Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201410-12 ========================================= Severity: Medium Date : 2014-10-24 CVE-ID : CVE-2014-0191, CVE-2014-3660 Package : libxml2 Type : Denial of service Remote : Yes Link : https://wiki.archlinux.org/title/CVE-2014 Summary ====== The package libxml2 before version 2.9.2-1 is vulnerable to denial of service, even if entity substitution is disabled. Resolution ========= Upgrade to 2.9.2-1. # pacman -Syu "libxml2>=2.9.2-1" The problems have been fixed upstream [0][1] in version 2.9.2. Workaround ========= None. Description ========== Daniel Berrange discovered that libxml2 incorrectly performs entity substitution in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially crafted XML file that, when processed, leads to the exhaustion of CPU and memory resources or file descriptors. Impact ===== A remote attacker is able to exploit this vulnerability using a specially crafted XML document containing malicious attributes to consume all available CPU and memory resources or file descriptors. References ========= [0] https://gitlab.gnome.org/users/sign_in [1] https://gitlab.gnome.org/users/sign_in https://access.redhat.com/security/cve/CVE-2014-0191 https://access.redhat.com/security/cve/CVE-2014-3660 https://bugs.archlinux.org/task/40790 https://www.openwall.com/lists/oss-security/2014/05/06/4