[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list]
Date: Mon, 6 Oct 2008 11:18:14 +0200
From: Tomas Hoger <thoger@...hat.com>
To: coley@...us.mitre.org
Cc: oss-security@...ts.openwall.com, veillard@...hat.com,
Robert Buchholz
<rbu@...too.org>
Subject: Re: Re: libxml2 "ampproblem" DoS
On Fri, 3 Oct 2008 17:09:15 -0400 (EDT) "Steven M. Christey"
<coley@...us.mitre.org> wrote:
> > > The malicious XML file can be found on
> > > http://bugzilla.gnome.org/show_bug.cgi?id=554660
> > >
> > > I'm not sure if and how this is related to CVE-2008-3281.
> >
> > It's unrelated, the patch is attached to the bug, only 2.7.x is
> > affected and I will release 2.7.2 within a couple of hours.
>
> Use CVE-2008-4422
Looks like this is also duplicate of previously assigned:
Name: CVE-2008-4409
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4409
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20081003
Category:
Reference: MLIST:[oss-security] 20081002 libxml2 "ampproblem" DoS
Reference: URL:http://openwall.com/lists/oss-security/2008/10/02/4
Reference: CONFIRM:http://bugzilla.gnome.org/show_bug.cgi?id=554660
libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities
definitions" in entities, which allows context-dependent attackers to
cause a denial of service (memory consumption and application crash),
as demonstrated by use of xmllint on a certain XML document, a
different vulnerability than CVE-2003-1564 and CVE-2008-3281.
CVE-2008-4409 is public on NVD site, CVE-2008-4422 in Gentoo BZ and
here... CVE-2008-4422 should probably be rejected.
--
Tomas Hoger / Red Hat Security Response Team
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux