Summary: | <net-libs/ptlib-2.10.10: denial of service processing certain XML documents (CVE-2013-1864) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | neurogeek, voip+disabled
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=922177 | |
Whiteboard: | B3 [noglsa] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 464182 | |
Bug Blocks: | 445846 | |
Description
Agostino Sarubbo
2013-03-15 18:13:27 UTC
This is already fixed in ptlib-2.10.10

(In reply to comment #1)
> This is already fixed in ptlib-2.10.10

Is this ready to be marked stable?

Arches, please stabilize
net-libs/ptlib-2.10.10
net-libs/opal-3.10.10

Target keywords: alpha amd64 ia64 ppc ppc64 sparc x86

(In reply to comment #3)
> Arches, please stabilize
> net-libs/ptlib-2.10.10
> net-libs/opal-3.10.10
>
> Target keywords: alpha amd64 ia64 ppc ppc64 sparc x86

This will cause a downgrade for ekiga's users: the ebuild says:
<net-libs/opal-3.10.8[audio,sip,video,debug=,h323?]
<net-libs/ptlib-2.10.8[ldap?,stun,v4l?,video,wav,debug=]
What should we do?

Probably stabilize net-voip/ekiga-4.0.0-r1 since current stable ekiga does not work with these versions of net-libs/{opal,ptlib}

amd64 stable

x86 stable

ppc stable

ia64 stable

alpha stable

ppc64 stable

sparc team: *ping*

sparc is blocked by bug 464182

sparc stable

Cleanup, please!

GLSA vote: no

NO too, keeping open for cleanup.

CVE-2013-1864 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1864):
The Portable Tool Library (aka PTLib) before 2.10.10, as used in Ekiga before 4.0.1, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted PXML document containing a large number of nested entity references, aka a "billion laughs attack."

Maintainer(s): Please drop affected versions, security will remove in 30 days if no response.

Cleanup done, closing

29 Jan 2015; Kristian Fiskerstrand <k_f@gentoo.org> -ptlib-2.10.9.ebuild, -ptlib-2.6.7-r1.ebuild:
Security cleanup cf. bug #461842
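The CVE text quoted in the thread describes the two failure modes behind CVE-2013-1864: an entity-expansion pass that neither detects recursive definitions nor bounds how large the expansion becomes. The following is an added, standalone example (not PTLib's PXML code, not code from this bug) of the check a parser should perform before expanding anything: it collects the internal general entity declarations, walks the reference graph with cycle detection, and computes each entity's fully expanded size arithmetically, so a document that would expand to gigabytes is rejected after a few multiplications rather than after exhausting memory. The names `MAX_EXPANSION`, `check_document` and the sample documents are this example's own, and the parsing is intentionally limited to simple internal declarations.

```python
"""Pre-parse check for entity-expansion ("billion laughs") documents.

Added illustration for CVE-2013-1864; standalone example code, not PTLib's
PXML implementation. Only the internal DTD subset is inspected: general
entity declarations are collected, the reference graph is walked with cycle
detection (the recursion PTLib did not detect), and the fully expanded size
of every entity is computed without materializing it. MAX_EXPANSION and the
function names are this example's own assumptions.
"""
import re
from typing import Dict

# Internal general entity declarations and references. Parameter entities,
# external entities and names containing '.', '-' or ':' are out of scope here.
ENTITY_DECL = re.compile(r"<!ENTITY\s+(\w+)\s+(?:\"([^\"]*)\"|'([^']*)')\s*>")
ENTITY_REF = re.compile(r"&(\w+);")
DOCTYPE = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[.*?\]\s*)?>", re.DOTALL)

MAX_EXPANSION = 10 * 1024 * 1024  # assumed budget: 10 MiB for any entity or body


class UnsafeEntities(ValueError):
    """Raised when entity definitions are recursive or exceed the budget."""


def parse_entities(doc: str) -> Dict[str, str]:
    """Collect <!ENTITY name "text"> declarations as name -> replacement text."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in ENTITY_DECL.finditer(doc)
    }


def expanded_sizes(entities: Dict[str, str], max_total: int = MAX_EXPANSION) -> Dict[str, int]:
    """Fully expanded length of every entity, computed arithmetically.

    Memoized depth-first walk over the reference graph. Re-entering an entity
    that is still being resolved is a cycle; exceeding max_total is a bomb.
    Either raises UnsafeEntities before any text is expanded.
    """
    sizes: Dict[str, int] = {}
    in_progress = set()

    def size_of(name: str) -> int:
        if name in sizes:
            return sizes[name]
        if name in in_progress:
            raise UnsafeEntities(f"recursive entity reference: &{name};")
        in_progress.add(name)
        text = entities[name]
        total = len(ENTITY_REF.sub("", text))          # literal characters
        for ref in ENTITY_REF.findall(text):           # plus each referenced entity
            total += size_of(ref) if ref in entities else len(ref) + 2
        if total > max_total:
            raise UnsafeEntities(f"&{name}; expands to {total} bytes (limit {max_total})")
        in_progress.discard(name)
        sizes[name] = total
        return total

    for name in entities:
        size_of(name)
    return sizes


def check_document(doc: str, max_total: int = MAX_EXPANSION) -> int:
    """Return the expanded size of the document body, or raise UnsafeEntities."""
    sizes = expanded_sizes(parse_entities(doc), max_total)
    body = DOCTYPE.sub("", doc, count=1)
    total = len(ENTITY_REF.sub("", body))
    for ref in ENTITY_REF.findall(body):
        total += sizes.get(ref, len(ref) + 2)
        if total > max_total:
            raise UnsafeEntities(f"document expands to more than {max_total} bytes")
    return total


# --- constructed sample documents (not taken from the bug report or from PTLib) ---

def billion_laughs(depth: int = 9, fanout: int = 10) -> str:
    """Classic nested expansion: depth 9, fanout 10 -> 10**9 copies of 'lol'."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    dtd = "\n".join(decls)
    return f'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n{dtd}\n]>\n<lolz>&lol{depth};</lolz>'


BENIGN_DOC = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE note [\n"
    '<!ENTITY company "Example Corp">\n'
    '<!ENTITY sig "Regards, &company;">\n'
    "]>\n"
    "<note>&sig;</note>"
)

# Directly recursive definitions: well-formed XML forbids these, so a parser
# must detect them instead of following them.
RECURSIVE_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE r [\n<!ENTITY a "x&b;">\n<!ENTITY b "y&a;">\n]>\n'
    "<r>&a;</r>"
)

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_DOC), ("billion laughs", billion_laughs()), ("recursive", RECURSIVE_DOC)]:
        try:
            print(f"{label}: expands to {check_document(doc)} bytes")
        except UnsafeEntities as exc:
            print(f"{label}: rejected ({exc})")
```

Run stand-alone, the benign note is accepted at 57 expanded bytes, the nine-level document is rejected while resolving `lol7` (30,000,000 bytes against a 10 MiB budget, long before the 3 GB it would actually produce), and the mutually recursive pair is rejected as a cycle. The point for a library such as PTLib is that both checks are cheap and happen before any replacement text is built; a parser that expands first and counts afterwards has already done the attacker's work.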