> Costello, Roger L. wrote:
>> Do you have information on specifically what the vulnerabilities are?
>>
>> /Roger
>>
>> [1]
>> http://www.eweekeurope.co.uk/news/vulnerability-in-xml-libraries-discovered-1554
>
> Finland CERT issued an advisory:
>
> <http://cert.fi/en/reports/2009/vulnerability2009085.html>
>
> "The vulnerabilities are related to the parsing of XML elements with
> unexpected byte values and recursive parentheses, which cause the
> program to access memory out of bounds, or to loop indefinitely.
> The effects of the vulnerabilities include denial of service and
> potentially code execution. The vulnerabilities can be exploited by
> enticing a user to open a specially modified file, or by submitting
> it to a server that handles XML content."
>
> libxml2 was added to the list after the initial announcement.

I gather one of the issues was with recursive parameter entities in the
DOCTYPE declaration. This is a bug, since XML does not allow them. It was
not an "XML" vulnerability, but one of particular implementations.

Cheers
Rick Jelliffe
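The point Rick makes above is that a conforming parser must enforce the "No Recursion" well-formedness constraint: an entity may not refer to itself, directly or through other entities, so a loop on such input is an implementation bug rather than an XML problem. The following is an added example, not code from the thread, the advisory, or any of the affected libraries. The DTD fragments, the entity-table builder and both expanders are constructed for illustration; the only real parser involved is Python's bundled expat, which is used at the end to show what a conforming implementation does with the same cycle.

```python
"""Recursive entity references and the XML "No Recursion" constraint.

Added example, not code from the original message or from any of the
affected libraries. Everything here is constructed: the DTD fragments,
the toy entity table, and the toy expanders. The only real parser used
is Python's bundled expat (xml.parsers.expat).
"""
import re
import xml.parsers.expat

# Constructed external-subset fragment: two parameter entities that refer to
# each other. XML's "No Recursion" WFC forbids this; a parser must reject it.
RECURSIVE_EXTERNAL_SUBSET = """
<!ENTITY % p1 "%p2;">
<!ENTITY % p2 "%p1;">
"""

# Constructed internal subset with the same cycle built from general entities.
RECURSIVE_INTERNAL_SUBSET = """<!DOCTYPE doc [
  <!ENTITY e1 "x &e2; y">
  <!ENTITY e2 "&e1;">
]>"""

# Constructed internal subset with a harmless nested (non-recursive) reference.
BENIGN_INTERNAL_SUBSET = """<!DOCTYPE doc [
  <!ENTITY company "Example Corp">
  <!ENTITY footer "Copyright &company;">
]>"""

# <!ENTITY name "value"> and <!ENTITY % name "value"> (quoted literals only).
_DECL = re.compile(
    r'<!ENTITY\s+(%\s+)?([A-Za-z_:][\w.:-]*)\s+(["\'])(.*?)\3\s*>', re.S)
# &name; (general) or %name; (parameter) references.
_REF = re.compile(r'([&%])([A-Za-z_:][\w.:-]*);')


def entity_table(dtd_text):
    """Map ('&', name) or ('%', name) to replacement text for each declaration."""
    table = {}
    for pe_marker, name, _quote, value in _DECL.findall(dtd_text):
        table[('%' if pe_marker else '&', name)] = value
    return table


class RecursiveEntityError(ValueError):
    """An entity was referenced while its own expansion was still in progress."""


def expand_safe(text, table, _open=()):
    """Expand references, refusing any entity that is already being expanded."""
    def replace(m):
        key = (m.group(1), m.group(2))
        if key not in table:
            return m.group(0)          # undeclared: leave it for the caller
        if key in _open:
            chain = ' -> '.join(k[0] + k[1] for k in _open + (key,))
            raise RecursiveEntityError('recursive entity reference: ' + chain)
        return expand_safe(table[key], table, _open + (key,))
    return _REF.sub(replace, text)


def recursion_error(text, table):
    """Return the RecursiveEntityError message for text, or None if it expands."""
    try:
        expand_safe(text, table)
    except RecursiveEntityError as exc:
        return str(exc)
    return None


def naive_terminates(text, table, max_rounds=1000):
    """The buggy behaviour: substitute until nothing changes, with no cycle check.

    Returns False when the round budget runs out, which is the 'loop
    indefinitely' case the advisory describes (the budget exists only so
    that this demonstration itself halts).
    """
    def replace(m):
        return table.get((m.group(1), m.group(2)), m.group(0))
    for _ in range(max_rounds):
        new_text = _REF.sub(replace, text)
        if new_text == text:
            return True
        text = new_text
    return False


def expat_error(document):
    """Parse with expat and return its error message, or None if it accepted it."""
    parser = xml.parsers.expat.ParserCreate()
    try:
        parser.Parse(document, True)
    except xml.parsers.expat.ExpatError as exc:
        return str(exc)
    return None


if __name__ == '__main__':
    pe_table = entity_table(RECURSIVE_EXTERNAL_SUBSET)
    print(recursion_error('%p1;', pe_table))
    ge_table = entity_table(RECURSIVE_INTERNAL_SUBSET)
    print(recursion_error('&e1;', ge_table))
    print('naive expander terminates:', naive_terminates('&e1;', ge_table))
    print(expat_error(RECURSIVE_INTERNAL_SUBSET + '<doc>&e1;</doc>'))
    print(expand_safe('&footer;', entity_table(BENIGN_INTERNAL_SUBSET)))
```

The safe expander keeps the set of entities currently being expanded and refuses a reference to any of them, which is exactly the check the constraint calls for; the naive one only ever substitutes and so never finishes on the cycle. The parameter-entity cycle is placed in an external-subset fragment rather than in the internal subset because parameter-entity references inside markup declarations are not permitted there, so a real parser would reject that construction on other grounds before recursion is ever reached.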