FS#40790 - [libxml2] security patch for CVE-2014-0191

Attached to Project: Arch Linux
Opened by RbN (RbN) - Tuesday, 10 June 2014, 19:07 GMT
Last edited by Dave Reisner (falconindy) - Friday, 24 October 2014, 20:19 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Jan de Groot (JGC)
Jan Alexander Steffens (heftig)
Dave Reisner (falconindy)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Description (from oss-sec [0]):
"It was discovered that libxml2, a library providing support to read,
modify and write XML files, incorrectly performs entity substitution in
the doctype prolog, even if the application using libxml2 disabled any
entity substitution. A remote attacker could provide a
specially-crafted XML file that, when processed, would lead to the
exhaustion of CPU and memory resources or file descriptors."

Red Hat bug [1]

Resolution:
[3] patch

Resources:
[0] http://www.openwall.com/lists/oss-security/2014/05/06/4
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1090976
[2] https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df

Closed by Dave Reisner (falconindy)
Friday, 24 October 2014, 20:19 GMT
Reason for closing: Fixed
Additional comments about closing: libxml2-2.9.2-1
Comment by Levente Polyak (anthraxx) - Thursday, 16 October 2014, 10:18 GMT
There is an upstream release 2.9.2 which fixes this vulnerability (and also CVE-2014-3660)
