oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled

From: Tomas Hoger <thoger () redhat com>
Date: Tue, 6 May 2014 20:55:58 +0200
On Tue, 06 May 2014 20:21:28 +0200 Nicolas Grégoire wrote:


libxml2 [...] incorrectly performs entity substituton in the doctype
prolog, even if the application using libxml2 disabled any entity
substitution. 


I'm not sure that I understand this bug. Do you have a PoC?


The new issue is very similar to the one fixed by:

https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f

which is linked to the infamous CVE-2013-0339.  4629ee0 fixed the issue
for general entities, while the 9cd1c3c fixes the same type of problem
for parameter entities.  Even when parsing without NOENT, external
parameter entities are fetched.

-- 
Tomas Hoger / Red Hat Security Response Team
Previous By Date Next
Previous By Thread Next

Current thread: