Arch Linux Security Advisory ASA-201410-12
==========================================
Severity: Medium
Date    : 2014-10-24
CVE-ID  : CVE-2014-0191, CVE-2014-3660
Package : libxml2
Type    : Denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE-2014
Summary
=======
The package libxml2 before version 2.9.2-1 is vulnerable to denial of
service, even if entity substitution is disabled.
Resolution
==========
Upgrade to 2.9.2-1.
# pacman -Syu "libxml2>=2.9.2-1"
The problems have been fixed upstream [0][1] in version 2.9.2.
Workaround
==========
None.
Description
===========
Daniel Berrange discovered that libxml2 incorrectly performs entity
substitution in the doctype prolog, even when the application using
libxml2 has disabled entity substitution. A remote attacker could
provide a specially crafted XML file that, when processed, leads to the
exhaustion of CPU and memory resources or file descriptors.
Impact
======
A remote attacker is able to exploit this vulnerability using a
specially crafted XML document containing malicious attributes to
consume all available CPU and memory resources or file descriptors.
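The description above says the parser acts on entity declarations in the doctype prolog even when the application has switched substitution off. Applications that never need DTD entities can therefore refuse such documents before any libxml2 call. The following pre-parse guard is an added example written for this advisory, not code from Arch Linux or libxml2; the function and verdict names are this example's own, and the sample documents in main() are constructed. It only narrows exposure and is no substitute for the upgrade in the Resolution section.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts returned by check_xml_prolog (names chosen for this example). */
enum prolog_verdict {
    PROLOG_CLEAN = 0,           /* no DOCTYPE, or a DOCTYPE that declares no entities */
    PROLOG_DECLARES_ENTITY = 1, /* internal subset contains an <!ENTITY declaration */
    PROLOG_EXTERNAL_DTD = 2,    /* DOCTYPE references an external subset (SYSTEM/PUBLIC) */
    PROLOG_MALFORMED = 3        /* DOCTYPE never closed; rejected rather than guessed at */
};

/* Find needle within the byte range [p, end); NULL if absent. */
static const char *find_in(const char *p, const char *end, const char *needle)
{
    size_t n = strlen(needle);
    for (; p + n <= end; p++)
        if (memcmp(p, needle, n) == 0)
            return p;
    return NULL;
}

/* Find the ']' that closes an internal subset: a ']' followed by optional
 * whitespace and '>'. Returns a pointer to that ']' or NULL. */
static const char *find_subset_close(const char *p, const char *end)
{
    for (; p < end; p++) {
        if (*p != ']')
            continue;
        const char *q = p + 1;
        while (q < end && (*q == ' ' || *q == '\t' || *q == '\r' || *q == '\n'))
            q++;
        if (q < end && *q == '>')
            return p;
    }
    return NULL;
}

/* Inspect only the prolog of an XML document, before any parser touches it,
 * and report whether the DOCTYPE declares entities or pulls in an external DTD.
 * The check is deliberately conservative: anything it cannot resolve is rejected. */
enum prolog_verdict check_xml_prolog(const char *doc, size_t len)
{
    const char *end = doc + len;
    const char *dt = find_in(doc, end, "<!DOCTYPE");
    if (!dt)
        return PROLOG_CLEAN;

    /* The DOCTYPE header runs up to either '[' (internal subset) or '>' (end). */
    const char *head = dt + strlen("<!DOCTYPE");
    const char *p = head;
    while (p < end && *p != '[' && *p != '>')
        p++;
    if (p == end)
        return PROLOG_MALFORMED;

    /* An external identifier in the header means an external DTD would be fetched. */
    if (find_in(head, p, "SYSTEM") || find_in(head, p, "PUBLIC"))
        return PROLOG_EXTERNAL_DTD;
    if (*p == '>')
        return PROLOG_CLEAN;

    /* Internal subset: everything between '[' and the closing "]>". */
    const char *subset = p + 1;
    const char *close = find_subset_close(subset, end);
    if (!close)
        return PROLOG_MALFORMED;
    if (find_in(subset, close, "<!ENTITY"))
        return PROLOG_DECLARES_ENTITY;
    return PROLOG_CLEAN;
}

int main(void)
{
    /* Constructed sample documents; none of them is an actual attack payload. */
    const char *samples[] = {
        "<?xml version=\"1.0\"?><root/>",
        "<!DOCTYPE root [<!ELEMENT root EMPTY>]><root/>",
        "<!DOCTYPE root [<!ENTITY a \"x\">]><root>&a;</root>",
        "<!DOCTYPE root SYSTEM \"root.dtd\"><root/>",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> verdict %d\n", i,
               (int)check_xml_prolog(samples[i], strlen(samples[i])));
    return 0;
}
```

Call check_xml_prolog on the raw bytes and only hand documents with verdict PROLOG_CLEAN to the parser. Because the scanner does not parse comments or quoted literals, a "]>" inside a comment in the internal subset can end its search early; the cost of that imprecision is a wrongly rejected document, never a wrongly accepted one, which is the right direction for a guard in front of an unpatched parser.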
References
==========
[0] https://gitlab.gnome.org/users/sign_in
[1] https://gitlab.gnome.org/users/sign_in
https://access.redhat.com/security/cve/CVE-2014-0191
https://access.redhat.com/security/cve/CVE-2014-3660
https://bugs.archlinux.org/task/40790
https://www.openwall.com/lists/oss-security/2014/05/06/4