Bug 66303 - dev-libs/xerces-c: possible DoS
Summary: dev-libs/xerces-c: possible DoS
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: B3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2004-10-04 05:35 UTC by Matthias Geerdsen (RETIRED)
Modified: 2011-10-30 22:41 UTC

See Also:
Package list:
Runtime testing required: ---


Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-04 05:35:43 UTC
http://secunia.com/advisories/12715/

Critical: Less critical
Impact: DoS
Where: From remote
Solution Status: Vendor Patch
Software: Xerces-C++ 2.x

Description:
Amit Klein has reported a vulnerability in Xerces-C++, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an input validation error in the XML parser. This can be exploited to consume a large amount of CPU resources by supplying a specially crafted XML document containing malicious attributes.

The vulnerability has been reported in version 2.5.0. Prior versions may also be affected.

Solution:
Update to version 2.6.0.
____________________________________________

http://www.securityfocus.com/archive/1/377344 :

***
*** Security Advisory
***

***
*** Xerces-C++ 2.5.0: Attribute blowup denial-of-service
***

*** Author: Amit Klein

*** Release Date: October 2nd, 2004

*** Description:
An attacker can craft a malicious XML document, which uses XML
attributes in a way that inflicts a denial of service condition
on the target machine (XML parser).
The result of this attack is that the XML parser consumes all the CPU
resources for a long period of time (from seconds to minutes,
depending on the size of the payload).
In our experiments, we were able to send attacks (of few hundred KBs)
that caused the target machines to consume 100% CPU for several
minutes.

*** Vendor status
Vendor was contacted, and a fix was included for the newly released 
version of Xerces-C++ (2.6.0).

*** Solution:
Upgrade to Xerces-C++ 2.6.0
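The two advisories above describe the symptom (a document of a few hundred KB whose attributes keep the parser at 100% CPU for minutes) but not the parser-internal cause, so what follows is an added defensive example, not code from the bug report, the advisories or Xerces-C++: a fail-fast pre-scan that rejects a document before a heavier parser sees it when any single element carries more attributes than a configured cap, or when nesting gets too deep. The cap values, the function name `check_xml_limits`, and the sample documents are assumptions made for illustration; the scan uses Python's expat binding purely as a streaming tokenizer and aborts at the first offending element rather than processing the whole payload.

```python
"""
Added example (not from the Gentoo bug or from Xerces-C++): a cheap
pre-parse guard that rejects XML documents carrying an abnormal number
of attributes on a single element, before the document reaches the
parser that does the real work. The limits below are assumed values for
illustration, not numbers taken from the advisory.
"""
import xml.parsers.expat


class XmlLimitExceeded(Exception):
    """Raised from a handler as soon as a configured limit is exceeded."""


def check_xml_limits(data, max_attrs_per_element=64, max_depth=256):
    """Return (True, None) if `data` stays within limits, else (False, reason).

    expat is used as a streaming pre-scan: the start-element handler sees
    each element's attribute dict and raises at the first violation, so a
    document that front-loads thousands of attributes on one element is
    rejected after that element, not after a full parse.
    """
    parser = xml.parsers.expat.ParserCreate()
    depth = [0]  # mutable cell so the nested handlers can update it

    def start(name, attrs):
        # attrs maps attribute name -> value; expat has already rejected
        # duplicate attribute names as a well-formedness error.
        if len(attrs) > max_attrs_per_element:
            raise XmlLimitExceeded(
                "element <%s> has %d attributes (limit %d)"
                % (name, len(attrs), max_attrs_per_element))
        depth[0] += 1
        if depth[0] > max_depth:
            raise XmlLimitExceeded("nesting depth exceeds %d" % max_depth)

    def end(name):
        depth[0] -= 1

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)
    except XmlLimitExceeded as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, "not well-formed: %s" % exc
    return True, None


# Constructed sample inputs (not payloads from the advisory).
BENIGN_DOC = b'<order id="42"><item sku="A1" qty="2"/></order>'


def blowup_doc(n_attrs):
    """Build one element carrying n_attrs distinct attributes."""
    attrs = " ".join('a%d="x"' % i for i in range(n_attrs))
    return ("<r %s/>" % attrs).encode()


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC),
                       ("64 attrs", blowup_doc(64)),
                       ("5000 attrs", blowup_doc(5000))):
        print(label, check_xml_limits(doc))
```

The check is meant to sit in front of whichever XML library actually processes untrusted input; tune the thresholds to the largest legitimate documents the application accepts, because anything above them is rejected outright.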
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-10-04 07:17:28 UTC
John, please bump to 2.6.0.
Target KEYWORDS="x86 ~ppc amd64 ~sparc"
Comment 2 John Davis (zhen) (RETIRED) gentoo-dev 2004-10-04 09:01:40 UTC
Bumped to stable on x86 and amd64. Unstable keywords for ppc and sparc kept.
Comment 3 John Davis (zhen) (RETIRED) gentoo-dev 2004-10-04 09:06:05 UTC
I am retarded ;)
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-10-04 09:33:22 UTC
Target keywords are met -- ready for a GLSA
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-10-04 09:33:55 UTC
Security, please vote on GLSA need
Comment 6 Luke Macken (RETIRED) gentoo-dev 2004-10-04 12:23:29 UTC
For a remote DoS vulnerability, I don't see why we shouldn't issue a GLSA.
Comment 7 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-04 12:33:36 UTC
The advisory reads...

"...consumes all the CPU resources for a long period of time (from seconds to minutes, depending on the size of the payload).
In our experiments, we were able to send attacks (of few hundred KBs) that caused the target machines to consume 100% CPU for several minutes."

That does not sound like too bad of a DoS.
I'm pretty unsure about GLSA or no GLSA since there was not much published about this yet. Only saw the advisories on BugTraq, Secunia and OSVDB (ID: 10471) so far.
Guess I would put in a quarter vote against an announcement, you may take that as no vote too ;-)
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-10-04 14:01:44 UTC
Yes, and you would need to find a program linked with an affected version...
I would vote against. Not really a DoS and hardly exploitable. Waiting for more inputs...
Comment 9 Kurt Lieber (RETIRED) gentoo-dev 2004-10-05 11:35:09 UTC
I'm in agreement w/ no GLSA. Doesn't seem all that serious in the grand scheme of things.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-10-05 11:39:33 UTC
Then it's done. Thanks everyone.