[xml/sgml-pkgs] Bug#287371: Bug#287371: xsltproc: Probable memory leak (when using document()?)
Mattia Rizzolo
mattia at debian.org
Sat Feb 19 17:01:52 GMT 2022
On Thu, Feb 10, 2022 at 01:08:33PM +0100, Vincent Lefevre wrote:
> This is no different than CVE-2013-0338 and CVE-2013-0339[*]. The
> point is that from a small document, one can exhaust the memory
> of the machine. CVE-2013-0338 and CVE-2013-0339 are about entity
> expansion, but there are the same consequences with just loading
> data in memory.
>
> [*] https://www.openwall.com/lists/oss-security/2013/02/22/3
If you believe so, and you confirmed that it hasn't been fixed in the
past 15 years, could you please either (or both):
* report it to mitre's CVE form
* report it in https://gitlab.gnome.org/GNOME/libxml2/-/issues
?
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
More about me: https://mapreri.org : :' :
Launchpad user: https://launchpad.net/~mapreri `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-xml-sgml-pkgs/attachments/20220219/253e0dd3/attachment.sig>
More information about the debian-xml-sgml-pkgs
mailing list