oss-sec mailing list archives
Re: Re: libxml2 "ampproblem" DoS
From: Tomas Hoger <thoger () redhat com>
Date: Mon, 6 Oct 2008 11:18:14 +0200
On Fri, 3 Oct 2008 17:09:15 -0400 (EDT) "Steven M. Christey" <coley () linus mitre org> wrote:
The malicious XML file can be found on http://bugzilla.gnome.org/show_bug.cgi?id=554660 I'm not sure if and how this is related to CVE-2008-3281.It's unrelated, the patch is attached to the bug, only 2.7.x is affected and I will release 2.7.2 within a couple of hours.Use CVE-2008-4422
Looks like this is also duplicate of previously assigned: Name: CVE-2008-4409 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4409 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20081003 Category: Reference: MLIST:[oss-security] 20081002 libxml2 "ampproblem" DoS Reference: URL:http://openwall.com/lists/oss-security/2008/10/02/4 Reference: CONFIRM:http://bugzilla.gnome.org/show_bug.cgi?id=554660 libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definitions" in entities, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash), as demonstrated by use of xmllint on a certain XML document, a different vulnerability than CVE-2003-1564 and CVE-2008-3281. CVE-2008-4409 is public on NVD site, CVE-2008-4422 in Gentoo BZ and here... CVE-2008-4422 should probably be rejected. -- Tomas Hoger / Red Hat Security Response Team
Current thread:
- libxml2 "ampproblem" DoS Robert Buchholz (Oct 02)
- Re: libxml2 "ampproblem" DoS Daniel Veillard (Oct 03)
- Re: Re: libxml2 "ampproblem" DoS Robert Buchholz (Oct 03)
- Re: Re: libxml2 "ampproblem" DoS Steven M. Christey (Oct 03)
- Re: Re: libxml2 "ampproblem" DoS Tomas Hoger (Oct 06)
- Re: Re: libxml2 "ampproblem" DoS Robert Buchholz (Oct 06)
- Re: Re: libxml2 "ampproblem" DoS Steven M. Christey (Oct 07)
- Re: libxml2 "ampproblem" DoS Daniel Veillard (Oct 03)