| Summary: | <dev-libs/libxml2-2.9.1: Internal/external entity expansion (CVE-2013-0338, CVE-2013-0339) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | gnome |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2013/02/22/3 | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=483632 | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 476438 | | |
| Bug Blocks: | | | |
Description

Agostino Sarubbo 2013-02-22 13:58:08 UTC

Isn't this a duplicate of bug #458430?

CVE-2013-0338 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0338): libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity.

Both fixed [1] in libxml2-2.9.1.

[1] https://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab

>=libxml2-2.9.1 is being stabilized at bug #476438

Added to existing GLSA draft

This issue was resolved and addressed in GLSA 201311-06 at http://security.gentoo.org/glsa/glsa-201311-06.xml by GLSA coordinator Sean Amoss (ackle).
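As an added example (not part of this bug, of libxml2 or of the Gentoo GLSA), the kind of pre-parse check the fixed libxml2 applies internally, written against Python's bundled expat parser: it prices how many characters a document's internal entity references would expand to without expanding anything, so an oversized document can be rejected before a fully expanding parser sees it. It goes beyond the linear case in the CVE text by following nested entity references. The 10 MB limit, function names and the sample document are assumptions constructed for the example.

```python
import re
import xml.parsers.expat

# Assumed limit: total characters a document's entity references may expand
# to before the document is rejected (10 MB here; tune per application).
MAX_EXPANSION = 10_000_000

_REF = re.compile(r"&([A-Za-z_:][-\w.:]*);")


def estimate_entity_expansion(xml_bytes):
    """Characters the internal general entities referenced from element
    content would expand to, computed without expanding anything. Nested
    references are followed, so exponential nesting is priced correctly."""
    entities = {}    # entity name -> literal replacement text from the DTD
    references = []  # names of entities referenced from element content
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # value is None for external entities; those are not expanded in-process
        if not is_param and value is not None:
            entities[name] = value

    def on_default(data):
        # Setting DefaultHandler makes expat stop expanding internal entities
        # and hand each reference to this callback verbatim as "&name;".
        m = _REF.fullmatch(data)
        if m and m.group(1) in entities:
            references.append(m.group(1))

    parser.EntityDeclHandler = on_entity_decl
    parser.DefaultHandler = on_default
    parser.Parse(xml_bytes, True)

    cache = {}

    def expanded_size(name, stack=()):
        if name in stack:            # recursive entity: unbounded expansion
            return float("inf")
        if name not in cache:
            text = entities[name]
            size = len(text)
            for ref in _REF.findall(text):
                if ref in entities:  # replace "&ref;" by its expanded size
                    size += expanded_size(ref, stack + (name,)) - (len(ref) + 2)
            cache[name] = size
        return cache[name]

    return sum(expanded_size(name) for name in references)


def is_safe_to_parse(xml_bytes, limit=MAX_EXPANSION):
    """Gate a document before handing it to a fully expanding parser."""
    return estimate_entity_expansion(xml_bytes) <= limit


# Constructed sample: entity "a" is 10 chars, "b" nests it three times.
SAMPLE = (b'<!DOCTYPE doc [<!ENTITY a "0123456789"><!ENTITY b "&a;&a;&a;">]>'
          b'<doc>&b;&b;&a;</doc>')
```

Only references in element content are counted: expat expands entity references inside attribute values regardless of the default handler, so a complete gate also needs a size cap on attribute values.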