[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
Re: [xml-dev] Article: Vulnerability In XML Libraries Discovered ... what are the vulnerabilities?
- From: rjelliffe@allette.com.au
- To: "Chuck Bearden" <cbearden@rice.edu>
- Date: Fri, 14 Aug 2009 11:25:38 +1000 (EST)
> Costello, Roger L. wrote:
>> Do you have information on specifically what the vulnerabilities are?
>>
>> /Roger
>>
>> [1]
>> http://www.eweekeurope.co.uk/news/vulnerability-in-xml-libraries-discovered-1554
>
> Finland CERT issued an advisory:
>
> <http://cert.fi/en/reports/2009/vulnerability2009085.html>
>
> "The vulnerabilities are related to the parsing of XML elements with
> unexpected byte values and recursive parentheses, which cause the
> program to access memory out of bounds, or to loop indefinitely.
> The effects of the vulnerabilities include denial of service and
> potentially code execution. The vulnerabilities can be exploited by
> enticing a user to open a specially modified file, or by submitting
> it to a server that handles XML content."
>
> libxml2 was added to the list after the initial announcement.
I gather one of the issues was with recursive parameter entities in the
DOCTYPE declaration. This is a bug, since XML does not allow them. It was
not an "XML" vulnerability, but one of particular implementations.
Cheers
Rick Jelliffe
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
