libxml2: do not fetch external parameter entities (CVE-2014-0191)
It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substitution in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors.
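The construct at issue is a parameter entity (`<!ENTITY % name SYSTEM "...">`) declared in the DOCTYPE internal subset, which the vulnerable libxml2 fetched even when the caller had not asked for entity substitution. The following is an added example, not code from libxml2 or from the referenced advisory: a small pre-parse filter that locates the DOCTYPE declaration, tracks quotes and the `[...]` internal subset so that `>` inside strings or entity declarations does not end the scan early, and reports every parameter entity whose value is a SYSTEM or PUBLIC external identifier. The function names, the `SUSPICIOUS`/`BENIGN` documents and the `example.invalid` URLs are constructed for this illustration.

```python
"""Pre-parse check for external parameter entity declarations in a DOCTYPE
(the construct CVE-2014-0191 concerns). Added illustration, not libxml2 code."""
import re

# Parameter entity declaration with an external identifier:
#   <!ENTITY % name SYSTEM "uri">  or  <!ENTITY % name PUBLIC "pubid" "uri">
_PE_DECL = re.compile(
    r"<!ENTITY\s+%\s+(?P<name>[^\s>]+)\s+"
    r"(?:SYSTEM\s+(?P<sys>\"[^\"]*\"|'[^']*')"
    r"|PUBLIC\s+(?:\"[^\"]*\"|'[^']*')\s+(?P<pub>\"[^\"]*\"|'[^']*'))"
)


def _doctype_span(text):
    """Return (start, end) of the first DOCTYPE declaration, or None.

    The scan honours quoted strings and the bracketed internal subset, so a
    '>' inside an entity value or inside a nested <!ENTITY ...> declaration
    does not terminate the DOCTYPE prematurely.
    """
    start = text.find("<!DOCTYPE")
    if start < 0:
        return None
    depth = 0       # nesting of [ ... ] (the internal subset)
    quote = None    # the quote character we are currently inside, if any
    for i in range(start, len(text)):
        c = text[i]
        if quote:
            if c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "[":
            depth += 1
        elif c == "]":
            depth -= 1
        elif c == ">" and depth == 0:
            return (start, i + 1)
    # Unterminated DOCTYPE: treat the remainder of the document as its body.
    return (start, len(text))


def external_parameter_entities(xml_text):
    """List (entity_name, external_id) for each parameter entity declared
    with SYSTEM/PUBLIC inside the DOCTYPE. Empty list means none found."""
    span = _doctype_span(xml_text)
    if span is None:
        return []
    doctype = xml_text[span[0]:span[1]]
    hits = []
    for m in _PE_DECL.finditer(doctype):
        ext = m.group("sys") or m.group("pub")
        hits.append((m.group("name"), ext[1:-1]))   # strip surrounding quotes
    return hits


def is_safe_to_parse(xml_text):
    """True when the document declares no external parameter entities."""
    return not external_parameter_entities(xml_text)


# Constructed sample documents (not taken from the advisory).
SUSPICIOUS = """<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY % remote SYSTEM "http://dtd.example.invalid/external.dtd">
  %remote;
]>
<doc>payload</doc>
"""

BENIGN = """<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY % local "<!ELEMENT doc (#PCDATA)>">
  %local;
]>
<doc>hello</doc>
"""

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, external_parameter_entities(doc))
```

This filter only rejects or flags input; the real mitigation is the patched libxml2 plus a parser configuration that never requests entity substitution or DTD loading from untrusted input (in the libxml2 API, do not set `XML_PARSE_NOENT` or `XML_PARSE_DTDLOAD`, and set `XML_PARSE_NONET`; in lxml, `XMLParser(resolve_entities=False, no_network=True)`). The check is still useful as a detection signal in a log or WAF pipeline, since a DTD that references an external parameter entity is rarely legitimate in documents submitted to a service.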
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191
http://www.openwall.com/lists/oss-security/2014/05/06/4
http://www.ubuntu.com/usn/usn-2214-1
COMMIT:
https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
(from redmine: issue id 2928, created on 2014-05-22, closed on 2014-05-23)
- Relations:
- child #2929 (closed)
- child #2930 (closed)
- child #2931 (closed)