372739 – <dev-lua/luaexpat-1.2.0: DOS (CVE-2011-2188)

Bug 372739 - <dev-lua/luaexpat-1.2.0: DOS (CVE-2011-2188)

Summary: <dev-lua/luaexpat-1.2.0: DOS (CVE-2011-2188)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial
Assignee:	Gentoo Security

URL:
Whiteboard:	~3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2011-06-24 00:40 UTC by GLSAMaker/CVETool Bot
Modified:	2011-07-03 16:01 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2011-06-24 00:40:56 UTC

CVE-2011-2188 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2188):
  LuaExpat before 1.2.0 does not properly detect recursion during entity
  expansion, which allows remote attackers to cause a denial of service
  (memory and CPU consumption) via a crafted XML document containing a large
  number of nested entity references, a similar issue to CVE-2003-1564.

Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev

2011-06-24 08:08:39 UTC

The ebuild for this is in the tree, we could just stabilize it.

Comment 2 Stefan Behte (RETIRED) gentoo-dev

2011-06-24 19:07:11 UTC

Stabilization is not needed, as there never was a stable version. Just punt the vulnerable version, then I can close this.

Comment 3 Tim Sammut (RETIRED) gentoo-dev

2011-07-03 16:01:57 UTC

>	24 Jun 2011; Dirkjan Ochtman <djc@gentoo.org> -luaexpat-1.1.ebuild:
> 	Remove vulnerable old version. 

Thanks, Dirkjan. Closing noglsa.