Date: Tue, 6 May 2014 20:55:58 +0200 From: Tomas Hoger <thoger@...hat.com> To: oss-security@...ts.openwall.com Cc: nicolas.gregoire@...rri.fr Subject: Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled On Tue, 06 May 2014 20:21:28 +0200 Nicolas Grégoire wrote: > > libxml2 [...] incorrectly performs entity substituton in the doctype > > prolog, even if the application using libxml2 disabled any entity > > substitution. > > I'm not sure that I understand this bug. Do you have a PoC? The new issue is very similar to the one fixed by: https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f which is linked to the infamous CVE-2013-0339. 4629ee0 fixed the issue for general entities, while the 9cd1c3c fixes the same type of problem for parameter entities. Even when parsing without NOENT, external parameter entities are fetched. -- Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ