oss-sec mailing list archives

Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled

From: Nicolas Grégoire <nicolas.gregoire () agarri fr>
Date: Tue, 06 May 2014 20:21:28 +0200

Hello,

libxml2 [...] incorrectly performs entity substituton in the doctype
prolog, even if the application using libxml2 disabled any entity
substitution.


I'm not sure that I understand this bug. Do you have a PoC?

Regards,
Nicolas Grégoire

Current thread:

CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Stefan Cornelius (May 06)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Nicolas Grégoire (May 06)
  - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tomas Hoger (May 06)
    - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Nicolas Grégoire (May 06)
    - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Timoth D. Morgan (May 08)
    - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tomas Hoger (May 12)
    - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled David Jorm (Jun 02)
    - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tim (Jun 03)
    - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled David Jorm (Jun 06)
    - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tim (Jun 03)
    - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tomas Hoger (Jun 09)
    - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tim (Jun 09)