FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

libxml2 -- entity substitution DoS

Affected packages
libxml2 < 2.9.1
linux-c6-libxml2 < 2.7.6_2
linux-f10-libxml2 (all versions)

Details

VuXML ID efdd0edc-da3d-11e3-9ecb-2c4138874f7d
Discovery 2013-12-03
Entry 2014-05-06
Modified 2015-07-15

Stefan Cornelius reports:

It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substitution in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors.

This issue was discovered by Daniel Berrange of Red Hat.
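
The practical consequence of the report above is that, on an affected libxml2, leaving XML_PARSE_NOENT (and XML_PARSE_DTDLOAD) unset does not stop the parser from acting on entity declarations in the DOCTYPE prolog, so an application that accepts XML from untrusted sources needs a check in front of the parser rather than a parser flag. The following is an added example, not code from the advisory, from FreeBSD or from libxml2: a small Python guard that classifies the prolog and refuses any input whose DOCTYPE declares entities or points at an external DTD before the bytes ever reach the parser. The sample documents are constructed for the demonstration, and the names classify and safe_to_parse, plus the choice to let a bare <!DOCTYPE name> through, are assumptions made here, not anything the advisory prescribes.

```python
import re

# Constructed sample documents for the demonstration (not taken from the advisory).
SAFE_DOC = '<?xml version="1.0"?><root><a>hi</a></root>'
PLAIN_DOCTYPE_DOC = '<!DOCTYPE root><root/>'
INTERNAL_ENTITY_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE root [\n'
    '  <!ENTITY a "aaaaaaaaaa">\n'
    '  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n'
    ']>\n'
    '<root>&b;</root>'
)
# Parameter entity referencing a file: a prolog construct that an affected
# libxml2 acts on even when the caller never asked for entity substitution.
PARAM_ENTITY_DOC = (
    '<!DOCTYPE root [ <!ENTITY % ext SYSTEM "file:///dev/zero"> %ext; ]><root/>'
)
EXTERNAL_DTD_DOC = '<!DOCTYPE root SYSTEM "http://dtd.example.invalid/root.dtd"><root/>'
UNTERMINATED_DOC = '<!DOCTYPE root [ <!ENTITY a "x">'

_DOCTYPE_RE = re.compile(r'<!DOCTYPE\b')          # the XML keyword is case-sensitive
_ENTITY_DECL_RE = re.compile(r'<!ENTITY\b')
_EXTERNAL_ID_RE = re.compile(r'\b(SYSTEM|PUBLIC)\b')


def extract_doctype(xml_text):
    """Return (doctype_text, terminated) for the first DOCTYPE declaration.

    doctype_text is None when there is no DOCTYPE. terminated is False when the
    declaration never closes; a fail-closed caller treats that as hostile.
    Quoted literals and the [ ... ] internal subset are tracked so that a '>'
    inside an entity declaration does not end the DOCTYPE early. A DOCTYPE that
    only appears inside a comment is still reported: a deliberate false positive
    for a guard that errs towards rejection.
    """
    m = _DOCTYPE_RE.search(xml_text)
    if m is None:
        return None, True
    in_subset = False   # inside the internal subset [ ... ]
    quote = None        # active quote character inside a literal, or None
    for i in range(m.end(), len(xml_text)):
        c = xml_text[i]
        if quote is not None:
            if c == quote:
                quote = None
        elif c in '"\'':
            quote = c
        elif c == '[' and not in_subset:
            in_subset = True
        elif c == ']' and in_subset:
            in_subset = False
        elif c == '>' and not in_subset:
            return xml_text[m.start():i + 1], True
    return xml_text[m.start():], False


def classify(xml_text):
    """Label what the prolog would make the parser do with entities.

    'no-doctype'     no DOCTYPE at all
    'plain-doctype'  <!DOCTYPE name> with nothing to resolve
    'entity-decl'    internal subset declares general or parameter entities
    'external-id'    DOCTYPE points at an external DTD (SYSTEM/PUBLIC)
    'unterminated'   DOCTYPE never closes; reject as malformed
    """
    doctype, terminated = extract_doctype(xml_text)
    if doctype is None:
        return 'no-doctype'
    if not terminated:
        return 'unterminated'
    if _ENTITY_DECL_RE.search(doctype):
        return 'entity-decl'
    if _EXTERNAL_ID_RE.search(doctype):
        return 'external-id'
    return 'plain-doctype'


def safe_to_parse(xml_text, allow_plain_doctype=True):
    """Decide whether untrusted input may be handed to the XML parser.

    Only an absent or bare DOCTYPE passes, so the parser never sees an entity
    declaration no matter how its options are set.
    """
    label = classify(xml_text)
    if label == 'no-doctype':
        return True
    if label == 'plain-doctype':
        return allow_plain_doctype
    return False


if __name__ == '__main__':
    for name in ('SAFE_DOC', 'PLAIN_DOCTYPE_DOC', 'INTERNAL_ENTITY_DOC',
                 'PARAM_ENTITY_DOC', 'EXTERNAL_DTD_DOC', 'UNTERMINATED_DOC'):
        doc = globals()[name]
        print(f'{name:20s} {classify(doc):14s} parse={safe_to_parse(doc)}')
```

The guard is deliberately coarse: it does not try to decide whether a given entity declaration is harmless, because the report above is exactly that the parser's own "do not substitute" setting could not be trusted on affected versions. On a fixed libxml2 (2.9.1 or later) the same check still belongs in front of any parser fed untrusted input, and XML_PARSE_NOENT and XML_PARSE_DTDLOAD should stay unset for that input.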

References

CVE Name CVE-2014-0191
URL http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191
URL http://www.openwall.com/lists/oss-security/2014/05/06/4
URL https://git.gnome.org/browse/libxml2/tag/?id=CVE-2014-0191