OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
Re: [xml-dev] Article: Vulnerability In XML Libraries Discovered... what are the vulnerabilities?

Costello, Roger L. wrote:
> Hi Folks,
> This article [1] says that:
>     Researchers have uncovered numerous vulnerabilities 
>     in popular XML libraries from Sun Microsystems, 
>     Python and the Apache Software Foundation.
> But it doesn't say *what* the vulnerabilities are. 
> It says that:
>     More details about some of the XML vulnerabilities 
>     that were found [will be released] at the Hacker Halted  
>     2009 security conference in Miami, Florida, in September.
> Do you have information on specifically what the vulnerabilities are?
> /Roger
> [1] http://www.eweekeurope.co.uk/news/vulnerability-in-xml-libraries-discovered-1554

Finland CERT issued an advisory:


  "The vulnerabilities are related to the parsing of XML elements with
   unexpected byte values and recursive parentheses, which cause the
   program to access memory out of bounds, or to loop indefinitely.
   The effects of the vulnerabilities include denial of service and
   potentially code execution. The vulnerabilities can be exploited by
   enticing a user to open a specially modified file, or by submitting
   it to a server that handles XML content."

libxml2 was added to the list after the initial announcement.

Chuck Bearden (cbearden@rice.edu ; 713.348.3661)
XML Engineer, Connexions

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS