[v2.7] libxml2: do not fetch external parameter entities (CVE-2014-0191)
It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substitution in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors.
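The description above says external parameter entities declared in the doctype prolog were fetched even when the application had disabled entity substitution. The following is an added Python example, not code from this issue, from libxml2 or from Alpine, that shows what such a prolog looks like and implements a pre-parse check an application can run before handing untrusted XML to a DTD-aware parser: it flags an external DTD reference or any external parameter entity declaration so the document can be rejected, or parsed only with DTD loading and entity substitution turned off. The sample documents and the example.invalid URLs are constructed for the example; the regular-expression scan is a conservative heuristic over the prolog, not a full XML parser, and it complements, rather than replaces, updating libxml2 to a fixed version.

```python
import re

# Constructed sample documents (not from the advisory). The URLs use the
# reserved .invalid TLD, so nothing here can actually be fetched.
SAFE_DOC = b'<?xml version="1.0"?><root>hello</root>'

INTERNAL_PE_DOC = b'''<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY % greeting "hello">
]>
<root/>'''

EXTERNAL_PE_DOC = b'''<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY % ext SYSTEM "http://example.invalid/external.dtd">
  %ext;
]>
<root/>'''

EXTERNAL_DTD_DOC = b'''<?xml version="1.0"?>
<!DOCTYPE root SYSTEM "http://example.invalid/root.dtd">
<root/>'''

# <!DOCTYPE name head [internal subset]>  -- head may carry SYSTEM/PUBLIC ids
_DOCTYPE_RE = re.compile(
    rb'<!DOCTYPE\s+(?P<name>[^\s\[>]+)(?P<head>[^\[>]*)'
    rb'(?:\[(?P<subset>.*?)\]\s*)?>',
    re.DOTALL,
)
# <!ENTITY % name body>  -- a parameter entity declaration in the subset;
# the body is either a quoted literal value or an external (SYSTEM/PUBLIC) id
_PE_DECL_RE = re.compile(
    rb"""<!ENTITY\s+%\s+(?P<name>[^\s>]+)\s+(?P<body>(?:"[^"]*"|'[^']*'|[^>])*)>""",
    re.DOTALL,
)
_EXTERNAL_ID_RE = re.compile(rb'\b(?:SYSTEM|PUBLIC)\b')
_PE_REF_RE = re.compile(rb'%([^\s;%]+);')


def audit_prolog(xml_bytes):
    """Describe the DTD features in a document's prolog without parsing it."""
    report = {
        "has_doctype": False,
        "external_dtd": False,              # <!DOCTYPE x SYSTEM/PUBLIC ...>
        "external_parameter_entities": [],  # <!ENTITY % x SYSTEM/PUBLIC ...>
        "parameter_entity_refs": [],        # %x; inside the internal subset
    }
    m = _DOCTYPE_RE.search(xml_bytes)
    if m is None:
        return report
    report["has_doctype"] = True
    if _EXTERNAL_ID_RE.search(m.group("head")):
        report["external_dtd"] = True
    subset = m.group("subset") or b""
    for decl in _PE_DECL_RE.finditer(subset):
        # Only declarations whose body starts with an external identifier
        # would make a DTD-loading parser go and fetch something.
        if _EXTERNAL_ID_RE.match(decl.group("body").lstrip()):
            report["external_parameter_entities"].append(
                decl.group("name").decode("ascii", "replace"))
    report["parameter_entity_refs"] = [
        r.decode("ascii", "replace") for r in _PE_REF_RE.findall(subset)
    ]
    return report


def requires_external_fetch(xml_bytes):
    """True if this prolog could make a DTD-loading parser fetch a remote or
    local resource. Untrusted documents for which this holds should be
    rejected, or parsed only with DTD loading and entity substitution off."""
    r = audit_prolog(xml_bytes)
    return r["external_dtd"] or bool(r["external_parameter_entities"])


if __name__ == "__main__":
    samples = [("safe", SAFE_DOC), ("internal-pe", INTERNAL_PE_DOC),
               ("external-pe", EXTERNAL_PE_DOC), ("external-dtd", EXTERNAL_DTD_DOC)]
    for label, doc in samples:
        print(label, requires_external_fetch(doc), audit_prolog(doc))
```

Only the "external-pe" and "external-dtd" samples are flagged; a purely internal parameter entity is harmless with respect to this issue. A check like this is useful because the advisory's point is that, before the fix, the application's own "no entity substitution" setting did not stop the fetch of external parameter entities; filtering the prolog up front gives the application a decision that does not depend on the parser honouring that setting.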
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191
http://www.openwall.com/lists/oss-security/2014/05/06/4
http://www.ubuntu.com/usn/usn-2214-1
COMMIT:
https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
(from redmine: issue id 2931, created on 2014-05-22, closed on 2014-05-23)
- Relations:
- parent #2928 (closed)
- Changesets:
- Revision bdd75c7c by Natanael Copa on 2014-05-22T15:06:31Z:
main/libxml2: security fix for CVE-2014-0191
fixes #2931