oss-sec mailing list archives
Re: CVE Request: libxml2 external parsed entities issue
From: Marcus Meissner <meissner () suse de>
Date: Fri, 5 Jul 2013 16:38:34 +0200
On Fri, Jul 05, 2013 at 09:30:07AM -0400, Marc Deslauriers wrote:
> On 13-07-05 09:17 AM, Marcus Meissner wrote:
>> On Fri, Jul 05, 2013 at 08:48:04AM -0400, Marc Deslauriers wrote:
>>> Hello,
>>>
>>> libxml2 earlier than 2.9.0 fetches external parsed entities by default,
>>> with no way to disable the behaviour.
>>>
>>> Fixed by the following commit:
>>> https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f
>>>
>>> More Information:
>>> https://mail.gnome.org/archives/xml/2012-October/msg00045.html
>>> https://github.com/sparklemotion/nokogiri/issues/693
>>> https://bugs.launchpad.net/ubuntu/+source/libxml2/+bug/1194410
>>>
>>> Could a CVE please be assigned to this issue?
>>
>> Sounds like http://seclists.org/oss-sec/2013/q1/391 and
>> "Please use CVE-2013-0339 for libxml2 external entities expansion" ?
>
> Hrm, I would have thought CVE-2013-0339 was for the entities expansion
> DoS issue fixed by this commit:
> https://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab
>
> The other one is for external entities expansion being enabled by
> default with no way to turn it off.
>
> You would lump them together?

Mostly wondering, as it seemed more or less related.

Perhaps someone else has more insight.

Ciao, Marcus
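
A pre-parse gate for applications that must pass untrusted XML to a libxml2 older than 2.9.0, added here as an example and not taken from the thread or from libxml2. It assumes Python's standard-library expat binding is acceptable for inspecting the DTD; the function name and the sample documents are constructed.

```python
import xml.parsers.expat


def external_parsed_entities(xml_bytes):
    """Return (kind, name, system_id) for every external parsed entity declared."""
    found = []

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value and unparsed (NDATA) entities
        # carry a notation name; what remains is an external parsed entity.
        if value is None and notation is None and system_id is not None:
            kind = "parameter" if is_parameter else "general"
            found.append((kind, name, system_id))

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    # No ExternalEntityRefHandler is installed, so expat only reports the
    # declaration and never asks for the resource it points at.
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        # Input that is not well-formed is rejected rather than passed on.
        raise ValueError("not well-formed: %s" % exc) from exc
    return found


# Constructed sample documents (example.invalid never resolves).
PLAIN = b"<r>hello</r>"
INTERNAL = b'<!DOCTYPE r [<!ENTITY a "x">]><r>&a;</r>'
EXTERNAL = (b'<!DOCTYPE r [<!ENTITY ext SYSTEM "http://example.invalid/e.xml">]>'
            b"<r>&ext;</r>")
PARAMETER = b'<!DOCTYPE r [<!ENTITY % pe SYSTEM "http://example.invalid/p.dtd">]><r/>'
UNPARSED = (b'<!DOCTYPE r [<!NOTATION gif SYSTEM "viewer">'
            b'<!ENTITY pic SYSTEM "http://example.invalid/p.gif" NDATA gif>]><r/>')

if __name__ == "__main__":
    for label, doc in [("plain", PLAIN), ("internal", INTERNAL),
                       ("external", EXTERNAL), ("parameter", PARAMETER),
                       ("unparsed", UNPARSED)]:
        hits = external_parsed_entities(doc)
        print(label, "REJECT" if hits else "pass", hits)
```

Because expat and libxml2 are different parsers, treat any finding as grounds to reject the document; the gate sits in front of the affected parser and does not replace upgrading to a release that contains the fix.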