[arch-security] [Arch Linux Security Advisory ASA-201410-12] libxml2: Denial of service
Arch Linux Security Advisory ASA-201410-12
==========================================

Severity: Medium
Date    : 2014-10-24
CVE-ID  : CVE-2014-0191, CVE-2014-3660
Package : libxml2
Type    : Denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package libxml2 before version 2.9.2-1 is vulnerable to denial of
service, even if entity substitution is disabled.

Resolution
==========

Upgrade to 2.9.2-1.

# pacman -Syu "libxml2>=2.9.2-1"

The problems have been fixed upstream [0][1] in version 2.9.2.

Workaround
==========

None.

Description
===========

Daniel Berrange discovered that libxml2 incorrectly performs entity
substitution in the doctype prolog, even if the application using libxml2
disabled any entity substitution. A remote attacker could provide a
specially crafted XML file that, when processed, leads to the exhaustion
of CPU and memory resources or file descriptors.

Impact
======

A remote attacker is able to exploit this vulnerability using a specially
crafted XML document containing malicious attributes to consume all
available CPU and memory resources or file descriptors.

References
==========

[0] https://git.gnome.org/browse/libxml2/commit/?id=9cd1c
[1] https://git.gnome.org/browse/libxml2/commit/?id=be2a7
https://access.redhat.com/security/cve/CVE-2014-0191
https://access.redhat.com/security/cve/CVE-2014-3660
https://bugs.archlinux.org/task/40790
http://www.openwall.com/lists/oss-security/2014/05/06/4
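The Description above is the reason a parser-side switch was not a reliable defence on affected versions: entity substitution in the doctype prolog happened whether or not the application had disabled it. A defence-in-depth measure that does not depend on the parser's flags is to screen the internal DTD subset before the document reaches libxml2 at all. The following Python is an added example, not part of the advisory or of libxml2: it extracts the internal subset, refuses external (SYSTEM/PUBLIC) entity declarations, detects recursive entity definitions, and estimates the fully expanded size of every entity reference against a budget. All function names, the size limit and the sample documents (including the classic nested-entity document built by `build_billion_laughs`) are constructed for this example.

```python
"""Pre-parse screening of XML input for entity-expansion resource exhaustion.

Added example, not code from the advisory or from libxml2. It reads only
the internal DTD subset and never expands anything in memory: expansion
sizes are computed arithmetically, so a document whose entities would
expand to gigabytes costs a few microseconds to reject.
"""
import re
from typing import Dict, Set, Tuple

# One entity declaration inside an internal DTD subset.
# group 1: '%' for parameter entities, group 2: name,
# group 3/4: double-/single-quoted replacement text,
# group 5: SYSTEM or PUBLIC (an external entity; we never fetch it).
_ENTITY_DECL = re.compile(
    r'<!ENTITY\s+(%\s+)?(\S+)\s+(?:"([^"]*)"|\'([^\']*)\'|(SYSTEM|PUBLIC)\b[^>]*)\s*>',
    re.DOTALL,
)
# Entity references; '%' refs are only legal in the DTD, counting them in
# the body too is a deliberate over-approximation.
_ENTITY_REF = re.compile(r'[&%]([A-Za-z_][\w.-]*);')
# The DOCTYPE declaration with an optional [ ... ] internal subset.
_DOCTYPE = re.compile(r'<!DOCTYPE\b[^\[>]*(?:\[(.*?)\])?\s*>', re.DOTALL)


def extract_internal_subset(xml_text: str) -> str:
    """Return the text between [ and ] of the DOCTYPE, or '' if there is none."""
    m = _DOCTYPE.search(xml_text)
    if not m or m.group(1) is None:
        return ''
    return m.group(1)


def declared_entities(subset: str) -> Tuple[Dict[str, str], bool]:
    """Map entity name -> replacement text; also report any external entity."""
    entities: Dict[str, str] = {}
    has_external = False
    for m in _ENTITY_DECL.finditer(subset):
        if m.group(5):
            has_external = True      # SYSTEM/PUBLIC: would trigger a fetch
            continue
        text = m.group(3) if m.group(3) is not None else m.group(4)
        entities[m.group(2)] = text
    return entities, has_external


def expanded_size(name: str, entities: Dict[str, str],
                  memo: Dict[str, float], stack: Set[str]) -> float:
    """Length of `name` after full recursive expansion; cycles yield infinity."""
    if name in memo:
        return memo[name]
    if name in stack:
        return float('inf')          # recursive definition: unbounded
    text = entities.get(name)
    if text is None:
        return 0                     # not declared here (e.g. &amp;): nothing to expand
    stack.add(name)
    total: float = 0
    pos = 0
    for ref in _ENTITY_REF.finditer(text):
        total += ref.start() - pos   # literal characters before the reference
        total += expanded_size(ref.group(1), entities, memo, stack)
        pos = ref.end()
    total += len(text) - pos         # trailing literal characters
    stack.discard(name)
    memo[name] = total
    return total


def assess_document(xml_text: str, max_expansion: int = 1_000_000) -> dict:
    """Decide whether a document is safe to hand to the real parser."""
    subset = extract_internal_subset(xml_text)
    entities, has_external = declared_entities(subset)
    if has_external:
        return {"allow": False, "reason": "external entity declared", "expansion": 0}
    memo: Dict[str, float] = {}
    stack: Set[str] = set()
    # Worst case for the body: every reference in it is expanded once.
    body = xml_text.replace(subset, '', 1) if subset else xml_text
    total: float = 0
    for ref in _ENTITY_REF.finditer(body):
        total += expanded_size(ref.group(1), entities, memo, stack)
    # A declared entity may be huge even if the body never references it;
    # the parser still has to process its definition, so count that too.
    for name in entities:
        total = max(total, expanded_size(name, entities, memo, stack))
    if total == float('inf'):
        return {"allow": False, "reason": "recursive entity definition", "expansion": total}
    if total > max_expansion:
        return {"allow": False, "reason": "entity expansion exceeds limit", "expansion": total}
    return {"allow": True, "reason": "ok", "expansion": total}


def build_billion_laughs(depth: int = 9, fanout: int = 10) -> str:
    """Constructed sample: nested entities, each referencing the previous one `fanout` times."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = 'lol' if i == 1 else f'lol{i - 1}'
        refs = f'&{prev};' * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + '\n'.join(decls)
            + f'\n]>\n<lolz>&lol{depth};</lolz>')


# Constructed sample documents for the demonstration.
BENIGN_DOC = ('<?xml version="1.0"?>\n'
              '<!DOCTYPE note [<!ENTITY company "Example Corp">]>\n'
              '<note>&company;</note>')
RECURSIVE_DOC = '<!DOCTYPE x [<!ENTITY a "&b;"><!ENTITY b "&a;">]><x>&a;</x>'
EXTERNAL_DOC = ('<!DOCTYPE x [<!ENTITY ext SYSTEM "http://dtd.example.invalid/x.ent">]>'
                '<x>&ext;</x>')

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_DOC), ("nested", build_billion_laughs()),
                       ("recursive", RECURSIVE_DOC), ("external", EXTERNAL_DOC)]:
        print(label, assess_document(doc))
```

The check is intentionally conservative: it rejects any external entity outright rather than trying to decide whether the parser would fetch it, and it treats an undeclared reference as zero-cost only because the parser will reject it as undefined anyway. Run it on untrusted input before the real parse, and keep the package upgrade as the actual fix; the screen only limits exposure while affected versions remain deployed.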
participants (1)
-
Levente Polyak