[xml/sgml-pkgs] Bug#287371: Bug#287371: xsltproc: Probable memory leak (when using document()?)
Vincent Lefevre
vincent at vinc17.net
Sat Feb 19 17:28:00 GMT 2022
On 2022-02-19 18:01:52 +0100, Mattia Rizzolo wrote:
> On Thu, Feb 10, 2022 at 01:08:33PM +0100, Vincent Lefevre wrote:
> > This is no different than CVE-2013-0338 and CVE-2013-0339[*]. The
> > point is that from a small document, one can exhaust the memory
> > of the machine. CVE-2013-0338 and CVE-2013-0339 are about entity
> > expansion, but there are the same consequences with just loading
> > data in memory.
> >
> > [*] https://www.openwall.com/lists/oss-security/2013/02/22/3
>
> If you believe so, and you confirmed that it hasn't been fixed in the
> past 15 years, could you please either (or both):
> * report it to mitre's CVE form
> * report it in https://gitlab.gnome.org/GNOME/libxml2/-/issues
> ?
I'll test again (I've been using a fake DTD for the past 15 years).
--
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
More information about the debian-xml-sgml-pkgs
mailing list