[arch-security] [ASA-201606-13] expat: multiple issues
anthraxx at archlinux.org
Sun Jun 12 23:50:29 UTC 2016
Arch Linux Security Advisory ASA-201606-13
Date : 2016-06-13
CVE-ID : CVE-2012-6702 CVE-2016-5300
Package : expat
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package expat before version 2.1.1-3 is vulnerable to multiple
issues including predictable random numbers and insufficient hash
entropy leading to denial of service.
Upgrade to 2.1.1-3.
# pacman -Syu "expat>=2.1.1-3"
The problems have been fixed upstream but no release is available yet.
- CVE-2012-6702 (predictable random numbers)
It was found that when calling XML_Parse ahead of rand(), it causes the
pseudo random generator to generate non-random predictable numbers.
- CVE-2016-5300 (denial of service)
It was found that original fix for CVE-2012-0876 used too little
entropy for the hash initialization. This issue can be used to perform
a hash collision based denial of service attack.
A remote attacker is able to predict random numbers from the PRNG or
perform a hash based collision attack resulting in denial of service.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: OpenPGP digital signature
More information about the arch-security