oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: libxml2 "ampproblem" DoS

From: Tomas Hoger <thoger () redhat com>
Date: Mon, 6 Oct 2008 11:18:14 +0200
On Fri, 3 Oct 2008 17:09:15 -0400 (EDT) "Steven M. Christey"
<coley () linus mitre org> wrote:


The malicious XML file can be found on
http://bugzilla.gnome.org/show_bug.cgi?id=554660

I'm not sure if and how this is related to CVE-2008-3281.


  It's unrelated, the patch is attached to the bug, only 2.7.x is
affected and I will release 2.7.2 within a couple of hours.


Use CVE-2008-4422


Looks like this is also duplicate of previously assigned:

Name: CVE-2008-4409
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4409
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20081003
Category: 
Reference: MLIST:[oss-security] 20081002 libxml2 "ampproblem" DoS
Reference: URL:http://openwall.com/lists/oss-security/2008/10/02/4
Reference: CONFIRM:http://bugzilla.gnome.org/show_bug.cgi?id=554660

libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities
definitions" in entities, which allows context-dependent attackers to
cause a denial of service (memory consumption and application crash),
as demonstrated by use of xmllint on a certain XML document, a
different vulnerability than CVE-2003-1564 and CVE-2008-3281.


CVE-2008-4409 is public on NVD site, CVE-2008-4422 in Gentoo BZ and
here...  CVE-2008-4422 should probably be rejected.

-- 
Tomas Hoger / Red Hat Security Response Team
Previous By Date Next
Previous By Thread Next

Current thread: