From ${URL} :

So here are the CVEs for the two big ones, libxml2 and expat. Both are affected by the expansion of internal entities (which can be used to consume resources) and external entities (which can cause a denial of service against other services, be used to port scan, etc.). To be clear:

====================
Internal entity expansion refers to the exponential/quadratic/fast linear expansion of XML entities, e.g.:
====================

<!DOCTYPE xmlbomb [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<bomb>&d;</bomb>

or

<!DOCTYPE bomb [
<!ENTITY a "xxxxxxx... a couple of ten thousand chars">
]>
<bomb>&a;&a;&a;... repeat</bomb>

Which causes resources to be consumed.

====================
External entity expansion refers to the loading of external resources such as XML entities from another server or a local file:
====================

<!DOCTYPE external [
<!ENTITY ee SYSTEM "http://www.example.org/some.xml">
]>
<root>&ee;</root>

<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
]>
<root>&ee;</root>

Which can cause resources to be consumed or can result in port scanning / application scanning information being sent to the attacker.

So the CVEs to use:

Please use CVE-2013-0338 for libxml2 internal entity expansion
Please use CVE-2013-0339 for libxml2 external entities expansion
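Added example, not from the thread or from the libxml2/expat projects: a parser built on Python's standard-library expat binding that applies the two mitigations the patterns above call for, refusing to fetch external entities and aborting once expanded character data exceeds a budget. The sample documents are constructed from the two patterns quoted above (the file path is the post's own placeholder), and the budget size is an assumed tuning value.

```python
import xml.parsers.expat

class ExpansionBudgetExceeded(ValueError):
    """Expanded character data exceeded the configured budget."""

# Constructed samples: the thread's two patterns in miniature (file path is the post's placeholder).
BOMB_DOC = """<!DOCTYPE xmlbomb [
<!ENTITY a "1234567890">
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<bomb>&d;</bomb>"""  # &d; expands to 8*8*8*10 = 5120 characters
XXE_DOC = """<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
]>
<root>&ee;</root>"""
SAFE_DOC = "<root><item>hello</item></root>"

def parse_with_budget(data, max_chars=4096):
    """Parse with expat, never fetching external entities and aborting once the
    expanded character data exceeds max_chars.  Returns the document's text."""
    parser = xml.parsers.expat.ParserCreate()
    chunks, seen = [], 0

    def on_chars(s):
        nonlocal seen
        seen += len(s)  # counts post-expansion output, so internal entity bombs trip it
        if seen > max_chars:
            raise ExpansionBudgetExceeded(f"{seen} > {max_chars} characters")
        chunks.append(s)

    def on_external_ref(context, base, system_id, public_id):
        return 0  # returning 0 makes expat abort; the URL or file is never opened

    parser.CharacterDataHandler = on_chars
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)
    return "".join(chunks)

def check_document(data, max_chars=4096):
    """Return ("accepted", text) or ("rejected", reason) for logging or alerting."""
    try:
        return ("accepted", parse_with_budget(data, max_chars))
    except ExpansionBudgetExceeded as exc:
        return ("rejected", f"expansion budget: {exc}")
    except xml.parsers.expat.ExpatError as exc:
        return ("rejected", f"parse error: {exc}")
```

The budget counts expanded output rather than input size, which is what defeats both the exponential bomb and the long-replacement-text variant described in CVE-2013-0338.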
Isn't this a duplicate of bug #458430?
CVE-2013-0338 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0338): libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity.
Both fixed [1] in libxml2-2.9.1. [1] https://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab
>=libxml2-2.9.1 is being stabilized at bug #476438
Added to existing GLSA draft
This issue was resolved and addressed in GLSA 201311-06 at http://security.gentoo.org/glsa/glsa-201311-06.xml by GLSA coordinator Sean Amoss (ackle).