[arch-security] [Arch Linux Security Advisory ASA-201410-12] libxml2: Denial of service
Levente Polyak
anthraxx at archlinux.org
Fri Oct 24 22:15:08 UTC 2014
Arch Linux Security Advisory ASA-201410-12
==========================================
Severity: Medium
Date : 2014-10-24
CVE-ID : CVE-2014-0191, CVE-2014-3660
Package : libxml2
Type : Denial of service
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE-2014
Summary
=======
The package libxml2 before version 2.9.2-1 is vulnerable to denial of
service, even if entity substitution is disabled.
Resolution
==========
Upgrade to 2.9.2-1.
# pacman -Syu "libxml2>=2.9.2-1"
The problems have been fixed upstream [0][1] in version 2.9.2.
Workaround
==========
None.
Description
===========
Daniel Berrange discovered that libxml2 incorrectly performs entity
substitution in the doctype prolog, even if the application using
libxml2 disabled any entity substitution. A remote attacker could
provide a specially crafted XML file that, when processed, leads to the
exhaustion of CPU and memory resources or file descriptors.
Impact
======
A remote attacker is able to exploit this vulnerability using a
specially crafted XML document containing malicious attributes to
consume all available CPU and memory resources or file descriptors.
References
==========
[0] https://git.gnome.org/browse/libxml2/commit/?id=9cd1c
[1] https://git.gnome.org/browse/libxml2/commit/?id=be2a7
https://access.redhat.com/security/cve/CVE-2014-0191
https://access.redhat.com/security/cve/CVE-2014-3660
https://bugs.archlinux.org/task/40790
http://www.openwall.com/lists/oss-security/2014/05/06/4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20141025/cdd1dd4c/attachment.bin>
More information about the arch-security
mailing list