From ${URL} : So here are the CVEs for the two big ones, libxml2 and expat. Both are affected by the expansion of internal entities (which can be used to consume resources) and external entities (which can cause a denial of service against other services, be used to port scan, etc.). To be clear:

====================
Internal entity expansion refers to the exponential/quadratic/fast linear expansion of XML entities, e.g.:
====================

<!DOCTYPE xmlbomb [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<bomb>&d;</bomb>

or

<!DOCTYPE bomb [
<!ENTITY a "xxxxxxx... a couple of ten thousand chars">
]>
<bomb>&a;&a;&a;... repeat</bomb>

Which causes resources to be consumed.

====================
External entity expansion refers to the loading of external resources such as XML entities from another server or a local file:
====================

<!DOCTYPE external [
<!ENTITY ee SYSTEM "http://www.example.org/some.xml">
]>
<root>&ee;</root>

<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
]>
<root>&ee;</root>

Which can cause resources to be consumed or can result in port scanning / application scanning information being sent to the attacker.

So the CVEs to use:

Please use CVE-2013-0340 for expat internal entity expansion
Please use CVE-2013-0341 for expat external entities expansion
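The NVD text for CVE-2013-0340 points at the application-side mitigation: register an entity declaration handler and refuse what you do not want. The following is an added example, not code from this thread or from the expat project, showing two defensive policies on top of Python's standard-library binding to libexpat (xml.parsers.expat): a strict parser that rejects any entity declaration, and a budgeted parser that still allows internal entities but caps the expanded character data and refuses external entity resolution. The sample documents are constructed for the example, modelled on the ones quoted in the comment above.

```python
"""Defensive handling of the two entity classes discussed in the comment:
internal entity expansion (resource exhaustion) and external entities (XXE).
Uses xml.parsers.expat, the Python standard-library binding to libexpat,
so no third-party package is needed."""
import xml.parsers.expat

# --- constructed sample documents, modelled on the ones quoted above ---
BENIGN = b"<root>hello</root>"

XML_BOMB = b"""<!DOCTYPE xmlbomb [
<!ENTITY a "1234567890">
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<bomb>&d;</bomb>"""  # &d; expands to 8 * 8 * 8 * 10 = 5120 characters

XXE = b"""<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
]>
<root>&ee;</root>"""


class EntityRejected(Exception):
    """Raised when the document declares any entity at all."""


class ExpansionBudgetExceeded(Exception):
    """Raised when expanded character data exceeds the configured budget."""


class ExternalEntityRejected(Exception):
    """Raised when the parser asks the application to resolve an external entity."""


def parse_strict(data: bytes) -> str:
    """Policy 1 (the mitigation named in the CVE-2013-0340 description):
    install an EntityDeclHandler and refuse the document as soon as it
    declares an entity.  Untrusted input almost never legitimately needs a DTD."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Fires once per <!ENTITY ...> declaration, before any expansion happens.
        kind = "external" if system_id is not None else "internal"
        raise EntityRejected(f"refusing {kind} entity declaration {name!r}")

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)  # an exception raised inside a handler propagates out of Parse()
    return "".join(chunks)


def parse_with_budget(data: bytes, max_expanded_chars: int = 4096) -> str:
    """Policy 2: allow internal entities (some legacy formats rely on them) but
    cap the total character data the parser may hand back, and refuse to
    resolve external entities outright."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    seen = 0

    def on_chars(text):
        nonlocal seen
        seen += len(text)  # counts *expanded* text, so the bomb is caught as it grows
        if seen > max_expanded_chars:
            raise ExpansionBudgetExceeded(
                f"expanded content exceeded {max_expanded_chars} characters")
        chunks.append(text)

    def on_external_ref(context, base, system_id, public_id):
        # expat never fetches external entities itself; this handler is where an
        # application would.  Refuse loudly instead of returning 1 (silent skip).
        raise ExternalEntityRejected(f"refusing external entity {system_id!r}")

    parser.CharacterDataHandler = on_chars
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)
    return "".join(chunks)


def outcome(parse_fn, data: bytes, **kwargs) -> str:
    """Run one policy over a document; return 'ok' or the name of the refusal raised."""
    try:
        parse_fn(data, **kwargs)
        return "ok"
    except (EntityRejected, ExpansionBudgetExceeded, ExternalEntityRejected) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("bomb", XML_BOMB), ("xxe", XXE)):
        print(f"{label:7s} strict={outcome(parse_strict, doc):24s} "
              f"budget={outcome(parse_with_budget, doc)}")
```

Both policies fail closed: the strict one rejects before any expansion, and the budgeted one stops the moment the expanded output exceeds the cap, not after the whole document has been inflated. Newer libexpat releases (2.4.0 and later) add their own amplification limit for the internal-entity case, but the handler approach above works on any expat version, including the 2.1.0 and earlier releases this bug is about.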
Not on red hat bugzie and haven't seen any suggested patches (if there are any).
CVE-2013-0340 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0340): expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
https://bugzilla.redhat.com/show_bug.cgi?id=1000109 some additional information as no patches have been offered by upstream. Packages which are linked can mitigate this issue. May need a tracking bug to mitigate this on all rdeps.
CVE-2013-0341 was withdrawn by the CNA. 2.1.1-r1 is latest stable that is unaffected. Added to existing GLSA.
I missed comment #4...
This issue was resolved and addressed in GLSA 201701-21 at https://security.gentoo.org/glsa/201701-21 by GLSA coordinator Aaron Bauman (b-man).