[xml/sgml-pkgs] Bug#296432: xerces25: [CAN-2004-1575] Xerces-C++ 2.5.0: Attribute blowup

SALVETTI Djoume SALVETTI Djoume <djoume@taket.org>, 296432@bugs.debian.org
Tue, 22 Feb 2005 14:49:36 +0100

Package: xerces25
Severity: normal

Good day,

>From [CAN-2004-1575] :

| The XML parser in Xerces-C++ 2.5.0 allows remote attackers to cause a
| denial of service (CPU consumption) via XML attributes in a crafted
| XML document.

This problem have been fixed in version 2.6 of Xerces.

It's not clear to me if prior versions ( xerces24, xerces23, xerces22,
xerces21) are also vulnerable. 

I can filed bugs if you think it's appropriate.

Could you also mention the CAN number in changelog entries about this problem.


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15) (ignored: LC_ALL set to fr_FR@euro)