FS#40790 - [libxml2] security patch for CVE-2014-0191
Attached to Project: Arch Linux
Opened by RbN (RbN) - Tuesday, 10 June 2014, 19:07 GMT
Last edited by Dave Reisner (falconindy) - Friday, 24 October 2014, 20:19 GMT
Details
Description (from oss-sec [0]):
"It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substitution in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors."

Red Hat bug [1]

Resolution: [3] patch

Resources:
[0] http://www.openwall.com/lists/oss-security/2014/05/06/4
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1090976
[2] https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
Closed by Dave Reisner (falconindy)
Friday, 24 October 2014, 20:19 GMT
Reason for closing: Fixed
Additional comments about closing: libxml2-2.9.2-1
Comment by Levente Polyak (anthraxx) - Thursday, 16 October 2014, 10:18 GMT
There is an upstream release 2.9.2 which fixes this vulnerability
(and also CVE-2014-3660)