FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

qt4-xml -- XML Entity Expansion Denial of Service

Affected packages
qt4-xml < 4.8.6


VuXML ID 89709e58-d497-11e3-a3d5-5453ed2e2b49
Discovery 2013-12-05
Entry 2014-05-05

Richard J. Moore reports:

QXmlSimpleReader in Qt versions prior to 5.2 supports expansion of internal entities in XML documents without placing restrictions to ensure the document does not cause excessive memory usage. If an application using this API processes untrusted data then the application may use unexpected amounts of memory if a malicious document is processed.

It is possible to construct XML documents using internal entities that consume large amounts of memory and other resources to process, this is known as the 'Billion Laughs' attack. Qt versions prior to 5.2 did not offer protection against this issue.


CVE Name CVE-2013-4549