Re: Handling cases of CWE-776

[Marcus Meissner <meissner () suse de>]

On Wed, Oct 28, 2009 at 12:02:40AM +0000, Tim Brown wrote:
> All,
>
> How are problems with XML bombs (the so called "billion laughs" attack) being 
> handled?  Should I be filing such bugs against the applications that exposes 
> the XML parser to user input or is it better to report the issue against the 
> parser themselves.  For example, the test case I've prepared for one affected 
> parser simply causes the CPU to spin but the system appears to stay 
> responsive (so far ;)).  Is it even fair to call such a denial of service? 
> (If the code was executed in a real application, no further processing would 
> happen within the affected process as the parser is tied up in memmove()s).  
> I'm just curious as I don't want to waste peoples time with the disclosure 
> process if others are simply filing "standard" bugs against affected parsers 
> and moving on to more interesting matters.

If an application can be made unresponsive this way it would still be
a denial of service against this app, so Yes.

It always should however be checked if the application can get this data
from a real life attacker or if a admin user needs to push it in. For the
latter it is not DoS in my eyes.

Ciao, Marcus