Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 6 May 2014 20:55:58 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: nicolas.gregoire@...rri.fr
Subject: Re: CVE-2014-0191 libxml2: external parameter entity
 loaded when entity substitution is disabled

On Tue, 06 May 2014 20:21:28 +0200 Nicolas Grégoire wrote:

> > libxml2 [...] incorrectly performs entity substituton in the doctype
> > prolog, even if the application using libxml2 disabled any entity
> > substitution. 
> 
> I'm not sure that I understand this bug. Do you have a PoC?

The new issue is very similar to the one fixed by:

https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f

which is linked to the infamous CVE-2013-0339.  4629ee0 fixed the issue
for general entities, while the 9cd1c3c fixes the same type of problem
for parameter entities.  Even when parsing without NOENT, external
parameter entities are fetched.

-- 
Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ