Re: [xml-dev] Article: Vulnerability In XML Libraries Discovered ... what are the vulnerabilities?

> Costello, Roger L. wrote:

>> Do you have information on specifically what the vulnerabilities are?
>> /Roger
>> [1]
>> http://www.eweekeurope.co.uk/news/vulnerability-in-xml-libraries-discovered-1554
> Finland CERT issued an advisory:
> <http://cert.fi/en/reports/2009/vulnerability2009085.html>
>   "The vulnerabilities are related to the parsing of XML elements with
>    unexpected byte values and recursive parentheses, which cause the
>    program to access memory out of bounds, or to loop indefinitely.
>    The effects of the vulnerabilities include denial of service and
>    potentially code execution. The vulnerabilities can be exploited by
>    enticing a user to open a specially modified file, or by submitting
>    it to a server that handles XML content."
> libxml2 was added to the list after the initial announcement.

I gather one of the issues was with recursive parameter entities in the
DOCTYPE declaration. This is a bug, since XML does not allow them. It was
not an "XML" vulnerability, but one of particular implementations.

Rick Jelliffe
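A defensive XML loader that illustrates the mitigation this thread points to (refusing any DOCTYPE before the parser reads a single entity declaration, so recursive parameter entities never reach the implementation-specific code that mishandled them). This is an added example, not code from the thread or from libxml2/expat; the sample documents are constructed, and it uses Python's stdlib expat binding.

```python
import xml.parsers.expat as expat


class DtdRejected(Exception):
    """Raised when a document carries a DOCTYPE, the only place where
    parameter entities (recursive or otherwise) can be declared."""


def parse_without_dtd(data: bytes) -> list:
    """Parse XML and return the element names seen, in document order.

    expat calls StartDoctypeDeclHandler before it reads the internal
    subset, so raising there aborts the parse before any <!ENTITY %...>
    declaration is processed.
    """
    parser = expat.ParserCreate()
    # Also make sure no external parameter entity is ever fetched/expanded.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(
            f"DOCTYPE {name!r} refused (internal subset follows: "
            f"{bool(has_internal_subset)})"
        )

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)  # a handler exception propagates out of Parse()
    return seen


def is_accepted(data: bytes) -> bool:
    """True when the document parses cleanly, False when it was refused."""
    try:
        parse_without_dtd(data)
        return True
    except (DtdRejected, expat.ExpatError):
        return False


# Constructed sample inputs (not taken from the thread or the advisory).
SAFE_DOC = b"<?xml version='1.0'?><root><item/><item/></root>"

# Two parameter entities that reference each other: XML forbids this, so
# the only correct parser behaviour is to reject it rather than loop.
RECURSIVE_PE_DOC = (
    b"<?xml version='1.0'?>\n"
    b"<!DOCTYPE root [\n"
    b"  <!ENTITY % a '%b;'>\n"
    b"  <!ENTITY % b '%a;'>\n"
    b"]>\n"
    b"<root/>"
)
```

Because the DOCTYPE is refused up front, the loader's behaviour does not depend on whether the underlying parser build detects the recursion correctly.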

Copyright 1993-2007 XML.org. This site is hosted by OASIS