FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

libxml2 -- entity substitution DoS

Affected packages
libxml2 < 2.9.1
linux-c6-libxml2 < 2.7.6_2
* <= linux-f10-libxml2

Details

VuXML ID efdd0edc-da3d-11e3-9ecb-2c4138874f7d
Discovery 2013-12-03
Entry 2014-05-06
Modified 2015-07-15

Stefan Cornelius reports:

It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substitution in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors.

This issue was discovered by Daniel Berrange of Red Hat.

[source]

References

CVE Name CVE-2014-0191
URL http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191
URL http://www.openwall.com/lists/oss-security/2014/05/06/4
URL https://git.gnome.org/browse/libxml2/tag/?id=CVE-2014-0191

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.