Date: Fri, 22 Feb 2013 10:24:12 -0800 From: Tim <tim-security@...tinelchicken.org> To: oss-security@...ts.openwall.com Cc: Mitre CVE assign department <cve-assign@...re.org> Subject: Re: CVEs for libxml2 and expat internal and external XML entity expansion > > Please use CVE-2013-0338 for libxml2 internal entity expansion > > Hasn't libxml2 got countermeasures for that? Yeah, I believe so. Last I looked, I came up with recommendations for folks to use xmlCtxtUseOptions with XML_PARSE_NOENT, XML_PARSE_NONET, and XML_PARSE_DTDLOAD set appropriately. However, it wasn't 100% clear to me at the time if these addressed all edge cases. In particular, I didn't care much about the DoS cases at the time, but hopefully if DTDs are ignored, then it wouldn't be an issue. I'd love to hear from an expert on this matter. For sure the documentation needs to be improved... > > Please use CVE-2013-0341 for expat external entities expansion > > I don't think expat resolves external entities at all. Therefore, the > vulnerability resides entirely in the code which uses expat. Last I checked, I came to the same conclusion. tim
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.