then you will have to dedicate hours to figure out which tag/data in a 200kB XML request that was the culprit
  Refusing to handle invalid input isn't denial of service
  I think he probably meant denial of service from the developer's employer's point of view.
  
  --
  "No matter how cynical you get, it is impossible to keep up." -- Lily Tomlin
22. Re:ASCII Delimited Security Issues by Anonymous Coward · 2009-08-05 10:23 · Score: 0
  
  That I think is only testament to why various means of testing are required! In perfect world programmers would write error free and optimized code. In near perfect world, flawles unit tests would find what may have slipped in. In slightly more flawed world whitebox testing software like Fortify and Coverity with the help of code auditing would rid us from buggy software. Alas - life is inperfect. Vast majority of programmers produce less than perfect code, there are huge differences between individuals and organizations capability and skill to use various forms of test methodologies and tools as part of their software development and deployement processes. In really cruel world there would be broken compilers producing bad executables from perfectly functioning source code, timelines and schedules and market pressure forcing the release of the software made by the lowest bidder within unrealistic schedules.
  So yes - I would not put much faith on any given piece of SW. And if it would be critical to my business, would be willing to test it and invest into testing it, white box, black box, manual, automatic, to find its true qualities and to give at least certain confidence that its doing what its supposed to do, and do just that. And not to e.g crash when someone feels like tampering with XML containers its using! :)
23. Re:ASCII Delimited Security Issues by GumphMaster · 2009-08-05 10:34 · Score: 1
  
  I'll second that!
  
  --
  Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
24. Re:ASCII Delimited Security Issues by lennier · 2009-08-05 11:05 · Score: 1
  
  "As soon as you insert XML that isn't well-formed into a XML parser it will barf in one way or another."
  So don't do that, then?
  "On two occasions I have been asked, 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
  
  --
  You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
25. Re:ASCII Delimited Security Issues by Anonymous Coward · 2009-08-05 13:14 · Score: 0
  
  Too bad these developers don't know how to write good unit tests... This could have been avoided..
  Unit testing can never prove a piece of code correct, only that it either works for certain inputs or that it fails.
26. Re:ASCII Delimited Security Issues by msuarezalvarez · 2009-08-05 13:52 · Score: 1
  
  But that is 100% independent of XML. Programmers can ignore errors produced by *anything*.
27. Re:ASCII Delimited Security Issues by lennier · 2009-08-05 13:58 · Score: 1
  
  What's worse than finding a bug in your XML parser?
  Finding half a bug.
  
  --
  You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
28. Re:ASCII Delimited Security Issues by LaurensVH · 2009-08-05 20:49 · Score: 1
  
  A properly written unit test might have a chance of finding it if you take the approach of writing your unit tests by looking at how the function can fail. It is still unlikely that you will find it but the most important thing after something like this is found is to add it to your unit tests and look for similar mistakes elsewhere.
  Presumably (especially considering how long the bug has managed to go unnoticed and how prevalent it is), it's obscure and an implementation detail (then again, most bugs are). You can't expect random developers to have this kind of knowledge of an underlying XML library -- especially when the rest of the world had no clue either. Despite being unit tested all around the world, nobody has managed to find and report this bug prior to this person. Doesn't that say anything?
29. Re:ASCII Delimited Security Issues by kudokatz · 2009-08-05 23:03 · Score: 1
  
  Too bad these developers don't know how to write good unit tests... This could have been avoided..
  That's unfair. I'm all about unit tests and they do help find bugs, but a unit test isn't going to find a precisely-crafted piece of malicious input.
  Yes, it could if you're talking about fuzzers. Having made fuzzers for a few programs, it really is amazing how many bugs they catch, how many crashes they cause, and how often they suggest the ability to control execution based on matching up the data in registers with data in the fuzzed input file. There should definitely be some fuzz testing done. I never really thought about it in the context of open-source software-- anybody know what practices are for different projects or where they would get compute time?
30. Re:ASCII Delimited Security Issues by Anonymous Coward · 2009-08-05 23:41 · Score: 0
  
  XML in itself is sometimes a denial of service
  LOL
  ahhh one can find such amusing things in these forums
31. Re:ASCII Delimited Security Issues by Pulse_Instance · 2009-08-06 00:50 · Score: 1
  
  It says plenty which is why I added the second half of what I said.
  
  It is still unlikely that you will find it but the most important thing after something like this is found is to add it to your unit tests and look for similar mistakes elsewhere.
  I've found that unit testing will catch obvious things and things that you have seen before. Now that this has been found if they unit test for it, not just in the location where it happened but anywhere it makes sense, they can be more sure that it does not happen again.
32. Re:ASCII Delimited Security Issues by fulldecent · 2009-08-06 03:32 · Score: 1
  
  >>As soon as you insert XML that isn't well-formed into a XML parser it will barf in one way or another. And then you will have to dedicate hours to figure out which tag/data in a 200kB XML request that was the culprit. If you are lucky you get a parsing exception, if not you get a Null pointer exception or an infinite loop in the parser.
  What are you talking about?
  If by "you will have to dedicate hours to figure out which tag/data in a 200kB XML request that was the culprit...", you mean "reject the data from the source," then yes, I completely agree.
  
  --
  -- I was raised on the command line, bitch
33. Re:ASCII Delimited Security Issues by thePowerOfGrayskull · 2009-08-06 03:58 · Score: 1
  
  But this is the flaw inherent in such unit tests themselves -- they can only think of such unit tests that the developer is able to conceive of. If I look at a function and think of 10 ways for it to fail, you can be there will be an 11th that I missed. Blaming inadequate unit testing in this case (as OP has done) is indicative of a misguided faith in the capability of programmatic unit tests: they're intended to let you catch the things you can think of, and retroactively add coverage for those scenarios you couldn't think of. They can't capture scenarios that you the programmer can't conceive of.
34. Re:ASCII Delimited Security Issues by jopsen · 2009-08-06 05:12 · Score: 1
  
  Nope, never...!
  - I'm a student, and may still have something to learn... :)
35. Re:ASCII Delimited Security Issues by Anonymous Coward · 2009-08-07 07:22 · Score: 0
  
  The formal verification would have done that.
  No. Formal verification has nothing to do with fuzzing.
36. Re:ASCII Delimited Security Issues by Anonymous Coward · 2009-08-07 07:35 · Score: 0
  
  Just the opposite! SGML would be really fun to play with! *evil grin*
37. Re:ASCII Delimited Security Issues by Anonymous Coward · 2009-08-07 07:47 · Score: 0
  
  Oh, come on. It is really too bad, that almost no computer science school teaches nothing about software testing. Even if you look at the book shelf at Amazon, you only find crappy things were at best people try to automate mouse clicking a GUI.
  There are three types of software tests:
  1) Functional: You try to validate functionality, or conformance to some kind of a requirements document or standard. From security perspective, this includes useless stuff like Common Criteria (ISO whatever), PCI (bunch of idiots all of them) and IETF Torture Test (worst of them all).
  2) Performance: Well, I probably do not need to go here, you hopefully have heard of (ex-)Mercury, Ixia, Spirent, Agilent, the rest of the bunch...
  3) Robustness: Validation of the reliability of the software through syntax testing, grammar testing, robustness testing, ... a lot of extremely smart test generation techniques that try out all possible inputs variants through protocols, command line, GUI, APIs. Fuzzing is the cheap way of doing the same, randomly.
  To look at it from other perspective: you have positive tests that try to validate that something acts like it is supposed to, and then negative tests that check that something is absent (a bug, a feature, ...). Fuzzing is a sub-category of negative testing.
  Unfortunately, in real life, 95% of the software projects barely do 1). In some extremely critical places you might see 2). And you know the companies who do 3).
And they said XML was easy to parse by Anonymous Coward · 2009-08-05 04:34 · Score: 0

CSV FTW.
1. Re:And they said XML was easy to parse by ShadowRangerRIT · 2009-08-05 04:44 · Score: 3, Insightful
  
  Except CSV isn't a standard. While the general idea is similar, the details differ greatly from parser to parser. Do you need a trailing comma on the line? Do you allow leading or trailing space on an entry? Since most generators use slightly different conventions, parsers need to be significantly more complex. And CSV is far more limited in scope. I think of CSV as the scripting language to XML's high level OO VM language. Neither is a particularly efficient format, but they're both easier to work with than the alternative (binary coded data), and they're each good for different things. CSV works well for simple data structures, just like scripting languages are appropriate for small utility programs, while XML is good for complex, rigidly defined structures, just like a high level OO language is more appropriate to large projects where maintainability is a concern.
  
  --
  $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
2. Re:And they said XML was easy to parse by Anonymous Coward · 2009-08-05 04:58 · Score: 1, Insightful
  
  well, I'd like json and bencode for that matter.
3. Re:And they said XML was easy to parse by Timothy+Brownawell · 2009-08-05 05:05 · Score: 1
  
  CSV FTW.
  What happens when your data contains \r or \n characters? (I know Oracle's sqlldr / external tables at least will reject that row, and I don't believe they recognize any escape sequence for this.) What happens if the data has commas in it, and the .csv was generated by something that doesn't add quotes?
  What do you do if your data is more complicated than a simple table?
4. Re:And they said XML was easy to parse by Desler · 2009-08-05 05:19 · Score: 3, Informative
  
  Except CSV isn't a standard.
  The IETF might disagree with you.
5. Re:And they said XML was easy to parse by Timothy+Brownawell · 2009-08-05 05:28 · Score: 2, Informative
  
  Except CSV isn't a standard.
  The IETF might disagree with you.
  "This memo provides information for the Internet community. It does not specify an Internet standard of any kind. "
6. Re:And they said XML was easy to parse by Richard24 · 2009-08-05 05:29 · Score: 1
  
  Most of the things you ask about can be done with CSV as long as it's quoted properly. If it's not quoted properly, then it would be considered invalid. There's a nice RFC spec for it here: http://www.ietf.org/rfc/rfc4180.txt
  
  What happens when your data contains \r or \n characters?
  It's perfectly acceptable as long as you quote it (#6 example of RFC 4180). If Oracle doesn't support that, then I would say their implementation is broken.
  
  What happens if the data has commas in it, and the .csv was generated by something that doesn't add quotes?
  It's invalid
  
  What do you do if your data is more complicated than a simple table?
  I'd need a better example from you, but you can embed a csv record inside a csv field. It starts to get complicated really fast with all the "escaping" that needs to be done with the double-quotes. Such as something like a record containing "Last Name","First Name","Sub-Properties". The Sub-Properties could be embedded data such as sex, age, and height. For example:
  
  "Doe","John","""male"",42,""5-10"""
  
  Clearly, you can represent tree style data with CSV, but it has more flexibility than you think. Too many people roll their own CSV, because it seems so simple. Then they don't quote and escape quotes properly blaming any issues on garbage data.
7. Re:And they said XML was easy to parse by FromFrom · 2009-08-05 05:29 · Score: 1
  
  What do you do if your data is more complicated than a simple table?
  Are you serious? The same thing one would do in a relational database if your data is more complicated than a simple table...
8. Re:And they said XML was easy to parse by ShadowRangerRIT · 2009-08-05 05:32 · Score: 2, Insightful
  
  Interesting. Of course, it was only published in 2005. If they'd written this up 20 years ago, it might have been more helpful. As is, the various CSV writers have been around so long that a lot of non-conformant CSV is out there. So the parsers remain fairly complex, to account for the previously undefined behaviors. And of course, that standard is for a MIME type; non-web focused CSV generators will still ignore parts of it.
  
  --
  $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
9. Re:And they said XML was easy to parse by Timothy+Brownawell · 2009-08-05 06:35 · Score: 1
  
  If Oracle doesn't support that, then I would say their implementation is broken.
  I'd just suspect it's more than 4 years old (hmm, looks like the 10gR2 we're using was actually released in 2005, and that RFC is dated October 2005). The "standard" is "this seems to be what most people are doing" rather than "here's the definition of a cool new format".
  
  Clearly, you can represent tree style data with CSV, but it has more flexibility than you think.
  Hm, cool. Also, ick.
  
  Too many people roll their own CSV, because it seems so simple. Then they don't quote and escape quotes properly blaming any issues on garbage data.
  ...and then I have to tweak it into the csv dialect that Oracle understands.
10. Re:And they said XML was easy to parse by mzs · 2009-08-05 07:55 · Score: 1
  
  sed has been around for more than 20 years though and I bet a couple of one liners can fix most anything right up.
11. Re:And they said XML was easy to parse by shish · 2009-08-05 21:01 · Score: 1
  
  "This memo provides information for the Internet community. It does not specify an Internet standard of any kind. "
  That's a boilerplate header at the start of every RFC, included for mostly archaic formality reasons -- in reality the RFCs are seen as standards by pretty much anyone working on a project which involves them, and the agreement between RFC users /makes/ them standards, as much as the RFCs themselves would like to object :-P
  
  --
  I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
Open source by heffrey · 2009-08-05 04:35 · Score: -1, Troll

I don't understand. I was led to believe by many reputable slashdot posters that open source software wasn't susceptible to such problems because the open source software development process is inherently so much better than traditional development methods. What am I to think now?
1. Re:Open source by maxume · 2009-08-05 04:39 · Score: 1
  
  I suggest switching to a diet of hay, for the higher protein content.
  
  --
  Nerd rage is the funniest rage.
2. Re:Open source by Anonymous Coward · 2009-08-05 04:39 · Score: 0
  
  you want someone to tell you what to think?
3. Re:Open source by gila_monster · 2009-08-05 04:40 · Score: 2, Interesting
  
  You'll probably getted tagged 'troll' for that, but I'll bite.
  It's not that open source is not susceptible to these things (all software is). But with open source, these things are usually found more quickly, and are generally patched/fixed more quickly. I don't have statistics to support a statement that critical errors like this happen less often with open source, but I would have no trouble believing that.
  Open source is usually more transparent about the problem, too. Many closed source vendors hide these things, so you never know you're vulnerable and thus can't adjust for it.
  
  --
  Ad luna, Alicia! Ad luna!
4. Re:Open source by Anonymous Coward · 2009-08-05 04:42 · Score: 0, Flamebait
  
  Since it's open source, it won't be bashed for days on end like MS would be. That's the only difference.
5. Re:Open source by Anonymous Coward · 2009-08-05 04:43 · Score: -1, Troll
  
  Open sores software has always been shit. Anyone who says otherwise is a bigger propagandist than an M$ marketeer
6. Re:Open source by jpmorgan · 2009-08-05 04:44 · Score: 4, Informative
  
  Someone will undoubtedly say that the bug being found was part of the process, since it's open source and that means the source is auditable by anybody. Reality: it was discovered by the maker of a fuzzing tool. Fuzzing is the process of sending garbage into software to see if it breaks... it works quite well and generally doesn't require the source code.
  
  Also, fuzzing discovers DoSes. But many DoS attacks turn into vulnerabilities in the hands of a skilled hacker, and it's generally not safe to assume that a DoS is unexploitable without extensive code analysis.
7. Re:Open source by Icegryphon · 2009-08-05 04:44 · Score: 1
  
  8/10
8. Re:Open source by ChienAndalu · 2009-08-05 04:47 · Score: 3, Informative
  
  Think "
  I wonder if these vulnerabilites could have been found earlier if the code was open source."
9. Re:Open source by AlphaBit · 2009-08-05 04:50 · Score: 1
  
  Given that perfection is impossible... I believe that the open source process is much less likely to lead to problems such as this. When it goes well. The problem is that being open source defines so little about how the work is actually getting done. I could create an open source math library consisting of: add(a, b){ return a*b; } , make it open source, post it on source-forge and everything, and then simply refuse outside contribution. This is not really a problem for the community since anyone can fork and fix, but if I happen to be a software giant that has integrated my own faulty code into half of my products...
10. Re:Open source by FudRucker · 2009-08-05 04:50 · Score: 1
  
  to the parent & grandparent post, plus with the source available you can check for anything malicious in the code before the binary is built. or rebuild with different parameters making it more secured against flaws by leaving out or changing the parts that are flawed or adding your own patches further hardening the app against vulnerabilities.
  
  to the grandparent only: if you dont see the advantages of Open Source software to all users be it commercial or personal then you are not a user yourself and are just a corporate type with the corportista mindset, i got news for you = money is not everything and people will go out of their way to get your greedy little paws out of their pockets.
  
  --
  Politics is Treachery, Religion is Brainwashing
11. Re:Open source by recoiledsnake · 2009-08-05 04:57 · Score: 1
  
  to the grandparent only: if you dont see the advantages of Open Source software to all users be it commercial or personal then you are not a user yourself and are just a corporate type with the corportista mindset, i got news for you = money is not everything and people will go out of their way to get your greedy little paws out of their pockets.
  So, if I need Photoshop as part of my job to feed my family, I'm just a corporate type with the corportista mindset and I should either switch to Gimp and pull my hair and lose time and clients or let my family starve?
  Whatever happened to using the right tool for the job, instead of letting zealotry take over?
  
  --
  This space for rent.
12. Re:Open source by Volante3192 · 2009-08-05 04:57 · Score: 1
  
  it works quite well and generally doesn't require the source code.
  But here, since it's open source, we don't have to rely on coders in a white tower to patch the code directly or someone to hack an intermediate patch. We can start looking right away.
13. Re:Open source by Anonymous Coward · 2009-08-05 05:00 · Score: 0
  
  "I don't have statistics to support a statement that critical errors like this happen less often with open source"
  Of course you don't.
  "but I would have no trouble believing that."
  What about unicorns?
14. Re:Open source by bberens · 2009-08-05 05:02 · Score: 2, Insightful
  
  Since MS is closed source, it wouldn't be fixed for months on end like open source is. That's the only difference. See? It works both ways, neither is really helpful.
  
  --
  Check out my lame java blog at www.javachopshop.com
15. Re:Open source by quickOnTheUptake · 2009-08-05 05:07 · Score: 1
  
  Way to beat that strawman!
  Couldn't you have at least waited until a linux fanboi didn't understand the summary and made a dumb comment?
  All that aside, the way these projects' being open source will make this better is by making a patch come out sooner. The community knows there is a problem. Someone will get on finding it right away, and in a day or two we will see patches getting pushed out that fix it. There's no sitting around helplessly hoping we don't get DoSed until someone at MegaSoft Corp. decides this is worth fixing and rolls a patch.
  
  --
  Mod points: Guaranteed to remove your sense of humor.
  Side effects may include gullibility and temporary retardation
16. Re:Open source by Anonymous Coward · 2009-08-05 05:11 · Score: 0
  
  So, if I need Photoshop as part of my job to feed my family, I'm just a corporate type with the corportista mindset and I should either switch to Gimp and pull my hair and lose time and clients or let my family starve?
  You're actually trying to make money?!?! Blashphemy!
  
  Whatever happened to using the right tool for the job, instead of letting zealotry take over?
  When have open source fundamentalists ever been about using the right tool for the job? They've always excluded any tool that doesn't match up to their shifting goalposts definition of "free software" as being the wrong tool for the job at every point in time.
17. Re:Open source by Timothy+Brownawell · 2009-08-05 05:13 · Score: 1
  
  All that aside, the way these projects' being open source will make this better is by making a patch come out sooner. The community knows there is a problem. Someone will get on finding it right away, and in a day or two we will see patches getting pushed out that fix it. There's no sitting around helplessly hoping we don't get DoSed until someone at MegaSoft Corp. decides this is worth fixing and rolls a patch.
  This is because the Community has unlimited volunteer resources available on very short notice, and large corporations with many paid full-time employees do not.
18. Re:Open source by Anonymous Coward · 2009-08-05 05:13 · Score: 0
  
  i gotta agree with snake. First of all if you work at a corporation open-source isn't always an option. Second, if a closed source company produces a better piece of software than open, I'll choose close source all day long.
19. Re:Open source by heffrey · 2009-08-05 05:25 · Score: 2, Funny
  
  You think I've come to the right place?
20. Re:Open source by Desler · 2009-08-05 05:29 · Score: 1
  
  So, if I need Photoshop as part of my job to feed my family, I'm just a corporate type with the corportista mindset and I should either switch to Gimp and pull my hair and lose time and clients or let my family starve?
  But with The GIMP you get to waste weeks of your time trying to wade through it's crappy codebase trying to fix it's buginess and try to cram in features that it still doesn't have that Photoshop has had for almost a decade. You non-corportistas just don't understand how this is a benefit and not a flaw of the software!
21. Re:Open source by AceofSpades19 · 2009-08-05 05:39 · Score: 1
  
  If thats the case, then exploits in acrobat reader and flash should be fixed next day, or in a few hours.
22. Re:Open source by Anonymous Coward · 2009-08-05 05:39 · Score: 0
  
  Also, in typical open source fashion, the real developers have no responsibility, and readers are left to ponder which of Sun, Apache, or GNOME are responsible.
  I call this the "Linux is not an operating system" defense. As in, they are quick to claim responsibility for success, but not any failures of a system. For that, they shift into a faceless cloud of ether and we are directed to a name such as RedHat, Sun, Apache, etc. It's as bad as two commercial vendors pointing fingers at each other.
  Go go open source project, oh, but the integration with all that other crap? Don't look at me, they're all f'ing crazy.
  For this, I feel no sorrow when open source doesn't get any recognition or credit. Look how Sun and Apache's necks get stuck out here.
  http://xmlsoft.org/
  Take some responsibility, and /., give it to them.
23. Re:Open source by Desler · 2009-08-05 05:49 · Score: 1
  
  Oops that was supposed to be "corportistas" not "non-corportistas".
24. Re:Open source by Ralish · 2009-08-05 06:20 · Score: 1
  
  Hey man, you did "adobe xml vulnerability" twice!! Admittedly, their security record is appalling, particularly as of late, but still, play fair ;)
  More seriously, an article comes out about multiple XML vulnerabilities in multiple open-source XML libraries and your immediate reaction is to rush out and try and shine the light on XML vulnerabilities in closed-source code?! How about you first wait to find out the severity of the exploits in the open-source software, and equally importantly, how long they have been in the source first, before you try and divert the conversation? Further, the exploits weren't found by the project authors, but by a security vendor who applied protocol fuzzing tools. Fuzzing tools operate on the binaries, and thus, the source code is irrelevant, you can run these tools on any software irrespective of the source-code ideology behind it. Where the open-source aspect may come into play is largely in patch response times, but the argument that they may have been found quicker in closed-source software is in this case unsubstantiated, and especially tenuous considering the mechanism that found them is equally applicable.
  Of course, they might turn out to be entirely mundane, as the specifics of the vulnerabilities have not been disclosed, and security vendors tend to exaggerate the severity of any given vulnerability they find. But still, have you considered fixing your own house before immediately running out to abuse entirely unrelated software? It might not be long before someone is wondering about various vulnerabilities in open-source software. Some restraint is useful considering the complete lack of solid information.
25. Re:Open source by Ralish · 2009-08-05 06:23 · Score: 1
  
  Only just noticed you were replying to a (hidden) troll, which changes the tone of my reply a little, but the point about applicability of fuzzing tools is in my view still entirely valid. Sorry about my remark that you rushed out to change the conversation.
26. Re:Open source by Desler · 2009-08-05 06:54 · Score: 1
  
  Yeah, because there are never bugs in open source software that don't linger for months or years without being fixed. Nope they are all fixed within sheer minutes of the bug report. Oh wait...
27. Re:Open source by AceofSpades19 · 2009-08-05 07:52 · Score: 1
  
  There are always going to be bugs that linger for awhile, but exploits are usually fixed pretty quickly in high-profile F/OSS projects and compared to Adobe or Microsoft, I think they do pretty decent without having tons of paid developers
28. Re:Open source by heffrey · 2009-08-05 07:59 · Score: 1
  
  Do you have any hard evidence of that or is it just faith?
  Don't get me wrong I'm a big fan of open source, free software in the RMS meaning of free. But I just don't really get along with faith. It's quite astonishing how much of the commentary on Slashdot is all about faith with no reference to evidence. I guess we're all human though, even us techie geeks!
29. Re:Open source by JuicyBrain · 2009-08-05 09:48 · Score: 1
  
  What am I to think now?
  That better is not perfect ? Who told you that open source software had absolutely no flaws ? The open source software paradigm does not prevent bugs. It only makes it more likely that those bugs will be caught sooner since so many eyes can peruse the code. If you're not satisfied, ask for a refund...
30. Re:Open source by Kidbro · 2009-08-05 10:51 · Score: 1
  
  What am I to think now?
  Well, you obviously haven't tried before, so why on earth start now?
  
  --
  May we live long and die out
31. Re:Open source by Anonymous Coward · 2009-08-05 11:45 · Score: 0
  
  You simply overreacted. He was talking about the inherent advantages of OSS. Being ten times better than their proprietary counterpart all the time is not one of them.
  And what kind of free software forces you to use it? You may use whatever you like.
32. Re:Open source by heffrey · 2009-08-05 20:48 · Score: 1
  
  It only makes it more likely that those bugs will be caught sooner since so many eyes can peruse the code
  Do you have any evidence for this or is it just your belief? I'm sure there are academic papers that look at this and of course there are sizeable historical repositories of vulnerabilities, e.g. US-CERT. It's actually possible to test your hypothesis.
  What you find when you do this is that some closed source projects have good track records and some have bad track records. Likewise some open source projects have good track records and some have bad track records. You will find, for example, that there's a huge difference in standard between Microsoft (now actually quite good) and Apple and Adobe (very poor at security).
  The only conclusion I can draw from this is that being open source doesn't result in your code being better than closed source code. Likewise vice versa. My belief is that it is the processes and people involved that make the difference.
  Does anyone want to argue against this?
33. Re:Open source by ChienAndalu · 2009-08-05 20:58 · Score: 1
  
  I agree that if these vulnerabilities have been found with fuzzing tools, they would have been detected just as easy in closed source software. But they could have crafted the input data a little according to the structure of the parser code.
  But yes, you are right, I was basically backtrolling a troll and it shouldn't be modded up..
34. Re:Open source by JuicyBrain · 2009-08-06 01:49 · Score: 1
  
  I totally agree with you, hence the word "likely". Of course it's the people that makes the difference, the code won't debug itself on its own. What I meant is that MORE people CAN peruse the code than in a closed source environment. Because an infinite number of people can look at the code doesn't mean that it will.
  
  Do you have any evidence for this or is it just your belief?
  Of course I don't have evidence, and I suspect you knew the answer to your question before you asked it. Would you yourself spend an hour or two of your life doing research for the sake of a two line comment and furthermore for something that is as clear as 2 + 2 = 4 ? Who needs evidence anyway ! :-P
35. Re:Open source by thePowerOfGrayskull · 2009-08-06 04:12 · Score: 1
  
  What am I to think now?
  Start by thinking how nice it would be to wire me some money. Then think about how you don't really need the money. Finally, follow the necessary thought processes that result in action upon these two items.
36. Re:Open source by heffrey · 2009-08-06 07:14 · Score: 1
  
  Well, it may be as clear as 2 + 2 = 4 to you but perhaps I'm not as clever as you. In any case I'm somewhat old fashioned and like to have evidence.
  The particular article I was thinking of is: "Is Linux Better than Windows Software?", Adenekan (Nick) Dedeke, IEEE Software, Vol 26 issue 3.
  The author says:
  
  To investigate vulnerability, I analyzed data from the US National Vulnerability Database (http://nvd.nist.gov/nvd.cfm), which is hosted by the National Cyber Security division of the US Computer Emergency Readiness Team (US-CERT). The database integrates all publicly available US government vulnerability databases. It lists each vulnerability type once. For example, if CERT is notified 300 times of a potentially damaging type of computer vulnerability, it lists that vulnerability only once in the database.
  I aggregated the known vulnerability types for RedHat Linux and Windows systems reported during 1997-2005. The study included 1,048 vulnerability types for Red-Hat Linux and 552 for Windows 2000 and Windows 2003. The types fall into three categories: high, moderate, and low severity. I based each type's scoring on the Common Vulnerability Scoring System (CVSS),10 a global standard. Between 2002 and 2005, the total number of vulnerabilities for Linux rose dramatically from 67 to 333, while that of Windows rose from 69 to 86. I also found that for high severity, Linux experienced a rise from 31 to 126 while Windows experienced a rise from 38 to 53. I found similar results for low and medium severity.
  The author then goes on to conclude:
  
  Therefore, unless someone can show that Windows systems' vulnerabilities are underreported, my study doesn't support the assertion that open source software, represented by Linux, is less vulnerable than Windows systems. It also casts doubt on the global assertion that Linux's quality is better than that of Windows. Could these results hold true for other categories of open source and closedsource software?
  I also recall an article that Diomidis Spinellis (an academic and a keen free software advocate) published I can't remember where. He used automatic code analysis tools to compare the source code for a range of operating systems (Windows research kernel, Linux, some BSDs) and found that no significant difference in quality.
  So, yes it's clearly true that more people CAN look at the code for open source software. But how does that translate into quality is much more interesting. Just because they can doesn't mean that they will.
  I think the "many eyes make all bugs shallow" idea (Linus's rule) has some merit but it's not the only factor. For security the fact that there are such disparate bodies responsible for delivering Linux makes it very hard to get a good security process. Consider the fiasco surrounding the now infamous Debian OpenSSH bug where the bug was introduced by downstream packagers who didn't understand the implications of what they were doing. Where was the security audit? Well there wasn't one.
  Traditional closed source companies appear to be able to have much more control and oversight of cross-cutting issues like security. Doesn't mean they will exercise it (see Microsoft in the time before XP SP2 and SDL). But it's certainly possible for them to do security well (see Microsoft today). Then there's a company like Apple which to my mind is like MS was 10 years ago. Security is just not on their radar - it's an irritation to them.
  I think the open source bazaar approach has been wonderfully successful and has proven to scale fantastically. It's next big challenge though is in the realm of security. As Linux gains ground (which it seems likely to at least in server space) it will increasingly come under heavy attack. Can the bazaar adapt to handle this? I'm positive that it will but it remains to see how it will.
i just built firefox-3.5.2 from the sause by FudRucker · 2009-08-05 04:41 · Score: 1

and anyone that builds their own firefox knows that python is required to build (not to run - just build), i have python-2.6.2 installed, so this means after python patches this flaw i got to re-roll every app that depends on python either just to build or at runtime too? yowza! that does not bode well, looks like i got my work cut out for me...

--
Politics is Treachery, Religion is Brainwashing
1. Re:i just built firefox-3.5.2 from the sause by maxume · 2009-08-05 04:45 · Score: 1
  
  If you are nuts. You would probably be better off spending 20 minutes to first figure out if there are any situations where you are feeding untrusted xml input into python, rather than completely spazzing out.
  
  --
  Nerd rage is the funniest rage.
2. Re:i just built firefox-3.5.2 from the sause by Anonymous Coward · 2009-08-05 04:54 · Score: 0
  
  Firefox would need recompiling (after being fixed) not because of Python used in the build system, but because it would have its own included XML code that would be vulnerable to the flaws.
  This really only applies to applications that statically link libxml... if the updated libraries are binary compatible and an application is dynamically linked to libxml, it would just require a restart of the application. There would be a lot of apps with libxml built right in though.
3. Re:i just built firefox-3.5.2 from the sause by bberens · 2009-08-05 05:06 · Score: 1
  
  Yeah, and I can't imagine that the major distros won't be putting up patched binaries of any applications which need it. So unless you literally roll your own of everything a simple update should suffice.
  
  --
  Check out my lame java blog at www.javachopshop.com
4. Re:i just built firefox-3.5.2 from the sause by Mr.+DOS · 2009-08-05 05:53 · Score: 1
  
  So... Gentoo users are screwed?
  --- Mr. DOS
5. Re:i just built firefox-3.5.2 from the sause by element-o.p. · 2009-08-05 05:59 · Score: 0, Redundant
  
  So unless you literally roll your own of everything a simple update should suffice.
  I'm a Gentoo user, you insensitive clod!
  
  --
  MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
6. Re:i just built firefox-3.5.2 from the sause by Desler · 2009-08-05 06:55 · Score: 1
  
  You should be dynamically linking anyway so you only have to recompile the libs not the entire program.
7. Re:i just built firefox-3.5.2 from the sause by element-o.p. · 2009-08-05 11:29 · Score: 1
  
  That's true. And for binaries, well, if it's a binary, it's a binary from the developer (i.e. firefox-bin or openoffice-bin), so I still don't have to compile the program.
  
  --
  MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
8. Re:i just built firefox-3.5.2 from the sause by iYk6 · 2009-08-05 14:00 · Score: 1
  
  so this means after python patches this flaw i got to re-roll every app that depends on python either just to build or at runtime too?
  No. It sounds like Firefox uses python build scripts. There is no risk from using an exploitable Python with "trusted" input, such as the Firefox build scripts. Additionally, this flaw will not "carry-over" from the build scripts to the Firefox code. As long as your Firefox got built, it didn't really matter which version of Python you used.
  The only way that this flaw could possibly have any bearing on the Firefox build scripts if Mozilla tried to exploit your computer using this flaw in their build scripts, and that wouldn't make any sense.
Article?? by funkatron · 2009-08-05 04:44 · Score: 4, Insightful

There doesn't seem to be much of an article behind this summary. Just some fluff about malicious input and the fact that XML is widely used. Would be interesting to see examples of the malicious XML and an explanation of how the vulnerabilities work.

--
"Welcome to our world. We are the wasted youth. And we are the future too." Yes, I know these are stupid lyrics.
1. Re:Article?? by jpmorgan · 2009-08-05 04:48 · Score: 1
  
  Most responsible security researchers give developers an opportunity to fix and deploy patches to security flaws, before disclosing that kind of information.
2. Re:Article?? by Anonymous Coward · 2009-08-05 04:57 · Score: 2, Informative
  
  I think they infact did it in very responsible way. If you read the CERT advisory and everything, it seems they have worked good part of the year with the industry and CERTs to make sure these problems are actually fixed before letting ppl know!
3. Re:Article?? by RichiP · 2009-08-05 05:14 · Score: 1
  
  I was thinking the same thing. The article was just too light on details. Even if I wanted to test my systems and even fix them, I wouldn't know where to begin. The article also doesn't mention if the people at Sun, Apache, Gnome, etc. were informed of the specifics of the vulnerability.
  Since XML is handled by these projects using libraries (libxml2 in Gnome and Xerces, Xerces2 and Xalan for Apache), wouldn't fixing these libraries effectively fix the "millions of these applications"?
4. Re:Article?? by Odin's+Raven · 2009-08-05 07:18 · Score: 2, Funny
  
  Would be interesting to see examples of the malicious XML and an explanation of how the vulnerabilities work.
  
  I've included a simple demonstration below - if your browser doesn't contain the flaw then you'll just see the literal XML exploit code (all 200+ lines of it), but if it's vulnerable then you'll only see the initial trigger element on either side of Cmdr Taco's favorite topic.
  <\0pwned>OMGPonies!!11one!<\0pwn3d/>
  
  --
  A marriage is always made up of two people who are prepared to swear that only the other one snores.
5. Re:Article?? by Anonymous Coward · 2009-08-05 08:06 · Score: 0
  
  Really? Which cert advisory is that? I've been looking and I can't find one. These guys seem to be trying for publicity. Vague claims about vulnerabilities, no details, no specifics -- and no CERT advisory.
6. Re:Article?? by Anonymous Coward · 2009-08-05 09:43 · Score: 0
  
  Since XML is handled by these projects using libraries (libxml2 in Gnome and Xerces, Xerces2 and Xalan for Apache), wouldn't fixing these libraries effectively fix the "millions of these applications"?
  Yes. Unless you have statically linked them.
  More details are now available:
  http://www.codenomicon.com/labs/xml/
  Also the CERT advisory is finally out:
  https://www.cert.fi/en/reports/2009/vulnerability2009085.html
7. Re:Article?? by dkf · 2009-08-05 22:05 · Score: 1
  
  More details are now available:
  http://www.codenomicon.com/labs/xml/
  Also the CERT advisory is finally out:
  https://www.cert.fi/en/reports/2009/vulnerability2009085.html
  You call that more details?! The first link tells me nothing much other than "OMG! XML is used in lots of places!" and the second is unclear about which libraries actually have the problem (e.g., is expat itself vulnerable or just the version that Python uses?) This is important because it determines who else has to worry about these things. If there are fundamental problems, it's important that they get fixed right back at the root and then the fixes pushed out. Otherwise you just have duplication of effort, warring developers, and people who are vulnerable and don't know it.
  
  --
  "Little does he know, but there is no 'I' in 'Idiot'!"
8. Re:Article?? by Anonymous Coward · 2009-08-07 04:07 · Score: 0
  
  The CERT-FI advisory is here: http://cert.fi/en/reports/2009/vulnerability2009085.html
9. Re:Article?? by Anonymous Coward · 2009-08-07 08:42 · Score: 0
  
  More details are now available:
  http://www.codenomicon.com/labs/xml/
  Also the CERT advisory is finally out:
  https://www.cert.fi/en/reports/2009/vulnerability2009085.html
  You call that more details?!
  I assume you want the dirty details, i.e. full disclosure?
  Come on, this is open source. Read the code. You are not going to get any more help than that from the good guys. There will soon be a wide range of exploits and demos that you can use, though. I am not sure anyone but you actually wants that. ;)
  Check out how many Linux distributions have issued an advisory on this problem. Look at the number of vulnerable software projects. Pick your side guy! Are you working for your own interest and trying to find a way to make your own profit from this flaw or trying to motivate all those open source software projects (that do not have a clue on security) into updating... finally!
  If your comment is not a troll, then nothing here is. There is no other comment here that is more counter-productive, with my quick read of the things discussed here. I am not sure who do you want to help with comments like that.
Why is Python excluded from Title? by neonprimetime · 2009-08-05 04:50 · Score: 4, Insightful

Title = XML Library Flaw -- Sun, Apache, GNOME Affected
1st Line of Summary = Sun, the Apache Software Foundation, the Python Software Foundation and the GNOME Project
1. Re:Why is Python excluded from Title? by recoiledsnake · 2009-08-05 04:59 · Score: 5, Funny
  
  Because pythons are long and big and will not fit the title.
  
  --
  This space for rent.
2. Re:Why is Python excluded from Title? by kill-1 · 2009-08-05 05:17 · Score: 2, Interesting
  
  Also, the linked article and the news on the Codenomicon website don't mention GNOME.
3. Re:Why is Python excluded from Title? by jDeepbeep · 2009-08-05 05:56 · Score: 2, Insightful
  
  Because pythons are long and big and will not fit the title.
  You should get the extra mod point on top of the current 4, just for the fact that your /. name has the word 'snake' in it.
  
  --
  Reply to That ||
4. Re:Why is Python excluded from Title? by JuicyBrain · 2009-08-05 11:25 · Score: 1
  
  That just shows you how sneaky a python can be !
Crying Wolf by Anonymous Coward · 2009-08-05 04:58 · Score: 0

Most security researchers file a CVE number for vulnerabilities, and then go about fixing them.

This article doesn't have one, nor a mention of the bugs filed against the projects, nor any other pointers to the vulnerabilities or details about it besides "it's there".

In any other field, this would be crying wolf. Security researchers shouldn't have it any better.
1. Re:Crying Wolf by Anonymous Coward · 2009-08-07 08:16 · Score: 0
  
  Most security researchers file a CVE number for vulnerabilities, and then go about fixing them.
  Maybe you are missing the point here?
  This is about some guys who love open source, and just happen to work in a company who lets them use extremely expensive tools and techniques to fix open source projects. They do not do this as a "security researcher" (which basically means a self promoting brick), but to actually try to fix real problems in projects everyone loves and wants to keep using in the future also. Then there are (very few) CERT organizations who actually take over the vulnerability handling process and do it professionally, without exposing anyone to the exploitation of the flaws. All credits to CERT-FI in how they handle this and other similar disclosures.
  If you are looking for ways to abuse the problems, you are not going to get it easy from Codenomicon or CERT-FI. Most people will eventually see this flaw as a recommended update from their own preferred operating system vendor, and update because they want to avoid security exposure. I cannot think of any better way of handling an issue of this significance than the way this issue is being handled.
  CVE is built for security vendors that do not even want the flaws fixed but want to sel you crappy stuff that claims to protect you.
Solution by vainvanevein · 2009-08-05 05:00 · Score: 2, Insightful

The solution is clear to me. I would stop using XML.
DoS? by mapinguari · 2009-08-05 05:01 · Score: 1

could result in successful denial-of-service attacks
Ah yes, but could it result in successful denial-of-cellphone-service?
Re:Why is Gnome included in the Title? by karavelov · 2009-08-05 05:21 · Score: -1

Gnome parser is not even mentioned in the article but appears in the /. title...
Example by ebcdic · 2009-08-05 05:22 · Score: 1

Google for "billion laughs".
1. Re:Example by Anonymous Coward · 2009-08-05 08:18 · Score: 0
  
  why? That is an old issue and this is supposedly a new one. As an example of a bug? Sure, but that isn't what the GP was asking for. The "security researchers" appear to be guilty of FUD for the sake of publicity.
Which XML libraries? by wowbagger · 2009-08-05 05:35 · Score: 3, Insightful

Which libraries? libxml2, expat, or some other library?
The last I'd checked, Python could use several XML libraries, and Sun distributed several libraries.
It would be nice if TFA had told us which libraries, or had a link to the actual report listing them.

--
www.eFax.com are spammers
1. Re:Which XML libraries? by inio · 2009-08-05 06:37 · Score: 1
  
  Considering GNOME is affected, it's probably libxml2.
2. Re:Which XML libraries? by Anonymous Coward · 2009-08-05 19:40 · Score: 0
  
  From CERT-FI report:
  
  Vendor Information:
  * Python libexpat
  * Apache Xerces, all versions
  * Sun JDK and JRE 6 Update 14 and earlier
  * Sun JDK and JRE 5.0 Update 19 and earlier
Array bound checking? by Twillerror · 2009-08-05 05:47 · Score: 1

Is this another Array bound check not being performed? Another I'm copying huge chunks of weird characters into memory and overwriting crap?
With all the extra horspower can we not get a something added to C++ to make this happen?
DOSs seems harder to fight against. Is it bad code that loops for ever or is just not optmized. I bet most libraries could be found to have some of that.
1. Re:Array bound checking? by owlstead · 2009-08-05 06:58 · Score: 1
  
  Java (well, at least "Sun" code) and Python are in there, and since at least Java's XML libraries are fully native to the VM which *does* perform bounds checking, this is clearly something else. It's probably more in the semantics than in the syntax; e.g. treating URI's as URL's and following them without checking if they are from the same host.
2. Re:Array bound checking? by HiThere · 2009-08-05 07:17 · Score: 1
  
  Optimization isn't what you want here. It has a tendency to remove expensive checks, like checks that an array boundary isn't being overwritten.
  There are a couple of reasonable ways to handle this, but optimization isn't one of them. (My favorite would be to re-write everything in D. I'd've mentioned Ada also, but gnat, by default, doesn't implement the array bounds checking that Ada includes. [It's there, but you've got to select a special compiler option to get it, because that check is expensive at run-time.] I could also have selected Java as an option, as I believe it defaults to including bounds checking, but an OS written in an interpreted language sort of bothers me...and gcj appears to have stalled [as of the last time I looked, about a year ago].)
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
informative 6naaG8aa by Anonymous Coward · 2009-08-05 05:48 · Score: -1, Offtopic

BSD sux0rs. What show that *BSD has Obssesives and the
bitEch by Anonymous Coward · 2009-08-05 06:14 · Score: -1, Offtopic

cXlearly become The project to or mislead the mutated testicle of are incompatible other members in than make a sincere she had no fear EFNet servers. The mundane chores ink splashes across I type this. as possible? How schemes. Frankly troubles of Walnut Been looking for! of the warring One or the other They are Come deeper into the what provides the all along. *BSD FIRST, YOU HAVE TO ransom for their provide sodas, arrogance was worthwhile. So I Baby take my Support GNAA, to keep up as Creek, abysmal On baby...don't a way to spend population as well AMERICA) might be of OpenBSD versus
XML... by menkhaura · 2009-08-05 06:34 · Score: 1, Interesting

See signature.
random gibberish to make lameness filter happy.

--
Stupidity is an equal opportunity striker.
Fellow slashdotter Bill Dog
1. Re:XML... by owlstead · 2009-08-05 07:34 · Score: 2, Interesting
  
  I would if the slashdot UI would have a link or button on the page to view the signature of individual messages.
2. Re:XML... by Anonymous Coward · 2009-08-05 10:31 · Score: 0
  
  I think you accidentally the whole message.
  --
  GP's sig: "XML is like violence: if it doesn't solve your problem, use more.
  AC"
CSV by DragonWriter · 2009-08-05 06:49 · Score: 1

What happens when your data contains \r or \n characters?

\r or \n aren't problems with proper CSV; \r\n combinations define record breaks, and can be included in data fields by enclosing them in double quotes.

What happens if the data has commas in it, and the .csv was generated by something that doesn't add quotes?
Then you should use something that generates proper CSV (which means it either uses quotes properly or doesn't allow anything that needs quoting in data fields.)

What do you do if your data is more complicated than a simple table?
You use more than one CSV file in some appropriate wrapper.
Re:Unit Tests by trwww · 2009-08-05 06:55 · Score: 2, Insightful

Exactly. Unit tests do not prove the absence of bugs. They prove the existence of bugs.
Handling URI's by owlstead · 2009-08-05 07:03 · Score: 1

If this "security hole" just means that everybody is forgetting to disable the default way these parsers handle URI's for Schema's and DDT's then this is just a big scam. It's a known issue, although I would not be surprised if it isn't well known to many developers. In the worst case it is some kind of way of letting the XML parser perform a random URL request without the developer having the power to stop this from happening.
I must admit that the default behaviour as well as the API documentation leaves a lot to be desired. Even when security is directly involved, say with XML digital signatures, the API does not even mention how to do this in a secure fashion. I've written an application that verifies XML digital signatures in Java and there is at least 10 things you need to do to be slightly secure against forgeries and DoS attacks. At that time none of these were mentioned in the API, they were probably considered public knowledge by the API designers.
Very "funny" if you try verify a message using an URI within the message itself. Even worse with XML digital signatures, the signature could be over a completely different message than the one you are trying to verify if you are not careful.
Re:Array bound checking? P.S, by HiThere · 2009-08-05 07:33 · Score: 1

You may have noticed that two of the three languages that I mentioned are garbage collected (D and Java). This isn't entirely coincidence. Languages that implement garbage collection in their design, and reduce or eliminate the direct use of pointers seem to eliminate an entire raft of security problems. That they tend to have dynamic arrays and arrays that implement bounds checking is merely one bonus.
C++ was at one time going to implement part of this in the new standard...which has now both had features cut, and been pushed further into the future, but those were cut years ago. Add-on libraries like Boost don't solve the problem. It needs to be designed into the language so that one can count on it being in use. For that reason the STL vectors don't count as a solution to this class of problem. For that matter, I note that C (and presumably C++) now allows one to *specify* that an array as an unspecified size. (I forget the syntax, but it's merely the legitimization of an old and very insecure trick used by C programmers to allow them to implement at run-time variable sized arrays. It was always quite dangerous, and making it legitimate doesn't remove the danger.)
I'll agree that one can write dangerous code in ANY language. One doesn't need to choose a language that goes out of it's way to make it the easiest choice. (That's slightly unfair. When C was designed the effort was to get something efficient enough to replace assembler. C did that, and it was, indeed, safer than assembler. And C++ merely copied it's approach from C. Indeed, for a long time it was merely a superset of C. But that was then and this is now.)

--

I think we've pushed this "anyone can grow up to be president" thing too far.
Someone just rediscovered XML Entity Attacks by Rich · 2009-08-05 08:25 · Score: 3, Interesting

It's difficult to say from the information provided, but it sounds like someone just rediscovered XML entity attacks (as I did a few years ago). Assuming it is the same thing, here are some references from 2002 and 2006 with more details:
http://www.securiteam.com/securitynews/6D0100A5PU.html
http://www.sift.com.au/assets/downloads/SIFT-XML-Port-Scanning-v1-00.pdf
I've used these attacks in real-world tests and they are still surprisingly effective - just not new.
1. Re:Someone just rediscovered XML Entity Attacks by Anonymous Coward · 2009-08-05 09:52 · Score: 0
  
  ...it sounds like someone just rediscovered XML entity attacks
  No, nothing to do with this. These are parser flaws that result in crash, hang, buffer overflow; you name it, fuzzers find it. A fuzzer like Codenomicon Defensics would (probably) not find entity attacks... well actually it might but detecting it being triggered might require a bit of work.
Re:Why is Gnome included in the Title? by Anonymous Coward · 2009-08-05 09:12 · Score: 0

OK, normally I love to jump on the idiot Slashdot editors, but in this case I really have to defend them. I mean, come on, the Python key and the Gnome key are right next to each other.
Advisories released by Anonymous Coward · 2009-08-05 09:41 · Score: 2, Informative

CERT-FI advisory: https://www.cert.fi/en/reports/2009/vulnerability2009085.html
Sun advisory: http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1
CERT-FI advisory had a link to Codenomicon web page with some more details: http://www.codenomicon.com/labs/xml/
Lucky for me by Anonymous Coward · 2009-08-05 11:48 · Score: 0

I use MS Windows and the .Net framework... I'm safe ;)
1. Re:Lucky for me by Anonymous Coward · 2009-08-07 10:15 · Score: 0
  
  I use MS Windows and the .Net framework... I'm safe ;)
  So it seems, lucky you. I do not know what are you doing here, though. ;)
  But note that:
  "We cannot discuss the security of commercial XML products or library versions within the CROSS project, as the project is intended to benefit the open source community only." (from: (Codenomicon XML Page on the topic)
  No freebies for commercial stuff. These guys are doing a favor for the open source, and need to earn their bread and butter. Lucky us at /. ;)
Source of the changed lines from Java 1.6_15 by Anonymous Coward · 2009-08-06 00:30 · Score: 0

src\com\sun\org\apache\xerces\internal\impl\XMLScanner.java
in scanExternalID(...)
} else if (c != -1 && isInvalidLiteral(c)) {
reportFatalError("InvalidCharInSystemID",
new Object[] {Integer.toString(c, 16)});
Without the else condition the containing do..while loop never exits