[xml/sgml-pkgs] Bug#460292: libxml2: libxml2 UTF-8 parsing denial of service vulnerability

Nico Golde nion at debian.org
Sat Jan 12 03:31:07 UTC 2008


Hi,
* Pascal Volk <user at localhost.localdomain.org> [2008-01-12 04:04]:
> Package: libxml2
> Version: 2.6.30.dfsg-3
> Severity: normal
> 
> A vulnerability has been reported in libxml2, prior to version 2.6.31, from
> Daniel Veillard:
> "Two specially crafted broken UTF-8 sequences when occurring at the wrong
> place lead the parser to go into an infinite loop."
> The report is available at:
>     http://mail.gnome.org/archives/xml/2008-January/msg00036.html
> 
> A patch can be found at:
>     http://veillard.com/libxml2.patch
> The fixed source code can be downloaded from:
>     ftp://xmlsoft.org/libxml/libxml2-2.6.31.tar.gz

Is there any service using libxml2? If not, I would consider
this a normal bug rather than a security issue.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.